Azure VPN Gateway Documentation

Azure VPN Gateway is a service that provides encrypted connections between your on-premises networks and Azure, or between your Azure virtual networks.

What is Azure VPN Gateway?

Azure VPN Gateway is a type of virtual network gateway that uploads, uses, and manages VPN connections. It's a managed service that allows you to create and manage secure, cross-premises connectivity.

Key Features:

Site-to-Site (S2S) VPNs: Connect your on-premises datacenter to Azure.
Point-to-Site (P2S) VPNs: Connect individual client devices to Azure.
Network-to-Network (N2N) VPNs: Connect multiple Azure virtual networks.
High Availability: Redundant configurations for business continuity.
Scalability: Choose gateway SKUs based on performance and throughput needs.
Azure Active Directory integration: For enhanced security and authentication.

Common Use Cases

Azure VPN Gateway is essential for a variety of hybrid cloud scenarios:

Extending your datacenter: Securely access Azure resources as if they were part of your on-premises network.
Disaster Recovery: Establish a DR site in Azure and connect it to your primary datacenter.
Development and Testing: Create secure environments for testing applications deployed in Azure.
Secure Remote Access: Allow employees to securely connect to corporate resources from anywhere.

Types of VPN Connections

Site-to-Site (S2S) VPN

This is the most common type of VPN connection. It establishes a secure, encrypted tunnel between your on-premises VPN device (or firewall) and an Azure VPN Gateway. This allows resources in your on-premises network and your Azure VNet to communicate securely.

Azure VPN Gateway Site-to-Site Connection Diagram

Diagram illustrating a Site-to-Site VPN connection.

Point-to-Site (P2S) VPN

P2S VPN allows individual client computers to connect to an Azure VNet. This is useful for remote workers or individual users who need secure access to Azure resources without needing a dedicated VPN device on their machine. Azure supports SSTP (Secure Socket Tunneling Protocol) and IKEv2/IPsec protocols for P2S connections.

Azure VPN Gateway Point-to-Site Connection Diagram

Diagram illustrating a Point-to-Site VPN connection.

Network-to-Network (N2N) VPN

N2N VPNs connect two or more Azure Virtual Networks (VNets). This is particularly useful when you have different VNets for different environments (e.g., development, production) or different departments, and they need to communicate securely with each other. This is also achieved through Azure VPN Gateway.

Configuring Azure VPN Gateway

Setting up a VPN Gateway involves several steps:

Create a Virtual Network Gateway: Choose the appropriate SKU (e.g., VpnGw1, VpnGw2, VpnGw3) based on your throughput and feature requirements.
Create a Local Network Gateway: This represents your on-premises network, including its IP address space and the IP address of your on-premises VPN device.
Create a Connection: Establish the connection object between your Virtual Network Gateway and your Local Network Gateway. Define the shared key for authentication.
Configure your On-Premises VPN Device: Ensure your on-premises VPN device is compatible with Azure VPN Gateway and configured with the correct parameters (IP addresses, shared key, encryption algorithms).

Example Configuration Snippet (Conceptual)

This is a conceptual representation of the parameters you might configure.


# Azure CLI Example (Conceptual)

# 1. Create a Virtual Network Gateway
az network vnet-gateway create \
    --name MyVpnGw \
    --resource-group MyResourceGroup \
    --location eastus \
    --public-ip-address MyVpnGwPip \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --sku VpnGw1 \
    --vnet MyVNet

# 2. Create a Local Network Gateway
az network local-gateway create \
    --name MyLocalGw \
    --resource-group MyResourceGroup \
    --location eastus \
    --gateway-ip-address YOUR_ONPREM_VPN_DEVICE_PUBLIC_IP \
    --local-address-prefixes "10.1.0.0/16" "192.168.1.0/24"

# 3. Create a Connection
az network vpn-connection create \
    --name MyS2SConnection \
    --resource-group MyResourceGroup \
    --local-gateway MyLocalGw \
    --remote-gateway MyVpnGw \
    --shared-key YOUR_SECURE_SHARED_KEY \
    --connection-type IPsec

Key Considerations

SKU Selection: The Gateway SKU significantly impacts performance, features (like BGP support), and cost. Choose wisely based on your bandwidth needs.
IP Address Space: Ensure there is no overlapping IP address space between your on-premises network and your Azure VNets.
Shared Key: Use a strong, complex shared key for secure authentication between your VPN devices.
Firewall Rules: Ensure that any firewalls in your on-premises network or Azure network allow the necessary VPN traffic (e.g., UDP ports 500 and 4500).
Monitoring: Utilize Azure Monitor to track VPN tunnel status, bandwidth utilization, and potential issues.

Note: For production environments, consider using Azure Active Directory integration for Point-to-Site VPNs for more robust authentication.

Tip: Always test your VPN connection thoroughly after configuration and periodically afterwards to ensure it remains stable.