Azure Networking: VPN Gateway

This documentation provides comprehensive information about Azure VPN Gateway, a service that enables you to create secure, cross-premises connectivity between your on-premises networks and Azure. It also allows for secure site-to-site (S2S) or point-to-site (P2S) connections.

What is Azure VPN Gateway?

Azure VPN Gateway is a managed service that you can use to send encrypted traffic between your Azure Virtual Network (VNet) and your on-premises network location or between VNets. VPN Gateway is a type of Virtual Network Gateway.

Key Features:

  • Site-to-Site (S2S) VPN: Connect your on-premises network to Azure securely.
  • Multi-Site Connection: Connect multiple on-premises locations to a single Azure VNet.
  • VNet-to-VNet Connection: Connect Azure VNets in different regions or subscriptions.
  • Point-to-Site (P2S) VPN: Connect individual client devices to Azure.
  • ExpressRoute + VPN Gateway Coexistence: Combine the benefits of ExpressRoute private connectivity with the flexibility of VPN Gateway.
  • Active-Active VPN Gateways: Provides higher availability and throughput.
  • Zone-Redundant Gateways: Offers availability across multiple availability zones.

Common Use Cases

Azure VPN Gateway is instrumental in various scenarios:

  • Hybrid Cloud Connectivity: Seamlessly extend your on-premises infrastructure into Azure.
  • Disaster Recovery: Establish a backup connection for your critical workloads.
  • Secure Remote Access: Enable employees to securely access Azure resources from anywhere.
  • Application Connectivity: Connect different applications hosted in various VNets.

Configuring VPN Gateway

Configuring a VPN Gateway involves several steps, including creating a Virtual Network Gateway, defining local network gateways, and establishing connections. Here's a high-level overview:

  1. Create a Virtual Network (VNet): Ensure you have a VNet configured in Azure.
  2. Create a Gateway Subnet: A dedicated subnet named GatewaySubnet is required for the VPN Gateway.
  3. Create a Virtual Network Gateway: Choose the VPN type (e.g., Route-based, Policy-based) and SKU based on your performance and feature requirements.
  4. Create a Local Network Gateway: Represent your on-premises network's IP address space and VPN device information.
  5. Create a Connection: Link your Virtual Network Gateway to your Local Network Gateway, specifying a shared key for authentication.
Important Note: Ensure that the IP address ranges of your on-premises network and your Azure VNet do not overlap. This is crucial for successful routing.

Key Concepts

  • Virtual Network Gateway: The resource in Azure that manages VPN connections.
  • Local Network Gateway: A resource that represents your on-premises network to Azure.
  • Connection: A resource that defines the parameters and status of a connection between two gateways.
  • IPsec/IKE: The standard protocols used for establishing secure VPN tunnels.
  • BGP Routing: Border Gateway Protocol can be used for dynamic routing between your on-premises network and Azure.

Monitoring and Troubleshooting

Azure provides robust tools for monitoring the health and performance of your VPN Gateways. Utilize Azure Monitor and Network Watcher to diagnose connectivity issues.

  • Check the connection status and data transfer metrics.
  • Review gateway logs for any errors or warnings.
  • Use Connection Troubleshoot in Network Watcher for advanced diagnostics.

Related Documentation