Azure VPN Gateway Architecture
Understanding the architecture of Azure VPN Gateway is crucial for designing secure and reliable hybrid cloud solutions. This section details the core components and concepts that make up a robust VPN Gateway setup.
Core Components
Azure VPN Gateway is a managed service that enables you to create secure, cross-premises connections between your on-premises networks and your Azure Virtual Networks (VNets) over the public internet. It also allows you to establish VNet-to-VNet connections between two Azure VNets, and Point-to-Site connections from individual clients.
- Virtual Network Gateway: The primary resource that represents your VPN gateway. It resides in a dedicated subnet within your VNet called GatewaySubnet.
- GatewaySubnet: A special subnet in your VNet that must be named exactly GatewaySubnet. It is used exclusively by the gateway instances: do not deploy other resources into it or associate a network security group with it. Azure recommends /27 or larger so that the gateway has room for additional instances and for coexistence with ExpressRoute.
- Public IP Address: A static public IP address assigned to the VPN gateway, used as the IPsec peer address by external networks. An active-active gateway needs one public IP per instance.
- Local Network Gateway: Represents your on-premises network (or another VNet). It contains the public IP address of your on-premises VPN device and the address space(s) of your on-premises network.
- Connection Resource: This resource links your Virtual Network Gateway to a Local Network Gateway (for an S2S connection of type IPsec) or to another Virtual Network Gateway (for a VNet-to-VNet connection). It holds the connection type, the IPsec/IKE policy and the shared key (pre-shared key). Treat the shared key as a secret: generate it randomly and store it in a secret store rather than in scripts or templates. Point-to-Site is not a connection resource; it is configured on the Virtual Network Gateway itself (client address pool, tunnel type, authentication).
High-Level Architecture Diagram
A simplified representation of a Site-to-Site VPN connection using Azure VPN Gateway.
Connection Types
Azure VPN Gateway supports several connection types:
- Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure VNet. This is ideal for hybrid scenarios where you want to extend your datacenter to Azure.
- VNet-to-VNet VPN: Connects two or more Azure VNets together. This is useful for disaster recovery, geographical distribution, or segregating workloads.
- Point-to-Site (P2S) VPN: Connects individual client devices (like laptops) to an Azure VNet over IKEv2, OpenVPN or SSTP, with certificate, Microsoft Entra ID or RADIUS authentication. This is often used for remote access for employees.
Key Architectural Considerations
- Gateway SKUs: Azure VPN Gateway offers various SKUs (e.g., Basic, VpnGw1, VpnGw2, VpnGw1AZ, VpnGw2AZ) that determine aggregate throughput, tunnel count and features. The Basic SKU does not support BGP, active-active or custom IPsec/IKE policies, so it is unsuitable for most production designs; the AZ SKUs are zone-redundant. Choosing the right SKU is vital for meeting your bandwidth, connectivity and security-policy needs.
- Active-Active vs. Active-Standby: Every gateway consists of two instances. In the default active-standby configuration only one instance terminates tunnels, and the standby takes over during planned maintenance or an unplanned failure, with a brief interruption while the tunnels are re-established. In active-active configuration both instances have their own public IP address and terminate tunnels simultaneously, so your on-premises device must build a tunnel to each (typically with BGP so that failover is automatic) and a single instance failure does not drop connectivity.
- Redundancy: Azure VPN Gateway is inherently redundant within a region through its two instances, and the AZ SKUs spread those instances across availability zones. For cross-region disaster recovery, deploy gateways in multiple regions and connect them with VNet-to-VNet connections or with redundant S2S tunnels from your on-premises devices.
- Throughput and Bandwidth: Understand the expected throughput for your chosen SKU and design your network accordingly. Consider the bandwidth available on your on-premises connection.
- IPsec/IKE Protocols: Azure VPN Gateway uses IPsec with IKEv1 (policy-based gateways) or IKEv2 (route-based gateways) to authenticate peers and encrypt traffic. The default proposal set negotiates a broad list of algorithms, including older ones such as 3DES, SHA1 and 1024-bit Diffie-Hellman (DHGroup2), for compatibility. Define a custom IPsec/IKE policy on each connection that pins modern algorithms (for example AES256 or GCMAES256, SHA256, DHGroup14 and PFS2048) and confirm that your on-premises VPN device supports the same proposal.
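The following is an added example, not code from the original page or from Azure, that shows how a reviewer can check a proposed custom IPsec/IKE policy for legacy algorithms before applying it. The parameter names mirror the Azure IPsec policy parameters, the two sample policies are constructed for illustration, and the "weak" algorithm sets are this example's own review criteria rather than anything Azure enforces. The rendered `az network vpn-connection ipsec-policy add` command uses the flag names documented for the Azure CLI; verify them against `--help` on your installed version before running it.

```python
"""Review a custom Azure VPN Gateway IPsec/IKE policy for weak choices.

Added example. Weak-algorithm sets are review criteria chosen here, not
Azure validation rules; sample policies below are constructed.
"""
from dataclasses import dataclass
import shlex

# Assumption: algorithms a modern design should not pin.
WEAK_ENCRYPTION = {"DES", "DES3"}
WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"DHGroup1", "DHGroup2"}      # 768-bit / 1024-bit MODP
WEAK_PFS_GROUPS = {"PFS1", "PFS2", "None"}     # small groups or no PFS
GCM_ALGORITHMS = {"GCMAES128", "GCMAES192", "GCMAES256"}


@dataclass(frozen=True)
class IpsecPolicy:
    """Fields follow the Azure custom IPsec/IKE policy parameters."""
    ike_encryption: str
    ike_integrity: str
    dh_group: str
    ipsec_encryption: str
    ipsec_integrity: str
    pfs_group: str
    sa_lifetime: int = 27000        # seconds, Azure default
    sa_max_size: int = 102400000    # kilobytes, Azure default


def policy_findings(p: IpsecPolicy) -> list[str]:
    """Return review findings; an empty list means the policy passed."""
    findings = []
    if p.ike_encryption in WEAK_ENCRYPTION:
        findings.append(f"IKE encryption {p.ike_encryption} is obsolete")
    if p.ike_integrity in WEAK_INTEGRITY:
        findings.append(f"IKE integrity {p.ike_integrity} is obsolete")
    if p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"IKE DH group {p.dh_group} is too small")
    if p.ipsec_encryption in WEAK_ENCRYPTION:
        findings.append(f"IPsec encryption {p.ipsec_encryption} is obsolete")
    if p.ipsec_integrity in WEAK_INTEGRITY:
        findings.append(f"IPsec integrity {p.ipsec_integrity} is obsolete")
    if p.pfs_group in WEAK_PFS_GROUPS:
        findings.append(f"PFS group {p.pfs_group}: use PFS2048/ECP256/ECP384")
    # Azure requires the same GCM algorithm for IPsec encryption and integrity.
    if p.ipsec_encryption in GCM_ALGORITHMS and p.ipsec_integrity != p.ipsec_encryption:
        findings.append("GCM IPsec encryption must use the same GCM algorithm for integrity")
    if not 300 <= p.sa_lifetime <= 172799:
        findings.append("SA lifetime must be between 300 and 172799 seconds")
    if p.sa_max_size < 1024:
        findings.append("SA data size must be at least 1024 KB")
    return findings


def to_az_command(resource_group: str, connection_name: str, p: IpsecPolicy) -> str:
    """Render the Azure CLI call that applies the policy to an S2S connection."""
    parts = [
        "az", "network", "vpn-connection", "ipsec-policy", "add",
        "--resource-group", resource_group,
        "--connection-name", connection_name,
        "--ike-encryption", p.ike_encryption,
        "--ike-integrity", p.ike_integrity,
        "--dh-group", p.dh_group,
        "--ipsec-encryption", p.ipsec_encryption,
        "--ipsec-integrity", p.ipsec_integrity,
        "--pfs-group", p.pfs_group,
        "--sa-lifetime", str(p.sa_lifetime),
        "--sa-max-size", str(p.sa_max_size),
    ]
    return " ".join(shlex.quote(x) for x in parts)


# Constructed sample policies: a legacy proposal next to a hardened one.
LEGACY_POLICY = IpsecPolicy("DES3", "SHA1", "DHGroup2", "DES3", "SHA1", "None")
HARDENED_POLICY = IpsecPolicy("AES256", "SHA256", "DHGroup14",
                              "GCMAES256", "GCMAES256", "PFS2048")

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, policy_findings(policy) or "OK")
    print(to_az_command("rg-hybrid", "onprem-dc1-to-hub", HARDENED_POLICY))
```

Run the findings check in a pipeline step before the connection is created or updated, and fail the deployment when the list is non-empty; the hardened policy above passes, the legacy one produces six findings.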
Important: Always ensure that the address spaces of your on-premises networks, your Azure VNets and any peered VNets do not overlap, including between different Local Network Gateways attached to the same gateway. Overlapping prefixes cannot be routed unambiguously, so traffic to the overlapping range is silently sent to the wrong side or dropped.
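As an added example, not part of the original page, the check below validates a proposed S2S address plan offline before any resources are created: the gateway subnet must be named GatewaySubnet, sit inside the VNet address space and be /27 or larger, and no Local Network Gateway prefix may overlap the VNet or another Local Network Gateway. The VNet, subnet and on-premises prefixes are constructed sample values, and treating the /27 recommendation as a hard rule is this example's choice.

```python
"""Offline sanity checks for an Azure S2S VPN address plan (added example).

Sample prefixes and gateway names below are constructed for illustration.
"""
from ipaddress import IPv4Network

# Azure recommends /27 or larger for GatewaySubnet; enforced here by choice.
MAX_GATEWAY_SUBNET_PREFIXLEN = 27


def _parse(prefix: str, where: str, problems: list[str]):
    """Parse a CIDR prefix, recording a problem if host bits are set."""
    try:
        return IPv4Network(prefix)  # strict: 10.1.0.5/24 is a typo, not a range
    except ValueError as exc:
        problems.append(f"{where}: invalid prefix {prefix!r} ({exc})")
        return None


def check_address_plan(vnet_prefixes: list[str],
                       gateway_subnet_name: str,
                       gateway_subnet: str,
                       local_network_prefixes: dict[str, list[str]]) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    local_network_prefixes maps each Local Network Gateway name to the
    on-premises prefixes it advertises.
    """
    problems: list[str] = []
    vnet = [n for p in vnet_prefixes if (n := _parse(p, "VNet", problems))]

    if gateway_subnet_name != "GatewaySubnet":
        problems.append(f"gateway subnet must be named 'GatewaySubnet', got {gateway_subnet_name!r}")
    gw = _parse(gateway_subnet, "GatewaySubnet", problems)
    if gw is not None:
        if not any(gw.subnet_of(v) for v in vnet):
            problems.append(f"GatewaySubnet {gw} is not inside the VNet address space")
        if gw.prefixlen > MAX_GATEWAY_SUBNET_PREFIXLEN:
            problems.append(f"GatewaySubnet {gw} is smaller than /{MAX_GATEWAY_SUBNET_PREFIXLEN}")

    seen: list[tuple[str, IPv4Network]] = []   # (LNG name, prefix) already checked
    for lng_name, prefixes in local_network_prefixes.items():
        for prefix in prefixes:
            remote = _parse(prefix, lng_name, problems)
            if remote is None:
                continue
            for v in vnet:
                if remote.overlaps(v):
                    problems.append(f"{lng_name}: {remote} overlaps VNet address space {v}")
            for other_name, other in seen:
                if remote.overlaps(other):
                    problems.append(f"{lng_name}: {remote} overlaps {other} from {other_name}")
            seen.append((lng_name, remote))
    return problems


# Constructed sample plans: one consistent, one with several mistakes.
GOOD_PLAN = dict(vnet_prefixes=["10.1.0.0/16"],
                 gateway_subnet_name="GatewaySubnet",
                 gateway_subnet="10.1.255.0/27",
                 local_network_prefixes={"onprem-dc1": ["192.168.0.0/16"],
                                         "onprem-dc2": ["172.16.0.0/12"]})
BAD_PLAN = dict(vnet_prefixes=["10.1.0.0/16"],
                gateway_subnet_name="gateway-subnet",
                gateway_subnet="10.1.255.0/29",
                local_network_prefixes={"onprem-dc1": ["10.1.8.0/22", "192.168.1.0/24"],
                                        "onprem-dc2": ["192.168.0.0/16"]})

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_address_plan(**plan) or "OK")
```

The bad plan reports four problems: the wrong subnet name, a /29 gateway subnet, an on-premises prefix that collides with the VNet, and a prefix advertised by both Local Network Gateways. Running this against the values in a template or parameter file catches the overlap before a connection is built that will never pass traffic.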
Next Steps
Now that you understand the architecture, you can proceed to explore the deployment and configuration options for your Azure VPN Gateway.