Azure VPN Gateway Concepts

Azure VPN Gateway is a service that you use to send encrypted traffic between your on-premises networks and your Azure Virtual Network (VNet) through the public Internet. You can also use VPN Gateway to send encrypted traffic between different Azure VNets, or between Azure compute instances that are on different VNets.

What is Azure VPN Gateway?

Azure VPN Gateway is a fully managed VPN service that offers:

  • Site-to-site (S2S) VPNs: Connect your on-premises network to your Azure VNet.
  • Cross-premises connections: Connect multiple on-premises locations to Azure.
  • VNet-to-VNet connections: Connect multiple Azure VNets securely.
  • Point-to-site (P2S) VPNs: Connect individual clients to your Azure VNet.

Key Components

Understanding the core components of Azure VPN Gateway is crucial for designing and managing your network connectivity:

Virtual Network Gateway

The Virtual Network Gateway is a logical entity in Azure that represents your VPN gateway. It's deployed in a dedicated subnet called GatewaySubnet within your VNet. This gateway facilitates the encrypted connections.

Connection Resources

Connection resources define the properties and status of the connection between two endpoints. They link your Virtual Network Gateway to another gateway or an on-premises device.

Local Network Gateway

A Local Network Gateway is a resource that represents your on-premises network. It contains the public IP address of your on-premises VPN device and the address prefixes that correspond to your on-premises network.

Public IP Address

Your VPN Gateway requires a public IP address to be accessible from the internet. This IP is assigned to the Virtual Network Gateway.

Types of VPN Connections

Site-to-Site (S2S) VPN

This is the most common type of VPN connection. It creates an encrypted tunnel between your on-premises network and your Azure VNet using an IPsec/IKE VPN protocol. This is ideal for:

  • Connecting your corporate datacenter to Azure.
  • Enabling hybrid cloud scenarios.

VNet-to-VNet VPN

This type of connection enables secure communication between two different Azure VNets, potentially in different regions. It's achieved by creating VPN tunnels between the Virtual Network Gateways of each VNet.

Point-to-Site (P2S) VPN

P2S VPN allows individual users to connect to an Azure VNet from their client devices (laptops, desktops). This is useful for remote employees who need to access resources in Azure.

Connection Protocols

  • IPsec/IKE: The standard protocol used for S2S and VNet-to-VNet VPNs. It provides strong encryption and authentication.
  • IKEv2: Supports P2S connections using native client support on Windows, macOS, and Linux.
  • SSTP: A secure socket tunneling protocol, also supported for P2S connections, which uses SSL/TLS.
Tip: For optimal performance and reliability, ensure your on-premises VPN devices are compatible with Azure VPN Gateway and follow Microsoft's recommended configurations.

Key Concepts in VPN Gateway

  • Bandwidth: The throughput capacity of your VPN Gateway, which varies based on the SKU.
  • High Availability (HA): Azure VPN Gateway offers active-standby and active-active configurations for business continuity.
  • Tunnel Type: Policy-based (static routing) or route-based (dynamic routing) tunnels. Route-based is more flexible and generally recommended.
  • BGP (Border Gateway Protocol): Used for dynamic route exchange between your on-premises network and Azure, especially for complex routing scenarios.

By understanding these concepts, you can effectively design and implement secure, reliable network connectivity between your on-premises environment and Azure, or between your Azure VNets.