Introduction to Azure VPN Gateway Connections

Azure VPN Gateway provides secure and reliable connections between your on-premises networks and Azure virtual networks (VNets), or between Azure VNets themselves. These connections are crucial for hybrid cloud deployments, enabling seamless integration of your cloud resources with your existing infrastructure.

VPN Gateway supports several connection types, each designed to meet different connectivity requirements. Understanding these options is key to designing a robust and secure network architecture in Azure.

Types of VPN Gateway Connections

Azure VPN Gateway offers the following primary connection types:

  • Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure VNet.
  • Point-to-Site (P2S) VPN: Connects individual client devices to an Azure VNet.
  • VNet-to-VNet: Connects multiple Azure VNets together.
  • ExpressRoute: A dedicated, private connection from your premises to Azure, often used for higher bandwidth and lower latency needs, though it can be used in conjunction with VPN Gateway for redundancy.

Site-to-Site (S2S) VPN

A Site-to-Site VPN establishes a secure tunnel between your on-premises VPN device and the Azure VPN Gateway. This is ideal for:

  • Connecting your entire on-premises network to Azure.
  • Enabling employees in your office to access Azure resources.
  • Utilizing resources in both on-premises and Azure environments as if they were part of a single network.
Diagram of Azure Site-to-Site VPN Connection

Key Considerations:

  • Requires a compatible on-premises VPN device.
  • Uses IPsec/IKE protocols for encryption.
  • Can be configured for active-standby or active-active failover.

Point-to-Site (P2S) VPN

Point-to-Site VPN allows individual devices, such as laptops or tablets, to connect to an Azure VNet. This is useful for:

  • Enabling remote employees to securely access Azure resources from anywhere.
  • Providing temporary access to developers or administrators.
Note: P2S VPN connections do not support connecting to multiple VNets simultaneously.

Supported Protocols:

  • SSTP (Secure Socket Tunneling Protocol): Uses SSL/TLS over TCP port 443, making it firewall-friendly.
  • IKEv2 VPN: A robust and cross-platform VPN protocol.
  • OpenVPN: Supports both TCP and UDP protocols.

VNet-to-VNet Connections

This connection type allows you to securely connect two or more Azure VNets. This is essential for scenarios where:

  • You have workloads distributed across different VNets that need to communicate.
  • You need to segment your network for security or compliance reasons.
  • You are implementing a hub-and-spoke network topology.
Tip: VNet-to-VNet connections can be established using Azure VPN Gateway or Azure Virtual WAN.

When using VPN Gateway for VNet-to-VNet, you create VPN connections between the VPN gateways of each VNet.

ExpressRoute Connections

While not strictly a VPN, Azure ExpressRoute provides a private, dedicated connection from your on-premises infrastructure to Azure. It offers higher bandwidth, lower latency, and increased reliability compared to standard internet VPNs.

ExpressRoute can be used in conjunction with VPN Gateway to create a hybrid network with:

  • Primary private connection: ExpressRoute for high performance.
  • Backup connection: S2S VPN for failover.

Understanding Connection Properties

When configuring an Azure VPN connection, several key properties need to be defined:

  • Connection Type: S2S, P2S, VNet-to-VNet.
  • Virtual Network Gateway: The VPN gateway in Azure you are connecting to.
  • Local Network Gateway: Represents your on-premises network's IP address ranges and the public IP of your VPN device.
  • Shared Key (Pre-Shared Key - PSK): A secret key used for authentication between the VPN devices.
  • IPsec/IKE Policy: Defines the encryption and integrity algorithms, key exchange parameters, and lifetimes.
  • BGP (Border Gateway Protocol): Used for dynamic routing between networks.

For Site-to-Site connections, ensuring that your on-premises VPN device is configured with compatible IPsec/IKE settings is crucial.

Warning: Mismatched IPsec/IKE policies are a common cause of VPN connection failures. Always refer to the Azure documentation for supported parameters.

Troubleshooting Common Issues

Troubleshooting VPN connections can be complex. Here are some common areas to investigate:

  • Connectivity Status: Check the status of the connection in the Azure portal.
  • Firewall Rules: Ensure necessary ports (e.g., UDP 500, UDP 4500 for IKE/IPsec) are open on your on-premises firewall.
  • IP Address Configuration: Verify that the Local Network Gateway and Virtual Network Gateway IPs are correctly configured.
  • Shared Key Mismatch: Double-check the pre-shared key on both ends.
  • IPsec/IKE Policy: Confirm that the encryption, hashing, and DH group settings match.
  • Routing: Ensure proper routes are advertised and present for traffic to flow.

Azure provides diagnostic tools and logs within the VPN Gateway blade to assist in troubleshooting.