Azure VPN Gateway FAQ

What is Azure VPN Gateway?

Azure VPN Gateway is a service that you use to send encrypted traffic between your on-premises networks and your Azure Virtual Network through the public Internet. It can also be used to send encrypted traffic between your Azure Virtual Networks.

What are the different types of VPN gateways?

Azure offers several types of VPN gateways, including:

  • Route-based VPNs: Support multiple tunnels to on-premises sites and can connect multiple VNets.
  • Policy-based VPNs: Support only a limited number of IPsec tunnels and are suitable for simple scenarios.

How does Azure VPN Gateway work?

Azure VPN Gateway uses IPsec (Internet Protocol Security) to establish secure, encrypted connections over the public internet. It acts as a bridge between your on-premises network and your Azure Virtual Network, ensuring data privacy and integrity.

What are the benefits of using Azure VPN Gateway?

Key benefits include:

  • Secure Connectivity: Encrypts traffic to protect sensitive data.
  • Cost-Effective: Leverages the public internet for connectivity, reducing the need for dedicated leased lines.
  • Scalability: Offers various SKUs to meet different performance and throughput requirements.
  • Hybrid Cloud Integration: Enables seamless integration between on-premises and cloud resources.
  • Site-to-Site and VNet-to-VNet: Supports connecting on-premises networks to Azure and connecting multiple Azure VNets.

What is a VPN tunnel?

A VPN tunnel is a secure, encrypted connection established over a public network (like the Internet) between two endpoints. In the context of Azure VPN Gateway, it typically connects your on-premises network to your Azure Virtual Network, or connects two Azure Virtual Networks.

What is a Virtual Network Gateway SKU?

A Virtual Network Gateway SKU defines the performance, features, and pricing for your VPN gateway. Different SKUs offer varying levels of throughput, connection limits, and supported features. Common SKUs include VpnGw1, VpnGw2, VpnGw1AZ, VpnGw2AZ, and more, with 'AZ' indicating availability zone support.

How do I choose the right VPN Gateway SKU?

The choice of SKU depends on your specific requirements, including:

  • Required throughput: Estimate the data transfer needs between your networks.
  • Number of connections: Determine how many tunnels you need to establish.
  • High availability: Consider if you need zone redundancy (AZ SKUs).
  • Budget: Different SKUs have different pricing tiers.

Consult the Azure VPN Gateway SKUs documentation for detailed comparison.

What is the difference between Route-based and Policy-based VPNs?

Route-based VPNs use dynamic routing protocols and can create multiple tunnels between networks. They are more flexible and recommended for most scenarios, especially for connecting multiple on-premises sites or multiple VNets.

Policy-based VPNs create specific tunnels based on predefined IP address ranges and are generally simpler but less flexible. They are suitable for connecting a single on-premises site with a limited number of subnets.

Can I connect my on-premises network to multiple Azure VNets?

Yes, you can. You can use Azure VPN Gateway to establish a site-to-site VPN connection to one Azure VNet, and then use VNet-to-VNet connections to link that VNet to others. Alternatively, with certain gateway configurations and depending on your on-premises VPN device capabilities, you might be able to establish multiple site-to-site tunnels from your on-premises network to different Azure VNets.

What is Network Address Translation (NAT) for VPN Gateway?

NAT allows you to translate private IP addresses on your on-premises network to different private IP addresses as seen from Azure, or vice versa. This is useful for scenarios where you have overlapping IP address spaces between your on-premises network and your Azure Virtual Network, or when you want to control which IP addresses are exposed to the other side of the tunnel.
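The following is an added example, not taken from this FAQ or from Microsoft's documentation, that models the address-plan check behind the overlapping-address-space scenario: a static 1:1 translation keeps each host's offset within its prefix and swaps the network part, so the plan is only usable when the translated prefix is the same size as the on-premises prefix and collides with neither side. All prefixes (10.0.1.0/24 on both sides, 100.64.1.0/24 as the translated range) and the function names are constructed for illustration.

```python
"""Sanity-check a static 1:1 NAT plan for overlapping VPN address spaces."""
from ipaddress import IPv4Address, ip_network


def plan_static_nat(onprem, vnet, translated):
    """Return a list of findings for a proposed static NAT plan.

    onprem     -- on-premises prefix as addressed locally
    vnet       -- Azure VNet address space it collides with
    translated -- prefix the on-premises range should appear as to Azure
    An empty list means the plan is usable.
    """
    onprem, vnet, translated = map(ip_network, (onprem, vnet, translated))
    findings = []
    if not onprem.overlaps(vnet):
        findings.append("no overlap: NAT is not required for this pair")
    if onprem.prefixlen != translated.prefixlen:
        findings.append("static NAT needs equally sized internal and external prefixes")
    if translated.overlaps(vnet):
        findings.append("translated prefix still collides with the VNet address space")
    if translated.overlaps(onprem):
        findings.append("translated prefix collides with the untranslated on-premises prefix")
    return findings


def translate(addr, internal, external):
    """Map one address in `internal` to the same host offset in `external`."""
    addr = IPv4Address(addr)
    internal, external = ip_network(internal), ip_network(external)
    if addr not in internal:
        raise ValueError(f"{addr} is not inside {internal}")
    if internal.prefixlen != external.prefixlen:
        raise ValueError("prefix sizes differ; static 1:1 NAT is undefined")
    # Static NAT: keep the host bits, replace the network bits.
    offset = int(addr) - int(internal.network_address)
    return IPv4Address(int(external.network_address) + offset)


if __name__ == "__main__":
    # Constructed scenario: the on-premises site uses 10.0.1.0/24, which
    # sits inside the VNet's 10.0.0.0/16, so it is presented as 100.64.1.0/24.
    print(plan_static_nat("10.0.1.0/24", "10.0.0.0/16", "100.64.1.0/24"))
    print(translate("10.0.1.25", "10.0.1.0/24", "100.64.1.0/24"))
    # A translated range chosen inside the VNet space is rejected.
    print(plan_static_nat("10.0.1.0/24", "10.0.0.0/16", "10.0.5.0/24"))
```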