Azure VPN Gateway Performance
This document provides guidance on understanding, evaluating, and optimizing the performance of Azure VPN Gateways. Understanding what limits VPN Gateway performance is crucial for ensuring reliable, high-speed connectivity between your on-premises networks and Azure, as well as between different Azure virtual networks.
Key Performance Factors
Several factors significantly influence Azure VPN Gateway performance:
- Gateway SKU: Different SKUs offer varying levels of performance, tunnel count, and features.
- Bandwidth: The provisioned bandwidth of the gateway and the network links involved.
- Packet Size: Smaller packets often lead to lower throughput due to encapsulation overhead.
- Protocol: The choice of IKEv1 vs. IKEv2, together with the negotiated IPsec/IKE parameters, affects performance.
- Encryption Strength: Stronger encryption algorithms consume more CPU resources.
- Number of Tunnels: Each active tunnel adds overhead.
- Network Congestion: Latency and packet loss on the underlying network.
- Virtual Network Configuration: Subnet sizing and routing tables.
Performance Tiers and SKUs
Azure VPN Gateway offers a range of SKUs to meet diverse performance requirements. The following table summarizes key performance indicators for common SKUs. Note that actual performance can vary based on workload and network conditions.
| SKU | Max Connections | Aggregate Throughput (Gbps) | Tunnel Throughput (Mbps) | Features |
|---|---|---|---|---|
| VpnGw1 | 100 | 0.6 | Up to 100 | Site-to-Site, Point-to-Site |
| VpnGw2 | 250 | 1.2 | Up to 200 | Site-to-Site, Point-to-Site |
| VpnGw3 | 500 | 2.0 | Up to 500 | Site-to-Site, Point-to-Site, Active-Active |
| VpnGw1AZ | 100 | 0.6 | Up to 100 | Zone-Redundant |
| VpnGw2AZ | 250 | 1.2 | Up to 200 | Zone-Redundant |
| VpnGw3AZ | 500 | 2.0 | Up to 500 | Zone-Redundant, Active-Active |
| VpnGw-HighPerformance | 1000 | 10 | Up to 1000 | High Throughput, Active-Active |
| VpnGw-UltraPerformance | 2000 | 15 | Up to 1500 | Maximum Throughput, Active-Active |
For the most up-to-date details and specific SKU comparisons, please refer to the official Azure VPN Gateway SKUs documentation.
Basic SKU
The Basic SKU is suitable for development and testing scenarios with minimal throughput requirements. It offers limited throughput and a small number of connections.
VpnGw-AZ SKUs
These SKUs provide zone redundancy, ensuring high availability for your VPN gateway by distributing instances across multiple Azure availability zones within a region.
VpnGw-HighPerformance SKUs
Designed for demanding enterprise workloads, these SKUs offer significantly higher aggregate and tunnel throughput, supporting scenarios with large data transfer needs.
Bandwidth Considerations
The effective bandwidth of your VPN connection is limited by the lowest bandwidth available at any point in the path, including:
- The provisioned aggregate throughput of your Azure VPN Gateway SKU.
- The bandwidth of your on-premises internet connection.
- The bandwidth of intermediate network links.
Throughput Optimization
To maximize throughput:
- Choose the Right SKU: Select a SKU that meets your projected throughput needs.
- Use IKEv2: IKEv2 generally offers better performance than IKEv1.
- Optimize IPsec Parameters: Use more efficient encryption and hashing algorithms (e.g., AES256 with SHA256 or higher). Consider using Data Encryption Negotiation (DEN) if supported by your on-premises devices.
- Consider Packet Size: Applications sending very small packets may experience lower effective throughput due to encapsulation overhead.
- Enable Active-Active: For active-active configurations, ensure you have adequate bandwidth for both active tunnels.
- Test with Realistic Workloads: Use tools like iPerf3 to test throughput under conditions that mimic your actual traffic patterns.
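The "Consider Packet Size" point above can be quantified: every inner packet is wrapped in an outer IP header, an ESP header, a cipher IV, padding, an ESP trailer and an integrity check value, so small packets spend a large share of the tunnel's wire rate on overhead. The following calculator is an added example (not code from the original page or from Azure); the header sizes, the two cipher suites and the 100 Mbps tunnel figure it compares against are its own assumptions.

```python
"""Estimate IPsec ESP (tunnel mode) encapsulation overhead per inner packet size.

Sizes assumed here (not from the page): 20 B outer IPv4, 8 B UDP when NAT-T is in
use, 8 B ESP header (SPI + sequence), 2 B ESP trailer (pad length + next header)
and a 16 B ICV for both HMAC-SHA256-128 and AES-GCM. AES-CBC carries a 16 B IV
and pads to its 16 B block size; AES-GCM carries an 8 B IV and pads to 4 B.
"""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8
ESP_TRAILER = 2
ICV = 16


@dataclass(frozen=True)
class Suite:
    name: str
    iv_len: int
    pad_to: int


AES256_CBC_SHA256 = Suite("AES256-CBC + HMAC-SHA256", iv_len=16, pad_to=16)
AES256_GCM = Suite("AES256-GCM", iv_len=8, pad_to=4)


def esp_wire_size(inner_len: int, suite: Suite, nat_t: bool = True) -> int:
    """Bytes placed on the wire for one inner IP packet of inner_len bytes."""
    # RFC 4303: inner packet + padding + trailer must align to the cipher block
    # size (CBC) or to 4 bytes (GCM); the ICV follows that aligned region.
    pad = (-(inner_len + ESP_TRAILER)) % suite.pad_to
    esp_len = ESP_HDR + suite.iv_len + inner_len + pad + ESP_TRAILER + ICV
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp_len


def goodput_mbps(wire_mbps: float, inner_len: int, suite: Suite, nat_t: bool = True) -> float:
    """Inner-packet throughput a tunnel delivers when its wire side is saturated."""
    return wire_mbps * inner_len / esp_wire_size(inner_len, suite, nat_t)


if __name__ == "__main__":
    # Compare goodput on a 100 Mbps tunnel (the VpnGw1 per-tunnel figure above).
    for inner_len in (64, 256, 512, 1400):
        for suite in (AES256_CBC_SHA256, AES256_GCM):
            wire = esp_wire_size(inner_len, suite)
            print(f"{suite.name:26} inner={inner_len:5} wire={wire:5} "
                  f"efficiency={inner_len / wire:6.1%} "
                  f"goodput={goodput_mbps(100, inner_len, suite):6.1f} Mbps")
```

Running it shows 64-byte packets delivering well under half of the tunnel's wire rate as goodput, while 1400-byte packets deliver over 90 percent, which is why iPerf3 results with default (large) segments overstate what a small-packet application will see.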
Latency Impact
Latency is a critical factor, especially for real-time applications. While VPN encryption adds some processing delay, the primary source of latency is the physical distance and network hops between endpoints.
- Geographic Proximity: Deploying Azure resources in regions closer to your on-premises locations reduces latency.
- Network Path: The quality and number of hops in the internet path between Azure and your premises will impact latency.
- Jumbo Frames: If supported and configured end-to-end, jumbo frames (MTU > 1500) can reduce overhead and potentially improve performance for large transfers, but require careful configuration.
Monitoring Performance
Azure Monitor provides key metrics to help you track VPN Gateway performance:
- Total Bytes In/Out: Monitor the overall data transfer volume.
- Tunnel Bytes In/Out: Track data transfer per tunnel.
- Tunnel Packet Count: Observe packet activity.
- CPU Utilization: High CPU can indicate an overloaded gateway.
You can configure alerts based on these metrics to proactively address performance bottlenecks.
Best Practices for Performance
- Plan for Growth: Select an initial SKU that accommodates anticipated future bandwidth requirements.
- Secure Configuration: Use strong encryption and authentication settings (e.g., AES256, SHA256, and Perfect Forward Secrecy (PFS)).
- Test Thoroughly: Always test performance after making configuration changes or deploying new workloads.
- Understand Your Traffic: Profile your network traffic to identify peak usage times and bandwidth demands.
- Consult On-Premises Device Documentation: Ensure your on-premises VPN devices are configured to match Azure's IPsec/IKE parameters and that they can handle the expected load.