Azure VPN Gateway Documentation
Azure VPN Gateway provides secure, cross-premises connectivity to Azure. It enables you to send encrypted traffic between your on-premises networks and Azure, or between different Azure virtual networks.
Introduction to VPN Gateway
Azure VPN Gateway is a managed service that allows you to create and manage secure VPN tunnels. It supports two main types of VPN connections:
- Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure virtual network (VNet).
- Point-to-Site (P2S) VPN: Connects an individual client device to an Azure VNet.
- VNet-to-VNet VPN: Connects two or more Azure VNets together securely.
VPN Gateway is crucial for hybrid cloud scenarios, allowing seamless integration of your on-premises infrastructure with Azure resources.
Key Features and Benefits
- Secure Connectivity: Utilizes industry-standard IPsec/IKE protocols for encryption.
- High Availability: Offers active-active and active-standby configurations for resilience.
- Scalability: Supports various gateway SKUs to meet different throughput requirements.
- Hybrid Cloud Enablement: Facilitates secure access to Azure resources from anywhere.
- Global Reach: Connect your networks across Azure regions and on-premises locations.
Types of VPN Gateways
Basic Gateway
The Basic SKU is a cost-effective option for development and testing environments. It has limitations on throughput and features.
VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5 (and their AZ variants)
These SKUs offer progressively higher performance and features, suitable for production workloads of varying scales. AZ variants provide zone redundancy for higher availability.
Basic, VpnGw1, VpnGw2, VpnGw3 (for VNet-to-VNet)
Specific SKUs are recommended for VNet-to-VNet connections, ensuring optimal performance and compatibility.
Site-to-Site (S2S) VPN Connection
This connection type is used to connect your on-premises network to your Azure virtual network.
Prerequisites
- An Azure Virtual Network (VNet).
- A compatible on-premises VPN device.
- A public IP address for your on-premises VPN device.
Configuration Steps:
- Create a VPN Gateway resource in Azure.
- Configure a Local Network Gateway to represent your on-premises network.
- Create a Connection resource to link the VPN Gateway and Local Network Gateway.
- Configure your on-premises VPN device to match the settings of the Azure VPN Gateway.
Point-to-Site (P2S) VPN Connection
This connection type allows individual client devices to connect securely to your Azure VNet.
Authentication Methods:
- Azure Active Directory (Azure AD): Provides integrated authentication.
- Certificate-based: Uses client certificates for authentication.
- SSTP: Uses SSL/TLS to tunnel VPN traffic over HTTPS.
Configuration Steps:
- Create a VPN Gateway with P2S configuration enabled.
- Configure authentication settings (e.g., root certificates, Azure AD settings).
- Generate and distribute client VPN configuration packages to users.
VNet-to-VNet VPN Connection
Securely connect two or more Azure VNets. This is useful for segmenting workloads or connecting VNets in different regions.
Key Considerations:
- Each VNet requires its own VPN Gateway.
- Connections are established between the VPN Gateways of the respective VNets.
- Ensure IP address spaces do not overlap between connected VNets.
High Availability and Disaster Recovery
Azure VPN Gateway offers several options for ensuring service continuity:
- Active-Standby: One gateway instance is active, the other is on standby. If the active instance fails, the standby takes over.
- Active-Active: Both gateway instances are active simultaneously, providing higher throughput and immediate failover.
- Zone Redundancy: Gateway SKUs with 'AZ' in their name offer availability zone support, distributing gateway instances across multiple availability zones within a region for enhanced resilience.
Monitoring and Troubleshooting
Azure Monitor provides comprehensive tools for monitoring your VPN Gateway:
- Metrics: Track gateway health, traffic throughput, and tunnel status.
- Logs: Analyze connection logs, diagnostic logs, and BGP logs for troubleshooting.
- Network Watcher: Utilize tools like Connection Troubleshoot and IP Flow Verify.
Pricing and SKUs
The cost of Azure VPN Gateway depends on the selected SKU, connection hours, and data transfer. Refer to the official Azure pricing page for the most up-to-date information.
Choosing the right SKU is crucial for balancing performance, features, and cost.
Best Practices
- Plan your IP address spaces carefully to avoid conflicts.
- Use strong shared keys and enable IKEv2 for enhanced security.
- Configure BGP for dynamic routing and efficient management of large networks.
- Implement robust monitoring and alerting.
- Keep your VPN device firmware up-to-date.