Virtual Network Gateways

Azure Virtual Network gateways are used to send encrypted traffic between your Azure Virtual Network and your on-premises location or between Azure Virtual Networks. They are also used for Azure VPNs, ExpressRoute circuits, and as a gateway for features like Virtual WAN.

Types of Virtual Network Gateways

There are two main types of virtual network gateways:

VPN Gateway: Provides connectivity between a virtual network and other networks, either on-premises or other Azure VNets.
ExpressRoute Gateway: Provides connectivity between an Azure Virtual Network and your on-premises network via ExpressRoute circuits.

Key Components and Concepts

Gateway Subnet

A virtual network gateway must reside in a dedicated subnet within your virtual network named GatewaySubnet. This subnet is specifically reserved for the gateway service. Do not deploy any other resources into the GatewaySubnet.

Important: The GatewaySubnet must be named exactly GatewaySubnet. Its address prefix must be large enough to accommodate the IP addresses required by the gateway instances.

Gateway Type

When creating a virtual network gateway, you need to specify the gateway type:

Vpn: For VPN connectivity.
ExpressRoute: For ExpressRoute connectivity.

VPN Type

For VPN gateways, you can choose from several VPN types, depending on your connectivity needs:

PolicyBased: Used for site-to-site VPNs with specific IPsec policies.
RouteBased: More flexible and commonly used for site-to-site, VNet-to-VNet, and Point-to-Site connections.

Creating a Virtual Network Gateway

You can create a virtual network gateway using the Azure portal, Azure CLI, or Azure PowerShell.

Using Azure CLI

Here's an example of how to create a VPN gateway using the Azure CLI:

az network vnet-gateway create \
    --name MyVpnGateway \
    --resource-group MyResourceGroup \
    --location eastus \
    --public-ip-address MyVpnGatewayPip \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --vnet MyVnet \
    --sku VpnGw1

Common Use Cases

Site-to-Site VPN: Securely connect your on-premises network to Azure.
VNet-to-VNet Connection: Connect two or more Azure VNets for seamless communication.
Point-to-Site VPN: Allow individual clients to connect to your Azure VNet remotely.
ExpressRoute: Establish private, high-bandwidth connections between your datacenter and Azure.

Pro Tip: For high availability, consider deploying your virtual network gateways in an active-active configuration. This provides redundancy and automatic failover.

Managing Virtual Network Gateways

Azure provides extensive tools for monitoring and managing your virtual network gateways. You can view their status, performance metrics, connection status, and configure various settings through the Azure portal.

Troubleshooting

Common issues with virtual network gateways often relate to:

Incorrectly configured GatewaySubnet.
IP address conflicts.
Firewall rules blocking traffic.
Mismatched IPsec/IKE policies for VPN connections.

Refer to the Azure documentation for detailed troubleshooting guides specific to your scenario.

Feature	Description	Use Case
VPN Gateway	Secure encrypted connection over public internet.	Site-to-Site, VNet-to-VNet, P2S VPN.
ExpressRoute Gateway	Private, dedicated connection from on-premises to Azure.	High-throughput, low-latency connectivity.