About Azure VPN Gateway connections
This article describes the different types of connections that you can create with an Azure VPN gateway. VPN gateways are used to send encrypted traffic between your on-premises networks and Azure over the public Internet. They can also be used to send encrypted traffic between Azure virtual networks.
Connection Types
Azure VPN gateway supports several types of connections:
- Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure virtual network. This is a common scenario for hybrid cloud deployments.
- Point-to-Site (P2S) VPN: Connects an individual client device to an Azure virtual network. This is often used for remote employees or for connecting to test environments.
- Network-to-Network (N2N) VPN: Connects two Azure virtual networks together. This is useful for creating complex network topologies across different regions or subscriptions.
- ExpressRoute: While not strictly a VPN connection, ExpressRoute provides a private, dedicated connection between your on-premises network and Azure, bypassing the public Internet. It offers higher bandwidth and lower latency compared to VPN connections.
Site-to-Site (S2S) VPN Details
A Site-to-Site VPN connection requires:
- An Azure VPN gateway in your virtual network.
- A compatible VPN device on your on-premises network.
- A public IP address for your on-premises VPN device.
- Configuration on both the Azure VPN gateway and your on-premises VPN device, including shared keys or certificates.
S2S VPN can be configured as:
- Policy-based VPN: Simpler to configure, but encrypts only traffic between specific, statically defined IP address prefixes.
- Route-based VPN: More flexible, uses dynamic routing protocols to determine traffic flow and supports more complex scenarios. This is the recommended type for most S2S connections.
Point-to-Site (P2S) VPN Details
P2S VPN allows individual clients to connect securely to your Azure virtual network. It supports two authentication methods:
- Azure certificate authentication: Uses client certificates for authentication.
- RADIUS authentication: Integrates with your existing RADIUS infrastructure for centralized authentication.
P2S VPN connections can use:
- SSL/TLS VPN: A widely supported protocol that is generally easier to configure and traverses NAT devices more readily.
- IKEv2 VPN: A more robust protocol that can offer better performance and stability, especially for mobile clients.
Network-to-Network (N2N) VPN Details
N2N VPN connections are used to connect two Azure virtual networks. This can be achieved by:
- Creating separate VPN gateways in each virtual network and configuring an S2S VPN connection between them.
- Using a transit topology where a hub virtual network contains the VPN gateway that connects to spoke virtual networks.
This is crucial for scenarios where you need to isolate workloads across different virtual networks but still require them to communicate securely.
Considerations for VPN Gateway Connections
- Bandwidth: The throughput of your VPN connection is limited by the SKU of your VPN gateway and the bandwidth of your on-premises internet connection.
- Latency: Latency will be affected by the geographical distance between your on-premises network and the Azure region, as well as the number of hops across the internet.
- Redundancy: For high availability, Azure VPN gateways offer active-dynamic and active-active configurations.
- Security: Ensure you use strong encryption algorithms and authentication methods.
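The S2S configuration above is where the "strong encryption algorithms" consideration becomes concrete: a custom IPsec/IKE policy on the connection. As an added example that is not part of the original article and not Azure tooling, the following Python reviews such a policy before it is applied. It assumes the policy is expressed with the ARM ipsecPolicies field names (ikeEncryption, ikeIntegrity, dhGroup, ipsecEncryption, ipsecIntegrity, pfsGroup, saLifeTimeSeconds), and the set of values it treats as weak is this example's own baseline.

```python
"""Review an Azure S2S custom IPsec/IKE policy for weak settings.
Field names follow the ARM ``ipsecPolicies`` schema (assumed here); the
weak-value baseline is this example's own, not an Azure-published list."""

# Algorithms and groups this example refuses outright.
WEAK = {
    "ikeEncryption": {"DES", "DES3"},
    "ikeIntegrity": {"MD5", "SHA1"},
    "dhGroup": {"None", "DHGroup1", "DHGroup2"},
    "ipsecEncryption": {"None", "DES", "DES3"},
    "ipsecIntegrity": {"MD5", "SHA1"},
    "pfsGroup": {"None", "PFS1", "PFS2"},
}
GCM_SUITES = {"GCMAES128", "GCMAES192", "GCMAES256"}
MAX_SA_LIFETIME_SECONDS = 27000  # example baseline for the rekey interval

def review_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    for field, weak_values in WEAK.items():
        value = policy.get(field)
        if value is None:
            findings.append(f"{field}: not set")
        elif value in weak_values:
            findings.append(f"{field}: {value} is weak")
    # GCM is an AEAD cipher: encryption and integrity of the same phase must
    # name the identical GCMAES suite, otherwise the pair is not valid.
    for enc, integ in (("ikeEncryption", "ikeIntegrity"),
                       ("ipsecEncryption", "ipsecIntegrity")):
        e, i = policy.get(enc), policy.get(integ)
        if (e in GCM_SUITES or i in GCM_SUITES) and e != i:
            findings.append(f"{enc}/{integ}: GCM suite mismatch ({e} vs {i})")
    # Long SA lifetimes widen the window a single leaked session key covers.
    lifetime = int(policy.get("saLifeTimeSeconds", 0))
    if lifetime > MAX_SA_LIFETIME_SECONDS:
        findings.append(f"saLifeTimeSeconds: {lifetime} exceeds baseline")
    return findings

# Constructed sample policies, not taken from any real deployment.
HARDENED_POLICY = {
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA384", "dhGroup": "ECP384",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256",
    "pfsGroup": "ECP384", "saLifeTimeSeconds": 27000,
}
LEGACY_POLICY = {
    "ikeEncryption": "DES3", "ikeIntegrity": "SHA1", "dhGroup": "DHGroup2",
    "ipsecEncryption": "AES256", "ipsecIntegrity": "GCMAES256",
    "pfsGroup": "None", "saLifeTimeSeconds": 86400,
}
```

Running review_policy on LEGACY_POLICY reports the 3DES/SHA1/DHGroup2 choices, the missing PFS, the GCM mismatch between ipsecEncryption and ipsecIntegrity, and the long SA lifetime, while HARDENED_POLICY passes clean.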