Home > Virtual Networks > Connectivity > VPN Gateway

Azure VPN Gateway

Note: Azure VPN Gateway allows you to send encrypted traffic between your on-premises networks and your Azure Virtual Network (VNet) through the public internet. You can also send encrypted traffic between Azure VNets.

This document provides a comprehensive overview of Azure VPN Gateway, its capabilities, and how to implement it for secure hybrid cloud connectivity.

What is Azure VPN Gateway?

Azure VPN Gateway is a managed service that provides a secure and reliable way to connect your on-premises infrastructure to Azure. It supports various connectivity scenarios, including:

Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure VNet. This is ideal for hybrid cloud scenarios where you need to extend your datacenter to Azure.
Point-to-Site (P2S) VPN: Connects individual client devices to your Azure VNet. This is useful for remote workers who need to access Azure resources securely.
Network-to-Network (N2N) VPN: Connects multiple Azure VNets together.

Key Features

High Availability: VPN Gateway offers active-active and active-standby configurations for increased reliability.
Scalability: Various SKUs are available to meet different performance and throughput requirements.
Global Reach: Connect to your Azure resources from anywhere in the world.
Security: Supports robust encryption protocols like IKEv2 and IPsec.
Policy-Based and Route-Based VPNs: Offers flexibility in how you define your VPN tunnels.

Connectivity Scenarios

Site-to-Site (S2S) VPN

S2S VPN establishes a secure tunnel between your on-premises VPN device and your Azure VPN Gateway. This allows your on-premises machines to communicate with resources in your Azure VNet as if they were on the same network.

Figure 1: Azure Site-to-Site VPN connectivity.

For detailed configuration steps, refer to the Site-to-Site VPN Configuration Guide.

Point-to-Site (P2S) VPN

P2S VPN allows individual clients to connect to your Azure VNet. This is typically used for remote access scenarios where users need secure access to cloud resources from their laptops or desktops.

Figure 2: Azure Point-to-Site VPN connectivity.

Learn more about configuring P2S VPN in our Point-to-Site VPN Configuration Guide.

Network-to-Network (N2N) VPN

Connecting multiple Azure VNets using VPN Gateway provides a secure way to share resources and data across different virtual networks within Azure.

VPN Gateway SKUs

Azure VPN Gateway offers various SKUs, each with different performance characteristics, capabilities, and pricing. Choosing the right SKU depends on your throughput requirements and desired features. Common SKUs include:

Basic
VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5
VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ (Zone-redundant SKUs)

Consult the VPN Gateway SKU Comparison for a detailed breakdown of each SKU.

Configuration Best Practices

Plan your IP Addressing: Ensure non-overlapping IP address spaces between your on-premises network and Azure VNets.
Choose the Right SKU: Select a SKU that meets your performance and availability needs.
Implement Network Security Groups (NSGs): Use NSGs to control traffic flow to and from your VPN gateway and other resources.
Monitor Performance: Regularly monitor VPN gateway performance metrics for potential bottlenecks.

Important: Ensure your on-premises VPN device is compatible with Azure VPN Gateway and supports the required protocols and encryption algorithms. A list of compatible devices can be found here.

Related Resources

Azure ExpressRoute - For dedicated, high-bandwidth private connections.
Network Security Groups - For granular network traffic filtering.
Azure Firewall - For centralized network security management.