Virtual WAN VPN Gateway

This document provides comprehensive details about configuring and managing VPN gateways within Azure Virtual WAN. VPN gateways are essential components that enable secure and reliable connectivity between your on-premises networks and Azure, or between different Azure regions.

Overview

Azure Virtual WAN offers a highly scalable and global networking solution. VPN gateways in Virtual WAN act as the termination point for Site-to-Site VPN connections. They are managed by Microsoft and provide high availability and performance for your network connections.

Key Features

Deployment and Configuration

When you create a Virtual WAN hub, you can optionally deploy a VPN gateway. You can choose between a basic SKU for smaller deployments or a standard SKU for higher performance and features. The standard SKU offers active-active deployment and higher tunnel counts.

Steps to Create a VPN Gateway:

  1. Navigate to your Virtual WAN resource in the Azure portal.
  2. Select "VPN gateways" from the hub menu.
  3. Click "Create VPN gateway".
  4. Configure the gateway settings:
    • Gateway type: VPN.
    • SKU: Basic, VpnGw1, VpnGw2, etc.
    • Scale Unit: Determines the capacity.
    • Region: Should match your hub's region.
    • AS Number: Autonomous System number for BGP peering.
  5. Click "Review + create" and then "Create".
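
The same steps can be scripted so the settings are checked before anything is deployed. The following is an added example, not code from the original page or from Microsoft: it validates the Region, Scale Unit and AS Number settings from step 4 and builds the matching Azure CLI call. It assumes the Azure CLI with the virtual-wan extension; the function names are hypothetical and the resource names are placeholders.

```shell
#!/bin/sh
# Added example, not Microsoft's code. Resource names are placeholders.
# Requires the Azure CLI "virtual-wan" extension when DRY_RUN=0.

# Lower-case a region name and drop spaces so "West Europe" == "westeurope".
norm_region() { printf '%s' "$1" | tr -d ' ' | tr '[:upper:]' '[:lower:]'; }

# True if $1 is a decimal integer between $2 and $3 (at most 10 digits).
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 10 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# create_vpngw RG HUB HUB_REGION GW_NAME GW_REGION SCALE_UNIT ASN
# HUB_REGION can be read with:
#   az network vhub show -g RG -n HUB --query location -o tsv
create_vpngw() {
  [ "$#" -eq 7 ] || { echo "create_vpngw: expected 7 arguments" >&2; return 2; }
  rg=$1; hub=$2; gw=$4; scale=$6; asn=$7
  hub_region=$(norm_region "$3"); gw_region=$(norm_region "$5")

  # Step 4, Region: the gateway region should match the hub's region.
  [ "$gw_region" = "$hub_region" ] ||
    { echo "region '$5' does not match hub region '$3'" >&2; return 1; }
  # Step 4, Scale Unit: positive integer (999 is an arbitrary sanity cap,
  # not an Azure limit).
  in_range "$scale" 1 999 ||
    { echo "scale unit must be a positive integer" >&2; return 1; }
  # Step 4, AS Number: must fit the 32-bit ASN space.
  in_range "$asn" 1 4294967295 ||
    { echo "ASN must be 1..4294967295" >&2; return 1; }

  set -- az network vpn-gateway create --resource-group "$rg" --vhub "$hub" \
    --name "$gw" --location "$hub_region" --scale-unit "$scale" --asn "$asn"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "$*"            # print for review; nothing is sent to Azure
  else
    "$@"                 # run the deployment
  fi
}
```

With DRY_RUN unset or set to 1 the function only prints the command, which makes it suitable for a change-review step; set DRY_RUN=0 to run the deployment.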

Connecting to On-Premises Networks

To connect your on-premises network, you'll need to configure a VPN device at your site. This involves defining the connection parameters such as:

You will then create a "Site-to-Site VPN connection" in your Virtual WAN hub, referencing your on-premises VPN device information. Azure will provide you with the gateway IP addresses and the necessary configurations to set up on your VPN device.

Important Note:

Ensure your on-premises VPN device is compatible with Azure VPN Gateway and supports the configured IPsec/IKE parameters. Refer to the Azure VPN device compatibility list for guidance.

BGP Peering

For dynamic route exchange, Virtual WAN VPN gateways support Border Gateway Protocol (BGP). This allows for automatic propagation of routes between your on-premises network and Azure. When creating a VPN gateway with a standard SKU, you can configure a BGP ASN and peers. The gateway will typically have a private IP address assigned for BGP peering.

BGP Configuration Details:

Monitoring and Troubleshooting

Azure Monitor provides extensive capabilities for monitoring the health and performance of your VPN gateways. You can view metrics such as:

For troubleshooting, you can leverage connection diagnostics, IP flow verify, and VPN connection monitor features available in Azure. Logs can be exported to Log Analytics for deeper analysis.

Pricing

The pricing for Virtual WAN VPN gateways depends on the SKU selected, the number of deployed gateways, and the amount of data processed. For detailed pricing information, please refer to the Azure Virtual WAN pricing page.

Pro Tip:

For optimal performance and reliability, consider using the standard SKU with active-active configuration for your production workloads.

Feature              Basic SKU     Standard SKU (e.g., VpnGw1)
Max Tunnels          10            30 (VpnGw1), 120 (VpnGw3)
Max Throughput       ~100 Mbps     ~650 Mbps (VpnGw1), ~2 Gbps (VpnGw5)
Active-Active Mode   No            Yes
BGP Support          No            Yes

For the most up-to-date information and advanced configuration options, please consult the official Azure Virtual WAN documentation.