Introduction to Azure VPN Gateway
Azure VPN Gateway is a service that you use to send encrypted traffic between your on-premises networks and Azure over the public Internet. It can also be used to send encrypted traffic between virtual networks in Azure.
VPN Gateway is a component of Azure networking that enables you to:
- Connect on-premises networks to Azure virtual networks.
- Connect Azure virtual networks to each other.
- Reach Azure PaaS services such as Azure Storage privately from on-premises when they are exposed through a private endpoint in the VNet. The gateway does not connect to Azure Active Directory itself; Azure AD is instead an authentication option for P2S clients.
Key Features
- Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure virtual network.
- Point-to-Site (P2S) VPN: Connects individual client devices to an Azure virtual network.
- VNet-to-VNet VPN: Connects two Azure virtual networks through an IPsec tunnel.
- High Availability: Active-standby or active-active configurations for robust connectivity.
- Scalability: Supports various throughput levels to meet different workload demands.
- Protocol Support: IPsec/IKE for S2S and VNet-to-VNet connections (IKEv2 on route-based gateways, IKEv1 on policy-based gateways and on route-based gateways above the Basic SKU); P2S clients can use IKEv2, OpenVPN or SSTP.
Azure VPN Gateway Types
Azure VPN Gateway offers several SKUs, each with different performance levels, features, and connection limits. Understanding these is crucial for choosing the right gateway for your needs.
Basic SKU
Provides basic VPN functionality for development, testing and other non-production workloads; it is a legacy SKU with low throughput and without BGP or zone redundancy.
VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5 SKUs
Offer increasing levels of performance, connection limits, and features for production workloads.
VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ SKUs
Zone-redundant versions of the standard SKUs, providing higher availability by distributing the gateway across availability zones.
For detailed specifications, refer to the Azure VPN Gateway pricing and SLA page.
Planning Your VPN Gateway Deployment
Before deploying, consider the following:
- Connectivity Requirements: What needs to connect to Azure (e.g., on-premises datacenter, branch offices, individual users)?
- Throughput Requirements: Estimate the expected network traffic.
- High Availability Needs: Is an active-standby or active-active configuration required?
- IP Addressing: Plan your on-premises and Azure virtual network IP address spaces to avoid conflicts.
- Gateway SKU: Choose the appropriate SKU based on performance and feature requirements.
Deployment Guide
Deploying an Azure VPN Gateway typically involves these steps:
- Create a Virtual Network (VNet): Ensure you have a VNet in Azure with an appropriate address space.
- Create a Gateway Subnet: This is a dedicated subnet within your VNet. It must be named exactly GatewaySubnet, and a prefix of /27 or larger is recommended (a smaller subnet limits what the gateway can do later, for example active-active or coexistence with ExpressRoute). Do not place other resources in it.
- Create the VPN Gateway: Choose the gateway type (VPN), the VPN type (route-based or policy-based; route-based is the default and is required for IKEv2, BGP and P2S), the region, and the desired SKU. Provisioning takes up to about 45 minutes.
- Configure the Local Network Gateway: Represents your on-premises network, including its public IP address and address space.
- Create a Connection: Establish a connection resource linking the VPN Gateway to the Local Network Gateway (for S2S).
- Configure your on-premises VPN device: Ensure compatibility and set up matching IPsec parameters.
For detailed step-by-step instructions, see the official Azure VPN Gateway deployment guide.
Basic Configuration Example (S2S VPN)
Here's a simplified example of creating a VPN Gateway and a connection using Azure CLI:
# Create a resource group
az group create --name MyResourceGroup --location eastus
# Create a virtual network
az network vnet create --resource-group MyResourceGroup --name MyVNet --address-prefixes 10.1.0.0/16 --location eastus
# Create the gateway subnet (must be named GatewaySubnet; /27 or larger)
az network vnet subnet create --resource-group MyResourceGroup --vnet-name MyVNet --name GatewaySubnet --address-prefixes 10.1.255.0/27
# Create a public IP address for the VPN gateway (VpnGw SKUs require a Standard SKU, static address)
az network public-ip create --resource-group MyResourceGroup --name VpnGw1-IP --location eastus --sku Standard --allocation-method Static
# Create the VPN gateway (route-based). Provisioning takes up to 45 minutes; --no-wait returns immediately.
# BGP stays disabled unless you pass --asn.
az network vnet-gateway create --resource-group MyResourceGroup --name VpnGw1 --public-ip-address VpnGw1-IP --location eastus --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --vnet MyVNet --no-wait
# Block until the gateway is fully provisioned before creating connections against it
az network vnet-gateway wait --resource-group MyResourceGroup --name VpnGw1 --created
# Create a Local Network Gateway (representing your on-prem VPN device and address space)
az network local-gateway create --resource-group MyResourceGroup --name OnPremLocalGateway --gateway-ip-address YOUR_ONPREM_PUBLIC_IP --local-address-prefixes YOUR_ONPREM_ADDRESS_SPACE --location eastus
# Create the connection. Read the pre-shared key from an environment variable so the secret itself is not typed on the command line (and into shell history)
az network vpn-connection create --resource-group MyResourceGroup --name S2SConnection --vnet-gateway1 VpnGw1 --local-gateway2 OnPremLocalGateway --shared-key "$SHARED_KEY" --location eastus
Replace the placeholders YOUR_ONPREM_PUBLIC_IP and YOUR_ONPREM_ADDRESS_SPACE with your actual values, and set SHARED_KEY to a randomly generated key before running the last command. Note that az network vpn-gateway is a different command group that manages Virtual WAN VPN gateways; a VNet VPN gateway is managed with az network vnet-gateway.
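The address-space and gateway-subnet rules above can be checked before anything is created, which is cheaper than waiting 45 minutes for a gateway only to find the on-premises range overlaps the VNet. The following Python script is an added example, not part of the Azure documentation or the Azure CLI. The 10.1.0.0/16 VNet, 10.1.255.0/27 gateway subnet, 203.0.113.10 device address and 10.10.0.0/16 on-premises range are constructed sample values, and the pre-shared key generator is this example's suggestion for producing the value passed as --shared-key.

```python
"""Offline pre-flight checks for an Azure S2S VPN gateway plan.

Added example; not Microsoft code. All sample addresses below are
constructed for illustration.
"""
import ipaddress
import secrets

GATEWAY_SUBNET_NAME = "GatewaySubnet"  # Azure requires exactly this name
MIN_GATEWAY_PREFIXLEN = 27             # /27 or larger (a larger prefix length is a smaller subnet)

# Ranges that can never be the public address of an on-premises VPN device
# (RFC 1918, carrier-grade NAT, loopback, link-local). Kept explicit rather
# than using ipaddress.is_global so documentation ranges stay usable in tests.
NON_PUBLIC_RANGES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")
]


def check_plan(vnet_prefixes, subnet_name, gateway_subnet,
               onprem_device_ip, onprem_prefixes):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    vnets = [ipaddress.ip_network(p, strict=True) for p in vnet_prefixes]
    gateway = ipaddress.ip_network(gateway_subnet, strict=True)
    onprem = [ipaddress.ip_network(p, strict=True) for p in onprem_prefixes]
    device = ipaddress.ip_address(onprem_device_ip)

    if subnet_name != GATEWAY_SUBNET_NAME:
        problems.append(f"gateway subnet must be named {GATEWAY_SUBNET_NAME!r}, got {subnet_name!r}")
    if gateway.prefixlen > MIN_GATEWAY_PREFIXLEN:
        problems.append(f"gateway subnet {gateway} is smaller than /{MIN_GATEWAY_PREFIXLEN}")
    if not any(gateway.subnet_of(v) for v in vnets):
        problems.append(f"gateway subnet {gateway} is not inside any VNet prefix")
    # The local network gateway address is the device's public IP, so it must not be a private range.
    if any(device in r for r in NON_PUBLIC_RANGES):
        problems.append(f"on-prem device address {device} is not a public IP")
    # Overlapping address spaces cannot be routed across the tunnel.
    for v in vnets:
        for o in onprem:
            if v.overlaps(o):
                problems.append(f"VNet prefix {v} overlaps on-prem prefix {o}")
    return problems


def new_shared_key(nbytes=32):
    """Generate a random pre-shared key: 256 bits from the OS CSPRNG, URL-safe characters."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample matching the CLI walkthrough above.
    issues = check_plan(["10.1.0.0/16"], "GatewaySubnet", "10.1.255.0/27",
                        "203.0.113.10", ["10.10.0.0/16"])
    print("plan OK" if not issues else "\n".join(issues))
    print("export SHARED_KEY=" + new_shared_key())
```

Run it with your own prefixes before the az commands; a non-empty problem list means the deployment would come up but the tunnel would not carry traffic (overlap), or would fail to create at all (subnet name or size).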
Troubleshooting Common Issues
- Connection Status: Check the "Connection Status" in the Azure portal. If it shows "Not Connected" or "Unknown", investigate further.
- IPsec/IKE Parameters: Ensure that the IPsec/IKE parameters on your on-premises VPN device match those configured for the Azure VPN Gateway.
- Firewall Rules: Verify that no firewall or NAT device on-premises (or an NSG on the Azure side) is blocking VPN traffic: UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) must be able to reach the gateway's public IP.
- Route Tables: Check if routing is correctly configured in both Azure and your on-premises network.
- Shared Key Mismatch: The shared key must be identical on both ends of the tunnel.
Use Azure Network Watcher's VPN Troubleshoot feature for guided diagnostics.
Performance Tuning and Best Practices
To maximize performance and reliability:
- Choose the Right SKU: Select a gateway SKU that meets your throughput requirements.
- Enable BGP: For complex network topologies and dynamic routing, consider enabling Border Gateway Protocol (BGP).
- Monitor Gateway Metrics: Regularly monitor CPU usage, bandwidth, and active connections.
- Active-Active Gateways: For critical workloads, deploy an active-active gateway configuration for higher availability and increased throughput.
- Ensure Sufficient Bandwidth: Both on your on-premises network and within Azure.
Security Best Practices
- Strong Shared Keys: Generate the pre-shared key randomly (32 or more characters from a CSPRNG) rather than choosing it by hand, use a different key per connection, keep it in Azure Key Vault or your secrets store instead of scripts and shell history, and rotate it on a schedule.
- IPsec/IKE Policies: Set a custom IPsec/IKE policy on each connection instead of relying on the defaults, which still accept legacy proposals such as 3DES, SHA1 and DH group 2 for interoperability. Pin AES-256 or AES-GCM for encryption, SHA-256 or SHA-384 for integrity, DH group 14 or an ECP group for key exchange, and enable PFS; configure the same policy on the on-premises device.
- Network Security Groups (NSGs): Do not attach an NSG to GatewaySubnet; this is unsupported and can cause the gateway to stop functioning. Apply NSGs to the workload subnets behind the gateway to restrict what on-premises traffic may reach, and use route tables (UDRs) to send tunnel traffic through Azure Firewall or a network virtual appliance if you need inspection.
- Regularly Update Devices: Keep your on-premises VPN devices firmware up-to-date.
- Principle of Least Privilege: Grant only necessary permissions for managing VPN Gateway resources.
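Here is what a strong IPsec/IKE policy looks like in practice, as an added Python example (not Microsoft's code). The algorithm names are the values accepted by az network vpn-connection ipsec-policy add; which algorithms are treated as weak, the two sample policies, the lifetime limits and the rendered command are this example's own choices. The legacy proposal mirrors the older algorithms (3DES, SHA1, DH group 2, no PFS) that the default policy set still accepts for interoperability; the hardened policy is what a custom policy should pin, and the validator also enforces the documented rule that GCM encryption for IPsec must be paired with the same GCM algorithm for integrity.

```python
"""Validate a custom IPsec/IKE policy and render the Azure CLI call for it.

Added example, not Microsoft code. Algorithm names match the choices the
Azure CLI accepts for `az network vpn-connection ipsec-policy add`; the
weak sets, sample policies and limits are this example's own reading of
the Azure documentation (assumptions, not an Azure API).
"""

# Algorithms this check refuses: DES/3DES and MD5/SHA1 are obsolete, DH
# groups 1 and 2 (768/1024-bit MODP) are too small, and a PFS group of
# None disables perfect forward secrecy for the IPsec SA.
WEAK_ENCRYPTION = {"DES", "DES3", "None"}
WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"None", "DHGroup1", "DHGroup2"}
WEAK_PFS_GROUPS = {"None", "PFS1", "PFS2"}
MIN_SA_LIFETIME_SECONDS = 300   # documented lower bound for the IPsec SA lifetime
MIN_SA_SIZE_KB = 1024           # documented lower bound for the IPsec SA data size

# Constructed sample: the kind of proposal an old on-premises device might
# negotiate against Azure's default policy set.
LEGACY_POLICY = {
    "ike_encryption": "DES3", "ike_integrity": "SHA1", "dh_group": "DHGroup2",
    "ipsec_encryption": "DES3", "ipsec_integrity": "SHA1", "pfs_group": "None",
    "sa_lifetime": 27000, "sa_max_size": 102400000,
}

# The policy to pin on the connection and mirror on the on-premises device.
HARDENED_POLICY = {
    "ike_encryption": "AES256", "ike_integrity": "SHA384", "dh_group": "DHGroup14",
    "ipsec_encryption": "GCMAES256", "ipsec_integrity": "GCMAES256", "pfs_group": "PFS2048",
    "sa_lifetime": 3600, "sa_max_size": 102400000,
}


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy passes every check."""
    problems = []
    for field, weak in (
        ("ike_encryption", WEAK_ENCRYPTION), ("ike_integrity", WEAK_INTEGRITY),
        ("dh_group", WEAK_DH_GROUPS), ("ipsec_encryption", WEAK_ENCRYPTION),
        ("ipsec_integrity", WEAK_INTEGRITY), ("pfs_group", WEAK_PFS_GROUPS),
    ):
        if policy[field] in weak:
            problems.append(f"{field}={policy[field]} is weak")
    # Azure rule: GCMAES for IPsec encryption requires the same GCMAES algorithm
    # and key length for IPsec integrity (the AEAD tag provides the integrity).
    enc = policy["ipsec_encryption"]
    if enc.startswith("GCMAES") and policy["ipsec_integrity"] != enc:
        problems.append(f"ipsec_integrity must be {enc} when ipsec_encryption is {enc}")
    if policy["sa_lifetime"] < MIN_SA_LIFETIME_SECONDS:
        problems.append(f"sa_lifetime below {MIN_SA_LIFETIME_SECONDS} seconds")
    if policy["sa_max_size"] < MIN_SA_SIZE_KB:
        problems.append(f"sa_max_size below {MIN_SA_SIZE_KB} KB")
    return problems


def render_cli(resource_group, connection_name, policy):
    """Build the Azure CLI command that applies the policy to an existing connection."""
    return (
        "az network vpn-connection ipsec-policy add"
        f" --resource-group {resource_group} --connection-name {connection_name}"
        f" --ike-encryption {policy['ike_encryption']} --ike-integrity {policy['ike_integrity']}"
        f" --dh-group {policy['dh_group']} --ipsec-encryption {policy['ipsec_encryption']}"
        f" --ipsec-integrity {policy['ipsec_integrity']} --pfs-group {policy['pfs_group']}"
        f" --sa-lifetime {policy['sa_lifetime']} --sa-max-size {policy['sa_max_size']}"
    )


if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        issues = validate_policy(policy)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
    print(render_cli("MyResourceGroup", "S2SConnection", HARDENED_POLICY))
```

Run the validator in the pipeline that creates the connection and refuse to apply a policy that returns problems; the same table of weak algorithms is a useful checklist when reviewing the configuration of the on-premises device, since the tunnel only negotiates proposals both sides allow.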