About VPN Gateways
Azure VPN Gateway is a service that is used to send encrypted traffic between your Azure Virtual Network and your on-premises networks or other Azure Virtual Networks. Azure VPN Gateway provides a secure and reliable connection for your hybrid cloud scenarios.
Key Features and Benefits
- Secure Connectivity: Establishes secure tunnels using IPsec/IKE protocols to protect your data in transit.
- Hybrid Cloud Enablement: Connects your on-premises infrastructure to Azure, creating a seamless hybrid environment.
- Site-to-Site VPN: Connects your on-premises network to an Azure Virtual Network.
- VNet-to-VNet VPN: Connects two Azure Virtual Networks, enabling secure communication between them, even across different regions.
- Point-to-Site VPN: Allows individual client devices to connect securely to an Azure Virtual Network.
- High Availability: Offers active-active and active-standby configurations for resilience.
- Scalability: Various gateway SKUs are available to meet different performance and throughput requirements.
Types of VPN Gateways
Azure offers different types of VPN gateways based on connectivity needs:
- Route-based VPN: Uses route-based IPsec, where the tunnel behaves as a virtual interface with any-to-any (0.0.0.0/0) traffic selectors and the routing table, static routes or BGP, decides what is sent through it. BGP is optional, not required. Route-based gateways are needed for VNet-to-VNet, Point-to-Site and multi-site connections and are recommended for all new deployments.
- Policy-based VPN: Encrypts only traffic that matches IPsec policies built from the address prefix combinations of the two networks. It supports IKEv1 only, a single Site-to-Site tunnel and no BGP, and is available only on the Basic SKU. Choose it only for legacy on-premises devices that cannot do route-based IPsec.
Gateway SKUs
VPN Gateways are available in different SKUs, each offering varying levels of performance, features, and connection limits:
- Basic: Entry-level SKU for testing and development. It has the lowest throughput and tunnel limits, no BGP support and no zone redundancy, and it is the only SKU that can be deployed as a policy-based gateway.
- VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5: Performance-optimized route-based SKUs for production workloads.
- VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ: Zone-redundant equivalents of the VpnGw SKUs for higher availability.
- There are no policy-based variants of the VpnGw or VpnGwAZ SKUs; policy-based VPN is limited to the Basic SKU.
Key Concepts
- Virtual Network Gateway: The resource in Azure that acts as the VPN device.
- Local Network Gateway: Represents your on-premises network infrastructure, including its IP address space and VPN device.
- Connection: The resource that defines the settings for the VPN tunnel between the Virtual Network Gateway and the Local Network Gateway (or another Virtual Network Gateway).
- IPsec/IKE: The protocols used to establish and secure the VPN tunnel.
Deployment Considerations
When deploying a VPN Gateway, consider the following:
- The gateway must reside in its own dedicated subnet named GatewaySubnet within your virtual network; /27 or larger is recommended, and nothing else (for example, VMs) should be deployed into that subnet.
- Choose the appropriate SKU based on your throughput requirements and the number of tunnels you need.
- Configure your on-premises VPN device to match the IPsec/IKE parameters defined in your Azure connection. If you set a custom IPsec/IKE policy on the connection, Azure proposes and accepts only those exact parameters, so any mismatch on the device leaves the tunnel down. Use a strong, randomly generated pre-shared key and avoid obsolete algorithms such as DES/3DES, MD5, SHA1 and DH groups 1 and 2.
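As a worked check of the points made in the Types, SKUs and Deployment Considerations sections (route-based versus policy-based limits, the GatewaySubnet rule, address-space overlap and IPsec/IKE parameter matching between Azure and the on-premises device), here is an added Python example. It is not part of this page or of Azure's own tooling. It assumes the parameter names used by `az network vpn-connection ipsec-policy add`, treats /29 as the smallest gateway subnet Azure accepts (an assumption; /27 is the documented recommendation), and all policy values and address ranges are constructed sample data.

```python
# Design checks for an Azure VPN Gateway site-to-site connection. Added example,
# not Azure documentation or product code; field names follow the options of
# `az network vpn-connection ipsec-policy add`, and all values are constructed.
from __future__ import annotations

import ipaddress
from dataclasses import asdict, dataclass

WEAK_ENCRYPTION = {"DES", "DES3"}
WEAK_INTEGRITY = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"DHGroup1", "DHGroup2", "None"}
WEAK_PFS_GROUPS = {"PFS1", "PFS2", "PFSMM", "None"}  # None disables PFS
MIN_SA_LIFETIME_SEC = 300   # floor Azure accepts for a custom policy
MIN_SA_DATA_KB = 1024
MIN_GATEWAY_PREFIXLEN = 29  # assumed floor; /27 is the documented recommendation


@dataclass(frozen=True)
class IpsecPolicy:
    ike_encryption: str
    ike_integrity: str
    dh_group: str
    ipsec_encryption: str
    ipsec_integrity: str
    pfs_group: str
    sa_lifetime_sec: int
    sa_data_kb: int


def check_gateway_type(vpn_type: str, sku: str, bgp: bool, tunnels: int) -> list[str]:
    """Policy-based gateways exist only on Basic and carry one S2S tunnel;
    the Basic SKU never supports BGP."""
    problems = []
    if vpn_type == "PolicyBased":
        if sku != "Basic":
            problems.append(f"PolicyBased requires the Basic SKU, got {sku}")
        if tunnels > 1:
            problems.append("PolicyBased gateways support a single S2S tunnel")
    if sku == "Basic" and bgp:
        problems.append("the Basic SKU does not support BGP")
    return problems


def check_gateway_subnet(name: str, prefix: str) -> list[str]:
    problems = []
    if name != "GatewaySubnet":
        problems.append(f"gateway subnet must be named GatewaySubnet, got {name!r}")
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen > MIN_GATEWAY_PREFIXLEN:
        problems.append(f"{prefix} is smaller than /{MIN_GATEWAY_PREFIXLEN}")
    elif net.prefixlen > 27:
        problems.append(f"{prefix} works, but /27 or larger is recommended")
    return problems


def check_address_spaces(vnet: list[str], onprem: list[str]) -> list[str]:
    """Overlapping prefixes make routing across the tunnel ambiguous."""
    local = [ipaddress.ip_network(p) for p in vnet]
    remote = [ipaddress.ip_network(p) for p in onprem]
    return [f"VNet {a} overlaps on-premises {b}"
            for a in local for b in remote if a.overlaps(b)]


def weak_settings(p: IpsecPolicy) -> list[str]:
    checks = [
        (p.ike_encryption in WEAK_ENCRYPTION, f"IKE encryption {p.ike_encryption} is obsolete"),
        (p.ike_integrity in WEAK_INTEGRITY, f"IKE integrity {p.ike_integrity} is weak"),
        (p.dh_group in WEAK_DH_GROUPS, f"DH group {p.dh_group} is too small"),
        (p.ipsec_encryption in WEAK_ENCRYPTION, f"IPsec encryption {p.ipsec_encryption} is obsolete"),
        (p.ipsec_integrity in WEAK_INTEGRITY, f"IPsec integrity {p.ipsec_integrity} is weak"),
        (p.pfs_group in WEAK_PFS_GROUPS, f"PFS group {p.pfs_group} gives weak or no forward secrecy"),
        (p.ipsec_encryption.startswith("GCMAES") and p.ipsec_integrity != p.ipsec_encryption,
         "GCMAES IPsec encryption requires the same GCMAES value for IPsec integrity"),
        (p.sa_lifetime_sec < MIN_SA_LIFETIME_SEC, f"SA lifetime {p.sa_lifetime_sec}s is below the minimum"),
        (p.sa_data_kb < MIN_SA_DATA_KB, f"SA data size {p.sa_data_kb} KB is below the minimum"),
    ]
    return [msg for failed, msg in checks if failed]


def policy_mismatches(azure: IpsecPolicy, device: IpsecPolicy) -> list[str]:
    """With a custom policy Azure proposes and accepts only these exact
    parameters, so every field on the on-premises device must match."""
    a, d = asdict(azure), asdict(device)
    return [f"{k}: azure={a[k]} device={d[k]}" for k in a if a[k] != d[k]]


# Constructed sample: the Azure side is sound; the on-premises device drifted
# on two IKE parameters, the kind of mismatch that leaves a tunnel down.
AZURE_POLICY = IpsecPolicy("AES256", "SHA256", "DHGroup14",
                           "GCMAES256", "GCMAES256", "PFS2048", 27000, 102400000)
DEVICE_POLICY = IpsecPolicy("AES256", "SHA1", "DHGroup2",
                            "GCMAES256", "GCMAES256", "PFS2048", 27000, 102400000)


def review_design() -> dict[str, list[str]]:
    return {
        "gateway": check_gateway_type("RouteBased", "VpnGw1", True, 2),
        "subnet": check_gateway_subnet("GatewaySubnet", "10.0.255.0/27"),
        "address_space": check_address_spaces(["10.0.0.0/16"],
                                              ["10.0.8.0/22", "192.168.0.0/16"]),
        "azure_policy": weak_settings(AZURE_POLICY),
        "device_policy": weak_settings(DEVICE_POLICY),
        "mismatches": policy_mismatches(AZURE_POLICY, DEVICE_POLICY),
    }
```

Calling `review_design()` on the sample returns an empty list for the gateway, subnet and Azure policy checks, one overlap finding for the address spaces, and the two drifted IKE parameters both as weak settings on the device and as mismatches against the Azure connection. Running the same comparison against the exported configuration of a real device before bringing the tunnel up is cheaper than reading IKE negotiation failures out of gateway diagnostics afterwards.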
Further Reading
For detailed configuration steps and advanced topics, please refer to the official Azure documentation: