Overview of Azure VPN Gateway
Azure VPN Gateway provides a highly available, scalable, and secure way to connect your on-premises networks to Azure. It enables you to send and receive data between your on-premises environment and Azure securely over the public internet. This is achieved by encrypting the traffic flowing between your network and Azure.
Key Concepts and Benefits
- Secure Connectivity: Encrypts traffic using IPsec/IKE protocols, ensuring data privacy and integrity.
- Hybrid Cloud Solutions: Seamlessly integrate your on-premises infrastructure with Azure resources.
- Site-to-Site VPN: Connect your entire on-premises network to your Azure Virtual Network.
- Point-to-Site VPN: Connect individual client devices (e.g., laptops) to your Azure Virtual Network.
- Network Scalability: Offers various SKUs to meet performance and throughput requirements.
- High Availability: Designed for resilience with active-active and active-standby configurations.
How VPN Gateway Works
Azure VPN Gateway acts as a managed service within your Azure Virtual Network. It establishes encrypted tunnels (VPN tunnels) to your on-premises VPN devices or to individual client machines. Traffic destined for your Azure Virtual Network from your on-premises network is routed to the VPN Gateway, encrypted, and sent over the internet. On the Azure side, the VPN Gateway receives the traffic, decrypts it, and routes it to the appropriate resources within the virtual network.
VPN Gateway SKUs
Azure VPN Gateway offers several SKUs, each with different performance characteristics, tunnel limits, and features. Choosing the right SKU depends on your organization's specific needs for throughput, connectivity, and redundancy.
Common SKUs:
- Basic: Entry-level SKU for basic testing and development.
- VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5: Standard SKUs offering increasing levels of performance and throughput for production workloads.
- VpnGw1AZ, VpnGw2AZ, etc.: Zone-redundant SKUs providing availability zone resilience.
- Basic, VpnGw1, VpnGw2: Support a maximum of 10 S2S tunnels.
- VpnGw3 and above: Support a higher number of S2S tunnels and P2S connections.
Types of VPN Connections
- Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure Virtual Network (VNet). This type of connection is ideal for hybrid cloud scenarios where you need to extend your corporate network to Azure.
  Requires: An on-premises VPN device compatible with Azure VPN Gateway and a public IP address.
- Point-to-Site (P2S) VPN: Connects an individual client computer directly to an Azure VNet. This is useful for remote employees or for developers who need secure access to Azure resources from their machines.
  Requires: Client VPN software for one of the supported tunnel protocols (e.g., an OpenVPN or SSTP client) and appropriate certificates or other authentication methods.
- VNet-to-VNet VPN: Connects two or more Azure VNets together securely over the public internet. This is often used to create hub-and-spoke network topologies in Azure or to connect VNets in different regions.
Deployment Considerations
- Gateway Type: VPN or ExpressRoute. For this article, we focus on VPN.
- VPN Type: Route-based or Policy-based. Route-based is generally recommended for its flexibility.
- Virtual Network Subnet: A dedicated subnet named `GatewaySubnet` is required for the VPN Gateway.
- Public IP Address: A Standard-SKU, static public IP address is needed.
To implement a VPN Gateway, you will typically need to:
- Create an Azure Virtual Network and a dedicated `GatewaySubnet`.
- Create a Public IP address for the gateway.
- Create the VPN Gateway itself, specifying the SKU and IP address.
- Configure your on-premises VPN device (for S2S) or client software (for P2S).
- Establish the VPN connection.
Example Configuration Snippet (Conceptual)
# Azure CLI command for creating a route-based VPN Gateway.
# The virtual network (MyVNet is a placeholder name) must already contain the GatewaySubnet,
# and MyVpnGatewayPip must be an existing Standard-SKU, static public IP address.
az network vnet-gateway create \
  --name MyVpnGateway \
  --resource-group MyResourceGroup \
  --location eastus \
  --vnet MyVNet \
  --public-ip-addresses MyVpnGatewayPip \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1
# Connections are separate resources; add them afterwards with az network vpn-connection create.
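As an added example that is not code from this page or from Azure's own documentation, the following POSIX shell script carries the implementation steps listed above through with the Azure CLI for a route-based S2S gateway, then reads back the connection status. Every resource name, address prefix and the on-premises public IP (a TEST-NET-3 address) is a constructed placeholder that can be overridden through the environment; the IPsec/IKE pre-shared key is read from VPN_SHARED_KEY rather than written into the script.

```shell
#!/bin/sh
# Added example (not from the page or from Microsoft): the S2S deployment
# sequence as Azure CLI commands. All names, prefixes and the on-premises
# public IP below are constructed placeholders; override them via the environment.
set -eu

AZ="${AZ:-az}"                    # set AZ=echo to print the commands instead of running them
RG="${RG:-MyResourceGroup}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-MyVNet}"
VNET_PREFIX="${VNET_PREFIX:-10.10.0.0/16}"
GW_SUBNET_PREFIX="${GW_SUBNET_PREFIX:-10.10.255.0/27}"
GW="${GW:-MyVpnGateway}"
PIP="${PIP:-MyVpnGatewayPip}"
SKU="${SKU:-VpnGw1}"
ONPREM_GW="${ONPREM_GW:-OnPremDevice}"
ONPREM_PUBLIC_IP="${ONPREM_PUBLIC_IP:-203.0.113.10}"   # placeholder from the TEST-NET-3 documentation range
ONPREM_PREFIX="${ONPREM_PREFIX:-192.168.0.0/16}"
CONN="${CONN:-OnPremToAzure}"

# Step 1: the VNet with its mandatory GatewaySubnet. The subnet name is fixed by
# Azure; a /27 leaves headroom for active-active and for later SKU resizes.
create_vnet_with_gateway_subnet() {
  "$AZ" network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" \
    --address-prefixes "$VNET_PREFIX" \
    --subnet-name GatewaySubnet --subnet-prefixes "$GW_SUBNET_PREFIX"
}

# Step 2: a Standard-SKU, static public IP, as the deployment considerations require.
create_public_ip() {
  "$AZ" network public-ip create -g "$RG" -n "$PIP" -l "$LOCATION" \
    --sku Standard --allocation-method Static
}

# Step 3: the gateway itself, route-based (the recommended type) on the chosen
# SKU. Provisioning takes a while, so --no-wait returns immediately.
create_vpn_gateway() {
  "$AZ" network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" \
    --vnet "$VNET" --public-ip-addresses "$PIP" \
    --gateway-type Vpn --vpn-type RouteBased --sku "$SKU" --no-wait
}

# Step 4: describe the on-premises VPN device to Azure (its public IP and the
# prefixes behind it). The device's own IPsec/IKE settings are configured on the device.
create_local_network_gateway() {
  "$AZ" network local-gateway create -g "$RG" -n "$ONPREM_GW" -l "$LOCATION" \
    --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_PREFIX"
}

# Step 5: the S2S connection. The pre-shared key comes from the environment
# rather than the script so it is never committed alongside it.
create_s2s_connection() {
  : "${VPN_SHARED_KEY:?set VPN_SHARED_KEY to the pre-shared key configured on the on-premises device}"
  "$AZ" network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
    --vnet-gateway1 "$GW" --local-gateway2 "$ONPREM_GW" \
    --shared-key "$VPN_SHARED_KEY"
}

# Verification: the status should reach "Connected" once the on-premises side
# is configured with matching IPsec/IKE parameters and the same key.
show_connection_status() {
  "$AZ" network vpn-connection show -g "$RG" -n "$CONN" --query connectionStatus -o tsv
}

deploy_s2s() {
  create_vnet_with_gateway_subnet
  create_public_ip
  create_vpn_gateway
  "$AZ" network vnet-gateway wait -g "$RG" -n "$GW" --created
  create_local_network_gateway
  create_s2s_connection
  show_connection_status
}

# Deploy only when explicitly asked, so sourcing the file for its functions
# (or a dry run with AZ=echo) creates nothing.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy_s2s
fi
```

Run it as RUN_DEPLOY=1 VPN_SHARED_KEY='...' ./deploy-s2s.sh against a logged-in Azure CLI session; with AZ=echo it only prints the commands it would run, which is a cheap way to review names and prefixes before anything is created. P2S gateways add client address pools and authentication settings on top of step 3 and are not covered here.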
Next Steps
Refer to the official Azure documentation for detailed step-by-step guides and specific configuration parameters for your chosen VPN type and on-premises equipment.