Understanding Azure VPN Gateway

Azure VPN Gateway is a service that you use to send encrypted traffic between your on-premises network and Azure over the public Internet. It can also be used to send encrypted traffic between your virtual networks in Azure.

VPN Gateway is a component of Azure networking that enables you to configure and manage various VPN connections. This service is ideal for scenarios such as:

  • Connecting your on-premises infrastructure to an Azure virtual network.
  • Connecting multiple Azure virtual networks together.
  • Providing remote access for users to your Azure resources.

Note: Azure VPN Gateway uses IPsec/IKE protocols to provide secure connectivity. It does not support PPTP.

Key Features

  • Hybrid Cloud Connectivity: Seamlessly extend your on-premises network to Azure.
  • Site-to-Site VPN: Connect your on-premises devices (like routers or firewalls) to Azure Virtual Network Gateways.
  • Point-to-Site VPN: Enable individual users to connect to an Azure Virtual Network from their client devices.
  • Network-to-Network VPN: Connect multiple Azure Virtual Networks together securely.
  • High Availability: Offers active-passive and active-active configurations for robust connectivity.
  • Scalability: Supports various performance tiers to meet different throughput requirements.
  • Azure ExpressRoute Coexistence: Can be deployed alongside ExpressRoute for redundancy or hybrid scenarios.

Types of VPN Gateways

Azure VPN Gateway offers different types to suit your needs:

VPN Type Gateway

This is the most common type, used for establishing secure IPsec VPN tunnels. It supports both Site-to-Site and Point-to-Site connections.

SKU        Max Throughput (Inbound/Outbound)   Max Tunnels
Basic      100 Mbps                            10
VpnGw1     250 Mbps                            30
VpnGw2     500 Mbps                            100
VpnGw1AZ   250 Mbps                            30
VpnGw2AZ   500 Mbps                            100

Tip: VPN Type gateways can be configured as Zone-Redundant Gateways (e.g., VpnGw1AZ) for higher availability across Azure Availability Zones.

ExpressRoute Type Gateway

This type is used for ExpressRoute circuits to connect to your Azure Virtual Network. It is not used for IPsec VPN tunnels.

SKU        Max Throughput (Inbound/Outbound)   Max Tunnels
ErGw1AZ    500 Mbps                            10
ErGw2AZ    1 Gbps                              10
ErGw3AZ    10 Gbps                             10

Important: ExpressRoute gateways are designed for high-bandwidth, low-latency connections. They do not provide the same encryption capabilities as VPN gateways.

Connectivity Options

Site-to-Site VPN

Connect your on-premises network to your Azure VNet using an IPsec VPN tunnel. This is achieved by configuring a VPN device on your premises and an Azure VPN Gateway.

[Diagram: Conceptual diagram of a Site-to-Site VPN connection.]

Point-to-Site VPN

Allows individual users to connect securely to your Azure VNet from their devices. This is useful for remote workers. It supports SSTP, IKEv2, and OpenVPN protocols.

[Diagram: Conceptual diagram of a Point-to-Site VPN connection.]

Network-to-Network VPN

Establish secure tunnels between two or more Azure Virtual Networks. This is crucial for multi-VNet architectures where resources need to communicate across network boundaries.

Note: For network-to-network connectivity, ensure that the address spaces of the VNets do not overlap.

Deployment Guide

Deploying an Azure VPN Gateway involves several steps:

  1. Create a Virtual Network: Ensure you have a VNet with a dedicated subnet named GatewaySubnet. This subnet must be /27 or larger.
  2. Create the VPN Gateway: In the Azure portal, search for "Virtual network gateways" and create a new one. Select the appropriate type (VPN), SKU, generation, and region.
  3. Configure Connection: Once the gateway is deployed, create a connection resource. This will link your VPN gateway to another gateway or a local network, specifying the shared key for authentication.
  4. Configure On-Premises Device: Configure your on-premises VPN device with the corresponding settings, including IP addresses, encryption protocols, and the shared key.

You can automate this process using Azure CLI or PowerShell:

# Example Azure CLI command (simplified): create a route-based VpnGw1 gateway
# in an existing VNet that already has a GatewaySubnet and a public IP named VpnGw1-IP.
az network vnet-gateway create \
    --resource-group MyResourceGroup \
    --name VpnGateway1 \
    --public-ip-address VpnGw1-IP \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --sku VpnGw1 \
    --vnet MyVnet
# The on-premises address prefixes are not passed to this command: they belong to a
# separate local network gateway resource (az network local-gateway create), which the
# connection resource created in step 3 links to this gateway.
Tip: Always refer to the official Azure documentation for the most up-to-date CLI and PowerShell commands.
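The four deployment steps above as an added, self-checking script (example code, not from the original page or from Azure's own tooling): it validates the GatewaySubnet size, confirms the subnet sits inside the VNet, rejects an on-premises range that overlaps the VNet, requires the shared key to come from the environment, and then prints the Azure CLI calls that would run. Resource names such as MyResourceGroup, MyVnet and OnPremGateway are placeholders, the sample address ranges are constructed, and the 20-character minimum for the shared key is this script's own assumption.

```shell
#!/bin/sh
# Added example, not from the original page: checks the inputs for the four
# deployment steps above, then prints the Azure CLI commands that would run.
# Resource names (MyResourceGroup, MyVnet, VpnGateway1, ...) are placeholders.
set -eu

# gateway_subnet_ok CIDR: true when the GatewaySubnet is /27 or larger
gateway_subnet_ok() { [ "${1#*/}" -le 27 ]; }

# ip_to_int A.B.C.D: dotted quad -> 32-bit integer
ip_to_int() { local IFS=.; set -- $1; echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }

# cidr_overlap CIDR1 CIDR2: true when the two ranges share any address
# (compare both network addresses under the shorter of the two prefix lengths)
cidr_overlap() {
  local al="${1#*/}" bl="${2#*/}" m mask
  m=$(( al < bl ? al : bl ))
  mask=$(( (4294967295 << (32 - m)) & 4294967295 ))
  [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# validate_plan VNET GATEWAY_SUBNET ONPREM SHARED_KEY: every check must pass
validate_plan() {
  gateway_subnet_ok "$2"   || { echo "GatewaySubnet $2 must be /27 or larger" >&2; return 1; }
  cidr_overlap "$1" "$2"   || { echo "GatewaySubnet $2 is not inside VNet $1" >&2; return 1; }
  ! cidr_overlap "$1" "$3" || { echo "on-premises $3 overlaps VNet $1" >&2; return 1; }
  [ "${#4}" -ge 20 ]       || { echo "shared key too short (assumed minimum 20 chars)" >&2; return 1; }
}

# emit_commands VNET GATEWAY_SUBNET ONPREM ONPREM_IP: steps 1-3 as az CLI calls;
# the shared key is read from the environment at run time, never stored in the script
emit_commands() {
  cat <<EOF
az network vnet create -g MyResourceGroup -n MyVnet --address-prefixes $1 --subnet-name GatewaySubnet --subnet-prefixes $2
az network public-ip create -g MyResourceGroup -n VpnGw1-IP --sku Standard --allocation-method Static
az network vnet-gateway create -g MyResourceGroup -n VpnGateway1 --public-ip-address VpnGw1-IP --vnet MyVnet --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
az network local-gateway create -g MyResourceGroup -n OnPremGateway --gateway-ip-address $4 --local-address-prefixes $3
az network vpn-connection create -g MyResourceGroup -n OnPremConnection --vnet-gateway1 VpnGateway1 --local-gateway2 OnPremGateway --shared-key "\$VPN_SHARED_KEY"
EOF
}

# Constructed sample values (documentation ranges); override them via the environment.
VNET="${VNET:-10.0.0.0/16}" GWSUBNET="${GWSUBNET:-10.0.255.0/27}"
ONPREM="${ONPREM:-192.168.0.0/16}" ONPREM_IP="${ONPREM_IP:-203.0.113.10}"
if validate_plan "$VNET" "$GWSUBNET" "$ONPREM" "${VPN_SHARED_KEY:-}"; then
  emit_commands "$VNET" "$GWSUBNET" "$ONPREM" "$ONPREM_IP"
fi
```

Step 4 (the on-premises device) is deliberately not scripted here: its settings must mirror the gateway's public IP, the IPsec/IKE parameters and the same shared key, and they are entered on the vendor's device, not through the Azure CLI.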

Monitoring and Troubleshooting

Effective monitoring is essential for maintaining healthy VPN connections.

Key Metrics to Monitor:

  • Tunnel Status: Ensure tunnels are up and connected.
  • Data In/Out: Track bandwidth usage to identify potential bottlenecks.
  • Packet Loss: Monitor for packet drops, which can indicate network issues.
  • Latency: Keep an eye on connection latency.

Troubleshooting Common Issues:

  • Configuration Mismatch: Verify that shared keys, IPsec policies, and other settings match on both ends of the tunnel.
  • Firewall Rules: Ensure that firewalls on both sides allow necessary VPN traffic (e.g., UDP ports 500 and 4500).
  • Routing Issues: Check that routes are correctly configured to direct traffic through the VPN tunnel.
  • SKU Limitations: Ensure your gateway SKU meets your throughput requirements.

Azure Monitor and Network Watcher provide robust tools for diagnosing VPN Gateway issues.

Pricing

Azure VPN Gateway pricing is based on several factors:

  • Gateway SKU: Higher SKUs offer more throughput and features but cost more.
  • Connection Type: Site-to-Site, Point-to-Site, and Network-to-Network connections have different pricing models.
  • Data Transfer: Data egress from Azure to the internet is typically charged, while ingress is free. Data transfer between Azure regions might incur charges.
  • Hourly Rate: You are charged for the time the gateway is provisioned.

For detailed pricing information, please visit the Azure VPN Gateway Pricing page.