Virtual Network Gateway
A Virtual Network Gateway is a cloud-based VPN service that you can use to send encrypted traffic between your on-premises networks and your Azure virtual networks, or between Azure virtual networks.
Overview
Virtual network gateways are used to enable:
- Site-to-Site VPNs: Connect your on-premises network to Azure Virtual Network.
- Point-to-Site VPNs: Connect individual clients to Azure Virtual Network.
- VNet-to-VNet connections: Connect multiple Azure Virtual Networks.
- ExpressRoute: Provide a private, dedicated connection to Azure.
Gateway Types
There are two main types of virtual network gateways:
VPN Gateway
A VPN gateway uses an encrypted tunnel over the public internet to connect networks. It's cost-effective and suitable for many scenarios.
- Route-based VPN: Supports VNet-to-VNet, S2S, and P2S. Requires Azure VPN client software for P2S.
- Policy-based VPN: Supports only S2S connections. Simpler configuration but less flexible.
ExpressRoute Gateway
An ExpressRoute gateway is used for ExpressRoute circuits, providing a private, high-throughput, low-latency connection between your on-premises network and Azure. This bypasses the public internet.
Key Components and Concepts
- GatewaySubnet: A dedicated subnet within your virtual network specifically for the gateway. It must be named GatewaySubnet.
- Public IP Address: A public IP address is required for the VPN gateway to be reachable over the internet.
- Local Network Gateway: Represents your on-premises network or another Azure VNet that you are connecting to. It contains the IP address ranges and VPN device IP address of the remote network.
- Connection: Defines the link between your virtual network gateway and a local network gateway. It specifies the connection type, shared key, and IPsec/IKE policies.
Creating a Virtual Network Gateway
You can create a virtual network gateway using the Azure portal, Azure CLI, or PowerShell. The process typically involves:
- Creating a GatewaySubnet in your virtual network.
- Creating the Virtual Network Gateway resource, specifying its type (VPN or ExpressRoute), SKU, generation, and associating it with the GatewaySubnet and a public IP address.
- Configuring a Local Network Gateway.
- Creating a Connection between the Virtual Network Gateway and the Local Network Gateway.
The gateway subnet must be named exactly GatewaySubnet. The size of the subnet depends on the gateway SKU you choose.
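The four steps above as one Azure CLI script, added here as an example and not taken from the original page: it creates the GatewaySubnet, a static public IP, a route-based VpnGw1 gateway, a local network gateway and the S2S connection, then pins an explicit IPsec/IKE policy. The resource group, region, names and address ranges are constructed placeholders; the shared key is read from the VPN_SHARED_KEY environment variable, and DRY_RUN=1 prints the commands instead of running them so the sequence can be rehearsed without a subscription.

```shell
#!/usr/bin/env sh
# Constructed placeholder names, region and address ranges (override via environment).
RG="${RG:-rg-vpn-demo}"; LOC="${LOC:-eastus}"; VNET="${VNET:-vnet-hub}"
GW="${GW:-vgw-hub}"; GW_IP="${GW_IP:-pip-vgw-hub}"; LNG="${LNG:-lng-onprem}"
GW_SUBNET_PREFIX="${GW_SUBNET_PREFIX:-10.1.255.0/27}"
ONPREM_DEVICE_IP="${ONPREM_DEVICE_IP:-203.0.113.10}"   # constructed (TEST-NET-3 range)
ONPREM_PREFIXES="${ONPREM_PREFIXES:-192.168.0.0/16}"   # one or more, space separated

# Execute a command, or only print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Azure only recognises the gateway subnet under the exact name GatewaySubnet.
gateway_subnet_name() { [ "$1" = "GatewaySubnet" ]; }

create_vpn_gateway() {
  [ -n "$VPN_SHARED_KEY" ] || { echo "VPN_SHARED_KEY is not set" >&2; return 1; }
  gateway_subnet_name GatewaySubnet || return 1
  # 1. Dedicated GatewaySubnet inside the VNet
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX"
  # 2. Static public IP, then the gateway (route-based; provisioning can take a long time)
  run az network public-ip create -g "$RG" -n "$GW_IP" -l "$LOC" --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOC" --vnet "$VNET" --public-ip-addresses "$GW_IP" --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
  # 3. Local network gateway describing the on-premises device and its address ranges
  run az network local-gateway create -g "$RG" -n "$LNG" -l "$LOC" --gateway-ip-address "$ONPREM_DEVICE_IP" --local-address-prefixes $ONPREM_PREFIXES
  # 4. The S2S connection; the shared key comes from the environment, not the script
  run az network vpn-connection create -g "$RG" -n "${GW}-to-${LNG}" -l "$LOC" --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$VPN_SHARED_KEY"
  # Pin an explicit IPsec/IKE policy rather than relying on the default proposal set
  run az network vpn-connection ipsec-policy add -g "$RG" --connection-name "${GW}-to-${LNG}" --ike-encryption AES256 --ike-integrity SHA384 --dh-group DHGroup24 --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS24 --sa-lifetime 27000 --sa-max-size 102400000
}
```

Run `DRY_RUN=1 VPN_SHARED_KEY=... sh script.sh` after appending a `create_vpn_gateway` call to review the command sequence before executing it for real.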
Gateway SKUs and Performance
Azure offers various gateway SKUs (e.g., Basic, VpnGw1, VpnGw2, VpnGw1AZ, etc.) that determine throughput, connection limits, and features. Higher SKUs offer better performance and support more connections.
| SKU | Max Throughput | Max Connections |
|---|---|---|
| Basic | 100 Mbps | 10 |
| VpnGw1 | 200 Mbps | 100 |
| VpnGw2 | 300 Mbps | 100 |
| VpnGw1AZ | 200 Mbps | 100 |
| VpnGw2AZ | 300 Mbps | 100 |
Troubleshooting
Common issues include incorrect IPsec/IKE configurations, firewall rules blocking traffic, or problems with the on-premises VPN device. Use Azure Monitor and the connection diagnostics tools for troubleshooting.