VPN Gateway Connections - MSDN Documentation

Understanding VPN Gateway Connections

This article provides a comprehensive overview of VPN gateway connections, their types, configuration, and best practices for secure and reliable network connectivity between your on-premises networks and Azure, or between different Azure virtual networks.

What is a VPN Gateway?

A VPN gateway is a type of virtual network gateway that sends encrypted traffic through a public connection to connect your on-premises network to your Azure virtual network. It can also be used to connect Azure virtual networks to each other.

Types of VPN Gateways

Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure virtual network. This is ideal for hybrid cloud scenarios where you need to extend your datacenter to Azure.
Point-to-Site (P2S) VPN: Connects an individual client device to an Azure virtual network. This is useful for remote workers who need secure access to Azure resources without a dedicated VPN device.
Network-to-Network (N2N) VPN: Connects two Azure virtual networks together. This allows for secure communication between VNets, which can be in different regions or subscriptions.

Key Components and Concepts

Virtual Network Gateway: The primary resource in Azure that enables VPN connectivity.
Local Network Gateway: Represents your on-premises network's IP address ranges and VPN device's public IP address.
Connection Resource: Links the Virtual Network Gateway and the Local Network Gateway, defining the parameters for the VPN tunnel.
IPsec/IKE Protocols: Standard protocols used for establishing secure VPN tunnels.
BGP (Border Gateway Protocol): Used for dynamic route exchange between your on-premises network and Azure, essential for complex network topologies.

Ensure your on-premises VPN device is compatible with Azure VPN Gateway requirements. Refer to the official compatibility list for details.

Configuring a Site-to-Site VPN Connection

The typical steps for configuring an S2S VPN connection involve:

Creating a Virtual Network Gateway in your Azure Virtual Network.
Creating a Local Network Gateway representing your on-premises network.
Creating a Connection resource to link the two gateways.
Configuring your on-premises VPN device with the shared key and tunnel endpoints.


// Example Azure CLI command to create a Virtual Network Gateway
az network vnet-gateway create \
    --name MyVNetGateway \
    --public-ip-address MyVNetGatewayPIP \
    --resource-group MyResourceGroup \
    --location eastus \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --sku VpnGw1

Best Practices

Choose the Right SKU: Select a VPN gateway SKU that meets your throughput and availability requirements.
Use BGP: For dynamic routing and automatic failover, leverage BGP for route exchange.
Monitor Performance: Regularly monitor gateway health, tunnel status, and bandwidth utilization.
Security: Use strong shared keys and consider using certificate-based authentication for enhanced security.

For high availability, consider deploying active-active VPN gateways.

Troubleshooting Common Issues

If you encounter connectivity problems, check the following:

Shared key mismatch between Azure and your on-premises device.
Firewall rules blocking VPN traffic.
Incorrect IP address ranges configured in Local Network Gateway.
BGP peer status if BGP is enabled.

Changes to VPN configurations can impact network connectivity. Plan and test any modifications carefully.

For detailed troubleshooting steps and advanced configurations, please refer to the official Azure documentation.