Azure VPN Gateway Concepts

This article introduces Azure VPN Gateway and its role in creating secure, cross-premises connectivity solutions.

Note: VPN Gateway is a specific type of Virtual Network Gateway that is used to send encrypted traffic throughout a public connection between your on-premises environment and your Azure virtual network.

What is Azure VPN Gateway?

Azure VPN Gateway is a managed service that allows you to securely connect your on-premises networks to Azure virtual networks. It provides:

Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure virtual network. This is often used for hybrid cloud scenarios where you need to extend your datacenter to Azure.
Point-to-Site (P2S) VPN: Connects individual client devices (like laptops or desktops) to an Azure virtual network. This is useful for remote workers or when you need to secure access to individual resources.
VNet-to-VNet VPN: Connects two or more Azure virtual networks securely. This is essential for distributed applications or for securely connecting different environments within Azure.

Key Components

A VPN Gateway consists of the following key components:

Virtual Network Gateway: This is the Azure resource that represents the VPN device for your virtual network. It is deployed within a dedicated subnet named GatewaySubnet.
Local Network Gateway: This resource represents your on-premises network from the perspective of Azure. It contains information about your on-premises IP address ranges and the IP address of your on-premises VPN device.
Connection: This resource defines the connection between a Virtual Network Gateway and a Local Network Gateway. It specifies the type of VPN (e.g., S2S, P2S), the shared key for authentication, and other parameters.
Gateway IP Configuration: This configures the public IP address for the Virtual Network Gateway.

VPN Gateway SKUs

Azure VPN Gateway offers different SKUs, each with varying performance, tunnel count, and feature support. Common SKUs include:

Basic: Suitable for development/testing and small workloads.
VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5: Offer increasing levels of performance and tunnel support for production workloads.
Standard, HighPerformance: Older SKUs, generally recommended to use the VpnGw SKUs for new deployments.

Choosing the right SKU depends on your bandwidth requirements, the number of tunnels you need, and your budget.

Tunneling Protocols

Azure VPN Gateway supports the following standard tunneling protocols:

IKEv2 and IKEv1 (IPsec): Internet Key Exchange (IKE) is used to establish a security association (SA) for IPsec. Azure supports both IKEv1 and IKEv2.
SSTP: Secure Socket Tunneling Protocol uses SSL/TLS to encapsulate VPN traffic, making it useful for traversing firewalls.
L2TP/IPsec: Layer 2 Tunneling Protocol with IPsec provides an encrypted tunnel.
OpenVPN: An open-source VPN protocol that provides robust security and flexibility.

Tip: For most modern deployments, using IKEv2 is recommended due to its improved reliability and security.

Use Cases

Azure VPN Gateway is ideal for:

Connecting an on-premises datacenter to Azure for hybrid cloud solutions.
Providing secure remote access for employees.
Connecting multiple Azure virtual networks for disaster recovery or application segmentation.
Meeting compliance requirements that mandate encrypted data in transit.

Getting Started

To set up a VPN Gateway, you typically follow these high-level steps:

Create a Virtual Network and a dedicated GatewaySubnet.
Create a Virtual Network Gateway resource.
Configure your on-premises VPN device (if applicable).
Create a Local Network Gateway representing your on-premises network.
Create a Connection resource to link your Virtual Network Gateway and Local Network Gateway.

Important: Ensure your on-premises VPN device is compatible with Azure VPN Gateway and that your firewall rules allow the necessary VPN traffic.

Refer to the detailed Azure documentation for specific configuration steps and best practices.