Virtual Network Gateway

Azure Virtual Network Gateway is a type of virtual network, used to send encrypted traffic between your Azure Virtual Network and your on-premises location, or between your virtual networks. You can also use it for transit routing, if you have multiple virtual networks and need them to communicate with each other.

Introduction

A virtual network gateway is a specific type of virtual network that is used to enable connectivity between an Azure virtual network and other networks, such as your on-premises data center or other virtual networks in Azure. It acts as a bridge, allowing secure and reliable data transfer.

Virtual network gateways are essential for building hybrid cloud solutions and extending your network infrastructure to Azure. They support various connectivity options, including VPN and ExpressRoute.

Types of Gateways

Azure offers two primary types of virtual network gateways:

VPN Gateway: Used to send encrypted traffic between your Azure Virtual Network and your on-premises location over the public internet.
ExpressRoute Gateway: Used to send traffic between your Azure Virtual Network and your on-premises network over a private connection using Azure ExpressRoute.

VPN Gateway

A VPN gateway is a VPN device that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public internet. You can also use it to send encrypted traffic between your Azure virtual networks.

Configuration

Configuring a VPN gateway involves several steps, including defining the gateway type (VPN), selecting a SKU (which determines performance and features), creating a public IP address, and configuring the gateway subnet.

A typical configuration might look like this:


az network vnet-gateway create \
  --resource-group MyResourceGroup \
  --name VpnGw1 \
  --public-ip-address VpnGw1-IP \
  --sku VpnGw1 \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --vnet MyVNet \
  --admin-username azureuser \
  --admin-password 'Str0ngP@ssw0rd!'

Gateway SKUs

VPN gateways come in various SKUs, each offering different performance levels and features:

Basic: Suitable for development and testing, offering limited throughput.
VpnGw1, VpnGw2, VpnGw3: Offer increasing levels of performance and concurrent connection capabilities.
VpnGw1AZ, VpnGw2AZ, VpnGw3AZ: Zone-redundant versions for higher availability.

The choice of SKU depends on your bandwidth requirements and the number of connections you need to support.

Connections

VPN gateways support two main types of connections:

Site-to-Site (S2S) VPN: Connects your on-premises network to your Azure VNet via a VPN tunnel over the internet.
VNet-to-VNet VPN: Connects two or more Azure VNets together, allowing them to communicate securely.

You also have the option of P2S (Point-to-Site) VPN, which allows individual clients to connect to your Azure VNet.

ExpressRoute Gateway

An ExpressRoute gateway is used to connect your Azure Virtual Network to your on-premises network over an Azure ExpressRoute circuit. This provides a private, high-bandwidth, and low-latency connection, bypassing the public internet.

ExpressRoute gateways are ideal for enterprise scenarios that require predictable performance and enhanced security for sensitive data.

Key features include:

High throughput options.
Connection to private peering and Microsoft peering.
Support for ExpressRoute FastPath for lower latency.

Active-Active Gateways

Azure Virtual Network Gateways can be configured in an active-active setup. In this configuration, both gateway instances are active and processing traffic simultaneously. This enhances availability and throughput.

Benefits of active-active configuration:

Increased availability: If one instance fails, the other continues to handle traffic.
Higher aggregate throughput.
Faster failover times.

This requires using Gateway SKUs that support active-active mode (e.g., VpnGw2AZ, VpnGw3AZ) and configuring two public IP addresses.

Troubleshooting

Common issues with virtual network gateways can include:

VPN tunnel disconnections.
Low throughput.
Connectivity problems between VNets or on-premises.

Azure provides several tools for troubleshooting, including:

Connection Troubleshooter: Diagnoses common VPN connection issues.
Gateway Diagnostics: Provides health and performance metrics for the gateway.
Packet Capture: Allows you to capture network traffic for deep analysis.

Tip: Ensure your on-premises VPN device is configured with compatible encryption and hashing algorithms. Refer to the Azure documentation for a list of supported parameters.