Azure Virtual Network Gateway Overview

Introduction

Azure Virtual Network Gateway is a type of virtual network gateway used to send encrypted traffic between your Azure virtual network and your on-premises location over the public Internet. You can also use it to send encrypted traffic between your Azure virtual networks in different Azure regions.

Azure Virtual Network Gateway provides connectivity to and from Azure. It's composed of two services: Virtual network gateway connections and VPN services. The Azure VPN Gateway service provides the capability to create and manage VPN gateways.

What is a Virtual Network Gateway?

A virtual network gateway is a specific type of virtual network gateway that is used to send encrypted traffic between your Azure virtual network and your on-premises location over the public Internet. You can also use it to send encrypted traffic between your Azure virtual networks in different Azure regions.

Azure Virtual Network Gateway Overview Diagram

Simplified architecture of Azure Virtual Network Gateway.

Virtual network gateways are logically located in their own subnet within the virtual network, which is named GatewaySubnet. This subnet must be named GatewaySubnet. The gateway subnet can contain only the virtual network gateway resources.

Types of Gateways

Azure offers two primary types of virtual network gateways:

VPN Gateways

A VPN gateway is used to send encrypted traffic between your Azure virtual network and an on-premises location over the public Internet. It can also be used to send encrypted traffic between Azure virtual networks in different Azure regions. VPN gateways support several connectivity scenarios:

Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure virtual network.
Network-to-Network (N2N) VPN: Connects two Azure virtual networks located in different regions.
Point-to-Site (P2S) VPN: Connects individual client devices to an Azure virtual network.

ExpressRoute Gateways

An ExpressRoute gateway is used to connect to your Azure ExpressRoute circuit, which provides private connectivity between your on-premises network and Azure. This offers higher bandwidth, lower latency, and greater reliability than VPN connections.

                Note: A virtual network can have only one virtual network gateway. You cannot have both a VPN gateway and an ExpressRoute gateway in the same virtual network.
            

VPN Gateway Connectivity Options

Site-to-Site (S2S) VPN

Site-to-Site VPN connects your on-premises network to your Azure Virtual Network. This is achieved by connecting a VPN device or firewall that is located on your network to the Azure VPN gateway. This connection type is ideal for hybrid cloud scenarios where you need to extend your on-premises infrastructure into Azure.

On-premises Network <-----> VPN Device <-----> Public Internet <-----> Azure VPN Gateway <-----> Azure VNet

Network-to-Network (N2N) VPN

Network-to-Network VPN allows you to connect two different Azure Virtual Networks that might reside in different regions. This is useful for disaster recovery, data replication, or when different teams manage separate virtual networks that need to communicate.

Azure VNet 1 <-----> Azure VPN Gateway 1 <-----> Public Internet <-----> Azure VPN Gateway 2 <-----> Azure VNet 2

Point-to-Site (P2S) VPN

Point-to-Site VPN allows individual client computers to connect directly to your Azure Virtual Network. This is often used for remote workers who need secure access to resources within the Azure VNet without requiring a dedicated VPN device on their end. Clients can connect using VPN client software.

Client Device <-----> Public Internet <-----> Azure VPN Gateway <-----> Azure VNet

ExpressRoute Gateway Connectivity Options

An ExpressRoute gateway connects your virtual network to your ExpressRoute circuit. This provides a private, dedicated connection from your on-premises network to Azure. This is the preferred method for enterprise-grade connectivity requiring high throughput and low latency.

On-premises Network <-----> ExpressRoute Circuit <-----> ExpressRoute Gateway <-----> Azure VNet

Key Components

GatewaySubnet: A dedicated subnet within your virtual network that hosts the virtual network gateway. It must be named GatewaySubnet.
Virtual Network Gateway (VNG): The actual gateway resource deployed in the GatewaySubnet. It has its own public IP address.
Local Network Gateway: Represents your on-premises network, including its IP address space and the public IP address of your on-premises VPN device.
Connection Resource: Defines the relationship and configuration settings between a Virtual Network Gateway and a Local Network Gateway (for S2S VPN) or another Virtual Network Gateway (for N2N VPN).
VPN Device: The hardware or software device on your on-premises network that establishes the VPN tunnel to the Azure VPN gateway.

Use Cases

Hybrid Cloud Connectivity: Seamlessly extend your on-premises datacenter to Azure for increased scalability and flexibility.
Disaster Recovery: Establish redundant connections for business continuity.
Secure Data Transfer: Encrypt sensitive data in transit between on-premises and Azure environments.
Global Network Interconnect: Connect multiple Azure regions for distributed applications.
Remote Access: Securely connect remote users to Azure resources.

Getting Started

To create and configure a Virtual Network Gateway, you can use the Azure portal, Azure CLI, or Azure PowerShell.

Recommended steps:

Create a Virtual Network with a GatewaySubnet.
Create the Virtual Network Gateway resource in the GatewaySubnet.
Configure a Local Network Gateway representing your on-premises network.
Create a Connection resource to link the Virtual Network Gateway and the Local Network Gateway.

For detailed instructions, please refer to the official Microsoft documentation:

On this page