VPN Gateways in Azure Virtual WAN

This article explains the concepts of VPN gateways in Azure Virtual WAN. VPN gateways are the main components within a Virtual WAN hub that enable connectivity to your on-premises networks and other Azure virtual networks.

Conceptual diagram of Azure Virtual WAN with VPN Gateways.

What is a VPN Gateway?

A VPN gateway in Virtual WAN is a highly available, scalable service that acts as an entry point for your branch office connections. It supports both site-to-site (S2S) VPN and point-to-site (P2S) VPN connections, allowing you to securely connect your on-premises networks to your Azure Virtual WAN hub.

Key Features and Benefits

Scalability: Designed to scale to meet the demands of large enterprises.
High Availability: Built-in redundancy ensures continuous connectivity.
Global Reach: Leverages Azure's global network to provide reliable connections.
Simplified Management: Centralized management through the Azure portal.
Rich Connectivity Options: Supports S2S, P2S, and inter-hub routing.

Types of VPN Gateways

In the context of Virtual WAN, you primarily interact with VPN gateways deployed within your Virtual WAN hubs. These are distinct from the standalone VPN gateways you might deploy in a traditional VNet.

Virtual WAN Hub VPN Gateway

When you create a Virtual WAN hub, you have the option to deploy a VPN gateway within it. This gateway is managed by Azure and provides the core functionality for connecting your sites.

Connection Management

Connections to the VPN gateway are established using standard IPsec/IKE protocols. You can configure:

Site-to-Site VPN: Connects your on-premises VPN devices to the Virtual WAN hub.
Point-to-Site VPN: Allows individual users to connect remotely to your Azure network via the hub.

Deployment Considerations

When deploying VPN gateways in Virtual WAN, consider the following:

Gateway SKUs: Different SKUs offer varying levels of performance and features. Choose a SKU that matches your throughput and connection requirements.
Region: Deploy your Virtual WAN hub and its VPN gateway in a region that is geographically close to your connected sites for optimal performance.
Redundancy: Virtual WAN hubs are inherently redundant, and VPN gateways deployed within them benefit from this resilience.

Note: Azure Virtual WAN VPN gateways are designed for hub-and-spoke architectures. They are not intended as a replacement for standalone VPN gateways in traditional VNet deployments if your architecture differs.

Configuration Steps

Configuring a VPN gateway typically involves the following high-level steps:

Create a Virtual WAN resource.
Create a Virtual WAN hub within your Virtual WAN.
If needed, deploy a VPN gateway within the hub.
Configure your on-premises VPN devices or client VPN profiles to connect to the gateway.

Connecting Devices

For site-to-site connections, ensure your on-premises VPN device has compatible configuration parameters (e.g., IPsec policies, pre-shared keys). For point-to-site, you'll download client configuration packages from the Azure portal.

Azure VPN Gateway components.

Summary

VPN Gateways are foundational to securing and managing connectivity in Azure Virtual WAN. They provide a scalable, highly available, and simplified solution for hybrid cloud networking, enabling robust connections between your on-premises environments and Azure.