Virtual Network Gateway

Overview

The Azure Virtual Network Gateway (VPN gateway) provides secure, cross-premises connectivity between Azure virtual networks and on‑premises environments. When combined with Azure Virtual WAN, it enables scalable, branch‑to‑branch, and point‑to‑site connectivity.

  • Supports Site‑to‑Site (S2S), Point‑to‑Site (P2S), and VNet‑to‑VNet connections.
  • Operates in active‑active or active‑standby mode for high availability.
  • Compatible with ExpressRoute, BGP, and Azure Firewall Hub.

Prerequisites

  1. An existing Azure subscription with a Virtual WAN hub.
  2. Resource group and virtual network created for the gateway.
  3. Public IP address allocated for the gateway subnet (GatewaySubnet).
  4. Appropriate Azure RBAC permissions (Owner/Contributor or Network Contributor).

Deploy a Virtual Network Gateway

Azure Portal
  1. Navigate to Create a resource → Networking → Virtual network gateway.
  2. Select your subscription and resource group.
  3. Provide a name, region, and choose the Virtual WAN hub.
  4. Set Gateway type to VPN and VPN type to Route based.
  5. Choose the SKU that matches your throughput needs (e.g., VpnGw1, VpnGw2, …).
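  6. Assign a public IP (or create a new one) and click Create.

Azure CLI

# Create a route-based VPN gateway in the GatewaySubnet of MyVNet.
# --no-wait returns immediately; provisioning continues in the background.
az network vnet-gateway create \
  --resource-group MyResourceGroup \
  --name MyVNetGateway \
  --location eastus \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw2 \
  --asn 65010 \
  --public-ip-address MyGatewayPIP \
  --vnet MyVNet \
  --no-wait

PowerShell

# Build the gateway IP configuration from the existing GatewaySubnet and public IP.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName "MyResourceGroup" -Name "MyVNet"
$subnet   = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$pip      = Get-AzPublicIpAddress -ResourceGroupName "MyResourceGroup" -Name "MyGatewayPIP"
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Create the route-based VPN gateway.
$gw = New-AzVirtualNetworkGateway `
  -ResourceGroupName "MyResourceGroup" `
  -Name "MyVNetGateway" `
  -Location "EastUS" `
  -IpConfigurations $ipConfig `
  -GatewayType "Vpn" `
  -VpnType "RouteBased" `
  -GatewaySku "VpnGw2"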
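
Because the Azure CLI command in this section uses --no-wait, it returns before provisioning completes, so the deployed settings are worth checking afterwards. The Python below is an added example, not part of the original page or of Microsoft's tooling: it audits JSON of the shape printed by `az network vnet-gateway show` against the values used on this page. The field names are assumed from that command's output, and the sample document is constructed.

```python
import json

# Baseline: the values passed to `az network vnet-gateway create` on this page.
EXPECTED = {
    "gatewayType": "Vpn",
    "vpnType": "RouteBased",
    "sku.name": "VpnGw2",
    "bgpSettings.asn": 65010,
}

def _get(doc, dotted):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in dotted.split("."):
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc

def audit_gateway(gw):
    """Return a list of findings; an empty list means the gateway matches."""
    findings = []
    # --no-wait returns before provisioning ends, so check the state first.
    state = gw.get("provisioningState")
    if state != "Succeeded":
        findings.append(f"provisioningState is {state!r}, not 'Succeeded'")
    for path, want in EXPECTED.items():
        got = _get(gw, path)
        if got != want:
            findings.append(f"{path}: expected {want!r}, found {got!r}")
    # Active-active runs two instances, so it needs at least two IP configurations.
    n_ip = len(gw.get("ipConfigurations") or [])
    if gw.get("activeActive") and n_ip < 2:
        findings.append(f"activeActive is set but only {n_ip} ipConfigurations")
    return findings

# Constructed sample output (not taken from a real subscription).
SAMPLE = json.loads("""
{"name": "MyVNetGateway", "provisioningState": "Updating",
 "gatewayType": "Vpn", "vpnType": "RouteBased",
 "sku": {"name": "VpnGw1"}, "activeActive": true,
 "bgpSettings": {"asn": 65010},
 "ipConfigurations": [{"name": "vnetGatewayConfig0"}]}
""")

if __name__ == "__main__":
    for line in audit_gateway(SAMPLE):
        print("FINDING:", line)
```

In practice, feed it the output of `az network vnet-gateway show --resource-group MyResourceGroup --name MyVNetGateway` parsed with `json.load`.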

Configure Connections

After the gateway is provisioned, create connections to on‑premises sites, other VNets, or point‑to‑site clients.

Monitoring & Diagnostics

  • Enable Network Watcher for packet captures and topology.
  • Use Azure Monitor metrics: VpnTunnelIngressBytes, VpnTunnelEgressBytes, GatewayCpuUtilization.
  • Set up alerts for gateway health and connection status.

FAQ

What is the difference between active‑active and active‑standby?

Active‑active deploys two gateway instances in the same region, providing load‑balancing and higher throughput. Active‑standby provides redundancy with a primary instance handling traffic while the secondary remains idle until a failover occurs.

Can I attach a Virtual Network Gateway to multiple Virtual WAN hubs?

No. A gateway can be associated with only one Virtual WAN hub at a time. To connect to multiple hubs, deploy separate gateways in each hub’s virtual network.