VPN Gateway in Azure Virtual WAN
This document provides a comprehensive guide to understanding and configuring VPN Gateways within Azure Virtual WAN. Learn how to establish secure and scalable connections between your on-premises networks, other Azure VNets, and remote users.
What is a VPN Gateway?
A VPN gateway is a gateway deployed inside a Virtual WAN hub that terminates IPsec/IKE tunnels. Virtual WAN uses separate gateways for its two VPN scenarios:
- Site-to-Site VPN: Connecting your on-premises VPN devices (branches) to a Virtual WAN hub over IPsec/IKE tunnels.
- Point-to-Site (User) VPN: Enabling remote users to connect securely to your Virtual WAN hub using VPN clients.
Azure Virtual Networks do not need a VPN gateway to reach the hub: they attach through hub virtual network connections, and traffic between a VNet and a VPN-connected site or user is routed through the hub.
Key Features and Benefits
- Centralized Management: Manage all your VPN connections from a single point within the Virtual WAN hub.
- Scalability: Built to handle large-scale network deployments with high throughput.
- High Availability: Redundant instances ensure continuous connectivity.
- Global Reach: Leverage Azure's global network for reliable connections.
- Security: Industry-standard encryption protocols (IPsec/IKE) to protect your data in transit.
Configuring a VPN Gateway
Configuring a VPN gateway involves several steps, which you can perform in the Azure portal, Azure CLI, or Azure PowerShell. You'll need to:
- Create a Virtual WAN: If you haven't already, provision a Virtual WAN resource (Standard SKU for VPN gateways in a hub).
- Create a Virtual Hub: Deploy a Virtual Hub within your Virtual WAN, with an address prefix that does not overlap your on-premises or VNet ranges.
- Add a VPN Gateway to the Hub: Select the "VPN gateway" option within your Virtual Hub.
- Configure Gateway Scale Units: Choose the scale unit count based on your throughput requirements (one scale unit provides 500 Mbps of aggregate throughput; the count can be changed later).
- Establish Connections: Create Site-to-Site connections to your VPN sites, Point-to-Site (User VPN) configurations for remote users, and virtual network connections for your VNets.
Site-to-Site VPN Configuration
To connect your on-premises network, you first describe it as a "VPN site" in your Virtual WAN. A site defines:
- The public IP address (or FQDN) of your on-premises VPN device.
- The address spaces of your on-premises network that should be reachable through the tunnel.
You then create a connection from the Virtual Hub VPN gateway to this site. The pre-shared key (PSK) used to authenticate the IKE exchange is set on the connection, not on the site; if you leave it empty, Azure generates one. After the connection is created, download the VPN configuration file for the site from the Virtual WAN resource. It contains the Azure gateway's public IP addresses (one per gateway instance), the PSK, and the IPsec parameters you need to configure your on-premises device. Treat that file as a secret: it carries the PSK in clear text.
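The following Azure PowerShell script is an added example, not code from the original page or from Microsoft's documentation. It walks through the whole procedure above (Virtual WAN, hub, site-to-site VPN gateway, VPN site, connection, device configuration export) with the Az.Network module. Resource names, the region, the address spaces, the on-premises device IP and the storage SAS URL are placeholders that you must replace. Two practitioner choices are built in: the PSK is generated from a cryptographic random source rather than typed, and the IKE/IPsec policy is pinned so the tunnel cannot negotiate weaker algorithms.

```powershell
# Added example (not from the original page). Requires Connect-AzAccount first.
$rg       = "rg-vwan-demo"   # assumed resource group (must already exist)
$loc      = "westeurope"     # assumed region
$vwanName = "vwan-demo"
$hubName  = "hub-weu"

# 1. Virtual WAN. Standard SKU is required for VPN gateways in a hub;
#    branch-to-branch lets two VPN sites reach each other through the hub.
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name $vwanName -Location $loc `
    -VirtualWANType Standard -AllowBranchToBranchTraffic

# 2. Virtual hub. Its prefix must not overlap on-premises or VNet ranges.
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name $hubName -Location $loc `
    -VirtualWan $vwan -AddressPrefix "10.200.0.0/23"

# 3. Site-to-site VPN gateway in the hub. One scale unit = 500 Mbps aggregate.
$gw = New-AzVpnGateway -ResourceGroupName $rg -Name "vpngw-$hubName" `
    -VirtualHubName $hubName -VpnGatewayScaleUnit 2

# 4. VPN site describing the on-premises device (placeholder IP and prefixes).
$site = New-AzVpnSite -ResourceGroupName $rg -Name "site-branch1" -Location $loc `
    -VirtualWan $vwan -IpAddress "203.0.113.10" `
    -AddressSpace "192.168.10.0/24","192.168.20.0/24" `
    -DeviceVendor "ExampleVendor" -DeviceModel "ExampleModel" -LinkSpeedInMbps 200

# 5. Generate the PSK: 32 random bytes, base64 -> 44 printable ASCII characters,
#    inside Azure's 1-128 character limit and free of spaces and hyphens.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pskPlain = [Convert]::ToBase64String($bytes)
$psk = ConvertTo-SecureString $pskPlain -AsPlainText -Force

# 6. Pin the IKE/IPsec proposal instead of accepting the default list.
#    GCM encryption must be paired with GCM "integrity" of the same strength.
$ipsec = New-AzIpsecPolicy -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 `
    -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup14 -PfsGroup PFS2048

# 7. Connection from the hub gateway to the site. The PSK belongs here.
$conn = New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw.Name `
    -Name "conn-branch1" -VpnSite $site -SharedKey $psk `
    -VpnConnectionProtocolType IKEv2 -IpSecPolicy $ipsec -ConnectionBandwidthInMbps 200

# 8. Export the device configuration (gateway public IPs, PSK, IPsec parameters)
#    as JSON to a blob. $sasUrl is an assumed write-capable SAS URL; the file
#    contains the PSK in clear text, so keep the container private and short-lived.
$sasUrl = "https://<storage>.blob.core.windows.net/<container>/branch1.json?<sas>"
Get-AzVirtualWanVpnConfiguration -Name $vwanName -ResourceGroupName $rg `
    -StorageSasUrl $sasUrl -VpnSite $site
```

Hand `$pskPlain` to the device administrator out of band, then clear it from the session (`Remove-Variable pskPlain`); both gateway instance IPs in the exported file should be configured on the device so the tunnel survives an instance failover.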
Point-to-Site VPN Configuration
Remote user access uses a Point-to-Site (User VPN) gateway in the hub, which is a separate gateway from the site-to-site VPN gateway, together with a VPN server configuration that the gateway references. Configuring it includes:
- Defining the address pool for VPN clients, which must not overlap the hub, VNet, or on-premises address spaces.
- Specifying the tunnel protocol and authentication method in the VPN server configuration (e.g., Azure Active Directory, now Microsoft Entra ID, with OpenVPN; RADIUS; or native Azure certificates).
- Generating the VPN client profile package from the Virtual WAN and distributing it to your users.
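As an added example (not from the original page or Microsoft's documentation), the script below builds the Point-to-Site pieces described above with Az.Network: a VPN server configuration that authenticates users against Microsoft Entra ID over OpenVPN, a Point-to-Site gateway in the hub that uses it, and the client profile download. The tenant ID, resource names and address pool are placeholders; it assumes the resource group, Virtual WAN and hub from the site-to-site section already exist.

```powershell
# Added example (not from the original page). Requires Connect-AzAccount first.
$rg       = "rg-vwan-demo"   # assumed resource group
$loc      = "westeurope"     # assumed region
$vwanName = "vwan-demo"      # existing Virtual WAN
$hubName  = "hub-weu"        # existing hub
$tenantId = "00000000-0000-0000-0000-000000000000"   # placeholder Entra tenant ID

# Application ID of the Microsoft-registered "Azure VPN" client in the public
# cloud; the gateway only accepts tokens whose audience matches it.
$azureVpnClientAppId = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

# 1. VPN server configuration: OpenVPN + Entra ID authentication.
$cfg = New-AzVpnServerConfiguration -ResourceGroupName $rg -Name "p2s-cfg-entra" `
    -Location $loc -VpnProtocol OpenVPN -VpnAuthenticationType AAD `
    -AadTenant   "https://login.microsoftonline.com/$tenantId" `
    -AadAudience $azureVpnClientAppId `
    -AadIssuer   "https://sts.windows.net/$tenantId/"

# 2. Point-to-site gateway in the hub (separate from the S2S gateway).
#    The client pool must not overlap the hub, VNet or branch prefixes.
$p2s = New-AzP2sVpnGateway -ResourceGroupName $rg -Name "p2sgw-$hubName" `
    -VirtualHubName $hubName -VpnGatewayScaleUnit 1 `
    -VpnClientAddressPool "10.250.0.0/24" -VpnServerConfiguration $cfg

# 3. Generate the client profile. ProfileUrl is a time-limited download link
#    to the zip that users import into the Azure VPN client.
$clientProfile = Get-AzVirtualWanVpnServerConfigurationVpnProfile `
    -Name $vwanName -ResourceGroupName $rg `
    -VpnServerConfiguration $cfg -AuthenticationMethod EapTls
$clientProfile.ProfileUrl
```

With Entra ID authentication, revoking a user's access is done in the directory (disabling the account or removing the assignment on the Azure VPN enterprise application) rather than by rotating gateway certificates, which is the main operational reason to prefer it over native certificate authentication for a user population of any size.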
Monitoring and Troubleshooting
Azure Virtual WAN provides robust monitoring capabilities for your VPN gateways and connections. You can view:
- Connection status
- Traffic utilization
- Tunnel health
- Event logs
Use Azure Monitor and Network Watcher for in-depth diagnostics and troubleshooting.
Limitations and Considerations
While powerful, VPN gateways have certain considerations:
- Aggregate throughput is determined by the selected number of scale units.
- A hub's site-to-site VPN gateway supports a maximum of 1000 IPsec tunnels.
- Ensure your on-premises network and VPN device have adequate bandwidth to support the VPN traffic.
For detailed configuration steps and advanced scenarios, refer to the following resources: