Azure Virtual Network Gateways
This documentation provides comprehensive information on Azure Virtual Network (VNet) Gateways, a crucial component for connecting your Azure virtual networks to on-premises networks or other Azure regions.
Azure VNet gateways carry traffic between an Azure virtual network and an on-premises location, and between Azure virtual networks. With a VPN gateway that traffic is encrypted and crosses the public Internet; with an ExpressRoute gateway it travels over a private circuit instead.
Types of VNet Gateways
Azure offers two primary types of VNet gateways:
1. VPN Gateway
A VPN gateway is used to send encrypted traffic between your virtual network and an on-premises location. This connection is established over the public internet.
- Site-to-Site (S2S) VPN: Connects your on-premises network to Azure.
- Point-to-Site (P2S) VPN: Connects individual client devices to your virtual network.
- VNet-to-VNet VPN: Connects two or more Azure virtual networks.
2. ExpressRoute Gateway
An ExpressRoute gateway provides a private, dedicated connection between your on-premises network and Azure. This connection bypasses the public internet, offering higher reliability, higher bandwidth, and lower latency.
- ExpressRoute connection: Leverages a network service provider to establish a private connection.
Key Concepts and Features
Connection Topologies
VNet gateways support various connection topologies to suit different needs:
| Topology | Description | Use Case |
|---|---|---|
| Site-to-Site | Connects an on-premises network to an Azure VNet. | Hybrid cloud deployments, extending on-premises resources to Azure. |
| Point-to-Site | Connects individual client devices to an Azure VNet. | Remote access for employees, secure access to Azure resources. |
| VNet-to-VNet | Connects multiple Azure VNets. | Interconnecting VNets within the same or different regions for distributed applications. |
| ExpressRoute | Private connection from on-premises to Azure. | High-performance, reliable, and secure connectivity for critical workloads. |
Gateway SKUs
Azure VNet gateways come in various SKUs, each offering different performance levels, connection limits, and features. Choosing the right SKU depends on your bandwidth requirements, number of connections, and desired throughput.
Common SKUs include:
- Basic
- VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5
- UltraPerformance (for ExpressRoute)
- ErGw1AZ, ErGw2AZ, ErGw3AZ (for ExpressRoute)
Refer to the official VPN Gateway SKU documentation for detailed specifications.
Gateway Types
When creating a VNet gateway, you must choose between a VPN type and an ExpressRoute type.
- Vpn: For VPN gateways.
- ExpressRoute: For ExpressRoute gateways.
Creating a VNet Gateway
You can create a VNet gateway using the Azure portal, Azure CLI, PowerShell, or ARM templates. The process typically involves the following steps:
- Provision a GatewaySubnet: A dedicated subnet named GatewaySubnet is required within your virtual network.
- Configure Gateway IP Address: A public IP address is associated with the gateway.
- Select Gateway Type and SKU: Choose between VPN and ExpressRoute, and select the appropriate SKU.
- Define Virtual Network Gateway: Configure the gateway settings, including the connection type.
Azure CLI Example: Creating a VPN Gateway
This example creates a route-based VPN gateway with the VpnGw1 SKU. It assumes the resource group, the virtual network MyVnet (containing a subnet named GatewaySubnet) and the public IP resource MyVpnGatewayPip already exist; gateway creation can take a considerable time to complete.

```shell
# Prerequisites: resource group MyResourceGroup, VNet MyVnet with a GatewaySubnet,
# and public IP MyVpnGatewayPip must already exist. Replace YOUR_SUBSCRIPTION_ID.
az network vnet-gateway create \
  --name MyVpnGateway \
  --resource-group MyResourceGroup \
  --location eastus \
  --sku VpnGw1 \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --vnet /subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet \
  --public-ip-address MyVpnGatewayPip
```
Connecting to Your VNet Gateway
Once the gateway is provisioned, you can establish connections:
Site-to-Site Connections
Configure your on-premises VPN device to connect to the Azure VPN gateway's public IP address. Ensure you use a shared key and matching encryption/hashing algorithms.
Point-to-Site Connections
Configure the P2S connection settings on your VNet gateway. You'll then download a VPN client package that users can install on their devices to connect to Azure.
VNet-to-VNet Connections
Create a connection resource on each VNet gateway, specifying the gateway it connects to and a shared secret.
Site-to-Site VPN Configuration Details
To establish a Site-to-Site VPN connection:
- Create a Local Network Gateway: This represents your on-premises network, including its IP address space and the BGP peer IP address of your VPN device.
- Create a VPN Connection: On the Azure VPN gateway, create a connection resource. Specify the connection type as IPsec, link it to the Local Network Gateway, and provide a shared key.
- Configure On-Premises VPN Device: Configure your VPN device to establish an IPsec tunnel to the public IP address of the Azure VPN gateway. Ensure the Pre-Shared Key (PSK), encryption, hashing, and Diffie-Hellman group settings match those configured in Azure.
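The three Site-to-Site steps above as one Azure CLI script. This is an added example, not code from the original page or from Microsoft: MyResourceGroup, MyVpnGateway and eastus come from the page, while the names OnPremLng and OnPremToAzure, the on-premises addresses and the ASN are hypothetical. The script pins an explicit IKE/IPsec proposal on the Azure side so the device administrator has exact values to match, reads the PSK from an environment variable or generates one, and never prints it: with DRY_RUN=1 (the default) every command is printed instead of executed, with the shared key redacted.

```shell
#!/bin/sh
# Added example, not part of the original page: the Site-to-Site steps as an Azure CLI
# script. MyResourceGroup, MyVpnGateway and eastus come from the page; OnPremLng,
# OnPremToAzure and all on-premises values are hypothetical.
# DRY_RUN=1 (the default) prints each command instead of executing it.
set -eu

RG="${RG:-MyResourceGroup}"
LOCATION="${LOCATION:-eastus}"
VNET_GW="${VNET_GW:-MyVpnGateway}"
LNG_NAME="${LNG_NAME:-OnPremLng}"
CONN_NAME="${CONN_NAME:-OnPremToAzure}"
DRY_RUN="${DRY_RUN:-1}"

# run: execute the command, or in dry-run mode print it with the value following
# --shared-key replaced, so the PSK never lands in a log or the terminal history.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    out=""; prev=""
    for arg in "$@"; do
      if [ "$prev" = "--shared-key" ]; then arg="<redacted>"; fi
      out="$out $arg"; prev="$arg"
    done
    printf '%s\n' "${out# }"
  else
    "$@"
  fi
}

# Random PSK of 32 alphanumeric characters (Azure accepts 1-128 printable ASCII characters).
generate_psk() {
  head -c 96 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 32
}

# Step 1: the local network gateway is Azure's record of the on-premises site: the VPN
# device's public IP, the prefixes declared behind it and its BGP ASN and peer address.
# With BGP the reachable prefixes are learned dynamically, so only the /32 host route
# of the BGP peer needs to be declared here.
create_local_network_gateway() {
  device_ip="$1"; prefixes="$2"; asn="$3"; bgp_peer="$4"
  # $prefixes is intentionally unquoted: it is a space-separated list of CIDRs.
  run az network local-gateway create \
    --resource-group "$RG" --location "$LOCATION" --name "$LNG_NAME" \
    --gateway-ip-address "$device_ip" --local-address-prefixes $prefixes \
    --asn "$asn" --bgp-peering-address "$bgp_peer"
}

# Step 2: the IPsec connection linking the VPN gateway to the local network gateway.
# The PSK arrives as a parameter, never as a literal in the script.
create_connection() {
  psk="$1"
  run az network vpn-connection create \
    --resource-group "$RG" --location "$LOCATION" --name "$CONN_NAME" \
    --vnet-gateway1 "$VNET_GW" --local-gateway2 "$LNG_NAME" \
    --shared-key "$psk" --enable-bgp
}

# Pin an explicit IKE/IPsec proposal on the Azure side so that step 3 (configuring the
# device) has exact encryption, integrity and DH/PFS values to match.
set_ipsec_policy() {
  run az network vpn-connection ipsec-policy add \
    --resource-group "$RG" --connection-name "$CONN_NAME" \
    --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
    --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-max-size 102400000
}

# Once step 3 is done on the device, the connection should report "Connected".
show_connection_status() {
  run az network vpn-connection show --resource-group "$RG" --name "$CONN_NAME" \
    --query connectionStatus --output tsv
}

main() {
  # Supply your own key via AZURE_S2S_PSK (e.g. from a secret manager) or generate one.
  psk="${AZURE_S2S_PSK:-$(generate_psk)}"
  create_local_network_gateway 203.0.113.10 "10.1.255.254/32" 65010 10.1.255.254
  create_connection "$psk"
  set_ipsec_policy
  show_connection_status
}

main
```

Run it as-is to review the commands, then with `DRY_RUN=0` (after `az login`) to create the resources; the same PSK and the same IKE/IPsec values must then be entered on the on-premises device.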
Important: Ensure your on-premises VPN device is compatible with Azure VPN gateways. Refer to the list of compatible VPN devices.
Common Troubleshooting Tips for VNet Gateways
Connection Issues: Verify IP address spaces, subnet configurations, and shared keys. Ensure firewall rules on both ends allow traffic.
Performance Bottlenecks: Check the SKU of your VNet gateway. If you're exceeding the throughput limits, consider upgrading to a higher SKU.
BGP Configuration: If using BGP for dynamic routing, ensure the BGP peer IP addresses and ASNs are correctly configured on both Azure and your on-premises network.
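A script that turns the three troubleshooting items above into a side-by-side check of what Azure has configured against what the on-premises administrator reports for the device. This is an added example, not code from the original page or from Microsoft: MyResourceGroup comes from the page, while OnPremLng, OnPremToAzure and the DEVICE_* values are hypothetical, constructed inputs. It pulls each Azure-side value with a JMESPath query, compares field by field (IKE/IPsec proposal, device public IP, declared prefixes, ASN and BGP peer) and reports the connection status, so a mismatch is named explicitly instead of being inferred from a tunnel that simply never comes up.

```shell
#!/bin/sh
# Added example, not part of the original page: consistency checks for a Site-to-Site
# connection. MyResourceGroup comes from the page; OnPremLng, OnPremToAzure and the
# DEVICE_* values (what the on-premises admin says the VPN device is configured with)
# are hypothetical, constructed inputs.
set -eu

RG="${RG:-MyResourceGroup}"
LNG_NAME="${LNG_NAME:-OnPremLng}"
CONN_NAME="${CONN_NAME:-OnPremToAzure}"

# Field order used for every comparison below.
POLICY_FIELDS="ikeEncryption ikeIntegrity dhGroup ipsecEncryption ipsecIntegrity pfsGroup saLifeTimeSeconds"
SITE_FIELDS="deviceIp addressPrefixes asn bgpPeerIp"

# Constructed device-side values, in the same field order (prefixes comma-joined).
DEVICE_POLICY="AES256 SHA256 DHGroup14 GCMAES256 GCMAES256 PFS2048 27000"
DEVICE_SITE="203.0.113.10 10.1.255.254/32 65010 10.1.255.254"

# Azure-side values, pulled with JMESPath so each result is one space-separated line.
fetch_azure_policy() {
  az network vpn-connection show --resource-group "$RG" --name "$CONN_NAME" \
    --query "ipsecPolicies[0].[ikeEncryption,ikeIntegrity,dhGroup,ipsecEncryption,ipsecIntegrity,pfsGroup,saLifeTimeSeconds]" \
    --output tsv | tr '\t' ' '
}
fetch_azure_site() {
  az network local-gateway show --resource-group "$RG" --name "$LNG_NAME" \
    --query "[gatewayIpAddress, join(',', localNetworkAddressSpace.addressPrefixes), bgpSettings.asn, bgpSettings.bgpPeeringAddress]" \
    --output tsv | tr '\t' ' '
}

# compare_fields "<field names>" "<azure line>" "<device line>"
# Prints one verdict per field and returns the number of mismatching fields (0 = consistent).
compare_fields() {
  fields="$1"; azure_line="$2"; device_line="$3"
  mismatches=0; i=1
  for field in $fields; do
    a="$(printf '%s\n' "$azure_line" | cut -d' ' -f"$i")"
    d="$(printf '%s\n' "$device_line" | cut -d' ' -f"$i")"
    if [ "$a" = "$d" ]; then
      printf 'OK        %-18s %s\n' "$field" "$a"
    else
      printf 'MISMATCH  %-18s azure=%s device=%s\n' "$field" "$a" "$d"
      mismatches=$((mismatches + 1))
    fi
    i=$((i + 1))
  done
  return "$mismatches"
}

# Run every check against the live connection; the return value is the total number of
# mismatches, so 0 means the two sides agree and the fault lies elsewhere (firewall
# rules in the path, device state, SKU throughput limits).
run_checks() {
  total=0
  azure_policy="$(fetch_azure_policy)"
  if [ -z "$azure_policy" ]; then
    echo "No custom IPsec/IKE policy on $CONN_NAME: Azure negotiates from its default proposals; compare the device against those instead."
  else
    compare_fields "$POLICY_FIELDS" "$azure_policy" "$DEVICE_POLICY" || total=$((total + $?))
  fi
  compare_fields "$SITE_FIELDS" "$(fetch_azure_site)" "$DEVICE_SITE" || total=$((total + $?))
  status="$(az network vpn-connection show --resource-group "$RG" --name "$CONN_NAME" \
    --query connectionStatus --output tsv)"
  printf 'connectionStatus: %s (expect Connected once the tunnel is up)\n' "$status"
  return "$total"
}

# Only talk to Azure when asked, so the comparison logic can be exercised offline.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  run_checks
fi
```

Run with `RUN_CHECKS=1` after `az login`; the exit status is the mismatch count, which makes the script usable as a pre-flight check in a pipeline.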
Monitoring and Management
Azure Monitor and Azure Network Watcher provide tools to monitor the health, performance, and connectivity of your VNet gateways. You can view metrics like bandwidth usage, connection status, and latency, and diagnose network issues effectively.