Overview of Azure VPN Gateway
Azure VPN Gateway is a service that enables you to create and manage VPN gateways in Azure. These gateways are the endpoints for VPN connections that encrypt traffic traversing a public network, such as the Internet. Azure VPN Gateway supports several types of VPNs to connect your on-premises networks to your Azure virtual networks (VNets).
Key features include:
- Secure connectivity between Azure and your on-premises data centers.
- Site-to-site (S2S) VPN connections.
- Point-to-site (P2S) VPN connections.
- Cross-premises connectivity with network segmentation.
- High availability and redundancy.
Types of VPN Gateways
Azure offers two primary types of VPN gateways:
1. Route-based VPN Gateway
Route-based VPN gateways are the recommended type for most scenarios. They use dynamic routing (BGP) and support a wider range of configurations, including multiple S2S connections and VNet-to-VNet connections.
2. Policy-based VPN Gateway
Policy-based VPN gateways use static routing and are simpler to configure for basic S2S connections. They are suitable for connecting to older on-premises devices that do not support BGP.
SKUs and Performance
Azure VPN Gateway offers various SKUs, each providing different levels of performance, features, and connection limits. Choosing the right SKU depends on your bandwidth requirements, number of connections, and desired throughput.
- Basic: Entry-level SKU for testing and development.
- VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5: Offer progressively higher performance and throughput.
- VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ: Zone-redundant versions for higher availability.
For detailed specifications on throughput and connection limits for each SKU, refer to the official Azure VPN Gateway documentation.
Creating a VPN Gateway
You can create a VPN Gateway using the Azure portal, Azure CLI, PowerShell, or ARM templates.
Using Azure CLI:
The following is a simplified example of creating a route-based VPN gateway:
az network vpn-gateway create \
--resource-group MyResourceGroup \
--name VpnGateway1 \
--location eastus \
--sku VpnGw1 \
--vpn-gateway-type RouteBased \
--connect-vnet MyVNet \
--public-ip-address VpnGatewayPip
Configuration
Configuring a VPN gateway involves several key steps:
- Create a Virtual Network Gateway: Define the gateway type, SKU, and region.
- Create a Public IP Address: Assign a static public IP address to the gateway.
- Create a Local Network Gateway: Represent your on-premises network configuration.
- Create a Connection: Link the Virtual Network Gateway and the Local Network Gateway, defining the shared key for authentication.
Site-to-Site (S2S) VPN Configuration
For S2S VPNs, you'll configure your on-premises VPN device to establish a tunnel with the Azure VPN Gateway. Ensure that the IP addresses and pre-shared keys match on both ends.
Point-to-Site (P2S) VPN Configuration
P2S VPNs allow individual clients to connect to your VNet. This typically involves generating client certificates and configuring the gateway to use them for authentication. Clients then use the Azure VPN client software to connect.
Monitoring and Troubleshooting
Azure provides robust tools for monitoring your VPN gateway's health and performance.
- Azure Monitor: Track metrics such as connection status, bandwidth usage, and packet loss.
- Connection Troubleshooter: Use built-in tools to diagnose connectivity issues.
- Gateway Diagnostics: Access logs and detailed information about gateway events.
Best Practices
- Choose the appropriate SKU for your performance needs.
- Utilize route-based VPN gateways for flexibility and advanced features.
- Implement VNet-to-VNet connectivity for securely connecting multiple VNets.
- Leverage ExpressRoute with VPN Gateway coexistence for hybrid cloud scenarios.
- Regularly monitor gateway performance and alerts.
- Keep on-premises VPN device firmware up-to-date.