Azure VPN Gateway
The Azure VPN Gateway connects your on‑premises networks to Azure through site‑to‑site VPN tunnels, point‑to‑site VPN, and VNet‑to‑VNet connections. It provides high‑availability, scalability, and built‑in security.
Getting Started
Prerequisites
- Azure subscription with
OwnerorContributorrole. - Public IP address for your on‑premises VPN appliance.
- Supported VPN device configuration (Cisco, Juniper, etc.).
Deploy a VPN Gateway
Use the Azure portal or Azure CLI to create a gateway.
# Azure CLI example
az network vnet create \
--resource-group MyResourceGroup \
--name MyVNet \
--address-prefix 10.0.0.0/16 \
--subnet-name GatewaySubnet \
--subnet-prefix 10.0.255.0/27
az network public-ip create \
--resource-group MyResourceGroup \
--name MyGatewayIP \
--allocation-method Dynamic
az network vnet-gateway create \
--resource-group MyResourceGroup \
--name MyVPNGateway \
--public-ip-address MyGatewayIP \
--vnet MyVNet \
--gateway-type Vpn \
--vpn-type RouteBased \
--sku VpnGw1 \
--location eastus
Key Features
| Feature | Description |
|---|---|
| Route‑Based VPN | Supports dynamic routing and BGP. |
| Policy‑Based VPN | Static routing for legacy devices. |
| Active‑Active Mode | High‑availability with two tunnels. |
| Point‑to‑Site (P2S) | Secure remote access for individual devices. |
| VNet‑to‑VNet | Secure connectivity between Azure VNets. |
| ExpressRoute Integration | Hybrid connectivity with private peering. |
Pricing
Pricing varies by gateway SKU and usage. Refer to the Pricing page for detailed cost tables.
Configuration Guide
After deployment, configure the connection settings:
- Create a Local Network Gateway representing your on‑premises VPN appliance.
- Define a VPN Connection linking the Azure VPN Gateway and the Local Network Gateway.
- Download the generated VPN device configuration script.
Sample Local Network Gateway CLI
# Create local network gateway
az network local-gateway create \
--resource-group MyResourceGroup \
--name MyOnPremGateway \
--gateway-ip-address 203.0.113.10 \
--local-address-prefixes 10.1.0.0/16
Sample Connection CLI
# Create VPN connection
az network vpn-connection create \
--resource-group MyResourceGroup \
--name MyVPNConnection \
--vnet-gateway1 MyVPNGateway \
--shared-key MySharedKey123 \
--local-gateway2 MyOnPremGateway
Frequently Asked Questions
- Can I use BGP with Azure VPN Gateway? Yes. Route‑Based gateways support BGP for dynamic routing.
- What's the difference between Policy‑Based and Route‑Based? Policy‑Based uses static routes; Route‑Based supports dynamic routing and is required for most advanced scenarios.
- How do I enable active‑active mode? Deploy a gateway with SKU
VpnGw2or higher and set--type ActiveActiveduring creation.