Azure VPN Gateway Documentation

Overview

The Azure VPN Gateway connects an Azure virtual network to on‑premises networks through a secure IPsec/IKE VPN tunnel. It also supports point‑to‑site connections for individual client devices.

Supports Route‑Based (Dynamic) and Policy‑Based (Static) VPN types.
High availability with active‑active and active‑standby SKUs.
Built‑in Azure Monitor integration.

How it works

Azure VPN Gateway creates a highly available gateway resource in a specific subnet called GatewaySubnet. The gateway terminates VPN tunnels and routes traffic between Azure and the on‑premises network.

Configuration

Create a VPN gateway

Create a GatewaySubnet in the virtual network.
Provision a VPN gateway resource (choose SKU).
Configure a local network gateway representing your on‑premises VPN device.
Establish a site‑to‑site connection.

# Azure CLI example
az network vnet create \
  --resource-group MyResourceGroup \
  --name MyVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name GatewaySubnet \
  --subnet-prefix 10.0.255.0/27

az network public-ip create \
  --resource-group MyResourceGroup \
  --name MyVpnGatewayIP \
  --allocation-method Dynamic

az network vpn-gateway create \
  --resource-group MyResourceGroup \
  --name MyVpnGateway \
  --public-ip-address MyVpnGatewayIP \
  --vnet MyVNet \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1 \
  --no-wait

Site‑to‑Site connection

# Create local network gateway
az network local-gateway create \
  --resource-group MyResourceGroup \
  --name MyOnPremGateway \
  --gateway-ip-address 203.0.113.1 \
  --address-prefixes 10.1.0.0/16

# Create the connection
az network vpn-connection create \
  --resource-group MyResourceGroup \
  --name MyConnection \
  --vnet-gateway1 MyVpnGateway \
  --local-gateway2 MyOnPremGateway \
  --shared-key MySecretKey

Monitoring & diagnostics

Enable diagnostics logs and metrics via Azure Monitor to track tunnel status, throughput, and connection health.

Metrics: TunnelIngressBytes, TunnelEgressBytes, P2SBandwidth, etc.
Logs: TunnelDiagnosticLog, TunnelDiagnosticLogError.

# PowerShell to enable diagnostics
$gw = Get-AzVirtualNetworkGateway -Name MyVpnGateway -ResourceGroupName MyResourceGroup
Set-AzDiagnosticSetting -ResourceId $gw.Id -WorkspaceId $workspaceId -Enabled $true -Logs @(
    @{category="TunnelDiagnosticLog"; enabled=$true}
) -Metrics @(
    @{category="AllMetrics"; enabled=$true}
)

Best practices

Use the latest VPN gateway SKU for improved throughput.
Deploy active‑active gateways for high availability.
Keep shared keys and certificates secure and rotate regularly.
Monitor connection health and set up alerts for tunnel failures.