VPN Gateway connection overview
What is a VPN Gateway connection?
A VPN Gateway connection enables secure communication between an Azure Virtual Network and an on‑premises network or another virtual network. It uses IPsec/IKE protocols to encrypt the traffic and can be configured for site‑to‑site, point‑to‑site, or VNet‑to‑VNet scenarios.
Key components
| Component | Description |
|---|---|
| VPN gateway | Azure resource that routes encrypted traffic to/from a virtual network. |
| Local network gateway | Represents the on‑premises VPN device and address space. |
| Connection | Defines the tunnel parameters, shared key, and routing type. |
| Gateway SKU | Specifies performance and features (VpnGw1, VpnGw2, etc.). |
Supported connection types
- Site‑to‑site (S2S): Azure ↔ on‑premises.
- Point‑to‑site (P2S): Individual client devices to Azure.
- VNet‑to‑VNet: Azure ↔ Azure VNet across regions or subscriptions.
Typical workflow
1. Create a virtual network and subnet for the gateway.
2. Deploy a VPN gateway (choose SKU and policy-based or route-based).
3. Define a local network gateway with your on‑premises address space.
4. Create a connection object linking both gateways.
5. Configure the on‑premises VPN device with the shared secret.
6. Verify connectivity with ping or tracert.
Sample ARM template snippet
```json
{
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2024-04-01",
  "name": "myVpnGateway",
  "location": "[resourceGroup().location]",
  "properties": {
    "gatewayType": "Vpn",
    "vpnType": "RouteBased",
    "sku": { "name": "VpnGw2", "tier": "VpnGw2" },
    "ipConfigurations": [
      {
        "name": "vnetGatewayConfig",
        "properties": {
          "subnet": { "id": "[variables('gatewaySubnetId')]" },
          "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses','myVpnPublicIP')]" }
        }
      }
    ]
  }
}
```
Best practices
- Use RouteBased gateways for most scenarios.
- Enable Active‑Active mode for high availability.
- Monitor health with Network Watcher.
- Apply Standard or HighPerformance SKUs based on throughput needs.
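The following is an added example, not Azure tooling or code from this page: a small policy-as-code linter that checks ARM resources of the kinds shown in the template snippet against the best practices listed above (RouteBased, Active-Active) and flags a pre-shared key written as a literal instead of a secureString parameter. It assumes the `activeActive`, `connectionType` and `sharedKey` property names from the ARM schema, the Azure requirement that the gateway subnet be named GatewaySubnet, and a constructed sample template with a deliberately weak key.

```python
import json
MIN_PSK_LEN = 32  # assumption: conservative floor for a literal pre-shared key

def lint_gateway(props: dict) -> list[str]:
    """Findings for a Microsoft.Network/virtualNetworkGateways 'properties' object."""
    findings = []
    if props.get("gatewayType") != "Vpn":
        findings.append("gatewayType must be 'Vpn'")
    if props.get("vpnType") != "RouteBased":
        findings.append("vpnType is not RouteBased")
    if not props.get("activeActive", False):
        findings.append("activeActive not enabled; no HA if the gateway instance fails")
    for cfg in props.get("ipConfigurations", []):
        sid = cfg.get("properties", {}).get("subnet", {}).get("id", "")
        # Azure requires the literal name GatewaySubnet; skip unresolved '[...]' expressions.
        if not sid.startswith("[") and not sid.endswith("/subnets/GatewaySubnet"):
            findings.append(f"ipConfiguration {cfg.get('name')!r} is not on GatewaySubnet")
    return findings

def lint_connection(props: dict) -> list[str]:
    """Findings for a Microsoft.Network/connections 'properties' object."""
    findings = []
    key = props.get("sharedKey")
    # A literal PSK ends up in source control and deployment history; reject it.
    if props.get("connectionType") == "IPsec" and key is not None and not key.startswith("["):
        findings.append("sharedKey is hard-coded; pass it as a secureString parameter")
        if len(key) < MIN_PSK_LEN:
            findings.append(f"sharedKey shorter than {MIN_PSK_LEN} characters")
    return findings

LINTERS = {"Microsoft.Network/virtualNetworkGateways": lint_gateway, "Microsoft.Network/connections": lint_connection}

def lint_template(template: str) -> dict[str, list[str]]:
    """Map each resource name to its findings; clean resources are omitted."""
    report = {}
    for res in json.loads(template).get("resources", []):
        linter = LINTERS.get(res.get("type"))
        findings = linter(res.get("properties", {})) if linter else []
        if findings:
            report[res["name"]] = findings
    return report

# Constructed sample: the page's gateway (no activeActive, wrong subnet) plus an S2S connection with a short literal PSK.
SAMPLE = json.dumps({"resources": [
    {"type": "Microsoft.Network/virtualNetworkGateways", "name": "myVpnGateway",
     "properties": {"gatewayType": "Vpn", "vpnType": "RouteBased", "ipConfigurations": [
         {"name": "vnetGatewayConfig", "properties": {"subnet": {"id":
          "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/FrontEnd"}}}]}},
    {"type": "Microsoft.Network/connections", "name": "toOnPrem",
     "properties": {"connectionType": "IPsec", "sharedKey": "abc123"}}]})
```

Running `lint_template(SAMPLE)` reports both resources; a gateway with `activeActive: true` and a `[variables(...)]` subnet reference, and a connection whose key is a `[parameters(...)]` reference, produce no findings.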