Microsoft Azure

Frequently Asked Questions - Azure VPN Gateway

What is Azure VPN Gateway?

Azure VPN Gateway is a service that you use to send encrypted traffic between your on-premises networks and Azure, or between two or more Azure virtual networks. Azure VPN Gateway provides the functionality of a VPN device, but without the need for you to manage the on-premises hardware or software.

What types of VPN connections can I create?

Azure VPN Gateway supports the following types of VPN connections:

  • Site-to-site (S2S) VPN: Connects your on-premises network to an Azure virtual network.
  • VNet-to-VNet VPN: Connects two or more Azure virtual networks together.
  • Point-to-site (P2S) VPN: Connects an individual client device to an Azure virtual network.

What are the different VPN Gateway SKUs?

Azure VPN Gateway offers several SKUs (Stock Keeping Units) to meet different performance and feature requirements. These include:

  • Basic: Entry-level SKU for dev/test and simple workloads.
  • VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5: General-purpose SKUs with increasing throughput and tunnel counts.
  • VpnGw1AZ, VpnGw2AZ, etc.: Zone-redundant versions of the general-purpose SKUs, providing high availability.
  • Basic (legacy): Older SKU, not recommended for new deployments.

Each SKU has specific limits on policy-based vs. route-based VPN tunnels, maximum throughput, and connection limits. Refer to the official Azure VPN Gateway documentation for detailed comparisons.

What is the difference between policy-based and route-based VPNs?

Policy-based VPNs use a predefined set of IP address ranges (traffic selectors) to define what traffic is encrypted and sent over the tunnel. They are simpler but less flexible and typically limited to 1 S2S connection per gateway.

Route-based VPNs use an IPsec tunnel interface and routing rules to determine traffic. They are more flexible, support dynamic routing protocols, and can establish multiple S2S connections over a single gateway. Route-based VPNs are generally recommended for most Azure deployments.

How do I configure a Site-to-Site VPN connection?

Configuring a S2S VPN connection involves several steps:

  1. Create an Azure VPN Gateway in your virtual network.
  2. Create a Local Network Gateway in Azure to represent your on-premises network.
  3. Create a Connection resource in Azure, linking the VPN Gateway and the Local Network Gateway, specifying the shared key.
  4. Configure your on-premises VPN device to establish a tunnel with Azure, matching the settings defined in the Azure connection.

For detailed instructions, please see the Site-to-Site VPN tutorial.
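The four steps above expressed with the Az PowerShell module, as an added example that is not part of the original FAQ. Resource group, region, resource names, the on-premises public IP (203.0.113.10) and the on-premises prefix (10.10.0.0/16) are assumed values; the VNet is assumed to already contain a GatewaySubnet. The example also pins a custom IKE/IPsec policy so that the proposal the on-premises device must match (step 4) is explicit rather than left to defaults.

```powershell
# Assumed names and addresses (replace with your own)
$rg  = "rg-vpn-example"
$loc = "eastus"

# Step 1: VPN gateway in the virtual network (route-based, VpnGw1).
# Needs the GatewaySubnet of the VNet and a Standard static public IP.
$vnet     = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$pip      = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $loc `
              -AllocationMethod Static -Sku Standard
$ipconf   = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" `
              -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 2: Local network gateway representing the on-premises site:
# its public VPN endpoint and the address space reachable behind it.
$lng = New-AzLocalNetworkGateway -Name "lng-onprem" -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress "203.0.113.10" -AddressPrefix @("10.10.0.0/16")

# Step 3: Connection. The shared key is generated from a CSPRNG rather than
# typed by hand; store it in a secret store and hand it to the device owner out of band.
$pskBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pskBytes)
$psk = [Convert]::ToBase64String($pskBytes)

# Explicit IKE/IPsec proposal (AES256, SHA256, DH group 14, PFS 2048) so the
# on-premises side has one unambiguous set of parameters to match.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
                 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
                 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-onprem" -ResourceGroupName $rg -Location $loc `
  -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
  -SharedKey $psk -IpsecPolicies $ipsecPolicy -UsePolicyBasedTrafficSelectors $false

# Step 4 happens on the on-premises device: configure a route-based (VTI) IKEv2
# tunnel to $pip.IpAddress with the same PSK and the proposal above.
# Verify from Azure once the device is configured:
Get-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-onprem" -ResourceGroupName $rg |
  Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

Gateway creation typically takes tens of minutes; run the later steps once `$gw.ProvisioningState` reports Succeeded.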

Can I connect multiple on-premises sites to Azure?

Yes, with route-based VPNs, you can connect multiple on-premises sites to a single Azure VPN Gateway. Each on-premises site will be represented by a Local Network Gateway in Azure.

What encryption and authentication protocols are supported?

Azure VPN Gateway supports IKEv1 and IKEv2 for key exchange, and IPsec for data encryption. Supported algorithms include AES256 for encryption, SHA256 for integrity, and a range of Diffie-Hellman groups for key agreement. For P2S VPNs, SSTP, IKEv2, and OpenVPN are supported.

It's crucial to ensure your on-premises VPN device is compatible with Azure's supported protocols and algorithms. You can find a list of compatible devices and configuration guidance in the VPN device documentation.

What is the maximum throughput for VPN Gateway?

The maximum throughput depends on the selected VPN Gateway SKU. Higher-tier SKUs offer significantly higher aggregate throughput for S2S connections.

For example, the VpnGw5 SKU can support up to 10 Gbps aggregate throughput for S2S connections, while the Basic SKU is limited to 100 Mbps. Always check the latest SKU specifications for precise limits.

How can I monitor my VPN Gateway connection?

Azure Monitor provides comprehensive monitoring capabilities for your VPN Gateway:

  • Metrics: Track key performance indicators like data in/out, tunnel status, and connection events.
  • Connection Diagnostics: Troubleshoot connectivity issues between your virtual network and on-premises network.
  • Azure Activity Log: View control plane operations performed on your VPN Gateway.
  • Diagnostic Logs: Collect detailed logs for in-depth analysis of gateway behavior.

What is the difference between VPN Gateway and ExpressRoute?

Azure VPN Gateway provides a secure, encrypted connection over the public internet. It's generally more cost-effective and quicker to set up.

Azure ExpressRoute provides a private, dedicated connection from your on-premises network to Azure, bypassing the public internet. It offers higher bandwidth, lower latency, and greater reliability but typically involves higher costs and longer setup times.