In this post, I’ll give an overview of Azure VPN services and illustrate what they are and what they can offer to your deployments.
VPNs, or Virtual Private Networks, are encrypted tunnels that carry traffic to another network over the internet. Inside a VPN connection the data traffic, and of course the client's source IP address, is encapsulated and protected from observers on the path.
VPN Types
MS Azure supports two VPN types: route-based VPN gateways and policy-based VPN gateways.
- Route-based (dynamic) VPN is the common choice because of its flexibility of configuration and control: routing decisions depend on the destination address of each packet. For route-based VPNs, the traffic selector (policy) is configured as any2any. An example of a route-based VPN is P2S.
- Policy-based VPN is used for VPN implementations that rely on specific rules or policies to determine which network traffic is allowed to pass over the VPN connection. An example of a policy-based VPN is S2S.
Info: As of October 1, 2023, Azure VPN Gateway no longer allows you to create a policy-based VPN gateway. Every new VPN gateway is created as a route-based gateway by default.
VPN Gateway Types
VPN Gateway Types: VPN (S2S, P2S, VNet2VNet) and ExpressRoute
- VPNs and ExpressRoute differ primarily in the path traffic takes: ExpressRoute uses a private connection to Azure that bypasses the public internet, providing a high-speed link through a connectivity provider, while a VPN gateway connects over the public internet to your on-premises network.
- Another significant difference between these two gateway types is security. A VPN gateway connection traverses the internet and therefore carries the potential security risks associated with internet traffic, whereas ExpressRoute offers a more reliable and secure connection over a private path.
Azure VPN Deploy Options
There are several options to deploy VPN in Azure: Virtual Network Gateways, Virtual WANs, 3rd Party Network Virtual Appliances
- Azure Virtual Network Gateways provide a private and secure connection between an on-premises network and an Azure virtual network.
- Azure Virtual WAN provides streamlined, highly automated branch-office connectivity into and across Azure.
- 3rd party Network Virtual Appliances (NVAs) are virtualized network services that can be provisioned in the Azure cloud or on-premises. These network services provide features that help expand the capabilities of the networks.
Info: There are a few differences between Virtual WAN and VPN Gateway that should be brought to your attention:
- Virtual WAN offers a hub-and-spoke topology, where branches connect to the Azure backbone through a single hub, whereas a VPN gateway provides P2S and S2S connections on a single gateway.
- Virtual WAN is built for large scale and can connect up to 1000 branch connections, whereas a VPN gateway is limited to 30 tunnels.
- In the Virtual WAN, the P2S and S2S gateways are distinct units.
For more details click this link: VPN Gateway vs WAN VPN gateway
Azure Virtual Network Gateway Encryption Standards
Azure VPN Gateway encryption standards are the algorithms and key strengths used for encrypting P2S and S2S VPNs.
- P2S VPN
- S2S VPN
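The encryption standards above are what Azure negotiates by default; on an S2S connection you can pin a custom IPsec/IKE policy so the gateway only offers the algorithms you choose. The script below is an added example, not code from the post or from Microsoft: it validates a proposed policy (refusing DES/3DES, MD5/SHA1, small DH and PFS groups, and a GCMAES cipher without the matching GCMAES integrity value, which Azure requires) and then builds the `az network vpn-connection ipsec-policy add` call that applies it. The resource group `rg-example`, the connection name `vpn-to-hq`, the SA lifetime and SA size values, and the list of algorithms treated as weak are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the post): validate a custom IPsec/IKE policy for an
# Azure S2S connection and emit the Azure CLI call that applies it.
# "rg-example" and "vpn-to-hq" are placeholder names, not values from the post.

# Algorithm names Azure accepts in a custom policy but which a hardened policy
# should refuse: legacy ciphers, legacy hashes and small DH/PFS groups
# (this selection is the example's own assumption).
WEAK_DH="DHGroup1 DHGroup2 None"
WEAK_IKE_ENC="DES DES3"
WEAK_IKE_INT="MD5 SHA1"
WEAK_IPSEC_ENC="DES DES3 None"
WEAK_IPSEC_INT="MD5 SHA1"
WEAK_PFS="PFS1 PFS2 None"

# in_list WORD "LIST": succeed when WORD appears in the space-separated LIST.
in_list() {
  needle="$1"
  for w in $2; do
    [ "$w" = "$needle" ] && return 0
  done
  return 1
}

# validate_policy DH IKE_ENC IKE_INT IPSEC_ENC IPSEC_INT PFS
# Succeeds for an acceptable policy; otherwise prints the first problem and fails.
validate_policy() {
  dh="$1"; ike_enc="$2"; ike_int="$3"; ipsec_enc="$4"; ipsec_int="$5"; pfs="$6"
  in_list "$dh" "$WEAK_DH"               && { echo "weak IKE DH group: $dh"; return 1; }
  in_list "$ike_enc" "$WEAK_IKE_ENC"     && { echo "weak IKE encryption: $ike_enc"; return 1; }
  in_list "$ike_int" "$WEAK_IKE_INT"     && { echo "weak IKE integrity: $ike_int"; return 1; }
  in_list "$ipsec_enc" "$WEAK_IPSEC_ENC" && { echo "weak IPsec encryption: $ipsec_enc"; return 1; }
  in_list "$ipsec_int" "$WEAK_IPSEC_INT" && { echo "weak IPsec integrity: $ipsec_int"; return 1; }
  in_list "$pfs" "$WEAK_PFS"             && { echo "weak or absent PFS group: $pfs"; return 1; }
  # Azure rule: a GCMAES IPsec cipher requires the same GCMAES value for integrity.
  case "$ipsec_enc" in
    GCMAES*)
      [ "$ipsec_int" = "$ipsec_enc" ] || {
        echo "GCMAES IPsec encryption needs matching integrity ($ipsec_enc)"; return 1; }
      ;;
  esac
  return 0
}

# build_policy_cmd RG CONNECTION DH IKE_ENC IKE_INT IPSEC_ENC IPSEC_INT PFS
# Prints the az command that attaches the policy to an existing S2S connection.
# SA lifetime (seconds) and SA size (KB) are assumed values; tune them to the peer device.
build_policy_cmd() {
  printf 'az network vpn-connection ipsec-policy add --resource-group %s --connection-name %s --dh-group %s --ike-encryption %s --ike-integrity %s --ipsec-encryption %s --ipsec-integrity %s --pfs-group %s --sa-lifetime 27000 --sa-max-size 102400000\n' \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

# apply_policy RG CONNECTION DH IKE_ENC IKE_INT IPSEC_ENC IPSEC_INT PFS
# Validates first; prints the command (dry run) unless AZ_APPLY=1, then runs it.
apply_policy() {
  rg="$1"; conn="$2"; shift 2
  validate_policy "$@" || return 1
  cmd=$(build_policy_cmd "$rg" "$conn" "$@")
  if [ "${AZ_APPLY:-0}" = "1" ]; then
    eval "$cmd"
  else
    echo "DRY RUN: $cmd"
  fi
}

# Demo (dry run): one hardened policy and one that the validator refuses.
apply_policy rg-example vpn-to-hq DHGroup24 AES256 SHA384 GCMAES256 GCMAES256 PFS24
apply_policy rg-example vpn-to-hq DHGroup2 DES3 SHA1 AES256 SHA256 PFS2 || echo "rejected as expected"
```

Run it as-is to see the generated command; set `AZ_APPLY=1` (with an authenticated `az` session) to actually attach the policy. The on-premises device must be configured with the same proposal, otherwise IKE negotiation fails and the tunnel never comes up.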
Gateway Stock Keeping Units (SKUs)
Gateway SKUs denote a specific gateway model; each SKU has its own feature set, capacity limits, performance level and price.
Generation1
VPN Gateway Gen | SKU | S2S/VNet2VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant | Supported Number of VMs in the Virtual Network |
---|---|---|---|---|---|---|---|---|
Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No | 200 |
Generation1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | No | 450 |
Generation1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | No | 1300 |
Generation1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No | 4000 |
Generation1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes | 1000 |
Generation1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes | 2000 |
Generation1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes | 5000 |
Generation2
VPN Gateway Gen | SKU | S2S/VNet2VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant | Supported Number of VMs in the Virtual Network |
---|---|---|---|---|---|---|---|---|
Generation2 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No | 685 |
Generation2 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No | 2240 |
Generation2 | VpnGw4 | Max. 100 | Max. 128 | Max. 5000 | 5 Gbps | Supported | No | 5300 |
Generation2 | VpnGw5 | Max. 100 | Max. 128 | Max. 10000 | 10 Gbps | Supported | No | 6700 |
Generation2 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes | 2000 |
Generation2 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes | 3300 |
Generation2 | VpnGw4AZ | Max. 100 | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes | 4400 |
Generation2 | VpnGw5AZ | Max. 100 | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes | 9000 |
Deploy VPNs
After reading the key information about VPNs above, you can find useful links for deploying VPN tunnels below.
VPN Gateway documentation
- Create and manage a VPN gateway using the Azure portal
- Create a site-to-site VPN connection in the Azure portal
- Configure an Always On VPN user tunnel
- Configure an Always On VPN device tunnel
Virtual WAN documentation
- Create a P2S User VPN connection using Azure Virtual WAN
- Create a site-to-site connection using Azure Virtual WAN
- Create a P2S User VPN connection using Azure Virtual WAN – Microsoft Entra authentication
- How to create a Network Virtual Appliance in an Azure Virtual WAN hub
ExpressRoute documentation
- Create and modify an ExpressRoute circuit
- Create and modify peering for an ExpressRoute circuit using the Azure portal
- Configure a virtual network gateway for ExpressRoute using the Azure portal
- Connect a virtual network to an ExpressRoute circuit using the Azure portal
General Concepts
- Site-to-site VPN
- Point-to-site VPN
- VNet-to-VNet connections (IPsec/IKE VPN tunnel)
- VNet peering
- Deployment models and methods for S2S and ExpressRoute coexist
VPN Devices
The link below redirects you to the official Microsoft documentation, which lists the Microsoft-validated VPN devices for setting up an S2S cross-premises VPN connection.
Validated VPN devices and device configuration guides