In this post, I’ll give an overview of Azure VPN services and illustrate what they are and what they can offer to your deployments.

A VPN (Virtual Private Network) is an encrypted tunnel that carries traffic to another network across the public internet. Inside the tunnel the payload is encrypted and the internal source and destination addresses are hidden from the transit network; only the public addresses of the two tunnel endpoints are visible on the wire.

VPN Types

Microsoft Azure supports two VPN types: route-based and policy-based VPN gateways.

  • Route-based (dynamic) VPN is the common choice because of its flexibility: which traffic enters the tunnel is decided by routing, that is, by the destination address of each packet, not by static rules. The IPsec traffic selectors are configured as any-to-any (wildcards) and the gateway negotiates with IKEv2. Point-to-Site (P2S), VNet-to-VNet and multi-site connections all require a route-based gateway.
  • Policy-based VPN selects traffic with explicit rules (traffic selectors that list the on-premises and Azure address prefixes) which determine what is allowed to pass over the tunnel. The gateway negotiates with IKEv1, is available on the Basic SKU only, and supports a single Site-to-Site (S2S) tunnel, so S2S is the one connection type you can build on a policy-based gateway.

Info: As of October 1, 2023 the Azure portal no longer lets you create a policy-based VPN gateway; every new gateway created there is route-based by default. Existing policy-based gateways are not affected.

VPN Gateway Types

VPN Gateway Types: VPN (S2S, P2S, VNet-to-VNet) and ExpressRoute

Every Azure virtual network gateway is created with one of two gateway types, Vpn or ExpressRoute, and the two differ mainly in transport and in what protects the traffic:

  • A VPN gateway connects to your on-premises network over the public internet inside an IPsec/IKE tunnel, whereas an ExpressRoute gateway terminates a private circuit from a connectivity provider that bypasses the public internet and offers higher, more predictable bandwidth.
  • The security trade-off is different from what the names suggest. A VPN gateway is reachable from the internet, so its IKE policy and the authentication used for P2S clients must be hardened, but its traffic is always encrypted. An ExpressRoute circuit is private and not exposed to internet traffic, yet its private-peering traffic is not encrypted by default; if the data needs confidentiality in transit, add IPsec on top (for example an S2S VPN running over the ExpressRoute circuit) or use MACsec on ExpressRoute Direct.

Azure VPN Deploy Options

There are several options to deploy a VPN in Azure: Virtual Network Gateways, Virtual WAN, and third-party Network Virtual Appliances (NVAs).

  • Azure Virtual Network Gateway provides a private, encrypted connection between an on-premises network and an Azure virtual network.
  • Azure Virtual WAN provides streamlined, highly automated branch-office connectivity into and across Azure.
  • Third-party Network Virtual Appliances (NVAs) are virtualized network functions (firewalls, routers, SD-WAN appliances) that can be provisioned in Azure or on-premises and add capabilities the native gateways do not offer.

Info: There are a few differences between Virtual WAN and VPN Gateway that should be brought to your attention:

  • Virtual WAN uses a hub-and-spoke topology in which branches and VNets connect to the Azure backbone through a hub, whereas a VPN gateway is attached to a single VNet and terminates that VNet's S2S and P2S connections.
  • Virtual WAN is built for scale: a hub supports up to 1000 branch connections, while a VPN gateway is limited to 30 tunnels on most SKUs (100 on VpnGw4 and VpnGw5).
  • In Virtual WAN the P2S and S2S gateways are separate units that are deployed and scaled independently.

For more details click this link: VPN Gateway vs WAN VPN gateway

Azure Virtual Network Gateway Encryption Standards

Azure VPN Gateway encryption standards are the IPsec/IKE algorithms and key strengths negotiated for S2S, VNet-to-VNet and P2S tunnels. By default the gateway negotiates from a list of proposals that still includes legacy options such as 3DES and SHA1, so the actual strength of a tunnel depends on what the peer device selects. On a route-based gateway you can instead pin a custom IPsec/IKE policy per connection, which is the setting worth checking on every production tunnel.
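As an added example (not code from the original post), the following Python audit checks a connection's IPsec/IKE policy against a strong baseline, flags the AES-GCM pairing rule that Azure enforces, and renders the az CLI command that pins a hardened policy on a connection. It assumes the camelCase field names that `az network vpn-connection ipsec-policy list` prints; the sample policies and the resource names `rg-hub` and `cn-onprem-dc1` are constructed placeholders, and nothing here talks to Azure.

```python
"""Audit an Azure VPN Gateway connection's IPsec/IKE policy against a strong baseline.

Added example, not code from the original post. The policy dicts below are
constructed to mimic the JSON that `az network vpn-connection ipsec-policy list`
prints (the camelCase field names are an assumption based on that output);
nothing here talks to Azure, so it runs offline.
"""

# Algorithms accepted as "strong" for a custom policy. Anything the gateway
# supports but that is not in these sets (DES, 3DES, MD5, SHA1, DHGroup1/2,
# PFS1/PFS2, None) is reported as a finding.
STRONG = {
    "ikeEncryption":   {"AES256", "GCMAES256"},
    "ikeIntegrity":    {"SHA256", "SHA384"},
    "dhGroup":         {"DHGroup14", "DHGroup2048", "DHGroup24", "ECP256", "ECP384"},
    "ipsecEncryption": {"AES256", "GCMAES256", "GCMAES128"},
    "ipsecIntegrity":  {"SHA256", "GCMAES256", "GCMAES128"},
    "pfsGroup":        {"PFS2048", "PFS24", "ECP256", "ECP384"},
}
SA_LIFETIME_MIN, SA_LIFETIME_MAX = 300, 27000   # seconds; 27000 is Azure's default
SA_DATA_MIN_KB = 1024                           # Azure's floor for saDataSizeKilobytes


def audit_policy(policy: dict) -> list[str]:
    """Return the list of findings; an empty list means the policy meets the baseline."""
    findings = []
    for field, allowed in STRONG.items():
        value = policy.get(field)
        if value not in allowed:
            findings.append(f"{field}={value!r}: weak or missing, expected one of {sorted(allowed)}")

    # AES-GCM is an AEAD mode: Azure requires ipsecIntegrity to name the same
    # GCM algorithm as ipsecEncryption (e.g. GCMAES256 for both).
    enc = policy.get("ipsecEncryption", "")
    integ = policy.get("ipsecIntegrity", "")
    if enc.startswith("GCMAES") and integ != enc:
        findings.append(f"ipsecIntegrity={integ!r} must equal ipsecEncryption={enc!r} for AES-GCM")

    lifetime = policy.get("saLifeTimeSeconds", 0)
    if not SA_LIFETIME_MIN <= lifetime <= SA_LIFETIME_MAX:
        findings.append(f"saLifeTimeSeconds={lifetime}: keep within {SA_LIFETIME_MIN}..{SA_LIFETIME_MAX}")
    if policy.get("saDataSizeKilobytes", 0) < SA_DATA_MIN_KB:
        findings.append(f"saDataSizeKilobytes below Azure's minimum of {SA_DATA_MIN_KB}")
    return findings


def az_apply_command(resource_group: str, connection: str, policy: dict) -> str:
    """Render the az CLI call that pins `policy` on an existing S2S or VNet-to-VNet connection.

    Resource names are placeholders supplied by the caller; the connection must
    terminate on a route-based gateway (IKEv2) for a custom policy to apply.
    """
    return (
        "az network vpn-connection ipsec-policy add"
        f" --resource-group {resource_group} --connection-name {connection}"
        f" --ike-encryption {policy['ikeEncryption']} --ike-integrity {policy['ikeIntegrity']}"
        f" --dh-group {policy['dhGroup']} --ipsec-encryption {policy['ipsecEncryption']}"
        f" --ipsec-integrity {policy['ipsecIntegrity']} --pfs-group {policy['pfsGroup']}"
        f" --sa-lifetime {policy['saLifeTimeSeconds']} --sa-max-size {policy['saDataSizeKilobytes']}"
    )


# Constructed sample policies (not captured from a real tenant).
LEGACY_POLICY = {            # what an old on-prem device may pick from the default proposals
    "ikeEncryption": "DES3", "ikeIntegrity": "SHA1", "dhGroup": "DHGroup2",
    "ipsecEncryption": "DES3", "ipsecIntegrity": "SHA1", "pfsGroup": "None",
    "saLifeTimeSeconds": 27000, "saDataSizeKilobytes": 102400000,
}
GCM_MISMATCH_POLICY = {      # strong algorithms, but the AEAD pairing rule is violated
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "SHA256", "pfsGroup": "PFS2048",
    "saLifeTimeSeconds": 27000, "saDataSizeKilobytes": 102400000,
}
HARDENED_POLICY = {          # what the audit accepts
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "PFS2048",
    "saLifeTimeSeconds": 27000, "saDataSizeKilobytes": 102400000,
}

if __name__ == "__main__":
    samples = [("legacy", LEGACY_POLICY), ("gcm-mismatch", GCM_MISMATCH_POLICY), ("hardened", HARDENED_POLICY)]
    for name, pol in samples:
        issues = audit_policy(pol)
        print(f"{name}: {'OK' if not issues else f'{len(issues)} finding(s)'}")
        for line in issues:
            print("  -", line)
    print(az_apply_command("rg-hub", "cn-onprem-dc1", HARDENED_POLICY))
```

To audit a real connection, replace the constructed dicts with the parsed output of `az network vpn-connection ipsec-policy list --resource-group <rg> --connection-name <name>`; an empty list from that command means the connection is still negotiating from the default proposal set, which is itself a finding. A custom policy only applies to connections on a route-based gateway, and the on-premises device must support the same algorithms or the tunnel will fail to come up.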


Gateway Stock Keeping Units (SKUs)

Gateway SKUs denote a specific gateway model with unique features, specifications or different performance and price levels.

Generation1

| Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant | Supported Number of VMs in the VNet |
|---|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No | 200 |
| Generation1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | No | 450 |
| Generation1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | No | 1300 |
| Generation1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No | 4000 |
| Generation1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes | 1000 |
| Generation1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes | 2000 |
| Generation1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes | 5000 |

Generation2

| Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant | Supported Number of VMs in the VNet |
|---|---|---|---|---|---|---|---|---|
| Generation2 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No | 685 |
| Generation2 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No | 2240 |
| Generation2 | VpnGw4 | Max. 100 | Max. 128 | Max. 5000 | 5 Gbps | Supported | No | 5300 |
| Generation2 | VpnGw5 | Max. 100 | Max. 128 | Max. 10000 | 10 Gbps | Supported | No | 6700 |
| Generation2 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes | 2000 |
| Generation2 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes | 3300 |
| Generation2 | VpnGw4AZ | Max. 100 | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes | 4400 |
| Generation2 | VpnGw5AZ | Max. 100 | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes | 9000 |


Deploy VPNs

After reading the key information above, you can find useful links below for deploying VPN tunnels.

VPN Gateway documentation

Virtual WAN documentation

Express route documentation


General Concepts


VPN Devices

The link below takes you to the official Microsoft documentation listing the validated VPN devices and the per-vendor configuration guides for setting up an S2S cross-premises VPN connection.

Validated VPN devices and device configuration guides
