An Azure VPN gateway is the virtual network gateway that terminates encrypted connections between your Azure virtual network and other networks. It routes that traffic into and out of the VNet, but it does not inspect or filter it, so it is not a substitute for a firewall.
A virtual network gateway is deployed as one of two gateway types, VPN or ExpressRoute. Outbound internet access from a VNet needs no gateway at all (there is no separate internet gateway resource in Azure), so the purposes a gateway can serve are:
- Site-to-site VPN gateway (IPsec/IKE tunnel to an on-premises VPN device)
- Point-to-site VPN gateway (individual clients connecting over the internet)
- VNet-to-VNet gateway (IPsec/IKE tunnel between two Azure VNets)
- ExpressRoute gateway (private circuit through a connectivity provider)
The following screenshot shows the Azure service you need to look for when you want to implement an Azure VPN gateway:
A VNet can have at most one VPN gateway and, in addition, at most one ExpressRoute gateway; both live in the same GatewaySubnet if they coexist. VPN gateways are available in several SKUs with different throughput, tunnel limits and resiliency features.
The following table shows a short summary:
| SKU | VPN gateway throughput | VPN gateway max IPsec tunnels | Active-active VPN | ExpressRoute gateway throughput | VPN gateway and ExpressRoute coexist | Zone redundant |
|---|---|---|---|---|---|---|
| Standard | 100 Mbps | 10 | No | 1000 Mbps | Yes | No |
| High Performance | 200 Mbps | 30 | Yes | 2000 Mbps | Yes | No |
| Ultra High Performance | 200 Mbps | 30 | Yes | 9000 Mbps | Yes | No |
| VpnGw1 | 650 Mbps | 30 | Yes | No | No | No |
| VpnGw1AZ | 650 Mbps | 30 | Yes | No | No | Yes |
| VpnGw2 | 1 Gbps | 30 | Yes | No | No | No |
| VpnGw2AZ | 1 Gbps | 30 | Yes | No | No | Yes |
| VpnGw3 | 1.25 Gbps | 30 | Yes | No | No | No |
| VpnGw3AZ | 1.25 Gbps | 30 | Yes | No | No | Yes |
| ErGw1AZ | No | No | No | 1000 Mbps | Yes | Yes (with a separate VPN gateway) |
| ErGw2AZ | No | No | No | 2000 Mbps | Yes | Yes (with a separate VPN gateway) |
| ErGw3AZ | No | No | No | 9000 Mbps | Yes | Yes (with a separate VPN gateway) |
The following diagram shows how the basic VPN gateway is connected to your Azure network:
With the standard or performance gateway it would look like the following diagram:
When you start the setup of a gateway, you first have to decide which kind of gateway (type, VPN type and SKU) you want to deploy. The basic offering can be deployed from the Azure portal; for the other offerings, you need PowerShell. The following screenshot shows the portal version:
Depending on your WAN solution, you choose either VPN or ExpressRoute. ExpressRoute requires a circuit from a connectivity provider (typically an MPLS/IP-VPN carrier); I will explain that later. For the VPN solution, you need to decide between a route-based and a policy-based VPN. A policy-based gateway uses IKEv1 and static traffic selectors, so the tunnel only carries traffic that matches the configured on-premises/VNet address pairs. A route-based gateway uses IKEv2 with any-to-any traffic selectors and sends traffic over the tunnel according to the route table, optionally with dynamic routing via BGP.
Which VPN type you need depends on your on-premises VPN device: not every device can speak route-based (IKEv2) VPN. Microsoft publishes a list of validated devices, which you can find at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/.
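The following script is an added example, not code from the book, of the route-based site-to-site deployment described above using the Az PowerShell module. The resource group, location, VNet, subnet prefix, on-premises address and prefixes are assumed placeholders, and the VNet is assumed to exist already. Besides creating the gateway and connection, it generates the pre-shared key from a cryptographic random source, pins a strong IKEv2/IPsec policy instead of accepting the gateway defaults, and checks the connection state afterwards.

```powershell
# Added example (not from the book): deploy a route-based VpnGw1 gateway and a
# site-to-site connection with the Az module. All names/addresses are assumed.
param(
    [string]  $ResourceGroup        = 'rg-hub',           # assumed
    [string]  $Location             = 'westeurope',       # assumed
    [string]  $VNetName             = 'vnet-hub',         # assumed, must exist
    [string]  $GatewaySubnetPrefix  = '10.0.255.0/27',    # assumed; /27 or larger
    [string]  $OnPremPublicIp       = '203.0.113.10',     # assumed (TEST-NET-3)
    [string[]]$OnPremPrefixes       = @('192.168.0.0/16') # assumed
)

# 1. The gateway subnet must be named exactly "GatewaySubnet"; create it if missing.
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $GatewaySubnetPrefix `
        -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. Public IP and IP configuration for the gateway.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $ResourceGroup `
    -Location $Location -AllocationMethod Dynamic
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
    -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# 3. Route-based (IKEv2) gateway. Provisioning takes roughly 30-45 minutes.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $ResourceGroup `
    -Location $Location -IpConfigurations $ipconf `
    -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 4. Local network gateway = the on-premises device and the prefixes behind it.
$lng = New-AzLocalNetworkGateway -Name 'lng-datacenter' -ResourceGroupName $ResourceGroup `
    -Location $Location -GatewayIpAddress $OnPremPublicIp -AddressPrefix $OnPremPrefixes

# 5. Pre-shared key: 32 random bytes as 64 hex characters, never a hand-typed word.
#    Hand it to the on-premises device out of band and do not log it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# 6. Pin the IKE/IPsec proposal rather than relying on the gateway defaults.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 7. The connection object ties the gateway, the local network gateway and the key together.
New-AzVirtualNetworkGatewayConnection -Name 'cn-hub-to-datacenter' -ResourceGroupName $ResourceGroup `
    -Location $Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -IpsecPolicies $policy | Out-Null

# 8. Check: status should report "Connected" once the on-premises side is configured.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-hub-to-datacenter' `
    -ResourceGroupName $ResourceGroup).ConnectionStatus
```

The policy in step 6 must match what the on-premises device is configured for, otherwise IKE negotiation fails with no traffic at all; that failure is preferable to silently negotiating down to a weak proposal, which is what accepting defaults on both ends can allow.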
There are some additional constraints to consider when choosing your VPN gateway in Azure. The following table shows the ones Microsoft documents:

| | Policy-based basic VPN gateway | Route-based basic VPN gateway | Route-based standard VPN gateway | Route-based high performance VPN gateway |
|---|---|---|---|---|
| Site-to-site connectivity (S2S) | Policy-based VPN configuration | Route-based VPN configuration | Route-based VPN configuration | Route-based VPN configuration |
| Point-to-site connectivity (P2S) | Not supported | Supported (can coexist with S2S) | Supported (can coexist with S2S) | Supported (can coexist with S2S) |
| Authentication method | Pre-shared key | Pre-shared key for S2S connectivity, certificates for P2S connectivity | Pre-shared key for S2S connectivity, certificates for P2S connectivity | Pre-shared key for S2S connectivity, certificates for P2S connectivity |
| Maximum number of S2S connections | 1 | 10 | 10 | 30 |
| Maximum number of P2S connections | Not supported | 128 | 128 | 128 |
| Active routing support (BGP) | Not supported | Not supported | Supported | Supported |
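The table says P2S authenticates clients with certificates. The following script is an added example, not the book's own code, of what that means in practice on a route-based gateway: a self-signed root is created (Windows PKI module, `New-SelfSignedCertificate`), only its public part is uploaded to the gateway, a client certificate is issued under it, the client configuration package is generated, and finally that client certificate is revoked. The gateway name, resource group and client address pool are assumed placeholders; the gateway is assumed to exist and to be route-based, since P2S over IKEv2 is not available on the Basic SKU.

```powershell
# Added example (not from the book): certificate-based point-to-site on an
# existing route-based gateway, plus revocation. Names/pools are assumed.
$ResourceGroup = 'rg-hub'            # assumed
$GatewayName   = 'vpngw-hub'         # assumed, existing route-based gateway
$ClientPool    = '172.16.201.0/24'   # assumed; must not overlap VNet or on-prem ranges

# 1. Self-signed root CA in the current user's store. This is the signing key for
#    all client certificates: keep it on an admin workstation, not on clients.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# 2. One client certificate per user/device, signed by the root, with the
#    client-authentication EKU (OID 1.3.6.1.5.5.7.3.2). Export it as PFX for the user.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'alice-laptop' -KeySpec Signature `
    -Subject 'CN=alice-laptop' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Upload only the root's public certificate (base64 DER). The root private key
#    never leaves the CA host.
$certType   = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$rootPublic = [Convert]::ToBase64String($root.Export($certType))

$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $ClientPool -VpnClientProtocol IkeV2 | Out-Null
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
    -PublicCertData $rootPublic | Out-Null

# 4. Generate the client configuration package; the returned SAS URL is short-lived.
$clientConfig = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroup `
    -Name $GatewayName -AuthenticationMethod EapTls
$clientConfig.VpnProfileSASUrl

# 5. Revocation is done on the gateway by thumbprint, not via a CRL. A lost device's
#    certificate keeps working until it expires unless you do this explicitly.
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'alice-laptop-lost' `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
    -Thumbprint $client.Thumbprint | Out-Null
```

Anyone holding the root private key can mint a certificate that the gateway accepts, so treat that key like a domain CA key; issuing one certificate per device (rather than sharing one) is what makes step 5 usable when a device is lost.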
In summary, you can have the following gateway configurations:
- A policy-based basic VPN gateway with a site-to-site VPN, shown in the following diagram:
- A route-based standard VPN gateway with ExpressRoute, shown in the following diagram:
- A route-based basic VPN gateway with a site-to-site VPN and a point-to-site VPN, or a route-based standard or performance VPN gateway with a site-to-site VPN and a point-to-site VPN, shown in the following diagram:
- A route-based standard or performance VPN gateway with a site-to-site VPN or ExpressRoute, shown in the following diagram:
- A route-based standard or performance VPN gateway with both a site-to-site VPN and ExpressRoute:
Later in the chapter, you will learn how to configure a VPN gateway with ExpressRoute and a basic VPN with a site-to-site VPN and how to upgrade that VPN to standard or performance. You will also learn what you need to do to implement a point-to-site VPN.