A S2S VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. These connections can be used for hybrid configurations and cross-premises configurations. They were designed to create a secure connection between a location and your virtual network over the internet. This location can be something such as an office. Once the S2S VPN connection has been configured, you can connect every device from that location to Azure using the same VPN location.
A S2S connection requires a compatible VPN device located on-premises that has a public IP address assigned to it. It should not be located behind a NAT.
The following diagram shows a S2S VPN connection from an on-premises environment to Azure:
In the next section, we are going to look at multi-site VPNs.