Skip to content

VPN Gateways

A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:

  • Connect on-premises datacenters to virtual networks through a site-to-site connection.
  • Connect individual devices to virtual networks through a point-to-site connection.
  • Connect virtual networks to other virtual networks through a network-to-network connection.

How many VPN's can be deployed?

You can deploy only one VPN gateway in each virtual network. However, you can use one gateway to connect to multiple locations, which includes other virtual networks or on-premises datacenters.

Gateway Subnet

Before you deploy the VPN gateway, you need to add a dedicated subnet to the vnet you want to connect. This subnet is for hosting the VPN gateway instances, and a CIDR block of /27 or /28 would suffice. The name of the subnet should be GatewaySubnet.

HA modes

Active-Active

Active-StandBy

Types of VPN GW

There are 2 types of VPN gateways:

  1. Policy-based VPN gateways: They specify statically the IP address of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel where that packet is going to be sent through.

  2. Route-based gateways: IPSec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices. They're more resilient to topology changes such as the creation of new subnets.

Azure to On-Premises

There are 2 ways to connect on-premises to Azure 1. VPN gateway 2. ExpressRoute

VPN Gateway connection

The local network gateway refers to the on-premises location. You create a reference resource called a local network gateway in Azure to specify your on-premises site. While creating the local network gateway, you will specify the address prefixes that are there in the on-premises network.

You can use either an IP address or an FQDN to specify your on-premises VPN device. Azure VPN gateway will be establishing connectivity to this device. Other than the IP address and address prefix, you will be asked to choose the subscription, resource group, and location for the resource.

Using a P2S connection, you can create a secure connection from an individual computer to an Azure virtual network over VPN. The P2S connections are always initiated from the client machine. All clients need to download the VPN profile and install it on their device to establish the P2S connection. Before Azure accepts P2S requests from the clients, authentication should be done first.


Was this page helpful?
-->