VPN Gateway Overview
A VPN gateway is a type of virtual network gateway used to send encrypted traffic between:
- Azure virtual networks and on-premises networks (over the public Internet).
- Azure virtual networks and other Azure virtual networks (over the Microsoft network).
Key points:
- Each VNet can have only one VPN gateway.
- A VPN gateway can have multiple connections, sharing the available gateway bandwidth.
- VPN gateways can be deployed in Azure Availability Zones for resiliency and higher availability.
Types of VPN Connections
- Site-to-Site (S2S) – Connects an on-premises datacenter to an Azure VNet.
- VNet-to-VNet – Connects two Azure VNets.
- Point-to-Site (P2S) – Connects individual devices to an Azure VNet.
Virtual Network Gateway Structure
- Composed of two or more VMs deployed to a subnet named GatewaySubnet.
- The VMs run routing tables and gateway services.
- Do not deploy other resources in the gateway subnet.
- Avoid associating an NSG with the gateway subnet; doing so can break gateway operation.
Tip: Creating a VPN gateway may take up to 45 minutes.
VPN Gateway Configuration
Settings to configure:
- Gateway type – VPN or ExpressRoute.
- VPN type – Route-based (most scenarios: S2S, P2S, VNet-to-VNet) or Policy-based (limited to the Basic SKU).
- SKU – Basic, Standard, High Performance (affects throughput and the number of tunnels).
- Generation – Gen1 or Gen2; the available SKUs vary by generation.
- Virtual Network – Must be unique per gateway (a VNet has at most one VPN gateway).
VPN Types:
- Route-based VPNs: Use routing tables to direct traffic; support multiple tunnels.
- Policy-based VPNs: Use IPsec policies to select traffic; limited to one tunnel and the Basic SKU; only for S2S connections.
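The settings above map directly onto the Az PowerShell cmdlets. The following is an added example (not part of these notes and not Microsoft's documentation) that creates the GatewaySubnet, refuses to continue if an NSG is attached to it, and then deploys a route-based, Generation 2 VpnGw2 gateway. The resource group, VNet, gateway name, region and address prefix are placeholder values chosen for the example.

```powershell
# Added example: deploy a route-based VPN gateway with the Az module.
# $rg, $location, $vnetName, $gwName and the subnet prefix are assumed placeholders.
$rg       = 'rg-hub-example'
$location = 'westeurope'
$vnetName = 'vnet-hub-example'
$gwName   = 'vpngw-hub-example'

# 1. The gateway requires a subnet literally named 'GatewaySubnet'. Nothing else is
#    deployed into it and no NSG is attached. A /27 leaves room for additional gateway
#    instances later (for example an active/active upgrade) without resizing the subnet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27' `
        -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
if ($gwSubnet.NetworkSecurityGroup) {
    # Fail early: an NSG on the gateway subnet is the misconfiguration the notes warn about.
    throw 'GatewaySubnet has an NSG attached; remove it before deploying the gateway.'
}

# 2. A static public IP for the gateway instance.
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static

# 3. Bind the subnet and the public IP into the gateway IP configuration.
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig1' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# 4. Gateway type, VPN type, SKU and generation are exactly the settings listed above.
#    RouteBased is required for VNet-to-VNet and P2S; Generation2 is valid for VpnGw2.
#    This cmdlet blocks until provisioning finishes, which can take up to 45 minutes.
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2

# 5. Confirm what was actually deployed before building connections on top of it.
$gw | Select-Object Name, ProvisioningState, @{n='Sku'; e={ $_.Sku.Name }},
    VpnGatewayGeneration, VpnType
```

The NSG check is deliberately a hard stop rather than a warning: the gateway deployment itself may succeed with an NSG present, and the resulting tunnel failures are much harder to diagnose afterwards than a refused script run.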
Gateway SKUs and Throughput Benchmarks:
| Gen | SKU | S2S/VNet-to-VNet Tunnels | P2S IKEv2 Connections | Aggregate Throughput |
|---|---|---|---|---|
| 1 | VpnGw1 | Max 30 | Max 250 | 650 Mbps |
| 1 | VpnGw2 | Max 30 | Max 500 | 1.0 Gbps |
| 2 | VpnGw2 | Max 30 | Max 500 | 1.25 Gbps |
| 1 | VpnGw3 | Max 30 | Max 1000 | 1.25 Gbps |
| 2 | VpnGw3 | Max 30 | Max 1000 | 2.5 Gbps |
| 2 | VpnGw4 | Max 30 | Max 5000 | 5.0 Gbps |
Note: Throughput benchmark is aggregated across all tunnels; actual throughput depends on Internet conditions.
Local Network Gateway
Represents the on-premises network:
- Specify name, public IP, and address prefixes.
- For BGP-enabled connections, declare the BGP peer host address.
Configuring the On-Premises VPN Device
- Microsoft validates devices from vendors including Cisco, Juniper, Ubiquiti and Barracuda.
- Required info:
  - Shared key (the same on Azure and on the on-premises device)
  - Public IP of the Azure VPN gateway
- You may download device configuration scripts for supported devices.
Reference: Azure VPN devices
Creating the VPN Connection
- Create the gateways in Azure.
- Add a Connection: choose Site-to-Site (IPsec), VNet-to-VNet, or P2S.
- Provide:
  - Name
  - Connection type
  - Shared key (PSK)
- Verification: Use the Azure portal or PowerShell to confirm connectivity.
High Availability Scenarios
- Active/Standby:
  - Default configuration; one active instance, one standby.
  - Failover restores connectivity in 10–15 seconds (planned), ~1 minute (unplanned).
- Active/Active:
  - Both gateway instances handle traffic simultaneously.
  - Each instance has a unique public IP.
  - Traffic is split across both tunnels; failover is automatic if one instance fails.
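Active/Active is the point where the on-premises configuration must change as well, because each gateway instance gets its own public IP and the device needs a tunnel to each. The following added example (not from these notes) converts an existing gateway to active/active by adding a second IP configuration and then lists the addresses the on-premises side has to peer with. The gateway and public IP names are placeholders; the gateway is assumed to have been created with a single IP configuration on a non-Basic SKU, since active/active is not available on Basic.

```powershell
# Added example: switch an existing gateway to active/active and report both public IPs.
# Names are assumed placeholders; the gateway must already exist on a VpnGw SKU.
$rg       = 'rg-hub-example'
$location = 'westeurope'
$gw       = Get-AzVirtualNetworkGateway -Name 'vpngw-hub-example' -ResourceGroupName $rg

if ($gw.Sku.Name -eq 'Basic') {
    throw 'Active/active is not supported on the Basic SKU; resize the gateway first.'
}

# Reuse the GatewaySubnet the first IP configuration already points at.
$gwSubnetId = $gw.IpConfigurations[0].Subnet.Id

# A second static public IP: this becomes the address of the second active instance.
$pip2 = New-AzPublicIpAddress -Name 'vpngw-hub-example-pip2' -ResourceGroupName $rg `
    -Location $location -Sku Standard -AllocationMethod Static

# Add the second IP configuration, then enable the active/active feature. Set-* blocks
# while the gateway is updated, during which existing tunnels can drop briefly.
Add-AzVirtualNetworkGatewayIpConfig -VirtualNetworkGateway $gw -Name 'gwipconfig2' `
    -SubnetId $gwSubnetId -PublicIpAddressId $pip2.Id | Out-Null
$gw = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -EnableActiveActiveFeature

# Both addresses must be configured as peers on the on-premises device; a device that
# only knows the first one loses connectivity as soon as traffic lands on the second.
$gw.IpConfigurations | ForEach-Object {
    $pipName = ($_.PublicIpAddress.Id -split '/')[-1]
    $pip     = Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg
    '{0,-12} {1}' -f $_.Name, $pip.IpAddress
}
```

Treat the second public IP as part of the change record for the on-premises firewall and VPN device: IKE/IPsec must be permitted from and to both addresses, and BGP sessions (if used) are established per tunnel.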
Demonstration Steps (Portal)
- Explore the GatewaySubnet of a VNet.
- Add a Virtual Network Gateway.
  - Configure gateway type, VPN type, SKU, and public IP.
- Add a VPN Connection between VNets.
  - Choose the connection type and provide the shared key.
- Verify Connected Devices and bidirectional connectivity.