2.2.10 Describe Azure VPNs
Notes on Azure VPN gateways: what they connect, the two gateway types, and the high availability options.
VPN Gateways
A VPN gateway is a type of virtual network gateway. Azure VPN gateways are deployed in a dedicated subnet of the virtual network (it must be named GatewaySubnet) and enable you to:
Connect on-prem datacenters to virtual networks via a site-to-site (S2S) connection.
Connect individual devices to virtual networks via a point-to-site (P2S) connection.
Connect virtual networks to other virtual networks via a VNet-to-VNet connection.
All traffic is encrypted inside a private tunnel as it crosses the public internet. Only one VPN gateway can be deployed in each virtual network, but one gateway can connect to multiple on-prem locations and other virtual networks.
There are two types of VPN gateway in Azure: policy-based and route-based. Regardless of type, site-to-site and VNet-to-VNet tunnels are authenticated with a pre-shared key (PSK) that must be configured identically on both ends. (Point-to-site connections authenticate the client differently, e.g. with certificates, RADIUS or Microsoft Entra ID; the PSK rule applies to IPsec tunnels between gateways.)
Policy-based: the IP address prefixes to encrypt through each tunnel are specified statically, as traffic selectors in the IPsec policy. Each packet is evaluated against those prefixes to choose the tunnel it is sent through. Policy-based gateways are limited to the Basic SKU, IKEv1 and a single site-to-site tunnel, so they only suit legacy on-prem devices that cannot do route-based VPN.
Route-based: IPsec tunnels are modelled as a network interface or virtual tunnel interface, and IP routing (static routes or BGP) decides which tunnel interface to use for each packet. Route-based VPNs are the preferred connection method for on-prem devices because they tolerate topology changes, such as adding subnets, without editing the tunnel definition.
Use a route-based VPN gateway if any of the following connectivity is needed:
Connections between virtual networks
Point-to-Site connections
Multisite connections
Coexistence with Azure ExpressRoute (a VPN gateway and an ExpressRoute gateway in the same virtual network)
High Availability: Active/Standby
VPN gateways are deployed as two instances in an active/standby configuration by default. When planned maintenance or an unplanned disruption affects the active instance, the standby instance takes over the active connections automatically. The failover interrupts connections, but typically only for a few seconds for planned maintenance and for a maximum of 90 seconds for unplanned disruptions.
High Availability: Active/Active
Gateways can instead be deployed in an active/active configuration. In active/active, each instance is assigned its own unique public IP address, and the on-prem device establishes a separate tunnel to each IP address, so the loss of one instance does not drop connectivity. Availability can be extended further by adding a second on-prem VPN device with its own tunnels to both gateway instances (dual redundancy).
ExpressRoute Failover
A VPN gateway can be configured as a secure failover path for an ExpressRoute connection. Where an outage of the ExpressRoute circuit is a risk, a site-to-site VPN over the internet provides an independent path, so that there is always a connection to the virtual network.
Zone-Redundant Gateways
Deploying gateways across Azure availability zones physically and logically separates the gateway instances within a region, protecting on-prem connectivity to Azure from zone-level failures. Zone-redundant gateways require the AZ gateway SKUs (for example VpnGw1AZ rather than VpnGw1) and Standard SKU public IP addresses instead of Basic public IP addresses.
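The following Bicep template is an added example that ties the points above together; it is not from the original notes or from Microsoft's documentation. It deploys a route-based VPN gateway in a GatewaySubnet, in active/active mode on a zone-redundant AZ SKU with Standard static public IPs, plus a site-to-site connection to one on-prem device authenticated with a pre-shared key. Resource names, address prefixes, the on-prem device address and the IPsec/IKE policy values are assumptions chosen for the example.

```bicep
// Added example (not from the original notes): route-based, active/active,
// zone-redundant VPN gateway with one site-to-site connection.
// All names, prefixes and the on-prem device address are assumed values.

@description('Region with availability zones (assumed).')
param location string = resourceGroup().location

@description('Public IPv4 address of the on-prem VPN device (placeholder).')
param onPremDeviceIp string

@description('Address prefixes behind the on-prem device (assumed).')
param onPremPrefixes array = [ '192.168.0.0/16' ]

@description('Pre-shared key for the S2S tunnel. Supply at deploy time (e.g. from Key Vault); never hard-code it.')
@secure()
param sharedKey string

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'hub-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'workload', properties: { addressPrefix: '10.0.1.0/24' } }
      // The gateway must sit in a subnet literally named GatewaySubnet.
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.255.0/27' } }
    ]
  }
}

// Active/active needs one public IP per gateway instance. AZ SKUs require
// Standard (not Basic) static IPs; zones 1-3 make them zone-redundant.
resource gwPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = [for i in range(0, 2): {
  name: 'vpngw-pip-${i + 1}'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1', '2', '3' ]
  properties: { publicIPAllocationMethod: 'Static' }
}]

resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = {
  name: 'hub-vpngw'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased' // PolicyBased would limit you to Basic SKU, IKEv1, one tunnel
    sku: { name: 'VpnGw1AZ', tier: 'VpnGw1AZ' } // AZ SKU = zone-redundant gateway
    activeActive: true // two instances, two public IPs, two tunnels from on-prem
    ipConfigurations: [for i in range(0, 2): {
      name: 'ipconfig${i + 1}'
      properties: {
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'GatewaySubnet') }
        publicIPAddress: { id: gwPip[i].id }
      }
    }]
  }
}

// Represents the on-prem VPN device and the prefixes reachable behind it.
resource onPrem 'Microsoft.Network/localNetworkGateways@2023-04-01' = {
  name: 'onprem-dc1'
  location: location
  properties: {
    gatewayIpAddress: onPremDeviceIp
    localNetworkAddressSpace: { addressPrefixes: onPremPrefixes }
  }
}

resource s2s 'Microsoft.Network/connections@2023-04-01' = {
  name: 'hub-to-onprem-dc1'
  location: location
  properties: {
    connectionType: 'IPsec'
    connectionProtocol: 'IKEv2'
    virtualNetworkGateway1: { id: vpnGw.id, properties: {} }
    localNetworkGateway2: { id: onPrem.id, properties: {} }
    sharedKey: sharedKey // PSK authenticates the tunnel; the on-prem device holds the same key
    // Pin the IPsec/IKE suite rather than accept whatever is negotiated
    // (values are assumptions; the on-prem device must be set to match).
    ipsecPolicies: [
      {
        saLifeTimeSeconds: 27000
        saDataSizeKilobytes: 102400000
        ipsecEncryption: 'GCMAES256'
        ipsecIntegrity: 'GCMAES256'
        ikeEncryption: 'AES256'
        ikeIntegrity: 'SHA384'
        dhGroup: 'ECP384'
        pfsGroup: 'ECP384'
      }
    ]
  }
}
```

Deploy with `az deployment group create` and pass `sharedKey` as a parameter from a secret store rather than a file in source control. After deployment, `az network vpn-connection show --resource-group <rg> --name hub-to-onprem-dc1 --query connectionStatus` should report Connected once the on-prem device has matching prefixes, key and IPsec policy; a mismatch in any of the three is the usual reason it stays at NotConnected.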