Azure supports three types of VPN gateways: Site-to-Site, Point-to-Site, and VNet-to-VNet. In this article, we will discuss the features and benefits of each type so that you can decide which one is best for your needs.
Azure VPN Gateway
Azure supports two types of virtual private networks (VPNs): Point-to-Site and Site-to-Site. Point-to-Site VPNs are used to connect individual clients to an Azure virtual network. Site-to-Site VPNs are used to connect an on-premises network to an Azure virtual network over an IPsec connection.
Policy-Based VPNs (Static Routing) are the older of the two types of Microsoft Azure VPNs supported, and function by defining traffic flows, or routes, and the associated security policies. Each packet that enters or leaves the network is inspected against the policy to determine if it is allowed on the network. Policy-Based VPNs use either Internet Key Exchange version 1 (IKEv1) or IKEv2 for key management, and Microsoft recommends IKEv2 for all deployments. Policy-Based VPNs are sometimes called Static Routing because all traffic is routed through the VPN gateway; this type of routing cannot be changed without reconfiguring the gateway.
Route-Based VPNs are the recommended type to use when connecting Azure VNets together, or when connecting an on-premises network to Azure. Route-based VPNs use routes (policies) to direct traffic. Any traffic that matches a route is sent through the VPN tunnel, while all other traffic is sent directly.
The following diagram illustrates a basic route-based VPN topology:
In this topology, both the on-premises network and the Azure VNet have gateways configured with BGP enabled. The gateways exchange route information and program their routing tables accordingly. Traffic is then routed through the VPN tunnel based on these programmed routes.
Route-Based VPNs are sometimes also called Policy-Based VPNs, because in some vendors' implementations you create policies to allow traffic through the tunnel instead of programming routes into the routing table.
Azure Point-to-Site VPN
Azure Point-to-Site (P2S) VPNs connect an individual computer to Azure over an encrypted connection. This type of VPN is often used when employees are working remotely and need to access company resources. There are a few different protocols that can be used with P2S VPNs, such as SSTP, IKEv2, and L2TP/IPSec.
SSTP (Secure Socket Tunneling Protocol) is a tunneling protocol that can be used with a standard SSL certificate. Azure supports SSTP VPN connections. You can use an SSTP VPN connection to connect to virtual machines and services in your on-premises network from anywhere in the world.
IKEv2 is an IPSec-based VPN protocol that uses a key exchange method known as IKE, which stands for Internet Key Exchange. IKE uses a phase one/phase two model to create a secure VPN tunnel. In phase one, IKE uses the Diffie-Hellman key exchange algorithm to generate a shared secret key. In phase two, IKE uses IPSec to encrypt and authenticate the data that is exchanged between the VPN client and server.
IKEv2 is supported by Azure VPN gateways. When you create an Azure VPN gateway, you can specify whether you want to use IKEv2 or not. If you choose to use IKEv2, you will need to generate a shared secret key using the IKE daemon (Iked).
OpenVPN is a VPN protocol that uses SSL/TLS for key exchange. It is most often used in conjunction with a software package called OpenVPN Connect, which is platform-independent. Microsoft Azure supports the use of OpenVPN Connect and it can be used to connect to an Azure virtual network.
Azure Site-to-Site VPN
Azure supports three different site-to-site VPN protocols: IKEv2, SSTP, and PPTP. IKEv2 is the recommended option because it's supported on a wider range of devices and has better security. SSTP is a good option if you need to connect to an on-premises network through a VPN gateway that doesn't support IKEv2. PPTP is only recommended if you're using an Azure VPN gateway that doesn't support any of the other protocols.
A policy-based VPN uses route-based policies to control traffic between an on-premises network and an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. Route-based VPNs are also known as interface-based VPNs. With a policy-based VPN, each packet is compared to an access control list (ACL) that you create to control traffic flow.
For example, suppose you have two virtual machines in a VNet: VM1 and VM2. You want all traffic from VM1 destined for VM2 to go through the VPN tunnel. You can create a route-based VPN with two gateways, each configured for one of the VMs, and then associate an ACL with each gateway that controls which traffic goes through the associated gateway’s tunnel. All traffic from VM1 destined for VM2 will be sent through the gateway associated with VM1, and all traffic from VM2 destined for VM1 will be sent through the gateway associated with VM2.
Any traffic not matched by the ACL for a particular gateway will not use that gateway’s tunnel; instead, it will take the shortest path available outside of the VPN connection. You can think of a policy-based VPN as making a temporary direct connection between your on-premises network and your Azure VNet. You can use this type of connection when you have preexisting ACLs that you want to continue using in Azure.
Route-Based VPNs are the recommended type of VPN gateway. A Route-Based VPN gateway uses routes in its routing table to determine which packets to send through the VPN tunnel and which to send through the existing network connection. This type of gateway uses policy-based routing (PBR) with Exclude or Include routes to send specific traffic through a VPN tunnel while sending all other traffic directly through the existing network connection. You can use PBR to configure a Site-to-Site VPN tunnel on a route-based VPN gateway that is configured for BGP. PBR is configured by creating user-defined routes in the route table that point to a virtual private gateway's interface.
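The following Python model is an added example, not code from the article or from Azure: it contrasts the two forwarding decisions described above. A policy-based gateway tunnels a packet only when its (source prefix, destination prefix) pair matches a configured traffic selector (the ACL-style policy), so a new subnet needs a gateway reconfiguration; a route-based gateway does a longest-prefix match on its routing table, so a route learned over BGP is enough. The prefixes and next-hop names are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network


def policy_based_decision(src: str, dst: str,
                          selectors: Iterable[Tuple[str, str]]) -> bool:
    """Policy-based (static) VPN: the packet enters the tunnel only if some
    traffic selector covers both its source and its destination address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in Net(local, strict=False) and d in Net(remote, strict=False)
               for local, remote in selectors)


def route_based_decision(dst: str,
                         routes: List[Tuple[str, str]]) -> Optional[str]:
    """Route-based VPN: pick the most specific route containing the
    destination (longest-prefix match); its next hop decides whether the packet
    goes into the tunnel or out the existing connection. None = no route."""
    d = ipaddress.ip_address(dst)
    matches = [(Net(prefix, strict=False), hop) for prefix, hop in routes
               if d in Net(prefix, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def learn_bgp_route(routes: List[Tuple[str, str]], prefix: str, hop: str) -> None:
    """Simulate a BGP-learned route being programmed into the routing table;
    no change to the gateway's policy is needed for it to take effect."""
    routes.append((prefix, hop))


# Constructed topology: on-premises 10.10.0.0/16, Azure VNet 10.20.0.0/16,
# and a second VNet 10.30.0.0/16 that is only reachable through the tunnel.
SELECTORS = [("10.10.0.0/16", "10.20.0.0/16")]          # policy-based gateway
ROUTES = [("0.0.0.0/0", "direct"), ("10.20.0.0/16", "vpn-tunnel")]  # route-based


if __name__ == "__main__":
    pkt = ("10.10.1.5", "10.30.1.1")   # on-prem host talking to the second VNet
    print("policy-based tunnels it:", policy_based_decision(*pkt, SELECTORS))
    learn_bgp_route(ROUTES, "10.30.0.0/16", "vpn-tunnel")
    print("route-based next hop:", route_based_decision(pkt[1], ROUTES))
```

Run as written, the policy-based gateway refuses the packet to 10.30.1.1 until a second selector is added, while the route-based gateway forwards it into the tunnel as soon as the BGP route is present.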