Table of Contents
With the advent of the Public Cloud, organisations have shifted part of their application infrastructure into the Cloud hosted Data Centres for some compelling reason i.e., cost optimization, Flexibility to scale, High Availability etc., but some critical applications still remain on their on-premise data centres simply because some organisations are sceptical about the security of the data of their mission critical applications hosted in Public Cloud Infrastructure, hence want to retain the complete control over the data of such applications in their on-premise data centres with their security perimeter in place.
Hence, arises a need for a hybrid network architecture where some applications remain on the on-prem Data Centers while some applications shift to Cloud Hosted Data Center while still maintaining the connectivity between the two environments for communication.
What is Azure VPN Gateway?
One such option to connect an on-prem environment with Azure Virtual Network is using the VPN connection. A VPN (virtual private network) is a way to securely connect your two or more trusted private networks over an untrusted network such as the internet. All the traffic remains encrypted while traversing over the internet to prevent data hacking.
To facilitate such VPN connection between the Azure Cloud and the on-premise networks. Azure provides us with a dedicated service called Azure VPN gateway. These VPN gateways send or receive the encrypted traffic between Azure VNETs and the on-prem DCs over the internet.
A VPN Gateway can also be used to connect to Azure VNETs together forming encrypted tunnels over the Microsoft backbone network.
Hybrid Connectivity Options: Azure VPN Gateway
There are three types of VPN Connectivity options these VPN gateways provide to enable hybrid connectivity:
- Azure Point-to-Site VPN Connection: When a client installed on user machines directly forms a VPN Connection to the Azure Virtual Network Gateway to access resources deployed in Azure VNET.
- Azure Site-to-Site VPN Connection: This type forms a IPsec/IKE connectivity between cloud and on-prem and requires a dedicated device on-prem with a public IP assigned which will form a VPN connection with Azure VPN Gateway over the internet.
- Azure EXPRESSROUTE VPN Gateway: A dedicated connection from On-Prem to Azure.
VPN Gateway Deployment
A VPN Gateway is deployed within its own separate subnet defined inside the VNET. Gateway subnet can be created at the time of creating a VPN gateway or could be already created when you created a VNET. When you create a Gateway subnet behind the scenes Microsoft creates two fully managed VMs inside this subnet that constitute the Gateway.
- A gateway subnet must always be named as Gateway Subnet.
- No other resources should be deployed as a part of this subnet.
- Plan carefully on the size of the gateway subnet as it cannot be resized later.
VPN Types Supported
When you create a VPN gateway you are also required to provide a VPN Type. There are following two VPN types supported:
To determine what VPN type to select, please ensure you satisfy the requirements for the solution.
Few example considerations:
- For example, P2S VPN gateway don’t support Policy-Based VPNs so select RouteBased VPN type.
- Ensure the VPN device you use on-prem supports RouteBased VPN type.
VPN type cannot be changed once it is selected for a VPN Gateway.
Local Network Gateway
This is required to be created in Azure if you are deploying a Site-Site VPN Gateway. It is the representation of your on-prem network in Azure to which then the VPN Gateway will connect.
Choosing the correct VPN Gateway Type
Now when deciding to deploy an Azure VPN Gateway, careful planning is required for the following on a high-level:
- Throughput required from VPN Gateway
- Dynamic BGP Peering required or not
- Availability of Public IP address
- On- Prem VPN Device Compatibility
- VPN Gateway Type
- VPN Type
- Few client connections required, or a complete site connectivity required
Azure VPN Gateway has different SKU options available. The above factors also vary depending on the SKU type chosen. Hence, for the complete list of VPN Gateway SKUs please refer to Microsoft VPN Gateway SKU documentation.