Azure VPN Gateway

Azure VPN Gateway provides encrypted, cross-premises connectivity between your Azure virtual networks and on-premises infrastructure over the public internet. It is the primary service for extending your on-premises network into Azure using industry-standard IPsec/IKE VPN tunnels.

---

What Is a VPN Gateway?

A VPN Gateway is a specific type of virtual network gateway deployed into a dedicated GatewaySubnet in your VNet. It establishes encrypted tunnels using IPsec/IKE protocols, allowing secure communication between:

• On-premises networks and Azure (Site-to-Site)
• Individual devices and Azure (Point-to-Site)
• Two Azure VNets (VNet-to-VNet)

---

Connection Types

Site-to-Site (S2S)

Connects an on-premises network to an Azure VNet over an IPsec/IKE tunnel. Requires a VPN device or software gateway on the on-premises side.

On-premises network <--IPsec tunnel--> Azure VPN Gateway <--> Azure VNet

• Supports IKEv1 and IKEv2
• Requires a public IP on the on-premises VPN device
• Ideal for hybrid cloud scenarios

Point-to-Site (P2S)

Connects individual client devices (laptops, workstations) to an Azure VNet. No on-premises VPN device needed.

Remote user (laptop) <--VPN tunnel--> Azure VPN Gateway <--> Azure VNet

Supported protocols:

Protocol	Description
OpenVPN	SSL/TLS-based, works on all platforms (Windows, macOS, Linux, iOS, Android)
IKEv2	Standards-based, best for macOS
SSTP	SSL-based, Windows only

Authentication methods:

• Azure certificate — client certificates installed on devices
• Microsoft Entra ID — AAD-based authentication (OpenVPN only)
• RADIUS — integrate with existing RADIUS infrastructure

VNet-to-VNet

Connects two Azure VNets over an encrypted IPsec tunnel. Similar to VNet Peering but with encryption.

When to use VNet-to-VNet VPN instead of peering: When you need encryption in transit between VNets, or the VNets have overlapping address spaces (with NAT rules).

---

Gateway SKUs

SKU	Max S2S Tunnels	Max P2S Connections	Aggregate Throughput
VpnGw1	30	250	650 Mbps
VpnGw2	30	500	1 Gbps
VpnGw3	30	1,000	1.25 Gbps
VpnGw4	100	5,000	5 Gbps
VpnGw5	100	10,000	10 Gbps

Each SKU also has an AZ variant (e.g. VpnGw1AZ) that supports Availability Zones for higher resilience.

Note: Gateway deployment takes 30–45 minutes. Plan accordingly.

---

Active-Active Configuration

By default, a VPN Gateway is active-standby: one instance handles traffic and the other is on standby for failover.

In active-active mode, both instances actively handle VPN tunnels. Each instance has its own public IP, and you configure two tunnels from your on-premises VPN device.

Benefits:

• Higher availability — no downtime during planned maintenance or failover.
• Better throughput — traffic is distributed across both instances.
• Faster failover — typically under 10 seconds.

Active-active is recommended for production workloads.

---

BGP Support