Azure VPN gateways

Azure VPN gateways are the virtual network gateways that connect your Azure VNets to your on-premises networks and to each other; think of them as the core routers at the edge of your Azure environment. They are not firewalls: traffic that enters through a gateway is still subject to your network security groups and to any network virtual appliance you route it through.

An Azure gateway can serve different purposes:

  • Internet gateway
  • Site-to-site VPN gateway
  • Point-to-site VPN gateway
  • ExpressRoute gateway
  • VNet-to-VNet gateway
We will not be able to cover the deployment of point-to-site VPN gateways in this book, but you can find a detailed guide in the Microsoft documentation at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-point-to-site-rm-ps/.

The following screenshot shows the Azure service you need to look for when you want to implement an Azure VPN gateway:

Every VNet can have at most one VPN gateway (plus, optionally, one ExpressRoute gateway), and it must live in a subnet named GatewaySubnet. VPN gateways are available in different SKUs with different throughput, tunnel limits and features.

The following table shows a short summary (entries marked n/a mean the SKU does not provide that function):

SKU                    | VPN gateway throughput | VPN gateway max IPsec tunnels | Active-active VPN | ExpressRoute gateway throughput | VPN gateway and ExpressRoute coexist | Zone redundant
-----------------------|------------------------|-------------------------------|-------------------|---------------------------------|--------------------------------------|---------------
Standard               | 100 Mbps               | 10                            | No                | 1000 Mbps                       | Yes                                  | No
High Performance       | 200 Mbps               | 30                            | Yes               | 2000 Mbps                       | Yes                                  | No
Ultra High Performance | 200 Mbps               | 30                            | Yes               | 9000 Mbps                       | Yes                                  | No
VpnGw1                 | 650 Mbps               | 30                            | Yes               | n/a                             | No                                   | No
VpnGw1AZ               | 650 Mbps               | 30                            | Yes               | n/a                             | No                                   | Yes
VpnGw2                 | 1 Gbps                 | 30                            | Yes               | n/a                             | No                                   | No
VpnGw2AZ               | 1 Gbps                 | 30                            | Yes               | n/a                             | No                                   | Yes
VpnGw3                 | 1.25 Gbps              | 30                            | Yes               | n/a                             | No                                   | No
VpnGw3AZ               | 1.25 Gbps              | 30                            | Yes               | n/a                             | No                                   | Yes
ErGw1AZ                | n/a                    | n/a                           | n/a               | 1000 Mbps                       | Yes, with a separate VPN gateway     | Yes
ErGw2AZ                | n/a                    | n/a                           | n/a               | 2000 Mbps                       | Yes, with a separate VPN gateway     | Yes
ErGw3AZ                | n/a                    | n/a                           | n/a               | 9000 Mbps                       | Yes, with a separate VPN gateway     | Yes
Since Ignite 2018, Microsoft has extended its offering around network gateways. To address customer demand for better SLAs on gateways, it started to offer zone-redundant virtual network gateways for ExpressRoute and VPN. These gateways are spread across Azure availability zones, that is, physically separate data centers with independent power, cooling and networking, so the outage of a single data center does not take the gateway down. These gateways are marked with AZ in the SKU name and require a Standard-SKU public IP address instead of the Basic one used by the non-AZ SKUs.

The following diagram shows how the basic VPN gateway is connected to your Azure network:

With the standard or performance gateway it would look like the following diagram:

When you start the setup of a gateway, you need to decide what kind of gateway you want to deploy. The basic offering can be deployed via the Azure portal GUI; for the other offerings, you need to do some PowerShell. The following screenshot shows the GUI version:

Depending on your WAN solution, you choose either VPN or ExpressRoute. For ExpressRoute, you need a circuit from an ExpressRoute connectivity provider, typically an MPLS IP VPN; I will explain that later. For the VPN solution, you need to decide between a route-based and a policy-based VPN. A route-based gateway uses IKEv2 with any-to-any traffic selectors and routes traffic into the tunnel dynamically (including BGP on the larger SKUs); a policy-based gateway uses IKEv1 with static IPsec policies that list which on-premises and Azure prefix pairs are encrypted.

Which VPN type you need must be decided based on your on-premises VPN device: not every device can speak route-based VPN. Microsoft publishes a list of validated devices, which you can find at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/.
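The following PowerShell is an added example of the decisions above (gateway type, VPN type and SKU) carried through to a deployment with the Az module; it is not code from the book. The resource group, region, VNet name and address prefix are assumptions, and the GatewaySubnet name is the one Azure requires.

```powershell
# Added example (not from the book): deploy a route-based, zone-redundant VPN gateway.
# Resource group, region, VNet name and prefixes are assumptions for this example.
$rg       = 'rg-hub-weu'      # assumed resource group
$location = 'westeurope'      # assumed region that offers availability zones
$vnetName = 'vnet-hub'        # assumed existing hub VNet

# 1. The gateway needs its own subnet and the name must be exactly "GatewaySubnet".
#    A /27 leaves room for AZ SKUs and for a coexisting ExpressRoute gateway later.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27' `
    -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. AZ SKUs require a Standard-SKU, static public IP; listing all zones makes it zone-redundant.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-vpngw-hub' -Location $location `
         -Sku Standard -AllocationMethod Static -Zone 1,2,3

# 3. Bind the public IP and the GatewaySubnet into the gateway IP configuration.
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconf' `
            -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# 4. Create the gateway: GatewayType Vpn (not ExpressRoute), VpnType RouteBased (IKEv2),
#    SKU VpnGw1AZ with BGP enabled. Provisioning takes roughly 30 to 45 minutes.
New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-hub' -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ `
    -EnableBgp $true -Asn 65515 | Out-Null

# 5. Verify what was actually provisioned before handing the public IP to the firewall team.
Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-hub' |
    Select-Object Name, GatewayType, VpnType, @{n='Sku'; e={$_.Sku.Name}}, ProvisioningState
```

The VPN type is the one setting you cannot change afterwards: a policy-based gateway has to be deleted and redeployed to become route-based, so the final check in step 5 is worth doing before any connections are built on top of it.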

There are also some additional requirements you need to think of when choosing your VPN gateway in Azure. The following table shows those provided by Microsoft:

                                  | Policy-based basic VPN gateway | Route-based basic VPN gateway                  | Route-based standard VPN gateway               | Route-based high performance VPN gateway
----------------------------------|--------------------------------|------------------------------------------------|------------------------------------------------|------------------------------------------------
Site-to-site connectivity (S2S)   | Policy-based VPN configuration | Route-based VPN configuration                  | Route-based VPN configuration                  | Route-based VPN configuration
Point-to-site connectivity (P2S)  | Not supported                  | Supported (can coexist with S2S)               | Supported (can coexist with S2S)               | Supported (can coexist with S2S)
Authentication method             | Pre-shared key                 | Pre-shared key for S2S, certificates for P2S   | Pre-shared key for S2S, certificates for P2S   | Pre-shared key for S2S, certificates for P2S
Maximum number of S2S connections | 1                              | 10                                             | 10                                             | 30
Maximum number of P2S connections | Not supported                  | 128                                            | 128                                            | 128
Active routing support (BGP)      | Not supported                  | Not supported                                  | Supported                                      | Supported

In summary, you can basically have the following gateway configurations:

  • The policy-based basic VPN gateway with a site-to-site VPN is shown in the following diagram:
Looking at current WAN developments and most customer infrastructures, a policy-based VPN gateway should only be used if there is absolutely no other option: it gives you a single IKEv1 tunnel, no point-to-site and no BGP, and switching to route-based later means deleting and redeploying the gateway. Most enterprise-grade firewalls can work with route-based VPN. Otherwise you can terminate the tunnel on a network virtual appliance in Azure instead. The following link lists devices with information about their available VPN options: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices.
  • Route-based standard VPN gateway with ExpressRoute is shown in the following diagram:
  • Route-based basic VPN gateway with a site-to-site VPN and point-to-site VPN, or a route-based standard or performance VPN gateway with a site-to-site VPN and point-to-site VPN, is shown in the following diagram:

  • Route-based standard or performance VPN gateway with site-to-site VPN or ExpressRoute is shown in the following diagram:
  • Route-based standard or performance VPN gateway with a site-to-site VPN and ExpressRoute:
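As an added example (not the book's code) for the site-to-site configurations listed above, the following PowerShell builds the connection from an existing route-based gateway to an on-premises firewall. It covers the security-relevant parts the portal wizard hides: a randomly generated pre-shared key stored in Key Vault rather than typed into a script, a pinned IKEv2/IPsec proposal instead of Azure's broad default list, and the policy-based traffic selector switch for the case where the on-premises device cannot do route-based VPN. Gateway, Key Vault and local network gateway names, the on-premises public IP and the prefixes are all assumptions.

```powershell
# Added example (not from the book): hardened S2S connection on a route-based gateway.
# All names, IPs and prefixes below are assumptions for this example.
$rg = 'rg-hub-weu'                                       # assumed resource group
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-hub'

# Local network gateway = the on-premises side: its public VPN endpoint and the prefixes
# reachable behind it (203.0.113.10 is a documentation address used as a placeholder).
$lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Name 'lng-datacenter-1' `
         -Location $gw.Location -GatewayIpAddress '203.0.113.10' `
         -AddressPrefix @('192.168.0.0/16', '172.16.0.0/12')

# Pre-shared key: 32 bytes from the OS CSPRNG, hex-encoded (64 printable characters).
# Store it in Key Vault (vault name is an assumption) and hand it over out of band;
# never commit it to the deployment script.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
Set-AzKeyVaultSecret -VaultName 'kv-hub-secrets' -Name 'vpn-psk-datacenter-1' `
    -SecretValue (ConvertTo-SecureString $psk -AsPlainText -Force) | Out-Null

# Custom IKE/IPsec policy. Without one, the gateway negotiates from Azure's default
# proposal set, which still accepts legacy algorithms such as 3DES and DH group 2.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
           -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
           -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

# The on-premises device in this example only supports policy-based (IKEv1-style)
# traffic selectors; UsePolicyBasedTrafficSelectors makes the route-based gateway emit
# per-prefix-pair selectors instead of any-to-any. A custom IPsec policy is mandatory
# for that switch, which is another reason to pin one.
New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'cn-datacenter-1' `
    -Location $gw.Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk `
    -IpsecPolicies $ipsec -UsePolicyBasedTrafficSelectors $true | Out-Null

# Audit: anything still on Basic or policy-based, or any connection without a pinned policy,
# is negotiating with defaults and should show up in a review.
Get-AzVirtualNetworkGateway -ResourceGroupName $rg |
    Where-Object { $_.VpnType -eq 'PolicyBased' -or $_.Sku.Name -eq 'Basic' } |
    Select-Object Name, VpnType, @{n='Sku'; e={$_.Sku.Name}}
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object { -not $_.IpsecPolicies } |
    Select-Object Name, ConnectionStatus
```

The same parameter set has to be configured on the on-premises device, otherwise phase 1 fails with a proposal mismatch; when that happens, compare the proposal in the device's IKE log against the values passed to New-AzIpsecPolicy before touching anything else.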

Later in the chapter, you will learn how to configure a VPN gateway with ExpressRoute and a basic VPN with a site-to-site VPN and how to upgrade that VPN to standard or performance. You will also learn what you need to do to implement a point-to-site VPN.
