Not sure which VPN type to use with Azure? In this article, we’ll cover the four different types of VPNs supported by Azure and help you choose the best one for your needs.
Azure VPN Gateway
Azure VPN Gateway supports four connection types: Point-to-Site, Site-to-Site, VNet-to-VNet, and Multi-Site. Point-to-Site (P2S) creates a secure connection to an Azure virtual network from an individual client computer, and is a good choice when you need to reach a VNet from a remote location such as home or a conference. Site-to-Site (S2S) creates an IPsec/IKE encrypted tunnel between an on-premises network and a virtual network; the on-premises end is a VPN device (a router or firewall) with a public IP address. VNet-to-VNet creates an IPsec/IKE tunnel between two virtual networks. Multi-Site is not a separate gateway type: it is an S2S gateway with connections to more than one on-premises site, and it requires a route-based gateway.
Supported VPN types
Azure supports three connection types that you configure on a VPN gateway: Point-to-Site, Site-to-Site, and VNet-to-VNet (Multi-Site is a Site-to-Site gateway with several connections). Each has its own benefits and use cases.
Point-to-Site
Point-to-Site (P2S) VPNs are used when a small number of clients need to connect to your VNet. P2S is easier to set up than Site-to-Site because it needs no on-premises VPN device or public IP address; each client authenticates with a certificate, Microsoft Entra ID (Azure AD) or RADIUS and gets its own tunnel. The trade-off is scale: every client holds an individual connection, and the number of concurrent P2S connections is capped per gateway SKU, so a large fleet is better served by Site-to-Site. P2S requires a route-based gateway.
Supported tunneling protocols: IKEv2, SSTP (Windows only), OpenVPN (TLS)
Scenario 1: Individual user needs occasional access to VNet resources from various locations
Scenario 2: Only a few clients need access, so an on-premises VPN device and a Site-to-Site tunnel are not justified
Site-to-Site
A Site-to-Site (S2S) VPN gateway connection is an IPsec/IKE (IKEv1 or IKEv2) tunnel between an on-premises VPN device and an Azure VPN gateway. S2S connections are used for cross-premises and hybrid configurations. The on-premises device (for example a Cisco ASA, SonicWall, Palo Alto, Check Point or Fortinet firewall; Microsoft publishes a list of validated devices with sample configurations) must have a public IP address, and Azure's end is the public IP attached to the virtual network gateway. Policy-based gateways support IKEv1 only, a single tunnel and static routing; route-based gateways support IKEv2 (and IKEv1 on the VpnGw SKUs), multiple tunnels, P2S, VNet-to-VNet and BGP.
BGP is optional and is supported only on route-based gateways. Without BGP, routing is static: on the Azure side you declare the on-premises address prefixes in the local network gateway resource, which is what installs the routes toward the tunnel, and on the on-premises device you add routes for the VNet address space pointing at the tunnel. Traffic for the VNet's own address space needs no extra routes in Azure. Virtual networks are isolated from one another, so a second VNet is not reachable through an S2S tunnel unless it is peered with the gateway's VNet (with gateway transit enabled) or has its own gateway and connection. The address spaces on the two sides must not overlap: an overlap leaves the tunnel up but traffic never enters it, because the VNet's system route wins over the gateway route.
The number of S2S tunnels per gateway is set by the gateway SKU (for example 30 on VpnGw1 to VpnGw3 and 100 on VpnGw4 and VpnGw5); you raise it by resizing the gateway to a larger SKU, not by a support ticket. For high availability use a zone-redundant SKU (VpnGwAZ) or an active-active gateway, and pair it with redundant on-premises devices. S2S connections are ideal when you have branch offices or many users who need frequent access to VNet resources from fixed locations.
VNet-to-VNet
A VNet-to-VNet connection uses the same IPsec/IKE tunnel mechanism as S2S, but both ends are Azure VPN gateways. The two virtual networks can be in the same region or in different regions, and in different subscriptions. Each VNet needs its own route-based gateway (policy-based gateways do not support this connection type); you then create a connection on each gateway that points at the other, using the same shared key on both sides. Each gateway is billed hourly plus data transfer, with no circuit charge, which makes it far cheaper than ExpressRoute for joining two VNets. If the two VNets only need private connectivity over the Microsoft backbone and you have no requirement for an IPsec tunnel, VNet peering (including global peering across regions) is the simpler and lower-latency option; VNet-to-VNet is the choice when you need the encrypted tunnel, a gateway-based route, or transit to on-premises sites.
Configuration steps
Configuring a VPN gateway can be tricky, so it’s important to know which types of VPNs are supported by Azure and which steps you’ll need to take to ensure a successful configuration.
Azure VPN Gateway supports Point-to-Site (P2S), Site-to-Site (S2S) and VNet-to-VNet connections; this section covers the first two.
P2S VPNs suit remote workers who need to reach resources inside an Azure virtual network (and, when the same gateway also has an S2S connection, on-premises resources behind it) from a laptop or phone. S2S VPNs connect an on-premises network to an Azure virtual network and are used by organisations with one or more office locations, or with substantial data flowing between on-premises systems and Azure.
To configure a P2S VPN you create a route-based virtual network gateway, enable the Point-to-site configuration on it (client address pool, tunnel type, authentication method, and the root certificate or identity provider), and then install the generated client profile on each device. To configure an S2S VPN you create a virtual network gateway, a local network gateway that describes the on-premises device (its public IP and address prefixes), and a connection between the two that carries the pre-shared key.
Azure Point-to-Site VPN
Azure Point-to-Site VPN lets you connect to your Azure virtual network from an individual device, whether a home computer, a work laptop or a mobile phone, from anywhere with an internet connection. The client terminates its tunnel on the gateway's public IP, so no on-premises VPN device is involved.
Supported VPN types
Azure supports three Point-to-Site tunnel types:
-IKEv2 VPN: a standards-based IPsec tunnel supported natively on Windows, macOS 10.11 and later, iOS and Linux (via strongSwan). It needs UDP 500 and 4500 open outbound.
-SSTP VPN: a TLS-based tunnel over TCP 443, supported on Windows only (Windows 7 and later). It is not IPsec, which is why it works from networks that block IPsec ports.
-OpenVPN: an open source TLS-based tunnel over TCP 443, supported on Android, iOS, Linux, macOS and Windows with an OpenVPN-compatible client such as the Azure VPN Client. It is the only tunnel type that supports Microsoft Entra ID authentication.
Configuration steps
This article provides the configuration steps to set up an Azure point-to-site VPN.
Tunnel types supported by Azure Point-to-Site:
1. SSTP – TLS over TCP 443, so it passes most firewalls and proxies; Windows clients only.
2. IKEv2 – standards-based IPsec, supported on Windows, macOS, iOS and Linux, but it needs UDP 500 and 4500 open outbound.
3. OpenVPN – TLS-based with an open source client on every major platform; supports certificate, Microsoft Entra ID and RADIUS authentication.
Azure does not offer L2TP/IPsec or PPTP for Point-to-Site; clients that would have used those should use IKEv2 or OpenVPN instead.
To set up an Azure point-to-site VPN with certificate authentication:
1. Sign in to the Azure portal and open your virtual network gateway (it must be route-based).
2. Under Settings, select Point-to-site configuration, enter the client address pool (a range that overlaps neither the VNet nor any on-premises network), choose the tunnel type, and select Azure certificate authentication.
3. Under Root certificates, enter a name and paste the Base64 public certificate data of your root certificate (the .cer body without the BEGIN and END lines), then click Save. Upload only the root's public certificate: the root private key never leaves your CA, and the individual client certificates signed by that root are installed on each client device together with their own private keys.
4. Select Download VPN client to get the client configuration ZIP. It contains installers for IKEv2 and SSTP (WindowsAmd64 and WindowsX86 folders), a Generic folder with the gateway's server certificate and settings for macOS and Linux, and, if OpenVPN is enabled, an OpenVPN folder with a .ovpn profile into which you paste the client certificate and private key. Save these files somewhere you can reach from the client.
5
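The certificate handling in steps 3 and 4 is where most P2S deployments go wrong, so here is the OpenSSL workflow end to end, as an added example that is not part of the original article or any Microsoft sample: a self-signed root whose private key stays on the CA host, a leaf certificate per user with the client-auth EKU, the Base64 body that Azure expects in "Public certificate data", and a guard that refuses to produce an upload artifact containing a private key. The output directory, the user names, the PKCS#12 password and the RG, GW and client-pool values in register_root are placeholders; register_root needs an authenticated az CLI and is not run unless you call it.

```shell
#!/bin/sh
# Added example (not from the original article): OpenSSL workflow for Azure
# P2S certificate authentication. Only the root's public certificate (Base64
# body) is uploaded to the gateway; the root private key stays offline and
# every client gets its own leaf certificate signed by that root.
set -eu
WORK=${P2S_OUT:-./p2s-certs}   # output directory; the name is an assumption

make_p2s_root() {
  mkdir -p "$WORK"
  cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = P2SRootCert
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root. -nodes writes the key unencrypted, so keep this
  # directory on the CA host only (or drop -nodes to passphrase-protect it).
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/root.cnf" -keyout "$WORK/P2SRootCert.key" \
    -out "$WORK/P2SRootCert.crt" 2>/dev/null
  # "Public certificate data" in the portal: the Base64 body without
  # the BEGIN/END lines, on one line.
  sed '/CERTIFICATE/d' "$WORK/P2SRootCert.crt" | tr -d '\n' \
    > "$WORK/P2SRootCert.b64"
}

make_p2s_client() {
  user=$1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$user" \
    > "$WORK/$user.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$user.cnf" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  # Leaf constraints: not a CA, client-auth EKU only.
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' \
    > "$WORK/$user.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$user.csr" \
    -CA "$WORK/P2SRootCert.crt" -CAkey "$WORK/P2SRootCert.key" -CAcreateserial \
    -extfile "$WORK/$user.ext" -out "$WORK/$user.crt" 2>/dev/null
  # PKCS#12 bundle (leaf + key + root) to install on that user's device.
  # The export password is a placeholder; use a real one per user.
  openssl pkcs12 -export -in "$WORK/$user.crt" -inkey "$WORK/$user.key" \
    -certfile "$WORK/P2SRootCert.crt" -passout pass:change-me \
    -out "$WORK/$user.pfx"
}

# Does the leaf chain to the root the gateway will trust?
verify_client() {
  openssl verify -CAfile "$WORK/P2SRootCert.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Pre-upload guard: the artifact must be non-empty and contain no private key.
upload_is_public_only() {
  [ -s "$WORK/P2SRootCert.b64" ] && ! grep -q 'PRIVATE KEY' "$WORK/P2SRootCert.b64"
}

# Azure side (needs `az login`; RG and GW are placeholders): register the
# root and enable IKEv2 + OpenVPN with a client pool that overlaps nothing.
register_root() {
  RG=$1; GW=$2
  az network vnet-gateway root-cert create -g "$RG" --gateway-name "$GW" \
    -n P2SRootCert --public-cert-data "$WORK/P2SRootCert.b64"
  az network vnet-gateway update -g "$RG" -n "$GW" \
    --address-prefixes 172.16.201.0/24 --client-protocol IkeV2 OpenVPN
}

# Usage: P2S_OUT=./certs sh p2s-certs.sh alice bob
if [ "$#" -gt 0 ]; then
  make_p2s_root
  for u in "$@"; do make_p2s_client "$u"; done
fi
```

Revocation is the other half of this design: Azure checks client certificates against the root you registered and against the thumbprints you add under Revoked certificates, so record each leaf's thumbprint (openssl x509 -noout -fingerprint) when you issue it.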
Azure Site-to-Site VPN
An Azure VPN gateway has a VPN type, PolicyBased or RouteBased, that is fixed when the gateway is created and determines which connections it can carry. Policy-based gateways encrypt traffic according to static IPsec policies (combinations of address prefixes on each side), support IKEv1 only, a single S2S tunnel, no BGP, and neither Point-to-Site nor VNet-to-VNet; they exist mainly to interoperate with older devices. Route-based gateways use route tables with any-to-any traffic selectors and support IKEv2 (and IKEv1 for S2S on the VpnGw SKUs), multiple tunnels, BGP, Point-to-Site, VNet-to-VNet and Multi-Site, and are the default choice. Point-to-Site and VNet-to-VNet are connection types, not Site-to-Site variants.
Supported VPN types
Azure VPN Gateway protocol support by connection type:

Protocol        Point-to-Site                      Site-to-Site
IKEv2 IPsec     Yes (route-based gateway)          Yes (route-based gateway)
IKEv1 IPsec     No                                 Yes (policy-based gateway, no BGP; also accepted by route-based VpnGw SKUs)
OpenVPN (TLS)   Yes (route-based gateway)          No
SSTP (TLS)      Yes (route-based, Windows only)    No
Configuration steps
1. To configure a Site-to-Site VPN connection using IPsec/IKE between an on-premises VPN device and an Azure VPN gateway, you need the following items:
-A compatible on-premises VPN device. Microsoft publishes a list of validated devices with sample configurations; other IKEv1/IKEv2 devices usually work if they support the gateway's IPsec/IKE parameters.
-A pre-shared key (PSK). Azure S2S authenticates with a PSK only (there is no certificate authentication for S2S); it is set on the connection resource and must match the on-premises device exactly. Generate it from a CSPRNG, keep it out of scripts and tickets, and never reuse one key across sites.
-The public IP address of your Azure VPN gateway, which is the Public IP resource attached to the gateway (not the address you use to reach the Azure portal); the on-premises device uses it as its IKE peer. For the other direction, the local network gateway resource holds the on-premises device's public IP address, or an FQDN if the device's address is dynamic and you want Azure to resolve it, together with the on-premises address prefixes that Azure should route through the tunnel.
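The items above, together with the static-routing and address-overlap caveats from the Site-to-Site section earlier, come together in the following script, an added example that is not part of the original article or any Microsoft sample. It checks every on-premises prefix against the VNet address space before anything is created, generates the PSK from the kernel CSPRNG, and then makes the az CLI calls for the local network gateway, the connection and a pinned IPsec/IKE policy. The resource names, the example addresses and the RG and GW arguments are placeholders; deploy_s2s needs an authenticated az CLI and only runs when you pass it arguments, while the overlap check and PSK generator run anywhere.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for an
# Azure S2S connection (address-space overlap, PSK generation), followed by
# the az CLI calls that create the Azure side. RG, GW and the resource
# names below are placeholders.
set -eu

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Returns 0 when two CIDR blocks overlap. An on-premises prefix that
# overlaps the VNet address space is the classic S2S failure: the tunnel
# comes up, but the VNet's system route beats the gateway route, so
# traffic for that prefix never enters the tunnel.
cidr_overlap() {
  n1=${1%/*}; p1=${1#*/}
  n2=${2%/*}; p2=${2#*/}
  p=$p1; if [ "$p2" -lt "$p" ]; then p=$p2; fi
  mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( $(ip_to_int "$n1") & mask )) -eq $(( $(ip_to_int "$n2") & mask )) ]
}

# Usage: check_prefixes VNET_CIDR PREFIX...; returns 1 if any prefix overlaps.
check_prefixes() {
  vnet=$1; shift
  rc=0
  for pfx in "$@"; do
    if cidr_overlap "$vnet" "$pfx"; then
      echo "overlap: on-premises $pfx collides with VNet $vnet" >&2
      rc=1
    fi
  done
  return $rc
}

# 64 hex characters from the kernel CSPRNG: printable ASCII, no spaces,
# under Azure's 128-character PSK limit, and not guessable.
gen_psk() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Builds the Azure side of a static-routed S2S connection. Assumes an
# existing route-based VPN gateway $GW in resource group $RG and an
# active `az login`. The local network gateway's address prefixes are the
# static routes Azure installs toward the tunnel; the matching routes for
# the VNet address space must be added on the on-premises device.
deploy_s2s() {
  RG=$1; GW=$2; ONPREM_IP=$3; VNET_CIDR=$4; shift 4   # rest: on-prem prefixes
  check_prefixes "$VNET_CIDR" "$@"
  PSK=$(gen_psk)
  az network local-gateway create -g "$RG" -n onprem-lng \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$@"
  az network vpn-connection create -g "$RG" -n onprem-s2s \
    --vnet-gateway1 "$GW" --local-gateway2 onprem-lng --shared-key "$PSK"
  # Pin the IKE/IPsec proposal instead of accepting the gateway's default list.
  az network vpn-connection ipsec-policy add -g "$RG" --connection-name onprem-s2s \
    --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 \
    --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-max-size 102400000
  # Hand the PSK to the on-premises admin out of band; never echo it to a log.
  ( umask 077; printf '%s\n' "$PSK" > "onprem-s2s.psk" )
  echo "PSK written to ./onprem-s2s.psk (mode 0600); configure it on the on-premises device"
}

# Usage: sh s2s.sh RG GW 203.0.113.10 10.1.0.0/16 192.168.10.0/24 192.168.20.0/24
if [ "$#" -ge 5 ]; then
  deploy_s2s "$@"
fi
```

The same proposal (DH group, ciphers, integrity, PFS, SA lifetime) must be configured on the on-premises device; if you want BGP instead of the prefix list, add --enable-bgp to the connection and set the ASN and BGP peering address on both gateways, and the overlap check still applies to whatever the peers advertise.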