Azure VPN Gateway Design
Azure VPN Gateway
A VPN gateway provides encrypted connectivity between VNets, or between a VNet and an on-premises network. VNet-to-on-premises traffic crosses the public Internet inside an IPsec tunnel, while traffic between two VNets connected through VPN gateways stays on the Microsoft backbone (still encrypted, but never leaving the Microsoft network).
Each virtual network can have only one VPN gateway. That gateway can terminate multiple connections, and all of its tunnels share the gateway's available bandwidth.
To configure a VPN gateway, create a virtual network gateway and set its gateway type to 'Vpn'. The gateway type 'Vpn' specifies that the virtual network gateway being created is a VPN gateway rather than an ExpressRoute gateway.
A virtual network can have at most two virtual network gateways: one VPN gateway and one ExpressRoute gateway.
When you create a VPN gateway, gateway VMs are deployed into the gateway subnet (a subnet that must be named GatewaySubnet) and configured with the settings you specified. Once the gateway exists, you can create an IPsec/IKE tunnel to another VPN gateway (VNet-to-VNet) or a cross-premises IPsec/IKE tunnel to an on-premises VPN device (Site-to-Site).
Deploying VPN gateways across Azure availability zones provides resiliency, scalability and higher availability for virtual network gateways, and protects on-premises connectivity to Azure from zone-level failures.
Options to provide VPN connectivity
Azure provides three connectivity options:
- Site-to-Site (S2S) VPN connection
- Point-to-Site (P2S) VPN connection
- VNet-to-VNet connection
VPN Connection planning
To decide which of the connectivity types above fits a given solution, use the table below.
When you create a virtual network gateway, you must specify the gateway SKU. Choose a SKU that satisfies your requirements for workload type, throughput, features and SLA.
The table below lists each gateway SKU by tunnel count, connection count and throughput.
(*) Use Virtual WAN if you need more than 100 S2S tunnels.
Resizing a VpnGw SKU is allowed within the same generation; the Basic SKU cannot be resized. Basic is a legacy SKU with limited features (for example, it does not support BGP). To move from Basic to another SKU you must delete the Basic VPN gateway and create a new gateway with the desired generation and SKU size.
The connection limits are separate: for example, a VpnGw1 gateway supports 128 SSTP connections and, at the same time, 250 IKEv2 connections.
To understand how the SKUs perform with different IPsec algorithms, measure Site-to-Site throughput yourself with publicly available tools such as iPerf and CTSTraffic.
The table below shows observed bandwidth and packets-per-second throughput per tunnel for each gateway SKU. All tests were run between gateways (endpoints) within Azure across different regions, with 100 connections, under standard load conditions.
Site to Site VPN
A Site-to-Site VPN gateway connection is an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel between a VNet and an on-premises network; the same mechanism also carries VNet-to-VNet connections. An S2S connection requires an on-premises VPN device with a public IP address assigned to it.
The figure below shows an S2S VPN connection between an on-premises network and a VNet.
A VPN gateway can be configured in active-standby mode, using one public IP address, or in active-active mode, using two public IP addresses. Active-active is the recommended option: data flows through both tunnels at the same time, which gives higher aggregate throughput and avoids the interruption of an active-standby failover.
You can create more than one connection from the same virtual network gateway, each to a different on-premises site. This design requires a route-based VPN type (called a dynamic gateway in the classic deployment model) and is known as a multi-site connection.
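The following Azure CLI script is an added example and is not part of the original page; it deploys the active-active, zone-redundant Site-to-Site design described above with static routing. Resource names (rg-hub, vnet-hub, vgw-hub), the address ranges and the on-premises device IP 203.0.113.10 are assumed placeholders, and the VNet is assumed to exist already. With static routing the gateway cannot disambiguate overlapping ranges, so the script first checks that no on-premises prefix overlaps the VNet address space. Set DEPLOY=1 to actually run the az commands; without it the script only defines the functions.

```shell
#!/bin/sh
# Added example: active-active S2S VPN gateway with static routing (Azure CLI).
# All names and address ranges below are assumptions, not values from the page.
set -eu

RG=${RG:-rg-hub}
LOC=${LOC:-westeurope}
VNET=${VNET:-vnet-hub}                      # assumed to exist already
VNET_SPACE=${VNET_SPACE:-10.1.0.0/16}       # the VNet's address space
GW_SUBNET=${GW_SUBNET:-10.1.255.0/27}       # GatewaySubnet, carved out of VNET_SPACE
GW=${GW:-vgw-hub}
ONPREM_IP=${ONPREM_IP:-203.0.113.10}        # on-premises VPN device (documentation range)
ONPREM_PREFIXES=${ONPREM_PREFIXES:-"192.168.0.0/16 172.16.0.0/12"}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 (true) when CIDR $1 and CIDR $2 share at least one address.
cidr_overlap() {
  n1=$(ip_to_int "${1%/*}"); l1=${1#*/}
  n2=$(ip_to_int "${2%/*}"); l2=${2#*/}
  # Under the shorter prefix, overlapping ranges have identical network bits.
  if [ "$l1" -lt "$l2" ]; then l=$l1; else l=$l2; fi
  mask=$(( (4294967295 << (32 - l)) & 4294967295 ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Fail if any on-premises prefix overlaps the VNet: with static routing the
# gateway could not tell which side owns the overlapping addresses.
check_no_overlap() {
  vnet=$1; shift
  for p in "$@"; do
    if cidr_overlap "$vnet" "$p"; then
      echo "ERROR: on-premises prefix $p overlaps VNet address space $vnet" >&2
      return 1
    fi
  done
  return 0
}

deploy_s2s() {
  # shellcheck disable=SC2086  # intentional word splitting of the prefix list
  check_no_overlap "$VNET_SPACE" $ONPREM_PREFIXES

  # Gateway VMs are placed in a subnet that must be named GatewaySubnet.
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes "$GW_SUBNET" -o none

  # Active-active needs one public IP per gateway instance; zone-redundant
  # Standard IPs pair with the AZ gateway SKU.
  for n in 1 2; do
    az network public-ip create -g "$RG" -n "pip-$GW-$n" -l "$LOC" \
      --sku Standard --allocation-method Static --zone 1 2 3 -o none
  done

  # Route-based, zone-redundant SKU. Passing two public IPs makes the gateway active-active.
  az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOC" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2AZ \
    --public-ip-addresses "pip-$GW-1" "pip-$GW-2" -o none

  # The local network gateway models the on-premises device and the prefixes behind it;
  # with BGP disabled these prefixes are the static routes Azure installs.
  # shellcheck disable=SC2086
  az network local-gateway create -g "$RG" -n lgw-onprem -l "$LOC" \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes $ONPREM_PREFIXES -o none

  # Pre-shared key: generated rather than hard-coded; hand it to the on-premises device out of band.
  PSK=${PSK:-$(openssl rand -base64 32)}
  az network vpn-connection create -g "$RG" -n cn-onprem -l "$LOC" \
    --vnet-gateway1 "$GW" --local-gateway2 lgw-onprem \
    --shared-key "$PSK" --connection-protocol IKEv2 -o none
}

# Only touch Azure when explicitly asked; otherwise the script just defines the checks.
if [ "${DEPLOY:-0}" = 1 ]; then deploy_s2s; fi
```

Gateway creation takes tens of minutes, and the connection can only be created once the gateway is provisioned, which is why the script does not use --no-wait. The pre-shared key is generated at run time instead of being embedded in the script and must be configured identically on the on-premises device.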
Point to Site VPN
A Point-to-Site connection provides a secure connection from an individual client computer to a VNet. P2S does not require a public-facing IP address or a VPN device on the client side, and P2S and S2S connections can coexist on the same VPN gateway.
The figure below shows P2S connectivity.
Vnet to Vnet Connection (Ipsec/IKE VPN tunnel)
A VPN gateway can also connect two VNets to each other. VNet-to-VNet communication can be combined with a multi-site configuration.
The VNets you connect can be:
- in the same or different regions
- in the same or different subscriptions
- in the same or different deployment models (Resource Manager or classic)
The figure below shows how VNet-to-VNet communication is established through VPN gateways.
How Site to Site and Express Route connection can Co-Exist
ExpressRoute is a direct, private connection from your WAN to Microsoft services, including Azure. Running a Site-to-Site VPN connection alongside an ExpressRoute connection gives you several benefits.
The Site-to-Site VPN can serve as a secure failover path for ExpressRoute, or it can connect sites that are not reached through ExpressRoute.
This design requires two virtual network gateways in the same VNet: one with gateway type 'Vpn' (which must be route-based) and one with gateway type 'ExpressRoute'.
The figure below shows how this coexisting configuration is connected:
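As an added example (not from the original page), the following Azure CLI script adds an ExpressRoute gateway to a VNet that already has a route-based VPN gateway, so that the two connections coexist. It assumes placeholder names (rg-hub, vnet-hub, vgw-hub, ergw-hub) and that CIRCUIT_ID holds the resource ID of an already provisioned ExpressRoute circuit. Before creating anything it checks the two prerequisites that most often break this design: the GatewaySubnet must be /27 or larger (the size Azure documents for a shared GatewaySubnet) and the existing VPN gateway must be route-based. Set DEPLOY=1 to run the az commands.

```shell
#!/bin/sh
# Added example: add an ExpressRoute gateway beside an existing route-based VPN gateway.
# Resource names and the circuit ID are assumptions; nothing here comes from the page.
set -eu

RG=${RG:-rg-hub}
LOC=${LOC:-westeurope}
VNET=${VNET:-vnet-hub}
VPNGW=${VPNGW:-vgw-hub}                 # existing VPN gateway (gateway type Vpn)
ERGW=${ERGW:-ergw-hub}                  # ExpressRoute gateway to add
CIRCUIT_ID=${CIRCUIT_ID:-}              # resource ID of a provisioned ExpressRoute circuit

# Azure documents /27 or larger for a GatewaySubnet that hosts both gateway types.
gateway_subnet_ok() {
  len=${1#*/}
  [ "$len" -le 27 ]
}

# Coexistence requires the VPN side to be route-based (a dynamic routing gateway).
vpn_gateway_ok() {
  [ "$1" = "RouteBased" ]
}

deploy_er_coexist() {
  [ -n "$CIRCUIT_ID" ] || { echo "set CIRCUIT_ID to the ExpressRoute circuit resource ID" >&2; return 1; }

  # Prerequisite 1: the shared GatewaySubnet is large enough.
  prefix=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
             --query addressPrefix -o tsv)
  gateway_subnet_ok "$prefix" || {
    echo "GatewaySubnet $prefix is smaller than /27; enlarge it before adding the second gateway" >&2
    return 1
  }

  # Prerequisite 2: the existing VPN gateway is route-based, not policy-based.
  vpntype=$(az network vnet-gateway show -g "$RG" -n "$VPNGW" --query vpnType -o tsv)
  vpn_gateway_ok "$vpntype" || {
    echo "VPN gateway $VPNGW is $vpntype; coexistence needs RouteBased" >&2
    return 1
  }

  # Second gateway in the same VNet, this time of type ExpressRoute (zone-redundant SKU).
  az network public-ip create -g "$RG" -n "pip-$ERGW" -l "$LOC" \
    --sku Standard --allocation-method Static --zone 1 2 3 -o none
  az network vnet-gateway create -g "$RG" -n "$ERGW" -l "$LOC" --vnet "$VNET" \
    --gateway-type ExpressRoute --sku ErGw1AZ --public-ip-addresses "pip-$ERGW" -o none

  # Link the ExpressRoute gateway to the circuit. The S2S connection on $VPNGW stays as it is
  # and becomes the failover path (or the path to sites the circuit does not reach).
  az network vpn-connection create -g "$RG" -n cn-expressroute -l "$LOC" \
    --vnet-gateway1 "$ERGW" --express-route-circuit2 "$CIRCUIT_ID" -o none
}

if [ "${DEPLOY:-0}" = 1 ]; then deploy_er_coexist; fi
```

When both the ExpressRoute circuit and the S2S tunnel advertise the same on-premises prefixes, Azure prefers the ExpressRoute path and falls back to the S2S tunnel, so the failover case needs no additional routing configuration on the Azure side.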
Use of BGP in VPN Routing
When BGP is enabled, the Azure VPN gateway and your on-premises VPN device exchange routes with each other dynamically. BGP also enables transit routing among multiple networks: a BGP gateway propagates the routes it learns from one BGP peer to all of its other BGP peers.
BGP is an optional feature of Azure route-based VPN gateways. If the Azure VPN gateway and the on-premises VPN device do not use BGP, you must configure static routes for the connection to work.
Using BGP has several advantages:
- automatic and flexible prefix updates
- multiple tunnels between a VNet and an on-premises device, with automatic failover driven by BGP
- transit routing between your on-premises network and multiple Azure VNets
The diagram below shows a highly available setup with active BGP tunnels and failover.
The diagram below shows a multi-hop topology with multiple paths, in which traffic can transit between two on-premises networks through Azure VPN gateways inside the Microsoft network.
BGP points to remember and basic standards to follow:
- BGP is supported on all Azure gateway SKUs except the Basic SKU.
- BGP is supported only on route-based VPN gateways, not on policy-based VPN gateways.
- You can use your own public ASNs or private ASNs for both the on-premises network and the Azure VNets, but you cannot use the ranges reserved by Azure or by IANA.
- ASNs reserved by Azure:
- Public ASNs: 8074, 8075, 12076
- Private ASNs: 65515, 65517, 65518, 65519, 65520
- ASNs reserved by IANA: 23456, 64496-64511, 65535-65551, 4294967295
- By default, the VPN gateway allocates a single IP address from the GatewaySubnet range as its BGP peer address for an active-standby gateway, or two addresses for an active-active gateway.
- If your on-premises VPN device uses an APIPA address (169.254.x.x) as its BGP peer IP, you must configure an Azure APIPA BGP IP address on the Azure VPN gateway as well.
- The on-premises network and the Azure VNet must use different ASNs. The Azure VPN gateway has a default ASN of 65515, whether BGP is enabled or not; you can override this default when creating the VPN gateway or change it after the gateway has been created.
- The gateway advertises the following prefixes to your on-premises BGP device:
- the VNet address prefixes
- the address prefixes of each local network gateway connected to the Azure VPN gateway
- routes learned from other BGP sessions connected to the Azure VPN gateway, except default routes and routes that overlap with any virtual network
- Azure VPN Gateway supports up to 4000 prefixes; if the number of prefixes exceeds this limit, the BGP session is dropped.
- BGP can be used for cross-premises connections and for connections between virtual networks.
- BGP and non-BGP connections can be mixed on the same Azure VPN gateway.
- BGP transit routing is supported, with one exception: the Azure VPN gateway does not advertise default routes to other BGP peers. To enable transit routing across multiple Azure VPN gateways, BGP must be enabled on every intermediate VNet-to-VNet connection.
- BGP can be used for the S2S VPN in an ExpressRoute and S2S VPN coexistence configuration.
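The following Azure CLI script is an added example, not code from the original page. It validates the ASN choices against the reserved ranges listed above, including the rule that the Azure and on-premises ASNs must differ, handles the APIPA case, and then creates a BGP-enabled Site-to-Site connection and reads back the peer status and learned routes. Resource names, the ASNs (65010 for Azure, 65001 on-premises) and the addresses (203.0.113.10, 169.254.21.1 and 169.254.21.2, 192.168.0.0/16) are assumed placeholders; the Azure-side APIPA range 169.254.21.0 to 169.254.22.255 is taken from Azure documentation rather than from this page. Set DEPLOY=1 to run the az commands.

```shell
#!/bin/sh
# Added example: BGP-enabled S2S connection with ASN and APIPA validation (Azure CLI).
# Names, ASNs and addresses are assumptions; only the reserved-ASN lists come from the page.
set -eu

RG=${RG:-rg-hub}
LOC=${LOC:-westeurope}
VNET=${VNET:-vnet-hub}                       # assumed to exist, with a GatewaySubnet
GW=${GW:-vgw-hub}
AZURE_DEFAULT_ASN=65515                      # Azure's default, present whether or not BGP is enabled
AZURE_ASN=${AZURE_ASN:-65010}                # override of the default for the Azure side
ONPREM_ASN=${ONPREM_ASN:-65001}
ONPREM_IP=${ONPREM_IP:-203.0.113.10}         # on-premises VPN device public IP (documentation range)
ONPREM_PREFIX=${ONPREM_PREFIX:-192.168.0.0/16}
ONPREM_BGP_IP=${ONPREM_BGP_IP:-169.254.21.2} # on-premises BGP peer address (APIPA in this example)
AZURE_APIPA_BGP_IP=${AZURE_APIPA_BGP_IP:-169.254.21.1}

# Return 0 when ASN $1 may be chosen by the customer: reserved neither by Azure nor by IANA.
asn_usable() {
  a=$1
  case "$a" in
    8074|8075|12076) return 1 ;;                       # reserved by Azure (public)
    65515|65517|65518|65519|65520) return 1 ;;         # reserved by Azure (private)
    23456|4294967295) return 1 ;;                      # reserved by IANA
  esac
  if [ "$a" -ge 64496 ] && [ "$a" -le 64511 ]; then return 1; fi   # IANA documentation range
  if [ "$a" -ge 65535 ] && [ "$a" -le 65551 ]; then return 1; fi   # IANA reserved
  [ "$a" -ge 1 ] && [ "$a" -le 4294967294 ]
}

# The Azure side may keep the 65515 default or use any usable ASN; the on-premises
# ASN must be usable; and the two must differ (this is an eBGP peering).
validate_bgp_pair() {
  azure_asn=$1; onprem_asn=$2
  if [ "$azure_asn" -ne "$AZURE_DEFAULT_ASN" ] && ! asn_usable "$azure_asn"; then
    echo "Azure ASN $azure_asn is in a reserved range" >&2; return 1
  fi
  if ! asn_usable "$onprem_asn"; then
    echo "on-premises ASN $onprem_asn is in a reserved range" >&2; return 1
  fi
  if [ "$azure_asn" -eq "$onprem_asn" ]; then
    echo "Azure and on-premises ASNs must differ" >&2; return 1
  fi
  return 0
}

# APIPA peers: an on-premises 169.254.x.x BGP IP requires an Azure APIPA BGP IP, and Azure
# accepts only 169.254.21.0 to 169.254.22.255 for it (per Azure documentation).
is_apipa() { case "$1" in 169.254.*) return 0 ;; *) return 1 ;; esac; }
azure_apipa_ok() { case "$1" in 169.254.21.*|169.254.22.*) return 0 ;; *) return 1 ;; esac; }

deploy_s2s_bgp() {
  validate_bgp_pair "$AZURE_ASN" "$ONPREM_ASN"

  bgp_ip_args=""
  if is_apipa "$ONPREM_BGP_IP"; then
    azure_apipa_ok "$AZURE_APIPA_BGP_IP" || {
      echo "Azure APIPA BGP IP must be in 169.254.21.0-169.254.22.255" >&2; return 1
    }
    bgp_ip_args="--bgp-peering-address $AZURE_APIPA_BGP_IP"
  fi

  az network public-ip create -g "$RG" -n "pip-$GW" -l "$LOC" \
    --sku Standard --allocation-method Static -o none

  # Route-based gateway (BGP is unavailable on Basic and policy-based gateways) with a custom ASN.
  # shellcheck disable=SC2086  # bgp_ip_args is intentionally empty or two words
  az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOC" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 \
    --public-ip-addresses "pip-$GW" --asn "$AZURE_ASN" $bgp_ip_args -o none

  # With BGP the local network gateway carries the peer's ASN and BGP IP. Its address prefix is
  # still advertised to the peer (see the list above), so keep it to what the site really owns.
  az network local-gateway create -g "$RG" -n lgw-onprem -l "$LOC" \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_PREFIX" \
    --asn "$ONPREM_ASN" --bgp-peering-address "$ONPREM_BGP_IP" -o none

  PSK=${PSK:-$(openssl rand -base64 32)}
  az network vpn-connection create -g "$RG" -n cn-onprem-bgp -l "$LOC" \
    --vnet-gateway1 "$GW" --local-gateway2 lgw-onprem --shared-key "$PSK" --enable-bgp -o none

  # Verify the session is up and inspect what was exchanged (the 4000-prefix limit applies here).
  az network vnet-gateway list-bgp-peer-status -g "$RG" -n "$GW" -o table
  az network vnet-gateway list-learned-routes -g "$RG" -n "$GW" -o table
}

if [ "${DEPLOY:-0}" = 1 ]; then deploy_s2s_bgp; fi
```

The validation runs before any resource is created, so a reserved or duplicated ASN is caught before a 30-minute gateway deployment rather than when the BGP session fails to establish.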