1 VPN gateway
- Connect on-premises datacenters to Azure virtual networks through a site-to-site connection.
- Connect individual devices to Azure virtual networks through a point-to-site connection.
- Connect Azure virtual networks to other Azure virtual networks through a network-to-network connection
Type
- Route-based
IPSec tunnels are modeled as a network interface
IP routing (static routes or dynamic routing protocols) decide across which one of these tunnel interfaces to send each packet- Coexistence with an Azure ExpressRoute gateway
- Multisite connections
- Supports IKEv2
- Uses any-to-any (wildcard) traffic selectors
- dynamic routing protocols
- pre-shared key as the only method of authentication
- internet Key Exchange (IKE) in either version 1 or version 2 and Internet Protocol Security (IPSec)
- Policy-based
statically the IP address of packets that should be encrypted through each tunnel- Support for IKEv1 only
- static routing: source and destination of the tunneled networks are declared in the policy and don't need to be declared in routing tables
- ompatibility with legacy on-premises VPN devices
size
basic, VpnGw1, VpnGw2, VpnGw3
required
- Virtual network
- GatewaySubnet (/27)
- Public IP address
- Local network gateway (on-premises network's configuration:)
- Virtual network gateway (VPN or ExpressRoute gateway)
- connection: You can create multiple connections
On Premises
- A VPN device that supports policy-based or route-based VPN gateways
- A public-facing (internet-routable) IPv4 address
High availability
Active/standby
Active/active
ExpressRoute failover
Zone-redundant gateways
By default, VPN gateways are deployed as two instances in an active/standby configuration
- BGP routing protocol
- unique public IP address to each instance
VPN gateway as a secure failover path for ExpressRoute connections
local network gateway
names in each location reflect the target networks rather than the source network.