What VPN Types Are Supported By Azure?

Azure supports different types of VPN tunneling. You can use site-to-site VPNs to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.


VPN Gateway

Azure VPN Gateway supports four connection topologies: point-to-site (individual client devices), site-to-site (an on-premises network), multi-site (several on-premises networks terminating on one gateway) and VNet-to-VNet (two Azure virtual networks). Independently of the topology, every gateway has a VPN type, PolicyBased or RouteBased, which determines how traffic is selected for the tunnel and which features (BGP, IKEv2, point-to-site, multiple tunnels) are available. Let's take a look at each one.

Policy-Based VPNs

Policy-Based VPNs (Static Routing): A policy-based VPN encrypts traffic according to a fixed policy. The IPsec tunnel is defined by traffic selectors, the combinations of on-premises and Azure address prefixes that are allowed through the tunnel, and only packets matching a selector are encrypted. For information about creating a policy-based VPN, see Create a policy-based (static routing) gateway.

Policy-based gateways support static routing only; BGP is available only on route-based gateways. A policy-based gateway in Azure is also limited to the Basic gateway SKU, IKEv1 and a single site-to-site tunnel, with no point-to-site clients. You create static routes on your on-premises router that send traffic for the Azure address prefixes through the tunnel, and the same prefixes must appear in the local network gateway definition on the Azure side so that they are covered by the traffic selectors. If the prefix lists on the two sides disagree, the tunnel comes up but traffic for the missing prefix is silently dropped, which is the first thing to check when a policy-based tunnel reports Connected and nothing flows.

Route-Based VPNs

Route-Based VPNs are the most common type of VPN configured with Azure and the type you get by default in the Resource Manager deployment model. Instead of a list of traffic selectors, a route-based gateway uses any-to-any (wildcard) traffic selectors on its IPsec tunnel interface and decides what to send through the tunnel with its routing table, which is populated either with static routes or dynamically with BGP. Azure does not run RIP or any other interior routing protocol on the gateway. Third-party VPN devices, for example Check Point gateways, can terminate the on-premises end of the tunnel as long as they support route-based IPsec. Azure VPN Gateway offers two ways to populate the routes of a route-based VPN: Static Routing and Dynamic Routing using BGP.

Static Routing: The address prefixes reachable on each side are configured manually: on the on-premises VPN device as static routes pointing into the tunnel, and in Azure as the address prefixes of the local network gateway that represents the on-premises site. A new subnet on either side is unreachable until someone adds it on the other side, so keep both lists in the same change process. BGP is not used.

Dynamic Routing (BGP): Route information is exchanged automatically over the tunnel between the on-premises VPN device and the Azure VPN gateway using BGP. Each side advertises its prefixes, so subnets added later become reachable without reconfiguring the other side. Each peer needs an autonomous system number (ASN) and a BGP peering address; the Azure gateway takes its peering address from the GatewaySubnet, and the on-premises peer's ASN and address are declared on the local network gateway. Treat the BGP peer as a trusted party: filter the prefixes your on-premises router announces, because a default route advertised into Azure redirects all Internet-bound traffic from the VNet through the tunnel, and a bogus announcement of another site's prefixes quietly reroutes that traffic.
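The two variants above, static routing and BGP on the same route-based gateway, as an added example using the Az PowerShell module (this is not code from the original page). The resource names, address ranges, public IPs and ASNs are placeholders chosen for the example; an authenticated Az session is assumed.

```powershell
# Added example (not from the original page): a route-based VPN gateway with two site-to-site
# connections, one using static routes and one using BGP. All names, addresses and ASNs are
# assumptions for the example. Requires the Az module and Connect-AzAccount.

$rg       = 'rg-vpn-demo'
$location = 'westeurope'

# Hub VNet with the mandatory GatewaySubnet (address space assumed).
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id

# Public IP and IP configuration for the gateway.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id

# Route-based gateway with BGP enabled. A non-Basic SKU is required for BGP and IKEv2.
# 65010 is a private ASN picked for this example (Azure's default is 65515).
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
        -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
        -EnableBgp $true -Asn 65010

# Variant 1, static routing: the on-premises prefixes are declared on the local network gateway
# and the connection does not run BGP. A new on-premises subnet means editing this list.
$siteStatic = New-AzLocalNetworkGateway -Name 'lng-site-static' -ResourceGroupName $rg -Location $location `
                -GatewayIpAddress '203.0.113.10' -AddressPrefix @('192.168.10.0/24', '192.168.20.0/24')
New-AzVirtualNetworkGatewayConnection -Name 'cn-site-static' -ResourceGroupName $rg -Location $location `
  -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $siteStatic -ConnectionType IPsec `
  -SharedKey (Read-Host -Prompt 'Pre-shared key for site-static')   # never hard-code the PSK in scripts

# Variant 2, BGP: only the peer's ASN and peering address are declared; prefixes are learned.
# The /32 of the on-premises BGP peer is the one prefix that must still be listed statically
# so that the BGP session itself can be routed into the tunnel.
$siteBgp = New-AzLocalNetworkGateway -Name 'lng-site-bgp' -ResourceGroupName $rg -Location $location `
             -GatewayIpAddress '198.51.100.20' -AddressPrefix '10.250.0.1/32' `
             -Asn 65050 -BgpPeeringAddress '10.250.0.1'
New-AzVirtualNetworkGatewayConnection -Name 'cn-site-bgp' -ResourceGroupName $rg -Location $location `
  -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $siteBgp -ConnectionType IPsec `
  -SharedKey (Read-Host -Prompt 'Pre-shared key for site-bgp') -EnableBgp $true

# Checks to run afterwards: tunnel state, BGP session state, and the routes actually learned
# (look for a 0.0.0.0/0 or for your own VNet prefix arriving from the peer; neither should be there).
Get-AzVirtualNetworkGatewayConnection -Name 'cn-site-bgp' -ResourceGroupName $rg |
  Select-Object Name, ConnectionStatus
Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName 'vpngw-hub' -ResourceGroupName $rg
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName 'vpngw-hub' -ResourceGroupName $rg |
  Select-Object Network, NextHop, Origin, AsPath
```

The on-premises device must mirror each variant: static routes for the Azure prefixes on the first site, and a BGP neighbour at the Azure gateway's peering address (ASN 65010 in this example) on the second, with an outbound prefix filter so it only announces its own networks.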

Site-to-Site VPNs

You can create a secure connection between your on-premises network and your Azure virtual network over an IPsec/IKE VPN tunnel between the Azure VPN gateway and a compatible VPN device on premises; the device needs a public IP address that the gateway can reach, and the tunnel is authenticated with a pre-shared key. Site-to-Site connections work with either gateway VPN type, but a policy-based gateway carries only a single such tunnel (IKEv1, Basic SKU), while a route-based gateway can terminate many sites on one gateway (multi-site), negotiate IKEv2 and exchange routes over BGP. Organizations with many remote sites therefore end up on route-based gateways.

IKEv2 Site-to-Site VPNs

IKEv2 site-to-site VPNs are supported by Azure on route-based gateways; policy-based gateways negotiate IKEv1 only. IKE performs the authenticated key exchange, and IPsec (ESP) then provides confidentiality and integrity for the tunneled packets. IKEv2 has built-in dead peer detection and a simpler rekeying exchange, so the gateway and the on-premises device can detect a dropped tunnel after a network, router or Internet interruption and re-establish the IKE and IPsec security associations (SAs) without manual intervention. Two practical checks: pin the encryption, integrity and Diffie-Hellman group on both sides rather than accepting whatever the default proposal list happens to negotiate, and make sure the SA lifetimes match on both ends, because mismatched lifetimes cause periodic tunnel flaps that look like network failures.

For more information about IKEv2, see Internet Key Exchange version 2 (IKEv2).

SSTP and Site-to-Site VPNs

SSTP is a TCP-based VPN protocol that carries PPP frames inside a TLS connection on port 443. In Azure it is a point-to-site protocol only: site-to-site and VNet-to-VNet connections always use IPsec/IKE, and an on-premises VPN device cannot terminate an SSTP tunnel on the Azure gateway. Connecting an organization's on-premises network to Azure, or two networks to each other, is therefore always IPsec; SSTP is the option for an individual remote user, such as a teleworker on Windows, connecting to the virtual network.

Point-to-Site VPNs

Point-to-Site VPNs are popular because they are easy to set up and use: no VPN device is required, each client authenticates individually, and the client receives an address from a pool that you define on the gateway. Point-to-Site requires a route-based gateway and can use either of the following tunnel protocols (Azure additionally offers OpenVPN, which is not covered here):

SSTP Point-to-Site VPNs

SSTP (Secure Socket Tunneling Protocol) is a Microsoft VPN tunneling protocol that replaced PPTP, whose authentication and encryption are broken and should not be used. SSTP carries PPP frames inside a TLS session: the gateway presents a server certificate (Azure provides the gateway's certificate), so the client can verify that it is talking to the real gateway before sending credentials. Because SSTP uses TCP port 443, the same port as HTTPS, it passes through firewalls and proxy servers that block IPsec (UDP 500/4500 and ESP).

The downside is that SSTP is not widely supported outside Windows: Azure's point-to-site SSTP client is Windows only, so macOS, Linux and mobile clients must use IKEv2 (or OpenVPN). Because it runs over TCP, it also performs worse than IKEv2 on lossy links.

IKEv2 Point-to-Site VPNs

Azure supports two ways to authenticate IKEv2 Point-to-Site clients: certificates (EAP-TLS, used by the native Windows and macOS clients) and RADIUS; this section covers certificate-based authentication. Each client must have a client certificate installed in its user certificate store, issued by a root certificate whose public part has been uploaded to the gateway. The root can be self-signed (generated by you, for example with New-SelfSignedCertificate or OpenSSL) or issued by your enterprise CA; Azure does not generate it for you, and the root's private key never leaves your environment because only its base64-encoded public certificate data is uploaded. Client certificates must chain to one of the uploaded roots, and the client must also trust that root (a self-signed root has to be installed in the client's Trusted Root Certification Authorities store). Because the gateway trusts every certificate a registered root has issued, protect the root key as you would any CA key and register the thumbprints of lost or decommissioned client certificates in the gateway's revocation list.
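An end-to-end certificate setup for IKEv2 Point-to-Site, as an added example that is not part of the original page: generate a root and a client certificate, upload only the root's public data, enable the protocols, and revoke a client by thumbprint. The gateway name, resource group, address pool and certificate subjects are assumptions; the gateway is assumed to already exist as a route-based gateway. Steps 1 and 2 need a Windows machine (New-SelfSignedCertificate); the rest needs the Az module.

```powershell
# Added example (not from the original page). Names, subjects and the address pool are assumptions.

# 1. Root certificate: a self-signed CA kept on an admin workstation (or substitute your
#    enterprise CA). Only its public part is ever sent to Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
  -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
  -HashAlgorithm sha256 -KeyLength 2048 `
  -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by the root, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
#    Issue one per user or device so that each can be revoked on its own.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' -KeySpec Signature `
  -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
  -HashAlgorithm sha256 -KeyLength 2048 `
  -CertStoreLocation 'Cert:\CurrentUser\My' `
  -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Upload the root's public key (DER, base64) and enable IKEv2 and SSTP with a client address pool.
$rootPublicData = [Convert]::ToBase64String($root.RawData)
$gw = Get-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName 'rg-vpn-demo'
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
  -VpnClientAddressPool '172.16.201.0/24' -VpnClientProtocol IkeV2, SSTP
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
  -VirtualNetworkGatewayName 'vpngw-hub' -ResourceGroupName 'rg-vpn-demo' `
  -PublicCertData $rootPublicData

# 4. Revocation: the gateway uses its own revoked-thumbprint list rather than your CA's CRL,
#    so a lost or stolen client certificate is blocked by registering its thumbprint here.
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'lost-laptop' `
  -VirtualNetworkGatewayName 'vpngw-hub' -ResourceGroupName 'rg-vpn-demo' `
  -Thumbprint $client.Thumbprint

# 5. Hand the client certificate (with its private key) to the user as a password-protected PFX.
#    The root's private key is never exported.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath '.\P2SChildCert.pfx' -Password $pfxPassword
```

Step 4 is shown on the certificate just issued only to demonstrate the call; in practice you run it against the thumbprint of the certificate that was lost. Uploading a root that your enterprise CA also uses for other purposes widens what the gateway accepts, so a dedicated issuing CA for VPN clients is the safer choice.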

VNet-to-VNet VPNs

Azure offers three ways to connect over a VPN gateway: Point-to-Site (individual clients), Site-to-Site (a whole on-premises network; multi-site is the same with several sites on one gateway) and VNet-to-VNet (two Azure virtual networks). Point-to-Site needs no VPN device and suits small numbers of remote users. Site-to-Site needs a compatible on-premises VPN device with a public IP address and is the usual choice for connecting offices and data centres. VNet-to-VNet is configured like a Site-to-Site connection but with an Azure gateway at both ends, which means a route-based gateway on each side and two connection resources, one in each direction, sharing the same pre-shared key; the VNets may be in the same or different regions.

Policy-Based VNet-to-VNet VPNs

Policy-based gateways cannot be used for VNet-to-VNet connections (nor for point-to-site or multi-site); they support a single site-to-site tunnel only. Most policy-based gateways still in use date from the earlier deployment model, so the rest of this section is about that. Prior to the Resource Manager deployment model, Azure supported only one deployment and management model, known as the Classic deployment model. The Classic model is deprecated and Resource Manager is the recommended model going forward. When you migrate your deployments to Resource Manager, you gain the Az PowerShell cmdlets, role-based access control (RBAC) and ARM templates.

Today, all virtual network gateways created in the Resource Manager deployment model are route-based by default. This type of gateway uses dynamic routing and supports Border Gateway Protocol (BGP) to learn and advertise routes. If you have gateways that were created as policy-based (including Classic "static routing" gateways) and need VNet-to-VNet, BGP, IKEv2 or point-to-site, you cannot switch the VPN type in place: you delete the existing gateway and its connections, create a new route-based gateway, and rebuild the connections with the on-premises device reconfigured for route-based IPsec (wildcard traffic selectors). The process is not reversible, so plan the downtime, and unless the gateway uses a static public IP resource that you keep and reattach, the tunnel endpoint address changes and the on-premises device must be updated.

The following article provides an overview of the different types of VPNs that are supported by Azure:

VPN Types: Policy-Based vs Route-Based VPNs
In a policy-based VPN, traffic is selected for the tunnel by an administrator-defined policy: a set of traffic selectors (pairs of source and destination address prefixes, comparable to access control lists) defines which packets are encrypted and sent through the tunnel, and everything else bypasses it. In Azure, policy-based gateways exist in both the Classic and the Resource Manager deployment models (the Classic name for them is "static routing" gateways), but they are restricted to the Basic SKU, a single site-to-site tunnel and IKEv1.

In a route-based VPN, called a dynamic routing gateway in the Classic model and a RouteBased gateway in Resource Manager, the tunnel uses any-to-any traffic selectors and routing (static routes or BGP) decides which packets enter it; everything routed into the tunnel is encrypted with no further configuration. Traffic filtering and inspection are done separately, with Network Security Groups attached to the subnets or individual network interfaces that the traffic reaches through the gateway. Route-based gateways are supported in both deployment models and are the only type that supports point-to-site, multi-site, VNet-to-VNet and IKEv2.

The following table compares these two types of gateways so that you can determine which type best meets your needs:

Policy-based gateway vs. route-based gateway

Traffic selection. Policy-based: you must list every source/destination prefix pair that may use the tunnel, and every network change on either side means editing the selectors, which is an administration burden when there are many changes. Route-based: anything routed into the tunnel is encrypted automatically; there are no selectors to maintain.

Performance. Policy-based: each packet is matched against the selector list before encryption and only the Basic SKU is available, so throughput is capped at that SKU. Route-based: packets are forwarded by a routing lookup and the larger gateway SKUs are available, so throughput scales with the SKU you choose.

Security. Policy-based: traffic not covered by a selector never enters the tunnel, which is restrictive by default but also means a forgotten selector silently blocks legitimate traffic. Route-based: everything routed into the tunnel is encrypted, and access control is expressed separately and more granularly with NSGs on the Azure side (and filters on the on-premises device), so the tunnel definition and the access policy can be changed independently.

Route-Based VNet-to-VNet VPNs

The Route-Based VPN type creates a secure, cross-premises connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. You specify the VPN gateway addresses, the IKE parameters (the pre-shared key and the IKE version; site-to-site and VNet-to-VNet tunnels authenticate with a pre-shared key, not certificates) and the address prefixes or BGP peers that will be used for the connection. Cross-premises connectivity is possible between virtual networks that are in the same region or in different regions. This article describes how you can create a route-based virtual network gateway. For information about policy-based gateways, see PolicyBased Virtual Network Gateways.

Creating a Route-based gateway involves these steps:

1. For each on-premises site, create a local network gateway that records the site's public VPN endpoint address and either its address prefixes (static routing) or its BGP ASN and peering address. VNet-to-VNet connections do not need local network gateways; the remote VNet's own gateway is referenced directly.

2. Create a virtual network gateway for your VNet. At this point you specify the gateway type (Vpn, as opposed to ExpressRoute), the VPN type (RouteBased), the gateway SKU (which sets throughput, tunnel count and whether BGP is available), the location and the GatewaySubnet. The VPN type cannot be changed after the gateway is created.

3. Create the connections: IPsec connections from the gateway to each local network gateway for site-to-site, Vnet2Vnet connections between two virtual network gateways (one in each direction, same pre-shared key), or a point-to-site configuration (address pool, protocols, root certificates) on the gateway itself. All of this can be done from the Azure portal, PowerShell or the Azure CLI.
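Step 3 for the VNet-to-VNet case, as an added example that is not from the original page: two route-based gateways are assumed to already exist (one per VNet, possibly in different regions), and the connection is created from each gateway's point of view with a generated pre-shared key. Names and resource groups are assumptions.

```powershell
# Added example (not from the original page): VNet-to-VNet connection between two existing
# route-based gateways. Gateway names and resource groups are assumptions.

$rg1 = 'rg-vpn-demo'; $rg2 = 'rg-vpn-demo-2'
$gw1 = Get-AzVirtualNetworkGateway -Name 'vpngw-hub'   -ResourceGroupName $rg1
$gw2 = Get-AzVirtualNetworkGateway -Name 'vpngw-spoke' -ResourceGroupName $rg2

# Refuse to continue if either side is policy-based; Vnet2Vnet connections require RouteBased gateways.
foreach ($g in @($gw1, $gw2)) {
  if ($g.VpnType -ne 'RouteBased') { throw "Gateway $($g.Name) is $($g.VpnType); VNet-to-VNet needs RouteBased." }
}

# Generate a 256-bit random pre-shared key (hex keeps it within the allowed character set).
# Both connection resources must carry the same key; never reuse a key across unrelated tunnels.
$keyBytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($keyBytes)
$psk = ($keyBytes | ForEach-Object { $_.ToString('x2') }) -join ''

# A VNet-to-VNet link is two connection resources, one created from each gateway's perspective.
New-AzVirtualNetworkGatewayConnection -Name 'cn-hub-to-spoke' -ResourceGroupName $rg1 -Location $gw1.Location `
  -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 -ConnectionType Vnet2Vnet -SharedKey $psk
New-AzVirtualNetworkGatewayConnection -Name 'cn-spoke-to-hub' -ResourceGroupName $rg2 -Location $gw2.Location `
  -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 -ConnectionType Vnet2Vnet -SharedKey $psk

# Both directions must report Connected; one side stuck in Connecting usually means the keys differ.
foreach ($c in @(@('cn-hub-to-spoke', $rg1), @('cn-spoke-to-hub', $rg2))) {
  Get-AzVirtualNetworkGatewayConnection -Name $c[0] -ResourceGroupName $c[1] |
    Select-Object Name, ConnectionStatus, ConnectionType
}
```

If the two VNets have overlapping address spaces the connections will be created but traffic will not route correctly, so check the address spaces before running this; the same applies to any on-premises prefixes already reachable through either gateway.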
