Azure VPN Gateway Deployment and Configuration Guide

To deploy an Azure VPN Gateway, you'll need to create a virtual network and a VPN gateway. This can be done through the Azure portal or using Azure CLI.

The Azure VPN Gateway supports multiple protocols, including IKEv1 and IKEv2, as well as OpenVPN.

When choosing a VPN gateway, consider the number of connections you need to support. The Basic SKU supports up to 10 connections, while the Standard SKU supports up to 30 connections.

The Azure VPN Gateway can be deployed in an active-active configuration, which provides high availability and redundancy.

Azure VPN Gateway Deployment

You can deploy Azure VPN Gateway using different methods, but did you know that some of these methods are only available for VNets in the same subscription?

The main deployment model for Azure VPN Gateway is Resource Manager; it is available through the Azure portal, PowerShell, and Azure CLI.

To deploy Azure VPN Gateway using the Resource Manager model, you can follow the tutorials on the Azure portal, PowerShell, or Azure CLI.

S2S Deployment Models and Methods

Azure VPN Gateway Deployment offers two main deployment models: Azure Resource Manager (ARM) and Classic.

ARM is the recommended deployment model for new deployments, as it provides a more efficient and scalable way to manage resources.

Classic is still supported for existing deployments, but it's not recommended for new deployments due to its limitations.

There are two main connection methods: Site-to-Site (S2S) and Point-to-Site (P2S).

S2S is the most common deployment method, which allows multiple sites to connect to Azure over a VPN.

P2S is a more flexible deployment method, which allows individual devices to connect to Azure over a VPN.

Azure VPN Gateway supports both S2S and P2S deployment methods.

The S2S deployment method requires a VPN device at each site, which is connected to the Azure VPN Gateway.

Azure provides a list of supported VPN devices that can be used for S2S deployments.

The P2S deployment method requires a VPN client on each device, which connects to the Azure VPN Gateway.

Azure provides a list of supported VPN clients that can be used for P2S deployments.

VNet-to-VNet Deployment Models and Methods

You can connect two virtual networks in Azure using VNet-to-VNet connections, which are similar to connecting a virtual network to an on-premises site location.

The deployment models and methods for VNet-to-VNet connections vary depending on the tools you use. In the Azure portal, you can find tutorials for Resource Manager deployment. PowerShell and Azure CLI also have tutorials available.

Resource Manager is one of the deployment models for VNet-to-VNet connections, and it's available in the Azure portal, PowerShell, and Azure CLI. However, it's worth noting that this deployment method is only available for VNets in the same subscription.

You can connect virtual networks in different regions, subscriptions, and deployment models using VNet-to-VNet connections. The connections use a VPN gateway to provide a secure tunnel using IPsec/IKE.

Here's a summary of the deployment models and methods for VNet-to-VNet connections:

Note that the "+" symbol denotes that this deployment method is only available for VNets in the same subscription.

SKUs

If you're deploying an Azure VPN Gateway, you need to specify the gateway SKU that suits your needs. This determines the performance, features, and SLAs of your gateway.

There are several gateway SKUs to choose from, including Basic, VpnGw1, VpnGw2, and VpnGw3, among others. Each SKU has its own set of features and limitations.

The Basic SKU is suitable for small-scale deployments, with a maximum of 10 S2S VPN tunnels and 128 P2S SSTP connections. It also supports a maximum throughput of 100 Mbps.

The VpnGw1 SKU is a step up from the Basic SKU, with a maximum of 30 S2S VPN tunnels and 128 P2S SSTP connections. It also supports a maximum throughput of 650 Mbps and BGP.

To help you choose the right SKU, here's a comparison of the different SKUs:

Remember to choose a SKU that meets your performance and feature requirements. If you need to resize your gateway SKU, you can do so by selecting a new SKU from the dropdown list on the Configuration page.

Next Steps

Now that you've created an Azure VPN gateway, you can start exploring more advanced configurations to meet your specific needs.

You can configure more gateway settings, such as site-to-site VPN connections. Site-to-site VPN connections allow you to securely connect multiple offices or locations over the internet.

After setting up a site-to-site VPN connection, you can also establish point-to-site VPN connections. Point-to-site VPN connections enable remote users to connect to your network securely.

Consider your specific requirements and the type of connection that best suits your needs.

Configuration and Setup

To create a successful VPN gateway connection, you need to configure multiple resources with specific settings. This requires understanding gateway types, gateway SKUs, VPN types, connection types, and gateway subnets.

For a smooth setup, familiarize yourself with individual resource settings and gateway SKUs by reading About VPN Gateway settings and About gateway SKUs. These articles will help you grasp the basics of gateway types, VPN types, and connection types.

A good starting point for configuration is to review the VPN Gateway topology and design article, which includes design diagrams and links to configuration articles.

P2S Client Configuration

To configure your P2S client, you'll need to select the right authentication method. Certificate authentication is a popular choice, but you can also use Microsoft Entra ID.

The tunnel type you choose will depend on your operating system. For Windows, IKEv2 and SSTP are options, while macOS and Linux users can use IKEv2.

You can configure your VPN client using the Azure portal or PowerShell. Both methods generate a zip file with the necessary configuration settings.

To connect to Azure, follow the steps outlined in the VPN client table in the Specify tunnel and authentication type section. This will guide you through configuring your VPN client software.

You'll need to generate client certificates for each client computer connecting to your VNet. You can use a self-signed root certificate or an enterprise certificate.

To add the VPN client address pool, go to your VPN gateway in the Azure portal and select Point-to-site configuration. Add the private IP address range you want to use, making sure it doesn't overlap with your on-premises location or VNet.

Add Public IP Address

Adding a public IP address to your virtual network gateway is a straightforward process. You can do this by creating a new public IP address object and associating it with the gateway.

To create a new public IP address, you'll need to specify a name, SKU, and assignment method. In the example, we create a public IP address with the name VNet1GWpip2 and select Standard as the SKU. The assignment method is set to Static.

A public IP address is assigned to each public IP address object when the VPN gateway is created. This means that the IP address will only change when the gateway is deleted and re-created, not during resizing, resetting, or other internal maintenance/upgrades.

If you have an active-active mode gateway, you'll need to specify a third public IP address to configure point-to-site. In this case, you can create a new public IP address with the example value VNet1GWpip3.

Here's a summary of the public IP address settings:

After creating the public IP address, you can view it by navigating to your gateway in the portal and clicking on the Properties page. From there, you can click on the associated IP address link to view more information about the IP address object.
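The deployment steps above (virtual network, GatewaySubnet, static Standard public IP, gateway) together with the point-to-site address pool, root certificate upload and thumbprint revocation, as one added Azure CLI script that is not part of the original article. Resource names (TestRG1, VNet1, VNet1GW, VNet1GWpip, P2SRootCert) and the address ranges are assumed values.

```shell
#!/bin/sh
# Added example (not from the original article): deploy the VNet, GatewaySubnet,
# static Standard public IP, route-based VpnGw1 gateway and P2S settings with
# Azure CLI. Resource names and address ranges below are assumed values.
set -eu

RG="${RG:-TestRG1}"
LOCATION="${LOCATION:-eastus}"
VNET="VNet1"
GW="VNet1GW"
AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them

create_vnet() {
  "$AZ" network vnet create -g "$RG" -l "$LOCATION" -n "$VNET" \
    --address-prefix 10.1.0.0/16 --subnet-name Frontend --subnet-prefix 10.1.0.0/24
  # The gateway subnet must be named exactly GatewaySubnet; use /27 or larger.
  "$AZ" network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefix 10.1.255.0/27
}

create_gateway() {
  # Standard SKU, Static: the address survives resize/reset and changes only
  # if the gateway is deleted and re-created.
  "$AZ" network public-ip create -g "$RG" -l "$LOCATION" -n VNet1GWpip \
    --sku Standard --allocation-method Static
  # Gateway creation blocks here and can take 45 minutes or more.
  "$AZ" network vnet-gateway create -g "$RG" -l "$LOCATION" -n "$GW" \
    --vnet "$VNET" --public-ip-address VNet1GWpip \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}

# $1: path to the Base-64 encoded X.509 (.cer) root certificate to upload.
configure_p2s() {
  # The client address pool must not overlap the VNet or any on-premises range.
  "$AZ" network vnet-gateway update -g "$RG" -n "$GW" \
    --address-prefixes 172.16.201.0/24 --client-protocol IkeV2 SSTP
  "$AZ" network vnet-gateway root-cert create -g "$RG" --gateway-name "$GW" \
    -n P2SRootCert --public-cert-data "$1"
}

# Revoke one client certificate by SHA-1 thumbprint (no colons); the root stays.
revoke_client() {
  "$AZ" network vnet-gateway revoked-cert create -g "$RG" --gateway-name "$GW" \
    -n "$1" --thumbprint "$2"
}

if [ "${1:-}" = "deploy" ]; then
  create_vnet && create_gateway && configure_p2s "${2:-root.cer}"
fi
```

Run it as `sh deploy.sh deploy root.cer` after `az login`; with `AZ=echo` it only prints the commands, which is a convenient way to review names and ranges before touching the subscription.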

Security and Certificates

To ensure secure connections to your Azure VPN gateway, it's essential to understand the role of certificates in authentication. You can generate certificates, specifically root certificates, which are used by Azure to authenticate clients connecting over a point-to-site VPN connection.

A root certificate must be generated and extracted before configuring the point-to-site gateway settings. You can obtain a root certificate from an enterprise solution or generate a self-signed certificate using tools like Azure PowerShell, MakeCert, or OpenSSL.

To upload the root certificate public key information to Azure, export the certificate as a Base-64 encoded X.509 (.CER) file and open it with a text editor. Then, navigate to the Virtual network gateway -> Point-to-site configuration page and add the root certificate in the Root certificate section.

Here's a summary of the authentication types and tunnel types available for Azure VPN clients:

Note that you can revoke client certificates by adding the thumbprint to the revocation list. This allows you to selectively deny P2S connectivity based on individual client certificates.

Tunnel and Authentication Type

To set up a secure connection to Azure, you need to specify the tunnel and authentication type. This can get complex, but you can select options that contain multiple tunnel types from the dropdown.

You must choose a tunnel type and authentication type that correspond to the VPN client software you want to use. This is crucial when you have various VPN clients connecting from different operating systems.

The tunnel type and authentication type must match the VPN client software you're using. For example, if you're using the native VPN client on Windows, you'll need to choose IKEv2 and SSTP as your tunnel types.

If you're using a different operating system or VPN client, you'll need to choose a different combination of tunnel types and authentication types. You can refer to the VPN client table to find the correct combination.

Here's a summary of the available tunnel types and authentication types:

(Only the OpenVPN rows of the table are reproduced here; the IKEv2 and SSTP rows are described in the text above.)

Authentication       Tunnel type   Client OS   VPN client
Certificate          OpenVPN       Windows     OpenVPN client version 2.x, OpenVPN client version 3.x
Certificate          OpenVPN       macOS       OpenVPN client
Certificate          OpenVPN       iOS         OpenVPN client
Certificate          OpenVPN       Linux       Azure VPN Client, OpenVPN client
Microsoft Entra ID   OpenVPN       Windows     Azure VPN Client
Microsoft Entra ID   OpenVPN       macOS       Azure VPN Client
Microsoft Entra ID   OpenVPN       Linux       Azure VPN Client

If you're using the Basic SKU, you won't see the tunnel type or authentication type on the Point-to-site configuration page. This is because the Basic SKU doesn't support IKEv2 or RADIUS authentication.

Generate Certificates

Generating certificates is a crucial step in setting up a secure connection to a virtual network. You'll need to create a root certificate and client certificates to authenticate clients connecting to the virtual network.

A root certificate is used by Azure to authenticate clients, and it must be uploaded to Azure as a Base64 encoded X.509 (.CER) file. You can either use an enterprise certificate solution or generate a self-signed root certificate.

You can generate a self-signed root certificate using Azure PowerShell, MakeCert, or OpenSSL. This is recommended if you're not using an enterprise certificate solution, as it ensures compatibility with point-to-site connections.

To generate a client certificate, you'll need to use the root certificate and install it on each client computer. You can generate a unique certificate for each client or use the same certificate for multiple clients.

Here are the methods to generate client certificates:

  • Enterprise certificate
  • Self-signed root certificate

Note that if you don't install a valid client certificate, authentication will fail when the client tries to connect to the virtual network.

Frequently Asked Questions

What is an Azure VPN gateway?

An Azure VPN gateway is a secure connection that links your on-premises network to Azure using industry-standard protocols. It enables Site-to-Site VPNs, similar to connecting a remote branch office, for secure and reliable access to Azure resources.

What is the difference between VNet gateway and VPN gateway?

A VNet gateway is a general-purpose gateway for a virtual network, while a VPN gateway is a specific type used for secure internet connections between Azure and on-premises locations. In other words, all VPN gateways are VNet gateways, but not all VNet gateways are VPN gateways.

What is the difference between Azure VPN gateway and ExpressRoute?

Key differences between Azure VPN Gateway and ExpressRoute include latency and scalability limitations with VPN Gateway, which relies on public internet connections, compared to ExpressRoute's direct, high-speed network

What is the difference between virtual network gateway and local network gateway?

A virtual network gateway forms the tunnel to your on-premises devices, while a local network gateway determines which devices to connect and their IP address ranges. Think of the virtual gateway as the tunnel, and the local gateway as the map that guides it.
