If you're looking to set up a secure and reliable connection to your Azure resources, the right VPN Gateway SKU is crucial. There are several options to choose from, each with its own set of features and limitations.
The Basic SKU is a good starting point for small-scale deployments, offering a single IP address and a maximum of 100 tunnels. However, it's not suitable for larger or more complex environments.
For more demanding workloads, the Standard SKU provides a higher level of performance and scalability, with support for up to 100 IP addresses and 1000 tunnels. This makes it a popular choice for larger organizations.
Ultimately, the right SKU for you will depend on your specific needs and requirements.
Azure VPN Gateway SKUs
Azure VPN Gateway SKUs are categorized into two generations: Generation 1 and Generation 2. The Basic SKU is no longer permitted for new gateways, and you must use a Standard SKU public IP address starting December 1, 2023.
You can create a Basic SKU VPN gateway that uses a Basic SKU public IP address, but it has limitations: it doesn't support IPv6 or RADIUS authentication, and it can only be configured using PowerShell or Azure CLI.
The connection limits for VPN Gateway SKUs are as follows:
Note that the connection limits are separate, meaning you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.
Choosing the Right SKU
To determine the right SKU for your Azure VPN Gateway, consider your workload type. For production, critical workloads, we recommend all Generation1 and Generation2 SKUs, except Basic. This is because Basic has certain feature and performance limitations and shouldn't be used for production purposes.
If you're using the VPN Gateway for dev-test or proof of concept, the Basic SKU might be suitable. However, keep in mind that it has limitations, such as not supporting IPv6 and RADIUS authentication.
Here's a summary of the recommended SKUs by workload type:
By Feature Set
The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes.
This SKU supports route-based VPN with 10 S2S tunnels/connections, but no RADIUS authentication for P2S and no IKEv2 for P2S. It also supports policy-based VPN with 1 S2S tunnel/connection, but no P2S connections.
All other Generation1 and Generation2 SKUs, except the Basic SKU, support route-based VPN with up to 100 tunnels, P2S, BGP, active-active, custom IPsec/IKE policy, and ExpressRoute/VPN coexistence.
Here's a summary of the features supported by each SKU:
(*) You can configure "PolicyBasedTrafficSelectors" to connect a route-based VPN gateway to multiple on-premises policy-based firewall devices.
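As an added example (not from the page or from Microsoft), the Basic SKU limits described in this section encoded as a pre-flight check: given a planned gateway's requirements, it returns every reason the Basic SKU would not fit. The requirement keys (`vpn_type`, `production`, `ipv6`, `radius`, `p2s`, `p2s_ikev2`, `s2s_tunnels`, `bgp`, `active_active`, `custom_ipsec_policy`, `expressroute_coexistence`) are names chosen for this example.

```python
# Basic SKU limits as stated on this page, split by VPN type:
# route-based allows 10 S2S tunnels, policy-based allows 1.
BASIC_S2S_TUNNEL_LIMIT = {"RouteBased": 10, "PolicyBased": 1}

# Features the page lists only for the non-Basic Generation1/Generation2 SKUs.
NON_BASIC_ONLY = ("bgp", "active_active", "custom_ipsec_policy",
                  "expressroute_coexistence")


def basic_sku_blockers(req):
    """Return the reasons a planned gateway cannot use the Basic SKU.

    `req` is a dict of requirements (key names are assumptions of this
    example). An empty list means Basic satisfies every stated requirement.
    """
    vpn_type = req.get("vpn_type", "RouteBased")
    if vpn_type not in BASIC_S2S_TUNNEL_LIMIT:
        raise ValueError(f"unknown vpn_type {vpn_type!r}")
    reasons = []
    if req.get("production"):
        reasons.append("Basic has feature and performance limitations and "
                       "shouldn't be used for production workloads")
    if req.get("ipv6"):
        reasons.append("Basic doesn't support IPv6")
    if req.get("radius"):
        reasons.append("Basic doesn't support RADIUS authentication")
    if vpn_type == "PolicyBased" and req.get("p2s"):
        reasons.append("Basic policy-based VPN doesn't support P2S")
    if vpn_type == "RouteBased" and req.get("p2s_ikev2"):
        reasons.append("Basic route-based VPN doesn't support IKEv2 for P2S")
    limit = BASIC_S2S_TUNNEL_LIMIT[vpn_type]
    tunnels = req.get("s2s_tunnels", 0)
    if tunnels > limit:
        reasons.append(f"Basic {vpn_type} allows only {limit} S2S tunnel(s), "
                       f"{tunnels} requested")
    for feature in NON_BASIC_ONLY:
        if req.get(feature):
            reasons.append(f"{feature} requires a non-Basic Generation1 or "
                           f"Generation2 SKU")
    return reasons


if __name__ == "__main__":
    # Constructed sample plan: a small dev/test route-based gateway.
    plan = {"vpn_type": "RouteBased", "s2s_tunnels": 3, "p2s": True}
    print(basic_sku_blockers(plan) or "Basic SKU is acceptable for this plan")
```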
Pricing
Pricing is a crucial factor to consider when choosing the right SKU for your virtual network gateway. You'll pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway.
The hourly compute cost is based on the gateway SKU you specify when creating a virtual network gateway. This cost is in addition to the data transfer that flows through the gateway, and it's the same for both active-active and active-passive setups.
Data transfer costs are calculated based on egress traffic from the source virtual network gateway. Traffic sent to your on-premises VPN device is charged at the Internet egress data transfer rate.
There are also regional considerations to keep in mind. If you're sending traffic between virtual networks in different regions, the pricing is based on the region. On the other hand, if you're sending traffic only between virtual networks that are in the same region, there are no data costs.
Here's a summary of the data transfer costs:
- Internet egress data transfer rate for traffic to on-premises VPN devices
- Region-based pricing for traffic between virtual networks in different regions
- No data costs for traffic between VNets in the same region
Multiple Protocol Support
When choosing a VPN gateway SKU, it's essential to consider the protocols it supports. All Generation1 and Generation2 SKUs except Basic support multiple protocols, including IKEv2 and SSTP. IKEv2 is a secure, high-performance protocol that's ideal for demanding VPN applications, and SSTP is another popular protocol that offers flexibility and security.
The Basic SKU has certain feature and performance limitations, including no support for RADIUS authentication, and shouldn't be used for production purposes.
Here's a summary of the supported protocols by SKU:
Configuring and Monitoring
Configuring a VPN Gateway connection requires careful attention to multiple resources with specific settings. You'll find detailed information on individual resources and settings in the About VPN Gateway settings and About gateway SKUs articles.
For a successful connection, it's essential to understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, and local network gateways. These resources are critical to creating a successful connection.
To visualize your VPN Gateway setup, check out the VPN Gateway topology and design article for design diagrams and links to configuration articles.
Configuring VPN
Configuring VPN requires careful consideration of multiple resources with specific settings, and in some cases these resources must be configured in a certain order. The settings for each resource are critical to creating a successful connection, so understanding gateway types, gateway SKUs, VPN types, and connection types is essential.
For information on individual resources and settings, including gateway subnets, local network gateways, and other resource settings, see About VPN Gateway settings and About gateway SKUs. Design diagrams and links to configuration articles can be found in the VPN Gateway topology and design article, which provides a visual representation of VPN Gateway configurations.
Monitoring and Logging
Monitoring and logging is a crucial aspect of configuring and managing your Azure setup. Azure's monitoring and logging capabilities allow administrators to track Point-to-Site VPN connections, enabling proactive management and quick resolution of potential issues.
By using these capabilities, you can identify and address problems before they become major issues and keep your network running smoothly and securely.
Add Subnet
Adding a subnet to your virtual network is a straightforward process. To start, navigate to the settings of your virtual network and click on "Subnets".
You'll then see a button to add a new subnet. Click on "Add Gateway Subnet" to begin the process.
The next step is to name your subnet, such as "GatewaySubnet". This will help you identify the subnet later on.
The address range for your subnet must be a valid CIDR block within the address space of your virtual network; if it isn't, the subnet cannot be created or will not function correctly.
To complete the process, click on "OK" to create the gateway subnet.
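The checks behind the steps above, as an added example that is not part of the original page: before submitting the portal form, verify the name is exactly GatewaySubnet, the prefix is a valid CIDR block inside the virtual network's address space, and it does not overlap an existing subnet. The VNet address space and existing subnets are constructed sample values; the /27 size check reflects Microsoft's documented recommendation, which this page does not mention.

```python
import ipaddress

# Constructed sample VNet (not from the page): its address space and the
# subnets that already exist in it.
VNET_ADDRESS_SPACE = ["10.10.0.0/16"]
EXISTING_SUBNETS = {"default": "10.10.0.0/24", "app": "10.10.1.0/24"}


def validate_gateway_subnet(name, prefix, vnet_space=VNET_ADDRESS_SPACE,
                            existing=EXISTING_SUBNETS):
    """Return a list of problems; an empty list means the subnet can be added."""
    problems = []
    # Azure only recognises the gateway subnet by this exact name.
    if name != "GatewaySubnet":
        problems.append(f"name must be GatewaySubnet, got {name!r}")
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.10.255.1/27
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as err:
        problems.append(f"invalid CIDR block {prefix!r}: {err}")
        return problems
    spaces = [ipaddress.ip_network(s) for s in vnet_space]
    if not any(s.version == net.version and net.subnet_of(s) for s in spaces):
        problems.append(f"{net} is not within the VNet address space {vnet_space}")
    for other_name, other_prefix in existing.items():
        other = ipaddress.ip_network(other_prefix)
        if other.version == net.version and net.overlaps(other):
            problems.append(f"{net} overlaps existing subnet {other_name} ({other})")
    # Microsoft recommends /27 or larger for the gateway subnet (assumption:
    # not stated on this page, taken from the Azure documentation).
    if net.prefixlen > 27:
        problems.append(f"{net} is smaller than the recommended /27")
    return problems


if __name__ == "__main__":
    for name, prefix in [("GatewaySubnet", "10.10.255.0/27"),
                         ("gateway", "10.10.1.0/29"),
                         ("GatewaySubnet", "10.10.255.1/27")]:
        print(name, prefix, validate_gateway_subnet(name, prefix) or "OK")
```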
Planning and Design
Planning and design is crucial when working with Azure VPN Gateway. You'll need to determine which connection configuration best fits your needs, considering options like point-to-site, site-to-site, and coexisting ExpressRoute/site-to-site connections.
These configurations have different instructions and resource configuration requirements. You can find design topologies and links to configuration instructions in the VPN Gateway topology and design article.
To decide the best connectivity option for your solution, refer to the planning table in the article. The table highlights key differences between point-to-site and site-to-site VPN connections, including supported services, typical bandwidths, and protocols supported.
Planning Table
Azure Supported Services include Cloud Services and Virtual Machines for both Point-to-Site and Site-to-Site connections.
Typical Bandwidths for Point-to-Site connections are based on the gateway SKU, while Site-to-Site connections typically have an aggregate bandwidth of less than 10 Gbps.
Protocols Supported by Point-to-Site connections include Secure Sockets Tunneling Protocol (SSTP), OpenVPN, and IPsec, whereas Site-to-Site connections support only IPsec.
Routing for Point-to-Site connections is RouteBased (dynamic), whereas Site-to-Site connections support both PolicyBased (static routing) and RouteBased (dynamic routing VPN).
Connection resiliency is active-passive or active-active for both Point-to-Site and Site-to-Site connections.
Site-to-Site connections are typically used for Dev, test, and lab scenarios and small to medium scale production workloads for cloud services and virtual machines.
The SLA and Pricing for both Point-to-Site and Site-to-Site connections are the same, and can be found in the VPN Gateway documentation and FAQ.
Here is a summary of the planning table:
Availability Zones
Availability Zones offer a level of resiliency and scalability to virtual network gateways. This is achieved by physically and logically separating gateways within a region, protecting your on-premises network connectivity to Azure from zone-level failures.
Deploying gateways in Azure Availability Zones can bring higher availability to virtual network gateways.
Create Virtual Network
To create a virtual network gateway, go to the Azure portal and navigate to the "Virtual network gateways" section. Click the "Add" button to begin creating a new virtual network gateway.
When creating a new virtual network gateway, you'll need to provide some details. These include the gateway type, VPN type, SKU, and virtual network settings.
Make sure to select the same resource group that you created earlier. This will ensure everything is properly linked.
Here's a quick rundown of the details you'll need to provide:
Once you've filled in all the details, click "OK" to start the deployment process. Wait for it to complete before moving on to the next step.
Frequently Asked Questions
How do you create an Azure VPN gateway with a Basic SKU?
To create an Azure VPN gateway with a Basic SKU, navigate to the Azure portal, create a virtual network gateway, and select the Basic SKU. This process typically takes 45 minutes or more to complete.
What is SKU in VPN?
A SKU in VPN determines the resources an IP address can be associated with, while a VPN gateway is a virtual network gateway for secure internet traffic exchange.
How to change Azure VPN gateway SKU?
To change your Azure VPN gateway SKU, you'll need to delete the old gateway, create a new one with the desired SKU, and update your on-premises VPN devices with the new gateway's IP address. This process typically involves removing existing connections and updating your VPN configuration.
Sources
- https://learn.microsoft.com/en-us/azure/vpn-gateway/about-gateway-skus
- https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
- https://medium.com/@subhampradhan966/setting-up-point-to-site-vpn-connection-in-azure-20fc5a60bf93
- https://kapilrajyaguru.medium.com/azure-vpn-gateway-all-you-should-know-5ca1939732a8
- https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualnetworkgateway_module.html