What VPN Types Are Supported by Azure?

Find out what types of VPNs are supported by Azure and how you can set them up to work with your Azure resources.


Introduction

Microsoft Azure supports different types of VPN Gateway for configuring a Site-to-Site VPN connection between your on-premises network and your VNet.

The following table lists the types of VPN Gateway that are supported with Azure.

| VPN Type | Supported With Azure |
| ------------- |:-------------:|
| Point-to-Site | Yes |
| Site-to-Site | Yes |
| Multi-Site | Yes |

What is a VPN?

A VPN is a private network that uses a public network, such as the Internet, to connect remote sites or users together. VPNs use a variety of security protocols to secure the connection between the two networks. VPNs are supported by Azure and can be used to connect virtual networks together.

What is a Virtual Private Network?

A virtual private network (VPN) is a network that is constructed using public wires — usually the Internet — to connect to a private network, such as a company’s internal network. A VPN encrypts all of the traffic coming from your computer or mobile device and routes it through an intermediary server in a location of your choosing. That way, anyone trying to snoop on your traffic will only see the IP address and location of the VPN server, not your actual IP address and location. And because the traffic going through the VPN is encrypted, anyone intercepting it will not be able to read it.

What is a Site-to-Site VPN?

Site-to-Site VPNs connect on-premises sites to Azure over an IPsec connection. Site-to-Site (S2S) VPNs are usually deployed when there is more than one site that needs to be connected. To set up an S2S connection, both sides of the VPN connection need a VPN gateway. The gateway can be a physical hardware device or a virtual appliance. When using a hardware device, you will also need to specify the device vendor and model. For more information about supported devices, see About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway. If you want to use PowerShell scripts to set up your Site-to-Site VPN, see Using PowerShell to set up a Site-to-Site VPN connection to Azure.

What is a Point-to-Site VPN?

Point-to-Site (P2S) creates a secure connection to an Azure virtual network from an individual client computer. P2S is a feature of Azure Virtual Network. A P2S VPN gateway connection lets you create and manage a secure connection from your computer to your VNet.

With P2S VPN, admins can configure networking and security policies on the Azure VNet that the client is connecting to, such as allowing or denying inbound and outbound traffic, filtering traffic by IP address or network port, and configuring NAT rules. Admins can also specify custom DNS servers and generate diagnostic logs for P2S VPN gateway connections.

What VPN types are supported by Azure?

Azure supports different types of VPNs. The most common types are point-to-site VPNs and site-to-site VPNs. Point-to-site VPNs are usually used by remote workers who need to connect to a corporate network. Site-to-site VPNs are usually used to connect multiple locations or networks.

Policy-Based VPNs

Azure supports two types of VPNs: policy-based and route-based. A policy-based VPN uses static, pre-defined security policies to control traffic between sites. A route-based VPN uses dynamic routing protocols, such as BGP, to control traffic between sites. Policy-based VPNs are also known as static routing VPNs. Route-based VPNs are also known as dynamic routing VPNs.

For information about the differences between policy-based and route-based VPNs, see Azure VPN Gateway Documentation – Policy-Based vs Route-Based.

Route-Based VPNs

Azure supports two types of VPNs: route-based and policy-based. Policy-based VPNs were the first type of VPN supported on the platform and are based on the industry standard Border Gateway Protocol (BGP). Route-based VPNs are a newer type of VPN that uses IPsec encryption. Both types of VPNs can be implemented in either a gateway-to-gateway or site-to-site configuration.

Route-based VPNs are also known as dynamic VPNs because they can automatically adapt to changing network conditions. Policy-based VPNs, on the other hand, are static and require manual configuration changes to accommodate network changes.

Azure supports both IKEv1 and IKEv2 for creating route-based IPsec connections. IKEv2 is the recommended protocol because it is more secure and efficient than IKEv1.
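The check below is an added example, not code from the original page or from Microsoft: it inventories exported gateway and connection settings and flags policy-based gateways and IKEv1 connections, the two cases the text above singles out. The JSON is constructed sample data, and the field names (`gatewayType`, `vpnType`, `connectionType`, `connectionProtocol`) are assumed to match what `az network vnet-gateway list` and `az network vpn-connection list` emit.

```python
import json

# Constructed sample data. Field names are assumed to mirror the Azure CLI
# JSON output; resource names and values are made up for illustration.
GATEWAYS_JSON = """[
  {"name": "gw-hub",    "gatewayType": "Vpn",          "vpnType": "RouteBased"},
  {"name": "gw-legacy", "gatewayType": "Vpn",          "vpnType": "PolicyBased"},
  {"name": "gw-er",     "gatewayType": "ExpressRoute", "vpnType": "RouteBased"}
]"""
CONNECTIONS_JSON = """[
  {"name": "branch-a", "connectionType": "IPsec", "connectionProtocol": "IKEv2"},
  {"name": "branch-b", "connectionType": "IPsec", "connectionProtocol": "IKEv1"},
  {"name": "er-link",  "connectionType": "ExpressRoute"}
]"""


def audit_gateways(gateways):
    """Flag VPN gateways that use policy-based (static routing) mode."""
    findings = []
    for gw in gateways:
        if gw.get("gatewayType") != "Vpn":
            continue  # only VPN gateways are in scope
        if gw.get("vpnType") == "PolicyBased":
            findings.append((gw["name"], "policy-based-gateway"))
    return findings


def audit_connections(connections):
    """Flag IPsec (Site-to-Site) connections explicitly set to IKEv1."""
    findings = []
    for conn in connections:
        if conn.get("connectionType") != "IPsec":
            continue  # skip non-S2S connection types
        protocol = (conn.get("connectionProtocol") or "").lower()
        if protocol == "ikev1":
            findings.append((conn["name"], "ikev1-connection"))
    return findings


def audit(gateways_json, connections_json):
    """Run both checks over exported JSON and return (resource, finding) pairs."""
    return (audit_gateways(json.loads(gateways_json))
            + audit_connections(json.loads(connections_json)))


if __name__ == "__main__":
    for resource, finding in audit(GATEWAYS_JSON, CONNECTIONS_JSON):
        print(f"{resource}: {finding}")
```
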

Conclusion

Azure supports the following VPN types:
- Point-to-Site (P2S): A P2S VPN connection lets you create a secure connection to your virtual network from an individual client computer. P2S is available for SSTP and IKEv2.
- Site-to-Site (S2S): An S2S VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. S2S connections can use one of two different authentication methods:
  - Certificate Authentication
  - Pre-Shared Key
