Azure VPN Gateway service can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. VPN Gateway uses a specific type of Azure virtual network gateway called a VPN gateway. Multiple connections can be created to the same VPN gateway. When you create multiple connections, all VPN tunnels share the available gateway bandwidth.
Note
Azure VPN Gateway is one of the services that make up the Hybrid Connectivity category in Azure. Other services in this category include ExpressRoute and Virtual WAN. Each service has its own unique features and use cases. For more information on this service category, see Hybrid Connectivity.
Why use VPN Gateway?
Here are some of the key scenarios for VPN Gateway:
Send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet using one of the following types of connections:
Site-to-site connection: A cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device.
Point-to-site connection: VPN over OpenVPN, IKEv2, or SSTP. This type of connection lets you connect to your virtual network from a remote location, such as from a conference or from home.
Send encrypted traffic between Azure virtual networks using the following types of connections:
VNet-to-VNet: An IPsec/IKE VPN tunnel connection between the VPN gateway and another Azure VPN gateway that uses a VNet-to-VNet connection type. This connection type is designed specifically for VNet-to-VNet connections.
Site-to-site connection: An IPsec/IKE VPN tunnel connection between the VPN gateway and another Azure VPN gateway. This type of connection, when used in the VNet-to-VNet architecture, uses the Site-to-site (IPsec) connection type, which allows cross-premises connections to the gateway in addition connections between VPN gateways.
Configure a site-to-site VPN as a secure failover path for ExpressRoute using:
- ExpressRoute + VPN Gateway: A combination of ExpressRoute + VPN Gateway connections (coexisting connections).
Use site-to-site VPNs to connect to sites that aren't connected through ExpressRoute using:
- ExpressRoute + VPN Gateway: A combination of ExpressRoute + VPN Gateway connections (coexisting connections).
Planning and design
Because you can create multiple connection configurations using VPN Gateway, you need to determine which configuration best fits your needs. Point-to-site, site-to-site, and coexisting ExpressRoute/site-to-site connections all have different instructions and resource configuration requirements.
See the VPN Gateway topology and design article for design topologies and links to configuration instructions. The following sections of the article highlight some of the design topologies that are most often used.
- Site-to-site VPN connections
- Point-to-site VPN connections
- VNet-to-VNet VPN connections
Planning table
The following table can help you decide the best connectivity option for your solution.
| Point-to-Site | Site-to-Site | |
|---|---|---|
| Azure Supported Services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines |
| Typical Bandwidths | Based on the gateway SKU | Typically < 10 Gbps aggregate |
| Protocols Supported | Secure Sockets Tunneling Protocol (SSTP), OpenVPN, and IPsec | IPsec |
| Routing | RouteBased (dynamic) | We support PolicyBased (static routing) and RouteBased (dynamic routing VPN) |
| Connection resiliency | active-passive or active-active | active-passive or active-active |
| Typical use case | Secure access to Azure virtual networks for remote users | Dev, test, and lab scenarios and small to medium scale production workloads for cloud services and virtual machines |
| SLA | SLA | SLA |
| Pricing | Pricing | Pricing |
| Technical Documentation | VPN Gateway | VPN Gateway |
| FAQ | VPN Gateway FAQ | VPN Gateway FAQ |
Availability Zones
VPN gateways can be deployed in Azure Availability Zones. Availability zone deployments bring resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. See About zone-redundant virtual network gateways in Azure Availability Zones.
Configuring VPN Gateway
A VPN gateway connection relies on multiple resources that are configured with specific settings. In some cases, resources must be configured in a certain order. The settings that you chose for each resource are critical to creating a successful connection.
For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings and About gateway SKUs.
For design diagrams and links to configuration articles, see the VPN Gateway topology and design article.
Gateway SKUs
When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For more information about gateway SKUs, including supported features, performance tables, configuration steps, and production vs. dev-test workloads, see About gateway SKUs.
| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant | Supported Number of VMs in the Virtual Network |
|---|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No | 200 |
| Generation1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | No | 450 |
| Generation1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | No | 1300 |
| Generation1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No | 4000 |
| Generation1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes | 1000 |
| Generation1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes | 2000 |
| Generation1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes | 5000 |
| Generation2 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No | 685 |
| Generation2 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No | 2240 |
| Generation2 | VpnGw4 | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No | 5300 |
| Generation2 | VpnGw5 | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No | 6700 |
| Generation2 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes | 2000 |
| Generation2 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes | 3300 |
| Generation2 | VpnGw4AZ | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes | 4400 |
| Generation2 | VpnGw5AZ | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes | 9000 |
(*) If you need more than 100 S2S VPN tunnels, use Virtual WAN instead of VPN Gateway.
Pricing
You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page. For legacy gateway SKU pricing, see the ExpressRoute pricing page and scroll to the Virtual Network Gateways section.
Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. Cost of an active-active setup is the same as active-passive. For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.
Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.
- If you're sending traffic to your on-premises VPN device, the charges areas per the Internet egress data transfer rate.
- If you're sending traffic between virtual networks in different regions, the pricing is based on the region.
- If you're sending traffic only between virtual networks that are in the same region, there are no data costs. Traffic between VNets in the same region is free.
What's new in VPN Gateway?
Azure VPN Gateway is updated regularly. To stay current with the latest announcements, see the What's new? article. The article highlights the following points of interest:
- Recent releases
- Previews underway with known limitations (if applicable)
- Known issues
- Deprecated functionality (if applicable)
You can also subscribe to the RSS feed and view the latest VPN Gateway feature updates on the Azure Updates page.
FAQ
For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.
Next steps
- Tutorial: Create and manage a VPN Gateway.
- Learn module: Introduction to Azure VPN Gateway.
- Learn module: Connect your on-premises network to Azure with VPN Gateway.
- Subscription and service limits.
