What is VPN Gateway?
VPN Gateway is a specific type of virtual network gateway that sends encrypted (IPsec/IKE) traffic between an Azure VNet and an on-premises location across the public internet, or between two Azure VNets. Each VNet can have only one VPN Gateway, deployed into a dedicated subnet named GatewaySubnet, but that one gateway can terminate many connections at the same time.
Connection Types
| Type | Connects | Use Case |
|---|---|---|
| Site-to-Site (S2S) | On-premises network ↔ Azure VNet | Branch offices, data centres |
| Point-to-Site (P2S) | Individual device ↔ Azure VNet | Remote workers, developers |
| VNet-to-VNet | Azure VNet ↔ Azure VNet | Connecting VNets across regions/subscriptions |
| Multi-Site | Multiple on-premises ↔ Azure VNet | Multiple branch offices to one VNet (requires a RouteBased gateway) |
Site-to-Site VPN
S2S creates a persistent IPsec/IKE tunnel between your on-premises network and Azure. It requires a VPN device on-premises with a publicly routable IPv4 address that Azure can initiate and accept IKE traffic from.
Requirements
- On-premises: a compatible VPN device (router/firewall) with a static public IPv4 address; the Local Network Gateway records this address, so it must not change
- Azure: a VPN Gateway in a subnet named GatewaySubnet (/27 or larger recommended) plus a Local Network Gateway object that represents the on-premises site (its public IP and the prefixes reachable behind it)
- Non-overlapping address spaces: the VNet address space and every on-premises prefix must be disjoint, or traffic for the shared range is black-holed on one side
- A pre-shared key (PSK) for IKE authentication, configured identically on both ends. Azure accepts 1-128 printable ASCII characters; generate it randomly and handle it as a secret, not as a literal in a script
```bash
# 1. Create the VPN Gateway (takes 30-45 minutes). Prerequisites: myVNet already
#    contains a subnet named GatewaySubnet, and myGatewayPublicIP already exists as
#    a static public IP. RouteBased is required for P2S, VNet-to-VNet, multi-site
#    and BGP; PolicyBased only works with the Basic SKU and a single S2S tunnel.
az network vnet-gateway create \
  --name myVpnGateway \
  --resource-group myRG \
  --vnet myVNet \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1 \
  --public-ip-address myGatewayPublicIP

# 2. Create the Local Network Gateway (represents the on-premises site: its public
#    IP and the address prefixes behind it). 203.0.113.10 is a documentation address.
az network local-gateway create \
  --name myLocalGateway \
  --resource-group myRG \
  --gateway-ip-address 203.0.113.10 \
  --local-address-prefixes 192.168.0.0/24 \
  --location centralindia

# 3. Create the connection. Use a long random PSK (for example
#    PSK=$(openssl rand -hex 32)), configure the identical value on the on-premises
#    device, and keep it out of shell history and source control.
az network vpn-connection create \
  --name myS2SConnection \
  --resource-group myRG \
  --vnet-gateway1 myVpnGateway \
  --local-gateway2 myLocalGateway \
  --shared-key "$PSK"
```
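Two of the requirements above, disjoint address spaces and a strong pre-shared key, are easy to get wrong and expensive to discover after a 30-45 minute gateway deployment. The script below is an added example written for these notes; it is not part of the original page and not Azure tooling. It generalises the single-site case to any number of named address spaces (so it also covers multi-site), and its constants are assumptions: the VNet range 10.0.0.0/16 is hypothetical (the page never states myVNet's range), and the 32-character minimum is this example's own policy rather than an Azure rule.

```python
"""Pre-flight checks for an Azure Site-to-Site VPN connection.

Added example, not part of the original notes. Checks the address spaces
that will go into the VNet and the Local Network Gateway(s) for overlap,
and generates/validates a pre-shared key for --shared-key.
"""
import ipaddress
import secrets
import string

# Azure accepts a PSK of 1-128 printable ASCII characters. The generator uses
# only letters and digits, which every IPsec device accepts; the validator also
# flags space, hyphen and tilde, which the VPN Gateway FAQ lists as unsupported.
# The 32-character minimum is this example's own policy, not an Azure limit.
PSK_MIN_LEN = 32
PSK_MAX_LEN = 128
PSK_FORBIDDEN = set(" -~")
PSK_ALPHABET = string.ascii_letters + string.digits


def generate_psk(length: int = 48) -> str:
    """Return a cryptographically random PSK suitable for --shared-key."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_problems(psk: str) -> list[str]:
    """Return the reasons a PSK should be rejected; an empty list means OK."""
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"length {len(psk)} outside {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    if not psk.isascii() or not psk.isprintable():
        problems.append("contains non-printable or non-ASCII characters")
    bad = sorted(set(psk) & PSK_FORBIDDEN)
    if bad:
        problems.append(f"contains unsupported characters: {bad!r}")
    return problems


def find_overlaps(address_spaces: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """Return every pair of overlapping prefixes across all named address spaces.

    Keys are resource names (the VNet and each Local Network Gateway), values
    are their CIDR prefixes. strict=True also rejects prefixes with host bits
    set (e.g. 10.0.1.5/24), a common typo that Azure will not accept either.
    """
    parsed = [(name, ipaddress.ip_network(prefix, strict=True))
              for name, prefixes in address_spaces.items()
              for prefix in prefixes]
    hits = []
    for i, (name_a, net_a) in enumerate(parsed):
        for name_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                hits.append((name_a, str(net_a), name_b, str(net_b)))
    return hits


# Constructed samples. 192.168.0.0/24 matches the Local Network Gateway in the
# CLI steps above; 10.0.0.0/16 for myVNet is a hypothetical value.
SAMPLE_OK = {"myVNet": ["10.0.0.0/16"], "myLocalGateway": ["192.168.0.0/24"]}
SAMPLE_BAD = {"myVNet": ["10.0.0.0/16"],
              "myLocalGateway": ["10.0.1.0/24", "192.168.0.0/24"]}


if __name__ == "__main__":
    for label, spaces in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, "overlaps:", find_overlaps(spaces))
    print("weak key problems:", psk_problems("MySecretKey123!"))
    psk = generate_psk()
    print("generated PSK problems:", psk_problems(psk))
    # Hand the generated value to the CLI as --shared-key "$PSK" and to the
    # on-premises device; do not paste it into a script or a ticket.
```

Run the overlap check before creating the Local Network Gateway, and run `psk_problems` on any key you did not generate yourself (a key handed over by the branch-office team, for instance) before using it in step 3.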
Point-to-Site VPN
P2S allows individual computers to connect to an Azure VNet from anywhere, with no on-premises VPN device needed. Each user installs a VPN client on their device and authenticates with one of the methods below.
Authentication Options
- Certificate authentication (most common): you upload the public data of a root certificate to the gateway and issue one client certificate per user or device from it; a compromised client is cut off by adding its thumbprint to the gateway's revoked list. Works with all three protocols.
- Azure AD (now Microsoft Entra ID) authentication: users sign in with directory credentials through the Azure VPN Client, so Conditional Access and MFA apply. Supported only with the OpenVPN protocol.
- RADIUS authentication: the gateway forwards authentication to a RADIUS server that must be reachable from the gateway (inside the VNet or over an S2S connection), allowing reuse of existing credential stores.
VPN Protocols
- OpenVPN: TLS-based, runs over TCP 443, so it passes most outbound firewalls. Works on Windows, Mac, Linux, iOS and Android, and is the only option for Azure AD (Entra ID) authentication.
- SSTP: Windows only, TLS over TCP 443. Capped at 128 concurrent connections per gateway on every SKU.
- IKEv2: standards-based IPsec over UDP 500 and 4500 (NAT traversal), so it is blocked on networks that allow only web ports. Windows and Mac clients; Linux can use strongSwan with certificate authentication.
VNet-to-VNet VPN
Connects two Azure VNets via IPsec tunnels between their gateways; both VNets need their own VPN Gateway, and traffic stays on the Microsoft backbone rather than the public internet. Traffic is encrypted, but it is bounded by the gateway SKU's throughput and tunnel limits. VNet Peering carries traffic unencrypted at lower latency and without a gateway bottleneck, so prefer peering unless you specifically need encryption between the VNets or are connecting across clouds (for example Azure public to Azure Government or Azure China), which peering does not support.
VPN Gateway SKUs
| SKU | Throughput | S2S Tunnels | P2S Connections | BGP |
|---|---|---|---|---|
| Basic | 100 Mbps | 10 | 128 | No |
| VpnGw1 | 650 Mbps | 30 | 250 | Yes |
| VpnGw2 | 1 Gbps | 30 | 500 | Yes |
| VpnGw3 | 1.25 Gbps | 30 | 1,000 | Yes |
| VpnGw4 | 5 Gbps | 100 | 5,000 | Yes |
| VpnGw5 | 10 Gbps | 100 | 10,000 | Yes |
The P2S column counts IKEv2/OpenVPN clients; SSTP is limited to 128 concurrent connections on every SKU. Basic supports SSTP only for P2S (no IKEv2, OpenVPN or RADIUS), no BGP and no active-active, and cannot be resized to a VpnGw SKU: it has to be deleted and recreated.
Active-Active vs Active-Passive
| Aspect | Active-Passive (default) | Active-Active |
|---|---|---|
| Instances | 2 (one active, one standby) | 2 (both active, each terminating its own tunnel to the on-premises device) |
| Failover | 10-15 seconds for planned maintenance; 1-3 minutes for unplanned outages | Near-instant: traffic shifts to the surviving tunnel |
| Throughput | Single instance | Both instances |
| Public IPs | 1 | 2 |
| Best for | Simple setups where the on-premises device supports a single tunnel | Production HA; pair with BGP so both tunnels carry traffic and routes converge automatically |
BGP Support
BGP (Border Gateway Protocol) enables dynamic routing between Azure and on-premises networks. Instead of manually configuring static routes on both sides, the gateway and the on-premises device exchange prefixes over the tunnel, so new subnets propagate automatically and routes behind a failed tunnel are withdrawn. Azure gives the gateway ASN 65515 by default (configurable at creation) and peers from an address inside GatewaySubnet; the on-premises side must use a different ASN that Azure does not reserve. BGP is not available on the Basic SKU. It is essential for multi-site topologies and for active-active gateways that should use both tunnels, and it requires a VPN device that speaks BGP over IPsec.
VPN Gateway vs ExpressRoute
| Factor | VPN Gateway | ExpressRoute |
|---|---|---|
| Connection | Over the public internet, encrypted end to end with IPsec/IKE | Private dedicated circuit through a connectivity provider; private but not encrypted by default (use MACsec on ExpressRoute Direct or run IPsec over the circuit if encryption is required) |
| Bandwidth | Up to 10 Gbps (VpnGw5) | Up to 100 Gbps (ExpressRoute Direct) |
| Latency | Variable (internet) | Consistent, low |
| SLA | 99.95% for VpnGw SKUs (99.9% for Basic) | 99.95% |
| Setup time | Minutes to hours | Weeks (requires provider) |
| Cost | Lower | Higher |
| Best for | Smaller workloads, remote access | Enterprise, high bandwidth, compliance |