Azure Virtual Private Networks
- VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet).
- Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
- A virtual private network (VPN) uses an encrypted tunnel within another network.
- VPNs can enable networks to safely and securely share sensitive information.
VPN gateways
- A VPN gateway is a type of virtual network gateway.
- Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network.
- VPN gateways enable the following connectivity:
  - Connect on-premises datacenters to virtual networks through a site-to-site connection.
  - Connect individual devices to virtual networks through a point-to-site connection.
  - Connect virtual networks to other virtual networks through a network-to-network connection.
- You can deploy only one VPN gateway in each virtual network. However, you can use one gateway to connect to multiple locations, which includes other virtual networks or on-premises datacenters.
Types of VPN gateways
- When you deploy a VPN gateway, you specify the VPN type: either policy-based or route-based.
- The main difference between these two types of VPNs is how traffic to be encrypted is specified.
- In Azure, both types of VPN gateways use a pre-shared key as the only method of authentication.
Policy-based VPN gateways
- Statically specify the IP addresses of the packets that should be encrypted through each tunnel.
- This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel through which that packet is sent.
Route-based VPN gateways
- IPsec tunnels are modeled as a network interface or virtual tunnel interface.
- IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet.
- Route-based VPNs are the preferred connection method for on-premises devices. They're more resilient to topology changes such as the creation of new subnets.
High-availability scenarios
Active/standby
- By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure.
- When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention.
- Connections are interrupted during this failover, but they're typically restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.
Active/active
- With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration.
- In this configuration, you assign a unique public IP address to each instance.
- You then create separate tunnels from the on-premises device to each IP address.
- You can extend the high availability by deploying an additional VPN device on-premises.
ExpressRoute failover
- Configure a VPN gateway as a secure failover path for ExpressRoute connections.
- ExpressRoute circuits have resiliency built in, but they aren't immune to physical problems that affect the cables delivering connectivity.
Zone-redundant gateways
- In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration.
- This configuration brings resiliency, scalability, and higher availability to virtual network gateways.
- Deploying gateways in Azure availability zones protects your on-premises network connectivity to Azure from zone-level failures.
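The following Bicep template is an added example, not from this page or from Microsoft's documentation, that ties the sections above together: a route-based gateway in the dedicated GatewaySubnet, deployed active/active with BGP and one public IP per instance, using a zone-redundant SKU, and a site-to-site connection authenticated with a pre-shared key. The VNet name, the on-premises device address and prefixes, and the resource names are assumptions.

```bicep
param location string = resourceGroup().location
param vnetName string          // assumption: existing VNet that already contains a 'GatewaySubnet'
param onPremPublicIp string    // assumption: public address of the on-premises VPN device
param onPremPrefixes array     // assumption: on-premises address space, e.g. ['10.10.0.0/16']
@secure()
param sharedKey string         // the PSK is the only authentication method: pass it in, never hard-code it
// Azure requires the dedicated gateway subnet to be named exactly 'GatewaySubnet'.
var gwSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'GatewaySubnet')
// Active/active needs one Standard, static, zone-redundant public IP per gateway instance.
resource gwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = [for i in range(0, 2): {
  name: 'pip-vpngw-${i}'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1', '2', '3' ]
  properties: { publicIPAllocationMethod: 'Static' }
}]
resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'vpngw-hub'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'   // preferred for on-premises devices; tolerates topology changes
    sku: { name: 'VpnGw1AZ', tier: 'VpnGw1AZ' }   // 'AZ' SKU gives a zone-redundant gateway
    activeActive: true      // two instances, each with its own public IP and tunnel
    enableBgp: true         // BGP support is what makes the active/active design possible
    ipConfigurations: [for i in range(0, 2): {
      name: 'gwipconfig-${i}'
      properties: {
        subnet: { id: gwSubnetId }
        publicIPAddress: { id: gwPip[i].id }
      }
    }]
  }
}
// On-premises side of the site-to-site tunnel; the device builds one tunnel to each gateway IP.
resource onPrem 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'lng-onprem'
  location: location
  properties: { gatewayIpAddress: onPremPublicIp, localNetworkAddressSpace: { addressPrefixes: onPremPrefixes } }
}
resource s2s 'Microsoft.Network/connections@2023-05-01' = {
  name: 'cn-onprem-s2s'
  location: location
  properties: {
    connectionType: 'IPsec'
    virtualNetworkGateway1: { id: vpnGw.id }
    localNetworkGateway1: { id: onPrem.id }
    sharedKey: sharedKey   // same PSK authenticates both tunnels of the active/active pair
  }
}
```

Deploy with `az deployment group create --template-file <file> --parameters sharedKey=<value from a secret store>`, so the key never lands in the template; the on-premises device must be configured with matching IPsec settings and both gateway public IPs.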