Azure Fundamentals (AZ-900)

Last Updated: 12/28/2022

Azure Virtual Private Networks

  • VPNs are typically deployed to connect two or more trusted private networks to one another over an untrusted network (typically the public internet).
  • Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
  • A virtual private network (VPN) uses an encrypted tunnel within another network.
  • VPNs can enable networks to safely and securely share sensitive information.

VPN gateways

  • A VPN gateway is a type of virtual network gateway.
  • Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network; the subnet must be named GatewaySubnet.
  • A VPN gateway enables the following connectivity:
    • Connect on-premises datacenters to virtual networks through a site-to-site (S2S) connection.
    • Connect individual devices to virtual networks through a point-to-site (P2S) connection.
    • Connect virtual networks to other virtual networks through a VNet-to-VNet connection.
  • You can deploy only one VPN gateway in each virtual network. However, you can use one gateway to connect to multiple locations, which includes other virtual networks or on-premises datacenters.

Types of VPN gateways

  • When you deploy a VPN gateway, you specify the VPN type: either policy-based or route-based.
  • The main difference between these two types of VPNs is how traffic to be encrypted is specified.
  • In Azure, both types of VPN gateway authenticate site-to-site and VNet-to-VNet IPsec tunnels with a pre-shared key. Point-to-site clients are the exception: they authenticate with certificates, RADIUS or Azure AD, and point-to-site is only available on route-based gateways.

Policy-based VPN gateways

  • The addresses of the packets to be encrypted are specified statically for each tunnel as traffic selectors (pairs of local and remote prefixes).
  • The device evaluates every packet against those address sets to choose the tunnel the packet is sent through; a packet that matches no selector does not enter any tunnel, so traffic to a subnet added later is not protected until the selectors are updated.
  • In Azure, policy-based gateways are limited to the Basic SKU and a single site-to-site tunnel, with no point-to-site support.

Route-based gateways

  • IPsec tunnels are modeled as a network interface or virtual tunnel interface (VTI).
  • IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet.
  • Route-based VPNs are the preferred connection method for on-premises devices. They're more resilient to topology changes such as the creation of new subnets.
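The difference between the two gateway types comes down to the per-packet decision each one makes. The following Python model is an added illustration for these notes, not Azure code: it compares a policy-based device (static traffic selectors, source and destination both checked) with a route-based device (tunnels as interfaces, longest-prefix-match routing). All prefixes, addresses and interface names are constructed for the example. The second packet in the demo is addressed to a subnet that did not exist when the tunnel was configured, which is the topology-change case the bullet above refers to.

```python
"""Policy-based vs route-based tunnel selection, modelled in plain Python.

Added example for these notes, not Azure code. It models the per-packet
decision a VPN gateway makes: a policy-based gateway compares the packet
against static traffic selectors (local prefix, remote prefix), while a
route-based gateway treats each IPsec tunnel as an interface and lets a
longest-prefix-match routing table choose it. Every prefix, address and
interface name below is constructed for illustration.
"""
import ipaddress
from typing import Optional

# --- Policy-based: static traffic selectors per tunnel ----------------------
# Each entry: (tunnel, local prefix, remote prefix). This is a generic
# policy-based device; an Azure policy-based gateway supports one S2S tunnel.
POLICY_SELECTORS = [
    ("tun-hq", "10.0.0.0/16", "192.168.10.0/24"),
    ("tun-branch", "10.0.0.0/16", "192.168.20.0/24"),
]


def policy_select(src: str, dst: str) -> Optional[str]:
    """Return the tunnel whose selector pair matches src AND dst, or None.

    None means the packet enters no tunnel: it follows the ordinary routing
    path in the clear or is dropped, depending on the device.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tunnel, local, remote in POLICY_SELECTORS:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return tunnel
    return None


# --- Route-based: tunnels are interfaces, routing decides --------------------
# Each entry: (prefix, next-hop interface). The /16 summary covers every
# on-premises subnet, including ones created after the tunnel was configured.
ROUTES = [
    ("192.168.0.0/16", "vti-onprem"),   # summary route to on-premises
    ("192.168.20.0/24", "vti-branch"),  # more specific, wins by LPM
    ("0.0.0.0/0", "eth0"),              # default route, not a tunnel
]
TUNNEL_INTERFACES = {"vti-onprem", "vti-branch"}


def route_select(dst: str) -> Optional[str]:
    """Longest-prefix match over ROUTES.

    Returns the tunnel interface, or None when the winning route points at a
    non-tunnel interface (the packet would leave in cleartext).
    """
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES
               if d in ipaddress.ip_network(p)]
    _, next_hop = max(matches, key=lambda m: m[0].prefixlen)  # default always matches
    return next_hop if next_hop in TUNNEL_INTERFACES else None


def compare(src: str, dst: str) -> dict:
    """Both decisions for one packet, side by side."""
    return {"policy_based": policy_select(src, dst), "route_based": route_select(dst)}


if __name__ == "__main__":
    # Existing subnet: both models send the packet through a tunnel.
    print(compare("10.0.1.5", "192.168.20.7"))
    # Subnet 192.168.30.0/24 added on-premises after deployment: the static
    # selectors do not cover it, the route-based summary route does.
    print(compare("10.0.1.5", "192.168.30.7"))
    # Source outside the selector's local prefix: policy-based ignores it too.
    print(compare("172.16.0.9", "192.168.10.7"))
```

The practical check this suggests: after adding a subnet on either side of a policy-based tunnel, confirm the new prefix appears in the traffic selectors on both ends, otherwise that traffic silently bypasses the tunnel.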

High-availability scenarios

Active/standby

  • By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure.
  • When planned maintenance or unplanned disruption affects the active instance, the standby instance automatically assumes responsibility for connections without any user intervention.
  • Connections are interrupted during this failover, but they're typically restored within a few seconds for planned maintenance and within 90 seconds for unplanned disruptions.

Active/active

  • With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration.
  • In this configuration, you assign a unique public IP address to each instance.
  • You then create separate tunnels from the on-premises device to each IP address.
  • You can extend the high availability by deploying an additional VPN device on-premises.
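Why BGP is the precondition for active/active is easiest to see from the on-premises router's point of view. The model below is an added illustration for these notes, not Azure code: it keeps one tunnel to each gateway instance's public IP, tracks the prefixes learned over the BGP session inside each tunnel, and withdraws them when the tunnel fails, so the surviving tunnel carries the traffic. A second router configured with a static route instead shows the failure mode: nothing is withdrawn and the packet is sent into the dead tunnel. Tunnel names, public IPs (TEST-NET range) and prefixes are constructed for the example.

```python
"""Active/active VPN gateway with BGP, modelled in plain Python.

Added example for these notes, not Azure code. Models the on-premises router
in an active/active setup: one IPsec tunnel per gateway instance public IP,
a BGP session inside each tunnel, and a routing table built from what each
session advertised. Azure VPN gateways default to ASN 65515; the addresses
and prefixes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Tunnel:
    name: str
    peer_ip: str                                          # gateway instance public IP
    up: bool = True
    bgp_learned: Set[str] = field(default_factory=set)   # prefixes from this session


class OnPremRouter:
    def __init__(self, tunnels: List[Tunnel], static_routes: Optional[Dict[str, str]] = None):
        self.tunnels = {t.name: t for t in tunnels}
        # Static routes (prefix -> tunnel) are never withdrawn automatically.
        self.static = dict(static_routes or {})

    def bgp_learn(self, tunnel: str, prefix: str) -> None:
        """Simulate a BGP UPDATE received over the session inside `tunnel`."""
        t = self.tunnels[tunnel]
        if t.up:
            t.bgp_learned.add(prefix)

    def tunnel_down(self, tunnel: str) -> None:
        """Tunnel fails, its BGP session dies, its prefixes are withdrawn."""
        t = self.tunnels[tunnel]
        t.up = False
        t.bgp_learned.clear()

    def rib(self) -> Dict[str, List[str]]:
        """prefix -> tunnels offering it (more than one means ECMP)."""
        table: Dict[str, List[str]] = {}
        for name, t in self.tunnels.items():
            for p in t.bgp_learned:
                table.setdefault(p, []).append(name)
        for p, name in self.static.items():
            table.setdefault(p, []).append(name)
        return table

    def next_hops(self, dst: str) -> List[str]:
        """Longest-prefix match over the RIB; all tunnels for the winning prefix."""
        d = ipaddress.ip_address(dst)
        matches = [(ipaddress.ip_network(p), names) for p, names in self.rib().items()
                   if d in ipaddress.ip_network(p)]
        if not matches:
            return []
        _, names = max(matches, key=lambda m: m[0].prefixlen)
        return sorted(names)

    def blackholed(self, dst: str) -> bool:
        """True when every path to dst is a tunnel that is down."""
        hops = self.next_hops(dst)
        return bool(hops) and all(not self.tunnels[h].up for h in hops)


def demo_bgp() -> List[List[str]]:
    """Active/active with BGP: next hops before and after instance A fails."""
    r = OnPremRouter([Tunnel("tun-gw-a", "203.0.113.10"), Tunnel("tun-gw-b", "203.0.113.11")])
    for tun in ("tun-gw-a", "tun-gw-b"):          # both instances advertise the VNet
        r.bgp_learn(tun, "10.0.0.0/16")
    before = r.next_hops("10.0.1.4")
    r.tunnel_down("tun-gw-a")
    return [before, r.next_hops("10.0.1.4")]


def demo_static() -> bool:
    """Static route only: the failed tunnel stays in the table, traffic is blackholed."""
    r = OnPremRouter([Tunnel("tun-gw-a", "203.0.113.10")], {"10.0.0.0/16": "tun-gw-a"})
    r.tunnel_down("tun-gw-a")
    return r.blackholed("10.0.1.4")


if __name__ == "__main__":
    print(demo_bgp())      # both tunnels, then only tun-gw-b
    print(demo_static())   # True: static route keeps pointing into the dead tunnel
```

Operationally, the same model explains the check to run after enabling active/active: both BGP sessions must be established and the VNet prefix must appear in the on-premises routing table with both tunnels as next hops, otherwise one instance is carrying nothing and the "active/active" label is cosmetic.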

ExpressRoute failover

  • Configure a VPN gateway as a secure failover path for ExpressRoute connections.
  • ExpressRoute circuits have resiliency built in, but they aren't immune to physical problems that affect the cables delivering connectivity.

Zone-redundant gateways

  • In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration.
  • This configuration brings resiliency, scalability, and higher availability to virtual network gateways.
  • Deploying gateways in Azure availability zones protects your on-premises network connectivity to Azure from zone-level failures.