0% found this document useful (0 votes)

541 views1,078 pages

Azure VPN Gateway

VPN Gateway allows creating encrypted connections between an Azure virtual network and on-premises networks, or between Azure virtual networks. It uses virtual network gateways that are composed of Azure-managed VMs. When creating a VPN Gateway, you select a gateway type and SKU, and can then configure different types of connections like site-to-site, point-to-site, or VNet-to-VNet. Key settings include the gateway subnet, local network gateways, and protocols used for each connection.

Uploaded by

José Adail Maia

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

541 views1,078 pages

Azure VPN Gateway

Uploaded by

José Adail Maia

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1078

Tell us about your PDF experience.

VPN Gateway documentation

Learn how to configure, create, and manage an Azure VPN gateway. Create encrypted
cross-premises connections to your virtual network from on-premises locations, or
create encrypted connections between VNets.

About VPN Gateway

ｅ OVERVIEW

What is VPN Gateway?

ｐ CONCEPT

VPN Gateway FAQ

About VPN Gateway connections and topology

About zone-redundant gateways

About BGP and VPN Gateway

ｄ TRAINING

Introduction to Azure VPN Gateway

Connect your on-premises network to Azure with VPN Gateway

Get started

ｇ TUTORIAL

Create and manage a VPN gateway

Point-to-site VPNs

ｐ CONCEPT

About point-to-site VPNs

About point-to-site VPN routing

ｃ HOW-TO GUIDE

Certificate authentication

RADIUS authentication

Azure AD authentication

Multiple authentication types

Site-to-site VPNs

ｇ TUTORIAL

Create a site-to-site configuration

ｃ HOW-TO GUIDE

Configure BGP

Configure forced tunneling

Configure active-active gateways

VPN devices

ｐ CONCEPT

VPN devices for site-to-site connections

ｃ HOW-TO GUIDE

Configure VPN devices

Download device configuration scripts

Manage

ｐ CONCEPT

About configuration settings

Gateway SKUs

ｃ HOW-TO GUIDE

Verify a VPN gateway

Delete a VPN gateway

Modify a local network gateway

Learn about VPN Gateway architecture

Ｙ ARCHITECTURE

Virtual network peering and VPN gateways

ｐ CONCEPT

Troubleshoot a hybrid VPN connection

Security and monitoring

ｐ CONCEPT

Security controls

ｃ HOW-TO GUIDE

Monitoring and alerts

Reference

ｉ REFERENCE

Azure CLI

Azure PowerShell

REST
What is Azure VPN Gateway?
Article • 08/11/2023

Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send
encrypted traffic between an Azure virtual network and on-premises locations over the public
Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks
over the Microsoft network. Multiple connections can be created to the same VPN gateway.
When you create multiple connections, all VPN tunnels share the available gateway bandwidth.

About VPN gateways

A VPN gateway is a type of virtual network gateway. A virtual network gateway is composed of
two or more Azure-managed VMs that are automatically configured and deployed to a specific
subnet you create called the GatewaySubnet. The gateway VMs contain routing tables and run
specific gateway services.

One of the settings that you specify when creating a virtual network gateway is the "gateway
type". The gateway type determines how the virtual network gateway will be used and the
actions that the gateway takes. A virtual network can have two virtual network gateways; one
VPN gateway and one ExpressRoute gateway. The gateway type 'Vpn' specifies that the type of
virtual network gateway created is a VPN gateway. This distinguishes it from an ExpressRoute
gateway, which uses a different gateway type. For more information, see Gateway types.

When you create a VPN gateway, gateway VMs are deployed to the gateway subnet and
configured with the settings that you specified. This process can take 45 minutes or more to
complete, depending on the gateway SKU that you selected. After you create a VPN gateway,
you can configure connections. For example, you can create an IPsec/IKE VPN tunnel connection
between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises
IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device
(Site-to-Site). You can also create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2, or
SSTP), which lets you connect to your virtual network from a remote location, such as from a
conference or from home.

Configuring VPN Gateway

A VPN gateway connection relies on multiple resources that are configured with specific settings.
Most of the resources can be configured separately, although some resources must be
configured in a certain order.

Connectivity
Because you can create multiple connection configurations using VPN Gateway, you need to
determine which configuration best fits your needs. Point-to-Site, Site-to-Site, and coexisting
ExpressRoute/Site-to-Site connections all have different instructions and configuration
requirements. For connection diagrams and corresponding links to configuration steps, see VPN
Gateway design.

Site-to-Site VPN connections

Point-to-Site VPN connections
VNet-to-VNet VPN connections

Planning table
The following table can help you decide the best connectivity option for your solution. Note that
ExpressRoute isn't a part of VPN Gateway, but is included in the table.

Point-to-Site Site-to-Site ExpressRoute

Azure Supported Cloud Services and Cloud Services and Virtual Services list
Services Virtual Machines Machines

Typical Based on the Typically < 10 Gbps 50 Mbps, 100 Mbps, 200 Mbps,
Bandwidths gateway SKU aggregate 500 Mbps, 1 Gbps, 2 Gbps, 5
Gbps, 10 Gbps, 100 Gbps

Protocols Secure Sockets IPsec Direct connection over VLANs,

Supported Tunneling Protocol NSP's VPN technologies (MPLS,
(SSTP), OpenVPN VPLS,...)
and IPsec

Routing RouteBased We support PolicyBased BGP

(dynamic) (static routing) and
RouteBased (dynamic
routing VPN)

Connection active-passive active-passive or active- active-active

resiliency active

Typical use case Secure access to Dev / test / lab scenarios Access to all Azure services
Azure virtual and small to medium scale (validated list), Enterprise-class
networks for remote production workloads for and mission critical workloads,
users cloud services and virtual Backup, Big Data, Azure as a DR
machines site

SLA SLA SLA SLA

Pricing Pricing Pricing Pricing

Technical VPN Gateway VPN Gateway ExpressRoute

Documentation

FAQ VPN Gateway FAQ VPN Gateway FAQ ExpressRoute FAQ

Settings
The settings that you chose for each resource are critical to creating a successful connection. For
information about individual resources and settings for VPN Gateway, see About VPN Gateway
settings. The article contains information to help you understand gateway types, gateway SKUs,
VPN types, connection types, gateway subnets, local network gateways, and various other
resource settings that you may want to consider.

Deployment tools
You can start out creating and configuring resources using one configuration tool, such as the
Azure portal. You can later decide to switch to another tool, such as PowerShell, to configure
additional resources, or modify existing resources when applicable. Currently, you can't configure
every resource and resource setting in the Azure portal. The instructions in the articles for each
connection topology specify when a specific configuration tool is needed.

Gateway SKUs
When you create a virtual network gateway, you specify the gateway SKU that you want to use.
Select the SKU that satisfies your requirements based on the types of workloads, throughputs,
features, and SLAs.

For more information about gateway SKUs, including supported features, production and
dev-test, and configuration steps, see the VPN Gateway Settings - Gateway SKUs article.
For Legacy SKU information, see Working with Legacy SKUs.
The Basic SKU doesn't support IPv6.

Gateway SKUs by tunnel, connection, and throughput

VPN SKU S2S/VNet- P2S P2S Aggregate BGP Zone-

Gateway to-VNet SSTP IKEv2/OpenVPN Throughput redundant
Generation Tunnels Connections Connections Benchmark

Generation1 Basic Max. 10 Max. 128 Not Supported 100 Mbps Not No
Supported

Generation1 VpnGw1 Max. 30 Max. 128 Max. 250 650 Mbps Supported No

Generation1 VpnGw2 Max. 30 Max. 128 Max. 500 1 Gbps Supported No

Generation1 VpnGw3 Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported No

Generation1 VpnGw1AZ Max. 30 Max. 128 Max. 250 650 Mbps Supported Yes

Generation1 VpnGw2AZ Max. 30 Max. 128 Max. 500 1 Gbps Supported Yes

Generation1 VpnGw3AZ Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported Yes

Generation2 VpnGw2 Max. 30 Max. 128 Max. 500 1.25 Gbps Supported No
VPN SKU S2S/VNet- P2S P2S Aggregate BGP Zone-
Gateway to-VNet SSTP IKEv2/OpenVPN Throughput redundant
Generation Tunnels Connections Connections Benchmark

Generation2 VpnGw3 Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported No

Generation2 VpnGw4 Max. 100* Max. 128 Max. 5000 5 Gbps Supported No

Generation2 VpnGw5 Max. 100* Max. 128 Max. 10000 10 Gbps Supported No

Generation2 VpnGw2AZ Max. 30 Max. 128 Max. 500 1.25 Gbps Supported Yes

Generation2 VpnGw3AZ Max. 30 Max. 128 Max. 1000 2.5 Gbps Supported Yes

Generation2 VpnGw4AZ Max. 100* Max. 128 Max. 5000 5 Gbps Supported Yes

Generation2 VpnGw5AZ Max. 100* Max. 128 Max. 10000 10 Gbps Supported Yes

(*) Use Virtual WAN if you need more than 100 S2S VPN tunnels.

The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the
Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from
Basic to another SKU, you must delete the Basic SKU VPN gateway and create a new
gateway with the desired Generation and SKU size combination. (see Working with Legacy
SKUs).

These connection limits are separate. For example, you can have 128 SSTP connections and
also 250 IKEv2 connections on a VpnGw1 SKU.

Pricing information can be found on the Pricing page.

SLA (Service Level Agreement) information can be found on the SLA page.

If you have a lot of P2S connections, it can negatively impact your S2S connections. The
Aggregate Throughput Benchmarks were tested by maximizing a combination of S2S and
P2S connections. A single P2S or S2S connection can have a much lower throughput.

Note that all benchmarks aren't guaranteed due to Internet traffic conditions and your
application behaviors

To help our customers understand the relative performance of SKUs using different algorithms,
we used publicly available iPerf and CTSTraffic tools to measure performances for site-to-site
connections. The table below lists the results of performance tests for VpnGw SKUs. As you can
see, the best performance is obtained when we used GCMAES256 algorithm for both IPsec
Encryption and Integrity. We got average performance when using AES256 for IPsec Encryption
and SHA256 for Integrity. When we used DES3 for IPsec Encryption and SHA256 for Integrity we
got lowest performance.

A VPN tunnel connects to a VPN gateway instance. Each instance throughput is mentioned in the
above throughput table and is available aggregated across all tunnels connecting to that
instance.
The table below shows the observed bandwidth and packets per second throughput per tunnel
for the different gateway SKUs. All testing was performed between gateways (endpoints) within
Azure across different regions with 100 connections and under standard load conditions.

Generation SKU Algorithms Throughput Packets per second per tunnel

used observed per tunnel observed

Generation1 VpnGw1 GCMAES256 650 Mbps 62,000

AES256 & SHA256 500 Mbps 47,000
DES3 & SHA256 130 Mbps 12,000

Generation1 VpnGw2 GCMAES256 1.2 Gbps 100,000

AES256 & SHA256 650 Mbps 61,000
DES3 & SHA256 140 Mbps 13,000

Generation1 VpnGw3 GCMAES256 1.25 Gbps 120,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000

Generation1 VpnGw1AZ GCMAES256 650 Mbps 62,000

AES256 & SHA256 500 Mbps 47,000
DES3 & SHA256 130 Mbps 12,000

Generation1 VpnGw2AZ GCMAES256 1.2 Gbps 110,000

AES256 & SHA256 650 Mbps 61,000
DES3 & SHA256 140 Mbps 13,000

Generation1 VpnGw3AZ GCMAES256 1.25 Gbps 120,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000

Generation2 VpnGw2 GCMAES256 1.25 Gbps 120,000

AES256 & SHA256 550 Mbps 52,000
DES3 & SHA256 130 Mbps 12,000

Generation2 VpnGw3 GCMAES256 1.5 Gbps 140,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000

Generation2 VpnGw4 GCMAES256 2.3 Gbps 220,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000

Generation2 VpnGw5 GCMAES256 2.3 Gbps 220,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000

Generation2 VpnGw2AZ GCMAES256 1.25 Gbps 120,000

AES256 & SHA256 550 Mbps 52,000
DES3 & SHA256 130 Mbps 12,000

Generation2 VpnGw3AZ GCMAES256 1.5 Gbps 140,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000
Generation SKU Algorithms Throughput Packets per second per tunnel
used observed per tunnel observed

Generation2 VpnGw4AZ GCMAES256 2.3 Gbps 220,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000

Generation2 VpnGw5AZ GCMAES256 2.3 Gbps 220,000

AES256 & SHA256 700 Mbps 66,000
DES3 & SHA256 140 Mbps 13,000

Availability Zones
VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and
higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones
physically and logically separates gateways within a region, while protecting your on-premises
network connectivity to Azure from zone-level failures. See About zone-redundant virtual
network gateways in Azure Availability Zones.

Pricing
You pay for two things: the hourly compute costs for the virtual network gateway, and the egress
data transfer from the virtual network gateway. Pricing information can be found on the Pricing
page. For legacy gateway SKU pricing, see the ExpressRoute pricing page and scroll to the
Virtual Network Gateways section.

Virtual network gateway compute costs

Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU
that you specify when you create a virtual network gateway. The cost is for the gateway itself and
is in addition to the data transfer that flows through the gateway. Cost of an active-active setup is
the same as active-passive.

Data transfer costs

Data transfer costs are calculated based on egress traffic from the source virtual network
gateway.

If you're sending traffic to your on-premises VPN device, it will be charged with the Internet
egress data transfer rate.
If you're sending traffic between virtual networks in different regions, the pricing is based
on the region.
If you're sending traffic only between virtual networks that are in the same region, there are
no data costs. Traffic between VNets in the same region is free.

For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.

FAQ
For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.

What's new?
Subscribe to the RSS feed and view the latest VPN Gateway feature updates on the Azure
Updates page.

Next steps
Tutorial: Create and manage a VPN Gateway.
Learn module: Introduction to Azure VPN Gateway.
Learn module: Connect your on-premises network to Azure with VPN Gateway.
Subscription and service limits.
Tutorial: Create and manage a VPN
gateway using the Azure portal
Article • 07/14/2023

This tutorial helps you create and manage a virtual network gateway (VPN gateway)
using the Azure portal. The VPN gateway is just one part of a connection architecture to
help you securely access resources within a VNet.

The left side of the diagram shows the virtual network and the VPN gateway that
you create using the steps in this article.
You can later add different types of connections, as shown on the right side of the
diagram. For example, you can create Site-to-Site and Point-to-site connections.
See VPN Gateway design to view different design architectures that you can build.

If you want to learn more about the configuration settings used in this tutorial, see
About VPN Gateway configuration settings. For more information about VPN Gateway,
see What is VPN Gateway?

In this tutorial, you learn how to:

＂ Create a virtual network

＂ Create a VPN gateway
＂ View the gateway public IP address
＂ Resize a VPN gateway (resize SKU)
＂ Reset a VPN gateway

Prerequisites
An Azure account with an active subscription. If you don't have one, create one for
free .
Create a virtual network
Create a VNet using the following values:

Resource group: TestRG1

Name: VNet1
Region: (US) East US
IPv4 address space: 10.1.0.0/16
Subnet name: FrontEnd
Subnet address space: 10.1.0.0/24

1. Sign in to the Azure portal .

2. In Search resources, service, and docs (G+/), type virtual network. Select Virtual
network from the Marketplace results to open the Virtual network page.

3. On the Virtual network page, select Create. This opens the Create virtual network
page.

4. On the Basics tab, configure the VNet settings for Project details and Instance
details. You'll see a green check mark when the values you enter are validated. The
values shown in the example can be adjusted according to the settings that you
require.


Subscription: Verify that the subscription listed is the correct one. You can
change subscriptions by using the drop-down.
Resource group: Select an existing resource group, or select Create new to
create a new one. For more information about resource groups, see Azure
Resource Manager overview.
Name: Enter the name for your virtual network.
Region: Select the location for your VNet. The location determines where the
resources that you deploy to this VNet will live.

5. Select Security to advance to the Security tab. For this exercise, leave the default
values for all the services on this page.

6. Select IP Addresses to advance to the IP Addresses tab. On the IP Addresses tab,

configure the settings.

IPv4 address space: By default, an address space is automatically created. You

can select the address space and adjust it to reflect your own values. You can
also add a different address space and remove the default that was
automatically created. For example, you can specify the starting address as
10.1.0.0 and specify the address space size as /16, then Add that address
space.
+ Add subnet: If you use the default address space, a default subnet is
created automatically. If you change the address space, add a new subnet
within that address space. Select + Add subnet to open the Add subnet
window. Configure the following settings, then select Add at the bottom of
the page to add the values.
Subnet name: Example: FrontEnd.
Subnet address range: The address range for this subnet. For example,
10.1.0.0 and /24.

7. Review the IP addresses page and remove any address spaces or subnets that you
don't need.

8. Select Review + create to validate the virtual network settings.

9. After the settings have been validated, select Create to create the virtual network.

Create a VPN gateway

In this step, you create the virtual network gateway (VPN gateway) for your VNet.
Creating a gateway can often take 45 minutes or more, depending on the selected
gateway SKU.

Create a virtual network gateway using the following values:

Name: VNet1GW
Region: East US
Gateway type: VPN
VPN type: Route-based
SKU: VpnGw2
Generation: Generation 2
Virtual network: VNet1
Gateway subnet address range: 10.1.255.0/27
Public IP address: Create new
Public IP address name: VNet1GWpip

For this exercise, we won't be selecting a zone redundant SKU. If you want to learn
about zone-redundant SKUs, see About zone-redundant VNet gateways.

1. In Search resources, services, and docs (G+/) type virtual network gateway.
Locate Virtual network gateway in the Marketplace search results and select it to
open the Create virtual network gateway page.


2. On the Basics tab, fill in the values for Project details and Instance details.

Subscription: Select the subscription you want to use from the dropdown.
Resource Group: This setting is autofilled when you select your virtual
network on this page.
Name: Name your gateway. Naming your gateway not the same as naming a
gateway subnet. It's the name of the gateway object you're creating.
Region: Select the region in which you want to create this resource. The
region for the gateway must be the same as the virtual network.
Gateway type: Select VPN. VPN gateways use the virtual network gateway
type VPN.
VPN type: Select the VPN type that is specified for your configuration. Most
configurations require a Route-based VPN type.
SKU: Select the gateway SKU you want to use from the dropdown. The SKUs
listed in the dropdown depend on the VPN type you select. Make sure to
select a SKU that supports the features you want to use. For example, if you
select an 'AZ' SKU such as 'VPNGw2AZ', you're selecting an availability zone
SKU, which has different settings than shown in this example. For more
information, see Zone redundant virtual network gateway in Azure availability
zones. For more information about gateway SKUs, see Gateway SKUs.
Generation: Select the generation you want to use. We recommend using a
Generation2 SKU. For more information, see Gateway SKUs.
Virtual network: From the dropdown, select the virtual network to which you
want to add this gateway. If you can't see the VNet for which you want to
create a gateway, make sure you selected the correct subscription and region
in the previous settings.
Gateway subnet address range: This field only appears if your VNet doesn't
have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This
allows enough IP addresses for future changes, such as adding an
ExpressRoute gateway. We don't recommend creating a range any smaller
than /28. If you already have a gateway subnet, you can view GatewaySubnet
details by navigating to your virtual network. Select Subnets to view the
range. If you want to change the range, you can delete and recreate the
GatewaySubnet.

3. Specify in the values for Public IP address. These settings specify the public IP
address object that gets associated to the VPN gateway. The public IP address is
assigned to this object when the VPN gateway is created. The only time the
primary public IP address changes is when the gateway is deleted and re-created.
It doesn't change across resizing, resetting, or other internal
maintenance/upgrades of your VPN gateway.


Public IP address type: For this exercise, if you have the option to choose the
address type, select Standard.
Public IP address: Leave Create new selected.
Public IP address name: In the text box, type a name for your public IP
address instance.
Public IP address SKU: Setting is autoselected.
Assignment: The assignment is typically autoselected and can be either
Dynamic or Static.
Enable active-active mode: Select Disabled. Only enable this setting if you're
creating an active-active gateway configuration.
Configure BGP: Select Disabled, unless your configuration specifically
requires this setting. If you do require this setting, the default ASN is 65515,
although this value can be changed.

4. Select Review + create to run validation.

5. Once validation passes, select Create to deploy the VPN gateway.

A gateway can take 45 minutes or more to fully create and deploy. You can see the
deployment status on the Overview page for your gateway. After the gateway is
created, you can view the IP address that has been assigned to it by looking at the
virtual network in the portal. The gateway appears as a connected device.

） Important

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway.
The public IP address is used when you configure a site-to-site connection to your VPN
gateway.

To see additional information about the public IP address object, select the name/IP
address link next to Public IP address.

Resize a gateway SKU

There are specific rules regarding resizing vs. changing a gateway SKU. In this section,
we'll resize the SKU. For more information, see Gateway settings - resizing and changing
SKUs.

1. Go to the Configuration page for your virtual network gateway.

2. On the right side of the page, click the dropdown arrow to show the available SKUs
list.

3. Select the SKU from the dropdown. The list only includes SKUs you can resize your
SKU to. If you don't see the SKU you want to use, instead of resizing, you have to
change a SKU.

Reset a gateway
1. In the portal, go to the virtual network gateway that you want to reset.
2. On the Virtual network gateway page, in the left pane, scroll down to the Support
+ Troubleshooting section and select Reset.
3. On the Reset page, click Reset. Once the command is issued, the current active
instance of the Azure VPN gateway is rebooted immediately. Resetting the
gateway will cause a gap in VPN connectivity, and may limit future root cause
analysis of the issue.

Clean up resources
If you're not going to continue to use this application or go to the next tutorial, delete
these resources using the following steps:

1. Enter the name of your resource group in the Search box at the top of the portal
and select it from the search results.

2. Select Delete resource group.

3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select
Delete.

Next steps
Once you've created a VPN gateway, you can configure additional gateway settings and
connections. The following articles help you create a few of the most common
configurations:

Site-to-Site VPN connections

Point-to-Site VPN connections

Tutorial: Create a site-to-site VPN
connection in the Azure portal
Article • 08/10/2023

This tutorial shows you how to use the Azure portal to create a site-to-site VPN gateway
connection between your on-premises network and a virtual network (VNet). You can
also create this configuration using Azure PowerShell or Azure CLI.

In this tutorial, you learn how to:

＂ Create a virtual network

＂ Create a VPN gateway
＂ Create a local network gateway
＂ Create a VPN connection
＂ Verify the connection
＂ Connect to a virtual machine

Prerequisites
An Azure account with an active subscription. If you don't have one, create one for
free .
Make sure you have a compatible VPN device and someone who is able to
configure it. For more information about compatible VPN devices and device
configuration, see About VPN Devices.
Verify that you have an externally facing public IPv4 address for your VPN device.
If you're unfamiliar with the IP address ranges located in your on-premises network
configuration, you need to coordinate with someone who can provide those
details for you. When you create this configuration, you must specify the IP
address range prefixes that Azure will route to your on-premises location. None of
the subnets of your on-premises network can over lap with the virtual network
subnets that you want to connect to.

Create a virtual network

In this section, you'll create a virtual network (VNet) using the following values:

Resource group: TestRG1

Name: VNet1
Region: (US) East US
IPv4 address space: 10.1.0.0/16
Subnet name: FrontEnd
Subnet address space: 10.1.0.0/24

７ Note

When using a virtual network as part of a cross-premises architecture, be sure to

coordinate with your on-premises network administrator to carve out an IP address
range that you can use specifically for this virtual network. If a duplicate address
range exists on both sides of the VPN connection, traffic will route in an
unexpected way. Additionally, if you want to connect this virtual network to another
virtual network, the address space cannot overlap with the other virtual network.
Plan your network configuration accordingly.

1. Sign in to the Azure portal .

2. In Search resources, service, and docs (G+/) at the top of the portal page, type
virtual network. Select Virtual network from the Marketplace results to open the
Virtual network page.

3. On the Virtual network page, select Create. This opens the Create virtual network
page.

5. Select Next or Security to advance to the Security tab. For this exercise, leave the
default values for all the services on this page.

6. Select IP Addresses to advance to the IP Addresses tab. On the IP Addresses tab,

configure the settings.

IPv4 address space: By default, an address space is automatically created. You

7. Review the IP addresses page and remove any address spaces or subnets that you
don't need.

8. Select Review + create to validate the virtual network settings.

9. After the settings have been validated, select Create to create the virtual network.

Create a VPN gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway
can often take 45 minutes or more, depending on the selected gateway SKU.

About the gateway subnet

When you create the gateway subnet, you specify the number of IP addresses that the
subnet contains. The number of IP addresses needed depends on the VPN gateway
configuration that you want to create. Some configurations require more IP addresses
than others. It's best to specify /27 or larger (/26,/25 etc.) for your gateway subnet.

If you see an error that specifies that the address space overlaps with a subnet, or that
the subnet isn't contained within the address space for your virtual network, check your
VNet address range. You may not have enough IP addresses available in the address
range you created for your virtual network. For example, if your default subnet
encompasses the entire address range, there are no IP addresses left to create
additional subnets. You can either adjust your subnets within the existing address space
to free up IP addresses, or specify an additional address range and create the gateway
subnet there.

Create the gateway

Create a virtual network gateway (VPN gateway) using the following values:

2. On the Basics tab, fill in the values for Project details and Instance details.


Subscription: Select the subscription you want to use from the dropdown.
Resource Group: This setting is autofilled when you select your virtual
network on this page.
Name: Name your gateway. Naming your gateway not the same as naming a
gateway subnet. It's the name of the gateway object you're creating.
Region: Select the region in which you want to create this resource. The
region for the gateway must be the same as the virtual network.
Gateway type: Select VPN. VPN gateways use the virtual network gateway
type VPN.
VPN type: Select the VPN type that is specified for your configuration. Most
configurations require a Route-based VPN type.
SKU: Select the gateway SKU you want to use from the dropdown. The SKUs
listed in the dropdown depend on the VPN type you select. Make sure to
select a SKU that supports the features you want to use. For example, if you
select an 'AZ' SKU such as 'VPNGw2AZ', you're selecting an availability zone
SKU, which has different settings than shown in this example. For more
information, see Zone redundant virtual network gateway in Azure availability
zones. For more information about gateway SKUs, see Gateway SKUs.
Generation: Select the generation you want to use. We recommend using a
Generation2 SKU. For more information, see Gateway SKUs.
Virtual network: From the dropdown, select the virtual network to which you
want to add this gateway. If you can't see the VNet for which you want to
create a gateway, make sure you selected the correct subscription and region
in the previous settings.
Gateway subnet address range: This field only appears if your VNet doesn't
have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This
allows enough IP addresses for future changes, such as adding an
ExpressRoute gateway. If you already have a gateway subnet, you can view
GatewaySubnet details by navigating to your virtual network. Select Subnets
to view the range. If you want to change the range, you can delete and
recreate the GatewaySubnet.

4. Select Review + create to run validation.

5. Once validation passes, select Create to deploy the VPN gateway.

You can see the deployment status on the Overview page for your gateway. A gateway
can take up to 45 minutes to fully create and deploy. After the gateway is created, you
can view the IP address that has been assigned to it by looking at the virtual network in
the portal. The gateway appears as a connected device.

） Important

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway.

To see additional information about the public IP address object, select the name/IP
address link next to Public IP address.
Create a local network gateway
The local network gateway is a specific object that represents your on-premises location
(the site) for routing purposes. You give the site a name by which Azure can refer to it,
then specify the IP address of the on-premises VPN device to which you'll create a
connection. You also specify the IP address prefixes that will be routed through the VPN
gateway to the VPN device. The address prefixes you specify are the prefixes located on
your on-premises network. If your on-premises network changes or you need to change
the public IP address for the VPN device, you can easily update the values later.

Create a local network gateway using the following values:

Name: Site1
Resource Group: TestRG1
Location: East US

1. From the Azure portal , in Search resources, services, and docs (G+/) type local
network gateway. Locate local network gateway under Marketplace in the search
results and select it. This opens the Create local network gateway page.

2. On the Create local network gateway page, on the Basics tab, specifiy the values
for your local network gateway.


Subscription: Verify that the correct subscription is showing.

Resource Group: Select the resource group that you want to use. You can
either create a new resource group, or select one that you've already created.
Region: Select the region that this object will be created in. You may want to
select the same location that your VNet resides in, but you aren't required to
do so.
Name: Specify a name for your local network gateway object.
Endpoint: Select the endpoint type for the on-premises VPN device - IP
address or FQDN (Fully Qualified Domain Name).
IP address: If you have a static public IP address allocated from your
Internet service provider for your VPN device, select the IP address option
and fill in the IP address as shown in the example. This is the public IP
address of the VPN device that you want Azure VPN gateway to connect
to. If you don't have the IP address right now, you can use the values
shown in the example, but you'll need to go back and replace your
placeholder IP address with the public IP address of your VPN device.
Otherwise, Azure won't be able to connect.
FQDN: If you have a dynamic public IP address that could change after
certain period of time, often determined by your Internet service provider,
you can use a constant DNS name with a Dynamic DNS service to point to
your current public IP address of your VPN device. Your Azure VPN
gateway resolves the FQDN to determine the public IP address to connect
to.
Address Space refers to the address ranges for the network that this local
network represents. You can add multiple address space ranges. Make sure
that the ranges you specify here don't overlap with ranges of other networks
that you want to connect to. Azure routes the address range that you specify
to the on-premises VPN device IP address. Use your own values here if you
want to connect to your on-premises site, not the values shown in the example.

７ Note

Azure VPN supports only one IPv4 address for each FQDN. If the domain
name resolves to multiple IP addresses, Azure VPN Gateway will use the
first IP address returned by the DNS servers. To eliminate the uncertainty,
we recommend that your FQDN always resolve to a single IPv4 address.
IPv6 is not supported.
Azure VPN Gateway maintains a DNS cache refreshed every 5 minutes.
The gateway tries to resolve the FQDNs for disconnected tunnels only.
Resetting the gateway will also trigger FQDN resolution.

3. On the Advanced tab, you can configure BGP settings if needed.

4. When you have finished specifying the values, select Review + create at the
bottom of the page to validate the page.

5. Select Create to create the local network gateway object.

Configure your VPN device

Site-to-site connections to an on-premises network require a VPN device. In this step,
you configure your VPN device. When configuring your VPN device, you need the
following values:

A shared key. This is the same shared key that you specify when creating your site-
to-site VPN connection. In our examples, we use a basic shared key. We
recommend that you generate a more complex key to use.
The public IP address of your virtual network gateway. You can view the public IP
address by using the Azure portal, PowerShell, or CLI. To find the public IP address
of your VPN gateway using the Azure portal, go to Virtual network gateways, then
select the name of your gateway.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN
device configuration script. For more information, see Download VPN device
configuration scripts.

See the following links for additional configuration information:

For information about compatible VPN devices, see VPN Devices.

Before configuring your VPN device, check for any Known device compatibility
issues for the VPN device that you want to use.

For links to device configuration settings, see Validated VPN Devices. The device
configuration links are provided on a best-effort basis. It's always best to check
with your device manufacturer for the latest configuration information. The list
shows the versions we've tested. If your OS isn't on that list, it's still possible that
the version is compatible. Check with your device manufacturer to verify that OS
version for your VPN device is compatible.

For an overview of VPN device configuration, see Overview of 3rd party VPN
device configurations.

For information about editing device configuration samples, see Editing samples.

For cryptographic requirements, see About cryptographic requirements and Azure

VPN gateways.

For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE
parameters for site-to-site VPN gateway connections. This link shows information
about IKE version, Diffie-Hellman Group, Authentication method, encryption and
hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter
information that you need to complete your configuration.

For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for S2S VPN
or VNet-to-VNet connections.

To connect multiple policy-based VPN devices, see Connect Azure VPN gateways
to multiple on-premises policy-based VPN devices using PowerShell.
Create VPN connections
Create a site-to-site VPN connection between your virtual network gateway and your
on-premises VPN device.

Create a connection using the following values:

Local network gateway name: Site1

Connection name: VNet1toSite1
Shared key: For this example, we use abc123. But, you can use whatever is
compatible with your VPN hardware. The important thing is that the values match
on both sides of the connection.

1. Go to your virtual network. On your VNet page, select Connected devices on the
left. Locate your VPN gateway and click to open it.

2. On the page for the gateway, select Connections.

3. At the top of the Connections page, select +Add to open the Create connection
page.

4. On the Create connection Basics page, configure the values for your connection.
For Project details, select the subscription and the Resource group where
your resources are located.

For Instance details, configure the following settings:

Connection type: Select Site-to-site (IPSec).
Name: Name your connection.
Region: Select the region for this connection.

5. Select Settings to navigate to the settings page.

Virtual network gateway: Select the virtual network gateway from the
dropdown.
Local network gateway: Select the local network gateway from the
dropdown.
Shared Key: the value here must match the value that you're using for your
local on-premises VPN device.
Select IKEv2.
Leave Use Azure Private IP Address deselected.
Leave Enable BGP deselected.
Leave FastPath deselected.
IPse/IKE policy: Default.
Use policy based traffic selector: Disable.
DPD timeout in seconds: 45
Connection Mode: leave as Default. This setting is used to specify which
gateway can initiate the connection. For more information, see VPN Gateway
settings - connection modes.

6. For NAT Rules Associations, leave both Ingress and Egress as 0 selected.

7. Select Review + create to validate your connection settings.

8. Select Create to create the connection.

9. Once the deployment is complete, you can view the connection in the
Connections page of the virtual network gateway. The Status goes from Unknown
to Connecting, and then to Succeeded.

To configure additional connection settings (optional)

You can configure additional settings for your connection, if necessary. Otherwise, skip
this section and leave the defaults in place. For more information, see Configure custom
IPsec/IKE connection policies.

1. Go to your virtual network gateway and select Connections to open the

Connections page.

2. Select the name of the connection you want to configure to open the Connection
page.

3. On the Connection page left side, select Configuration to open the Configuration
page. Make any necessary changes, then Save.

In the following screenshot, we've enabled all the settings to show you the
configuration settings available in the portal. Click the screenshot to see the
expanded view. When you configure your connections, only configure the settings
that you require. Otherwise, leave the default settings in place.


Verify the VPN connection

In the Azure portal, you can view the connection status of a VPN gateway by navigating
to the connection. The following steps show one way to navigate to your connection
and verify.

1. In the Azure portal menu, select All resources or search for and select All
resources from any page.
2. Select to your virtual network gateway.
3. On the blade for your virtual network gateway, click Connections. You can see the
status of each connection.
4. Click the name of the connection that you want to verify to open Essentials. In
Essentials, you can view more information about your connection. The Status is
'Succeeded' and 'Connected' when you have made a successful connection.

Connect to a virtual machine

You can connect to a VM that's deployed to your VNet by creating a Remote Desktop
Connection to your VM. The best way to initially verify that you can connect to your VM
is to connect by using its private IP address, rather than computer name. That way,
you're testing to see if you can connect, not whether name resolution is configured
properly.

1. Locate the private IP address. You can find the private IP address of a VM by either
looking at the properties for the VM in the Azure portal, or by using PowerShell.
Azure portal - Locate your virtual machine in the Azure portal. View the
properties for the VM. The private IP address is listed.

PowerShell - Use the example to view a list of VMs and private IP addresses
from your resource groups. You don't need to modify this example before
using it.

Azure PowerShell

$VMs = Get-AzVM
$Nics = Get-AzNetworkInterface | Where-Object VirtualMachine -ne
$null

foreach ($Nic in $Nics) {

$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty
PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty
PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}

2. Verify that you're connected to your VNet.

3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop

Connection" in the search box on the taskbar, then select Remote Desktop
Connection. You can also open Remote Desktop Connection using the 'mstsc'
command in PowerShell.

4. In Remote Desktop Connection, enter the private IP address of the VM. You can
select "Show Options" to adjust additional settings, then connect.

Troubleshoot a connection

If you're having trouble connecting to a virtual machine over your VPN connection,
check the following:

Verify that your VPN connection is successful.

Verify that you're connecting to the private IP address for the VM.

If you can connect to the VM using the private IP address, but not the computer
name, verify that you have configured DNS properly. For more information about
how name resolution works for VMs, see Name Resolution for VMs.

For more information about RDP connections, see Troubleshoot Remote Desktop
connections to a VM.
Optional steps

Resize a gateway SKU

There are specific rules regarding resizing vs. changing a gateway SKU. In this section,
we'll resize the SKU. For more information, see Gateway settings - resizing and changing
SKUs.

1. Go to the Configuration page for your virtual network gateway.

2. On the right side of the page, click the dropdown arrow to show the available SKUs
list.

3. Select the SKU from the dropdown. The list only includes SKUs you can resize your
SKU to. If you don't see the SKU you want to use, instead of resizing, you have to
change a SKU.

Reset a gateway
Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity
on one or more site-to-site VPN tunnels. In this situation, your on-premises VPN devices
are all working correctly, but aren't able to establish IPsec tunnels with the Azure VPN
gateways.

1. In the portal, go to the virtual network gateway that you want to reset.
2. On the Virtual network gateway page, in the left pane, scroll down to Reset.
3. On the Reset page, click Reset. Once the command is issued, the current active
instance of the Azure VPN gateway is rebooted immediately. Resetting the
gateway will cause a gap in VPN connectivity, and may limit future root cause
analysis of the issue.

Add another connection

You can create a connection to multiple on-premises sites from the same VPN gateway.
If you want to configure multiple connections, the address spaces can’t overlap between
any of the connections.

1. To add an additional connection, go to the VPN gateway, then select Connections

to open the Connections page.
2. Select +Add to add your connection. Adjust the connection type to reflect either
VNet-to-VNet (if connecting to another VNet gateway), or Site-to-site.
3. If you're connecting using Site-to-site and you haven't already created a local
network gateway for the site you want to connect to, you can create a new one.
4. Specify the shared key that you want to use, then select OK to create the
connection.

Additional configuration considerations

S2S configurations can be customized in a variety of ways. For more information, see the
following articles:

For information about BGP, see the BGP Overview and How to configure BGP.
For information about forced tunneling, see About forced tunneling.
For information about Highly Available Active-Active connections, see Highly
Available cross-premises and VNet-to-VNet connectivity.
For information about how to limit network traffic to resources in a virtual network,
see Network Security.
For information about how Azure routes traffic between Azure, on-premises, and
Internet resources, see Virtual network traffic routing.

Clean up resources
If you're not going to continue to use this application or go to the next tutorial, delete
these resources using the following steps:

1. Enter the name of your resource group in the Search box at the top of the portal
and select it from the search results.
2. Select Delete resource group.
3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select
Delete.

Next steps
Once you've configured a S2S connection, you can add a P2S connection to the same
gateway.

Point-to-Site VPN connections

Tutorial: Protect your VPN gateway with
Azure DDoS Protection
Article • 06/06/2023

This article helps you create an Azure VPN Gateway with a DDoS protected virtual
network. Azure DDoS Protection enables enhanced DDoS mitigation capabilities such as
adaptive tuning, attack alert notifications, and monitoring to protect your VPN gateway
from large scale DDoS attacks.

） Important

Azure DDoS Protection incurs a cost when you use the Network Protection SKU.
Overages charges only apply if more than 100 public IPs are protected in the
tenant. Ensure you delete the resources in this tutorial if you aren't using the
resources in the future. For information about pricing, see Azure DDoS Protection
Pricing . For more information about Azure DDoS protection, see What is Azure
DDoS Protection?.

In this tutorial, you learn how to:

＂ Create a DDoS protection plan

＂ Create a virtual network
＂ Enable DDoS protection on the virtual network
＂ Create a VPN gateway
＂ View the gateway public IP address
＂ Resize a VPN gateway (resize SKU)
＂ Reset a VPN gateway

The following diagram shows the virtual network and the VPN gateway created as part
of this tutorial.

Prerequisites
An Azure account with an active subscription. If you don't have one, create one for
free .

Create a virtual network

Create a VNet using the following values:

Resource group: TestRG1

Name: VNet1
Region: (US) East US
IPv4 address space: 10.1.0.0/16
Subnet name: FrontEnd
Subnet address space: 10.1.0.0/24

1. Sign in to the Azure portal .

2. In Search resources, service, and docs (G+/), type virtual network. Select Virtual
network from the Marketplace results to open the Virtual network page.

3. On the Virtual network page, select Create. This opens the Create virtual network
page.

5. Select Security to advance to the Security tab. For this exercise, leave the default
values.

Azure Bastion: Disable

Azure Firewall: Disable
Azure DDoS Network Protection: Disable

6. Select IP Addresses to advance to the IP Addresses tab. On the IP Addresses tab,

configure the settings.

IPv4 address space: By default, an address space is automatically created. You

can select the address space and adjust it to reflect your own values. You can
also add more address spaces by selecting the box below the existing
address space and specifying the values for the additional address space. For
example, you can change the IPv4 address field to 10.1.0.0/16 from the
default values that are automatically populated.
+ Add subnet: If you use the default address space, a default subnet is
created automatically. If you change the address space, you need to add a
subnet. Select + Add subnet to open the Add subnet window. Configure the
following settings, then select Add at the bottom of the page to add the
values.
Subnet name: Example: FrontEnd.
Subnet address range: The address range for this subnet. For example,
10.1.0.0/24.

7. Select Review + create to validate the virtual network settings.

8. After the settings have been validated, select Create to create the virtual network.

Create a DDoS protection plan

1. In the search box at the top of the portal, enter DDoS protection. Select DDoS
protection plans in the search results and then select + Create.

2. In the Basics tab of Create a DDoS protection plan page, enter or select the
following information:

Setting Value

Project details

Subscription Select your Azure subscription.

Resource group Select TestRG1.

Instance details

Name Enter myDDoSProtectionPlan.

Region Select East US.

3. Select Review + create and then select Create to deploy the DDoS protection plan.

Enable DDoS protection

Azure DDoS Network Protection is enabled at the virtual network where the resource
you want to protect reside.

1. In the search box at the top of the portal, enter Virtual network. Select Virtual
networks in the search results.
2. Select VNet1.

3. Select DDoS protection in Settings.

4. Select Enable.

5. In the pull-down box in DDoS protection plan, select myDDoSProtectionPlan.

6. Select Save.

Create a VPN gateway

In this step, you create the virtual network gateway (VPN gateway) for your VNet.
Creating a gateway can often take 45 minutes or more, depending on the selected
gateway SKU.

Create a virtual network gateway using the following values:

2. On the Basics tab, fill in the values for Project details and Instance details.


Subscription: Select the subscription you want to use from the dropdown.
Resource Group: This setting is autofilled when you select your virtual
network on this page.
Name: Name your gateway. Naming your gateway not the same as naming a
gateway subnet. It's the name of the gateway object you're creating.
Region: Select the region in which you want to create this resource. The
region for the gateway must be the same as the virtual network.
Gateway type: Select VPN. VPN gateways use the virtual network gateway
type VPN.
VPN type: Select the VPN type that is specified for your configuration. Most
configurations require a Route-based VPN type.
SKU: Select the gateway SKU you want to use from the dropdown. The SKUs
listed in the dropdown depend on the VPN type you select. Make sure to
select a SKU that supports the features you want to use. For example, if you
select an 'AZ' SKU such as 'VPNGw2AZ', you're selecting an availability zone
SKU, which has different settings than shown in this example. For more
information, see Zone redundant virtual network gateway in Azure availability
zones. For more information about gateway SKUs, see Gateway SKUs.
Generation: Select the generation you want to use. For more information, see
Gateway SKUs.
Virtual network: From the dropdown, select the virtual network to which you
want to add this gateway. If you can't see the VNet for which you want to
create a gateway, make sure you selected the correct subscription and region
in the previous settings.
Gateway subnet address range: This field only appears if your VNet doesn't
have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This
allows enough IP addresses for future changes, such as adding an
ExpressRoute gateway. We don't recommend creating a range any smaller
than /28. If you already have a gateway subnet, you can view GatewaySubnet
details by navigating to your virtual network. Select Subnets to view the
range. If you want to change the range, you can delete and recreate the
GatewaySubnet.

Public IP address type: You can choose either Basic or Standard.

Public IP address: Leave Create new selected.
Public IP address name: In the text box, type a name for your public IP
address instance.
Public IP address SKU: This field is controlled by the Public IP Address Type
value.
Assignment: This setting is based on the Public IP Address Type value.
Enable active-active mode: Only select Enable active-active mode if you're
creating an active-active gateway configuration. Otherwise, leave this setting
Disabled.
Leave Configure BGP as Disabled, unless your configuration specifically
requires this setting. If you do require this setting, the default ASN is 65515,
although this value can be changed.

4. Select Review + create to run validation.

5. Once validation passes, select Create to deploy the VPN gateway.

A gateway can take 45 minutes or more to fully create and deploy. You can see the
deployment status on the Overview page for your gateway. After the gateway is created,
you can view the IP address that has been assigned to it by looking at the virtual
network in the portal. The gateway appears as a connected device.

） Important

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway.


To see additional information about the public IP address object, select the name/IP
address link next to Public IP address.

Resize a gateway SKU

There are specific rules regarding resizing vs. changing a gateway SKU. In this section,
we'll resize the SKU. For more information, see Gateway settings - resizing and changing
SKUs.

1. Go to the Configuration page for your virtual network gateway.

2. On the right side of the page, click the dropdown arrow to show the available
gateway SKUs.

3. Select the SKU from the dropdown.

Clean up resources
If you're not going to continue to use this application or go to the next tutorial, delete
these resources using the following steps:

1. Enter the name of your resource group in the Search box at the top of the portal
and select it from the search results.
2. Select Delete resource group.

3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select
Delete.

Next steps
Once you have a VPN gateway, you can configure connections. The following articles
will help you create a few of the most common configurations:

Site-to-Site VPN connections

Point-to-Site VPN connections

Enable remote work by using Azure
networking services
Article • 04/10/2023

This article presents the different options available for organizations to establish remote
access for their users. It also covers ways to supplement their existing solutions with
extra capacity during periods of peak utilization.

Network architects are faced with the following challenges:

Address an increase in network utilization.

Provide reliable and secure connectivity to more employees of their company and
customers.

Provide connectivity to remote locations across the globe.

Not all networks (for example, private WAN and corporate core networks) experience
congestion from peak loads of remote workers. The bottlenecks are commonly reported
only in home broadband networks and in VPN gateways of on-premises networks of
corporations.

Network planners can help ease bottlenecks and alleviate network congestion by
keeping in mind that different traffic types need different network treatment priorities.
Some traffic requires smart load redirection or redistribution.

For example, real-time telemedicine traffic of doctor/patient interaction has a high

importance and is sensitive to delay or jitter. Replication of traffic between storage
solutions isn't delay sensitive. Telemedicine traffic must be routed via the most optimal
network path with a high quality of service, whereas it's acceptable to use a suboptimal
route for traffic between storage solutions.

Elasticity and high availability in the Microsoft

network
Azure is designed to withstand sudden changes in resource utilization and to keep
systems running during periods of peak utilization.

Microsoft maintains and operates one of the world's largest networks. The Microsoft
network has been designed for high availability to withstand various types of failures,
from failure of a single network element to failure of an entire region.
The Microsoft network is also designed to handle various types of network traffic. This
traffic can include delay-sensitive multimedia traffic for Skype and Teams, content
delivery networks, real-time big data analysis, Azure Storage, Bing, and Xbox. For
optimal performance, Microsoft's network directs traffic intended for its resources or
passing through them to be routed as close as possible to the traffic's point of origin.

７ Note

Using the Azure networking features described in this article takes advantage of the
traffic attraction behavior of the Microsoft global network to provide a better
networking experience for customers. The traffic attraction behavior of the
Microsoft network helps offload traffic as soon as possible from the first-mile and
last-mile networks that might experience congestion during periods of peak
utilization.

Enable employees to work remotely

Azure VPN Gateway supports both point-to-site (P2S) and site-to-site (S2S) VPN
connections. By using Azure VPN Gateway, you can scale your employees' connections
to securely access both your Azure-deployed resources and your on-premises resources.
For more information, see Remote work using Azure VPN Gateway point-to-site.

If you're using Secure Socket Tunneling Protocol (SSTP), the number of concurrent
connections is limited to 128. To get a higher number of connections, we suggest
transitioning to OpenVPN or IKEv2. For more information, see Transition to OpenVPN
protocol or IKEv2 from SSTP.

To access your resources deployed in Azure, remote developers can use Azure Bastion
instead of a VPN connection. That solution can provide secure shell access (RDP or SSH)
without requiring public IP addresses on the VMs that are being accessed. For more
information, see Enable remote work by using Azure Bastion.

You can use Azure Virtual WAN to:

Aggregate large-scale VPN connections.

Support any-to-any connections between resources in different on-premises

global locations and in different regional hub-and-spoke virtual networks.

Optimize utilization of multiple home broadband networks.

For more information, see Azure Virtual WAN and supporting remote work.
Another way to support a remote workforce is to deploy a virtual desktop infrastructure
(VDI) hosted in your Azure virtual network, secured with Azure Firewall. For example,
Azure Virtual Desktop is a desktop and app virtualization service that runs in Azure. With
Virtual Desktop, you can set up a scalable and flexible environment in your Azure
subscription without the need to run any extra gateway servers. You're responsible only
for the Virtual Desktop virtual machines in your virtual network. For more information,
see Azure Firewall remote work support.

Azure also has a rich set of ecosystem partners. Their network virtual appliances (NVAs)
on Azure can also help scale VPN connectivity. For more information, see NVA
considerations for remote work.

Extend employee connections to access

globally distributed resources
The following Azure solutions can help enable employees to access your globally
distributed resources. Your resources could be in any of the Azure regions, in on-
premises networks, or even in other public or private clouds.

Azure virtual network peering: You can connect virtual networks together by using
virtual network peering. Virtual network peering is useful if your resources are in
more than one Azure region or if you need to connect multiple virtual networks to
support remote workers. For more information, see Virtual network peering.

Azure VPN-based solution: For remote employees connected to Azure, you can
provide them with access to your on-premises networks by establishing a S2S VPN
connection. This connection is between your on-premises networks and Azure VPN
Gateway. For more information, see Create a site-to-site connection.

Azure ExpressRoute: By using ExpressRoute private peering, you can enable

private connectivity between your Azure deployments and on-premises
infrastructure or your infrastructure in a colocation facility. ExpressRoute, via
Microsoft peering, also permits accessing public endpoints at Microsoft from your
on-premises network.

ExpressRoute connections don't go over the public internet. They offer secure
connectivity, reliability, and higher throughput, with lower and more consistent
latencies than typical connections over the internet. For more information, see
ExpressRoute overview.

Using an existing network provider that's already part of the ExpressRoute partner
ecosystem can help reduce the time to get large-bandwidth connections to
Microsoft. By using ExpressRoute Direct, you can directly connect your on-
premises network to the Microsoft backbone. ExpressRoute Direct offers two line-
rate options: dual 10 Gbps or 100 Gbps.

Azure Virtual WAN: Azure Virtual WAN allows seamless interoperability between
your VPN connections and ExpressRoute circuits. As mentioned earlier, Azure
Virtual WAN also supports any-to-any connections between resources in different
on-premises global locations and in different regional hub-and-spoke virtual
networks.

Scale customer connectivity to front-end

resources
During times when more people go online, many corporate websites experience
increased customer traffic. Azure Application Gateway can help manage this increased
front-end workload. For more information, see Application Gateway high-traffic support.

Microsoft support for multicloud traffic

For your deployments in other public clouds, Microsoft can provide global connectivity.
Azure Virtual WAN, VPN Gateway, or ExpressRoute can help in this regard. To extend
connectivity from Azure to other clouds, you can configure S2S VPN between the two
clouds. You can also establish connectivity from Azure to other public clouds by using
ExpressRoute.

Oracle Cloud is part of the ExpressRoute partner ecosystem. You can set up a direct
interconnection between Azure and Oracle Cloud Infrastructure.

Most service providers that are part of the ExpressRoute partner ecosystem also offer
private connectivity to other public clouds. By using these service providers, you can
establish private connectivity between your deployments in Azure and other clouds via
ExpressRoute.

Next steps
The following articles discuss how you can use Azure networking features to scale users
to work remotely:

Article Description
Article Description

Remote work using Azure VPN Review available options to set up remote access for users or
Gateway point-to-site to supplement their existing solutions with extra capacity for
your organization.

Azure Virtual WAN and Use Azure Virtual WAN to address the remote connectivity
supporting remote work needs of your organization.

Application Gateway high-traffic Use Azure Application Gateway with web application firewall
support (WAF) for a scalable and secure way to manage traffic to your
web applications.

Working remotely: NVA Review guidance about using NVAs in Azure to provide
considerations for remote work remote access solutions.

Transition to OpenVPN protocol Overcome the limit of 128 concurrent connections for SSTP by
or IKEv2 from SSTP transitioning to OpenVPN protocol or IKEv2.

Enable remote work by using Provide RDP/SSH connectivity to virtual machines within the
Azure Bastion Azure virtual network, directly in the Azure portal, without the
use of a public IP address.

Using Azure ExpressRoute to Use ExpressRoute for hybrid connectivity to enable users in
create hybrid connectivity to your organization to work remotely.
support remote users

Azure Firewall remote work Help protect your Azure virtual network resources by using
support Azure Firewall.
Remote work using Azure VPN Gateway
Point-to-site
Article • 02/13/2023

７ Note

This article describes how you can leverage Azure VPN Gateway, Azure, Microsoft
network, and the Azure partner ecosystem to work remotely and mitigate network
issues that you are facing because of COVID-19 crisis.

This article describes the options that are available to organizations to set up remote
access for their users or to supplement their existing solutions with additional capacity
during the COVID-19 epidemic.

The Azure point-to-site solution is cloud-based and can be provisioned quickly to cater
for the increased demand of users to work from home. It can scale up easily and turned
off just as easily and quickly when the increased capacity is not needed anymore.

About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to
your virtual network from an individual client computer. A P2S connection is established
by starting it from the client computer. This solution is useful for telecommuters who
want to connect to Azure VNets or on-premises data centers from a remote location,
such as from home or a conference. This article describes how to enable users to work
remotely based on various scenarios.

The table below shows the client operating systems and the authentication options that
are available to them. It would be helpful to select the authentication method based on
the client OS that is already in use. For example, select OpenVPN with Certificate-based
authentication if you have a mixture of client operating systems that need to connect.
Also, please note that point-to-site VPN is only supported on route-based VPN
gateways.
Scenario 1 - Users need access to resources in
Azure only
In this scenario, the remote users only need to access to resources that are in Azure.

At a high level, the following steps are needed to enable users to connect to Azure
resources securely:

1. Create a virtual network gateway (if one does not exist).

2. Configure point-to-site VPN on the gateway.

For certificate authentication, follow this link.
For OpenVPN, follow this link.
For Azure AD authentication, follow this link.
For troubleshooting point-to-site connections, follow this link.

3. Download and distribute the VPN client configuration.

4. Distribute the certificates (if certificate authentication is selected) to the clients.

5. Connect to Azure VPN.

Scenario 2 - Users need access to resources in

Azure and/or on-prem resources
In this scenario, the remote users need to access to resources that are in Azure and in
the on premises data center(s).

At a high level, the following steps are needed to enable users to connect to Azure
resources securely:

1. Create a virtual network gateway (if one does not exist).

2. Configure point-to-site VPN on the gateway (see Scenario 1).
3. Configure a site-to-site tunnel on the Azure virtual network gateway with BGP
enabled.
4. Configure the on-premises device to connect to Azure virtual network gateway.
5. Download the point-to-site profile from the Azure portal and distribute to clients
To learn how to set up a site-to-site VPN tunnel, see this link.

FAQ for native Azure certificate authentication

How many VPN client endpoints can I have in my point-

to-site configuration?
It depends on the gateway SKU. For more information on the number of connections
supported, see Gateway SKUs.

What client operating systems can I use with point-to-

site?
The following client operating systems are supported:

Windows Server 2008 R2 (64-bit only)

Can I traverse proxies and firewalls using point-to-site

capability?
Azure supports three types of Point-to-site VPN options:

Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-

based solution that can penetrate firewalls since most firewalls open the outbound
TCP port that 443 SSL uses.

OpenVPN. OpenVPN is a SSL-based solution that can penetrate firewalls since

most firewalls open the outbound TCP port that 443 SSL uses.
IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound
UDP ports 500 and 4500 and IP protocol no. 50. Firewalls don't always open these
ports, so there's a possibility of IKEv2 VPN not being able to traverse proxies and
firewalls.

If I restart a client computer configured for point-to-site,

will the VPN automatically reconnect?
Auto-reconnect is a function of the client being used. Windows supports auto-reconnect
by configuring the Always On VPN client feature.

Does point-to-site support DDNS on the VPN clients?

DDNS is currently not supported in point-to-site VPNs.

Can I have Site-to-Site and point-to-site configurations

Can I configure a point-to-site client to connect to

multiple virtual network gateways at the same time?
Depending on the VPN Client software used, you may be able to connect to multiple
Virtual Network Gateways provided the virtual networks being connected to don't have
conflicting address spaces between them or the network from with the client is
connecting from. While the Azure VPN Client supports many VPN connections, only one
connection can be Connected at any given time.

Can I configure a point-to-site client to connect to

multiple virtual networks at the same time?
Yes, point-to-site client connections to a virtual network gateway that is deployed in a
VNet that is peered with other VNets may have access to other peered VNets. point-to-
site clients will be able to connect to peered VNets as long as the peered VNets are
using the UseRemoteGateway / AllowGatewayTransit features. For more information, see
About point-to-site routing.

How much throughput can I expect through Site-to-Site

or point-to-site connections?
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are
crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth
between your premises and the Internet. For a VPN Gateway with only IKEv2 point-to-
site VPN connections, the total throughput that you can expect depends on the
Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for point-to-site that

supports SSTP and/or IKEv2?
No. You can only use the native VPN client on Windows for SSTP, and the native VPN
client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to
connect over OpenVPN protocol. Refer to the list of supported client operating systems.

Can I change the authentication type for a point-to-site

connection?
Yes. In the portal, navigate to the VPN gateway -> Point-to-site configuration page. For
Authentication type, select the authentication types that you want to use. Note that
after you make a change to an authentication type, current clients may not be able to
connect until a new VPN client configuration profile has been generated, downloaded,
and applied to each VPN client.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2 in
certain OS versions, you must install updates and set a registry key value locally. OS
versions prior to Windows 10 aren't supported and can only use SSTP or OpenVPN®
Protocol.

７ Note

Windows OS builds newer than Windows 10 Version 1709 and Windows Server
2016 Version 1607 do not require these steps.
To prepare Windows 10 or Server 2016 for IKEv2:

1. Install the update based on your OS version:

OS version Date Number/Link

Windows Server 2016

January 17, 2018 KB4057142
Windows 10 Version 1607

Windows 10 Version 1703 January 17, 2018 KB4057144

Windows 10 Version 1709 March 22, 2018 KB4089848

2. Set the registry key value. Create or set

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\
IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

What is the IKEv2 traffic selector limit for point-to-site

connections?
Windows 10 version 2004 (released September 2021) increased the traffic selector limit
to 255. Versions of Windows earlier than this have a traffic selector limit of 25.

The traffic selectors limit in Windows determines the maximum number of address
spaces in your virtual network and the maximum sum of your local networks, VNet-to-
VNet connections, and peered VNets connected to the gateway. Windows based point-
to-site clients will fail to connect via IKEv2 if they surpass this limit.

What happens when I configure both SSTP and IKEv2 for

P2S VPN connections?
When you configure both SSTP and IKEv2 in a mixed environment (consisting of
Windows and Mac devices), the Windows VPN client will always try IKEv2 tunnel first,
but will fall back to SSTP if the IKEv2 connection isn't successful. MacOSX will only
connect via IKEv2.

When you have both SSTP and IKEv2 enabled on the Gateway, the point-to-site address
pool will be statically split between the two, so clients using different protocols will be
assigned IP addresses from either sub-range. Note that the maximum amount of SSTP
clients is always 128 even if the address range is larger than /24 resulting in a bigger
amount of addresses available for IKEv2 clients. For smaller ranges, the pool will be
equally halved. Traffic Selectors used by the gateway may not include the Point to Site
address range CIDR, but the two sub-range CIDRs.

Other than Windows and Mac, which other platforms

does Azure support for P2S VPN?
Azure supports Windows, Mac, and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I

enable RADIUS and/or IKEv2 VPN on it?
Yes, if the gateway SKU that you're using supports RADIUS and/or IKEv2, you can enable
these features on gateways that you've already deployed by using PowerShell or the
Azure portal. The Basic SKU doesn't support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following
commands:

Azure PowerShell

$gw=Get-AzVirtualNetworkGateway -name <gateway-name>`

$gw.VPNClientConfiguration = $null`

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw`

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group

<resource-group name> --remove "vpnClientConfiguration"

What should I do if I'm getting a certificate mismatch

when connecting using certificate authentication?
Uncheck "Verify the server's identity by validating the certificate" or add the server
FQDN along with the certificate when creating a profile manually. You can do this by
running rasphone from a command prompt and picking the profile from the drop-down
list.

Can I use my own internal PKI root CA to generate

certificates for Point-to-Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can still upload 20
root certificates.

Can I use certificates from Azure Key Vault?

No.
What tools can I use to create certificates?
You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert,
and OpenSSL.

Are there instructions for certificate settings and

parameters?
Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

Azure PowerShell: See the Azure PowerShell article for steps.

MakeCert: See the MakeCert article for steps.

OpenSSL:

When exporting certificates, be sure to convert the root certificate to Base64.

For the client certificate:

When creating the private key, specify the length as 4096.
When creating the certificate, for the -extensions parameter, specify usr_cert.

FAQ for RADIUS authentication

How many VPN client endpoints can I have in my point-

to-site configuration?
It depends on the gateway SKU. For more information on the number of connections
supported, see Gateway SKUs.

What client operating systems can I use with point-to-

site?
The following client operating systems are supported:

Windows Server 2008 R2 (64-bit only)

Can I traverse proxies and firewalls using point-to-site

capability?
Azure supports three types of Point-to-site VPN options:

Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-

based solution that can penetrate firewalls since most firewalls open the outbound
TCP port that 443 SSL uses.

OpenVPN. OpenVPN is a SSL-based solution that can penetrate firewalls since

most firewalls open the outbound TCP port that 443 SSL uses.

IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound
UDP ports 500 and 4500 and IP protocol no. 50. Firewalls don't always open these
ports, so there's a possibility of IKEv2 VPN not being able to traverse proxies and
firewalls.

If I restart a client computer configured for point-to-site,

will the VPN automatically reconnect?
Auto-reconnect is a function of the client being used. Windows supports auto-reconnect
by configuring the Always On VPN client feature.

Does point-to-site support DDNS on the VPN clients?

DDNS is currently not supported in point-to-site VPNs.

Can I have Site-to-Site and point-to-site configurations

coexist for the same virtual network?
Yes. For the Resource Manager deployment model, you must have a RouteBased VPN
type for your gateway. For the classic deployment model, you need a dynamic gateway.
We don't support point-to-site for static routing VPN gateways or PolicyBased VPN
gateways.
Can I configure a point-to-site client to connect to
multiple virtual network gateways at the same time?
Depending on the VPN Client software used, you may be able to connect to multiple
Virtual Network Gateways provided the virtual networks being connected to don't have
conflicting address spaces between them or the network from with the client is
connecting from. While the Azure VPN Client supports many VPN connections, only one
connection can be Connected at any given time.

Can I configure a point-to-site client to connect to

How much throughput can I expect through Site-to-Site

Can I use any software VPN client for point-to-site that

Can I change the authentication type for a point-to-site

Does Azure support IKEv2 VPN with Windows?

７ Note

Windows OS builds newer than Windows 10 Version 1709 and Windows Server
2016 Version 1607 do not require these steps.

To prepare Windows 10 or Server 2016 for IKEv2:

1. Install the update based on your OS version:

OS version Date Number/Link

Windows Server 2016

January 17, 2018 KB4057142
Windows 10 Version 1607

Windows 10 Version 1703 January 17, 2018 KB4057144

Windows 10 Version 1709 March 22, 2018 KB4089848

2. Set the registry key value. Create or set

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\
IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

What is the IKEv2 traffic selector limit for point-to-site

connections?
Windows 10 version 2004 (released September 2021) increased the traffic selector limit
to 255. Versions of Windows earlier than this have a traffic selector limit of 25.

What happens when I configure both SSTP and IKEv2 for

Other than Windows and Mac, which other platforms

does Azure support for P2S VPN?
Azure supports Windows, Mac, and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following
commands:

Azure PowerShell

Azure PowerShell
$gw=Get-AzVirtualNetworkGateway -name <gateway-name>`

$gw.VPNClientConfiguration = $null`

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw`

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group

<resource-group name> --remove "vpnClientConfiguration"

Is RADIUS authentication supported on all Azure VPN

Gateway SKUs?
RADIUS authentication is supported for all SKUs except the Basic SKU.

For legacy SKUs, RADIUS authentication is supported on Standard and High

Performance SKUs. It isn't supported on the Basic Gateway SKU.

Is RADIUS authentication supported for the classic

deployment model?
No. RADIUS authentication isn't supported for the classic deployment model.

What is the timeout period for RADIUS requests sent to

the RADIUS server?
RADIUS requests are set to timeout after 30 seconds. User defined timeout values aren't
supported today.

Are 3rd-party RADIUS servers supported?

Yes, 3rd-party RADIUS servers are supported.

What are the connectivity requirements to ensure that

the Azure gateway is able to reach an on-premises
RADIUS server?
A site-to-site VPN connection to the on-premises site, with the proper routes
configured, is required.

Can traffic to an on-premises RADIUS server (from the

Azure VPN gateway) be routed over an ExpressRoute
connection?
No. It can only be routed over a site-to-site connection.

Is there a change in the number of SSTP connections

supported with RADIUS authentication? What is the
maximum number of SSTP and IKEv2 connections
supported?
There is no change in the maximum number of SSTP connections supported on a
gateway with RADIUS authentication. It remains 128 for SSTP, but depends on the
gateway SKU for IKEv2. For more information on the number of connections supported,
see Gateway SKUs.

What is the difference between doing certificate

authentication using a RADIUS server vs. using Azure
native certificate authentication (by uploading a trusted
certificate to Azure)?
In RADIUS certificate authentication, the authentication request is forwarded to a
RADIUS server that handles the actual certificate validation. This option is useful if you
want to integrate with a certificate authentication infrastructure that you already have
through RADIUS.

When using Azure for certificate authentication, the Azure VPN gateway performs the
validation of the certificate. You need to upload your certificate public key to the
gateway. You can also specify list of revoked certificates that shouldn’t be allowed to
connect.

Does RADIUS authentication work with both IKEv2, and

SSTP VPN?
Yes, RADIUS authentication is supported for both IKEv2, and SSTP VPN.
Does RADIUS authentication work with the OpenVPN
client?
RADIUS authentication is supported for the OpenVPN protocol.

Next Steps
Configure a P2S connection - Azure AD authentication

Configure a P2S connection - RADIUS authentication

Configure a P2S connection - Azure native certificate authentication

"OpenVPN" is a trademark of OpenVPN Inc.

Working remotely: Network Virtual
Appliance (NVA) considerations for
remote work
Article • 05/05/2023

Some Azure customers utilize third-party Network Virtual Appliances (NVAs) from Azure
Marketplace to provide critical services such as Point-to-site VPN for their employees
who are working from home during the COVID-19 epidemic. This article outlines some
high-level guidance to take into consideration when leveraging NVAs in Azure to
provide remote access solutions.

NVA performance considerations

All major NVA vendors in Azure Marketplace should have recommendations on the VM
Size and number of instances to use when deploying their solutions. While nearly all
NVA vendors will let you choose any size that is available to you in a given Region, it's
very important that you follow the vendors recommendations for Azure VM instance
sizes, as these recommendations are the VM sizes the vendor has done performance
testing with in Azure.

Consider the following

Capacity and number of concurrent users - This number is particularly important
for Point-to-Site VPN users as each connected user will create one encrypted
(IPSec or SSL VPN) tunnel.
Aggregate throughput - What is the aggregate bandwidth you will need to
accommodate the number of users you need to which you will need to provide
remote access.
The VM size you will need - You should always use VM sizes recommended by the
NVA vendor. For point-to-site VPN, if you will have a lot concurrent user
connections, you should be using larger VM sizes such as Dv2 and DSv2 series
VMs. These VMs tend to have more vCPUs and can handle more concurrent VPN
sessions. In addition to having more virtual cores, larger VM sizes in Azure have
more aggregate bandwidth capacity than smaller VM sizes.

Important: Each vendor utilizes resources differently. If it's not clear what
instance sizes you should use to accommodate your estimated user load, you
should contact the software vendor directly and ask them for a
recommendation.

Number of instances - If you expect to have a large number of users and

connections, there are limits to what scaling up your NVA instance sizes can
achieve. Consider deploying multiple VM instances.
IPSec VPN vs SSL VPN - In general IPSec VPN implementations perform better
than SSL VPN implementations.
Licensing - Make sure that the software licenses you have purchased for the NVA
solution will cover the sudden growth you may experience during the COVID-19
epidemic. Many NVA licensing programs limit the number of connections or
bandwidth the solution is capable of.
Accelerated Networking - Consider an NVA solution that has support for
Accelerated Networking. Accelerated networking enables single root I/O
virtualization (SR-IOV) to a VM, greatly improving its networking performance. This
high-performance path bypasses the host from the data path, reducing latency,
jitter, and CPU utilization for use with the most demanding network workloads on
supported VM types. Accelerated networking is supported on most general
purpose and compute-optimized instance sizes with two or more vCPUs.

Monitoring resources
Each NVA solution has its own tools and resources for monitoring the performance of
their NVA. Consult your vendors documentation to make sure you understand the
performance limitations and can detect when your NVA is near or reaching capacity. In
addition to this you can look at Azure Monitor Network Insights and see basic
performance information about your Network Virtual Appliances such as:

CPU Utilization
Network In
Network Out
Inbound Flows
Outbound Flows

Next Steps
Most major NVA partners have posted guidance around scaling for sudden, unexpected
growth during COVID-19. Here are a few useful links to partner resources.

Barracuda Enable Work from home while securing your data during COVID-19
Check Point Secure Remote Workforce During Coronavirus

Cisco AnyConnect Implementation and Performance/Scaling Reference for COVID-19

Preparation

Citrix COVID-19 Response Support Center

F5 Guidance to Address the Dramatic Increase in Remote Workers

Fortinet COVID-19 Updates for Customers and Partners

Palo Alto Networks COVID-19 Response Center

Kemp Enable Remote Work and Always-On App Experience for Business Continuity
VPN Gateway FAQ
Article • 07/28/2023

Connecting to virtual networks

Can I connect virtual networks in different Azure regions?

Yes. There's no region constraint. One virtual network can connect to another virtual
network in the same region, or in a different Azure region.

Can I connect virtual networks in different subscriptions?

Yes.

Can I specify private DNS servers in my VNet when

configuring a VPN gateway?
If you specified a DNS server or servers when you created your VNet, VPN Gateway will
use the DNS servers that you specified. If you specify a DNS server, verify that your DNS
server can resolve the domain names needed for Azure.

Can I connect to multiple sites from a single virtual

network?
You can connect to multiple sites by using Windows PowerShell and the Azure REST
APIs. See the Multi-Site and VNet-to-VNet Connectivity FAQ section.

Is there an additional cost for setting up a VPN gateway

as active-active?
No. However, costs for any additional public IPs will be charged accordingly. See IP
Address Pricing .

What are my cross-premises connection options?

The following cross-premises virtual network gateway connections are supported:
Site-to-site: VPN connection over IPsec (IKE v1 and IKE v2). This type of connection
requires a VPN device or RRAS. For more information, see Site-to-site.
Point-to-site: VPN connection over SSTP (Secure Socket Tunneling Protocol) or IKE
v2. This connection doesn't require a VPN device. For more information, see Point-
to-site.
VNet-to-VNet: This type of connection is the same as a site-to-site configuration.
VNet to VNet is a VPN connection over IPsec (IKE v1 and IKE v2). It doesn't require
a VPN device. For more information, see VNet-to-VNet.
Multi-Site: This is a variation of a site-to-site configuration that allows you to
connect multiple on-premises sites to a virtual network. For more information, see
Multi-Site.
ExpressRoute: ExpressRoute is a private connection to Azure from your WAN, not a
VPN connection over the public Internet. For more information, see the
ExpressRoute Technical Overview and the ExpressRoute FAQ.

For more information about VPN Gateway connections, see About VPN Gateway.

What is the difference between a site-to-site connection

and point-to-site?
Site-to-site (IPsec/IKE VPN tunnel) configurations are between your on-premises
location and Azure. This means that you can connect from any of your computers
located on your premises to any virtual machine or role instance within your virtual
network, depending on how you choose to configure routing and permissions. It's a
great option for an always-available cross-premises connection and is well suited for
hybrid configurations. This type of connection relies on an IPsec VPN appliance
(hardware device or soft appliance), which must be deployed at the edge of your
network. To create this type of connection, you must have an externally facing IPv4
address.

Point-to-site (VPN over SSTP) configurations let you connect from a single computer
from anywhere to anything located in your virtual network. It uses the Windows in-box
VPN client. As part of the point-to-site configuration, you install a certificate and a VPN
client configuration package, which contains the settings that allow your computer to
connect to any virtual machine or role instance within the virtual network. It's great
when you want to connect to a virtual network, but aren't located on-premises. It's also
a good option when you don't have access to VPN hardware or an externally facing IPv4
address, both of which are required for a site-to-site connection.

You can configure your virtual network to use both site-to-site and point-to-site
concurrently, as long as you create your site-to-site connection using a route-based
VPN type for your gateway. Route-based VPN types are called dynamic gateways in the
classic deployment model.

Privacy

Does the VPN service store or process customer data?

No.

Virtual network gateways

Is a VPN gateway a virtual network gateway?

A VPN gateway is a type of virtual network gateway. A VPN gateway sends encrypted
traffic between your virtual network and your on-premises location across a public
connection. You can also use a VPN gateway to send traffic between virtual networks.
When you create a VPN gateway, you use the -GatewayType value 'Vpn'. For more
information, see About VPN Gateway configuration settings.

What is a policy-based (static-routing) gateway?

Policy-based gateways implement policy-based VPNs. Policy-based VPNs encrypt and
direct packets through IPsec tunnels based on the combinations of address prefixes
between your on-premises network and the Azure VNet. The policy (or Traffic Selector)
is usually defined as an access list in the VPN configuration.

What is a route-based (dynamic-routing) gateway?

Route-based gateways implement the route-based VPNs. Route-based VPNs use
"routes" in the IP forwarding or routing table to direct packets into their corresponding
tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of
the tunnels. The policy or traffic selectors for route-based VPNs are configured as any-
to-any (or wild cards).

Can I specify my own policy-based traffic selectors?

Yes, traffic selectors can be defined via the trafficSelectorPolicies attribute on a
connection via the New-AzIpsecTrafficSelectorPolicy PowerShell command. For the
specified traffic selector to take effect, ensure the Use Policy Based Traffic Selectors
option is enabled.

The custom configured traffic selectors will be proposed only when an Azure VPN
gateway initiates the connection. A VPN gateway will accept any traffic selectors
proposed by a remote gateway (on-premises VPN device). This behavior is consistent
between all connection modes (Default, InitiatorOnly, and ResponderOnly).

Can I update my policy-based VPN gateway to route-

based?
No. A gateway type can't be changed from policy-based to route-based, or from route-
based to policy-based. To change a gateway type, the gateway must be deleted and
recreated. This process takes about 60 minutes. When you create the new gateway, you
can't retain the IP address of the original gateway.

1. Delete any connections associated with the gateway.

2. Delete the gateway using one of the following articles:

Azure portal
Azure PowerShell
Azure PowerShell - classic

3. Create a new gateway using the gateway type that you want, and then complete
the VPN setup. For steps, see the Site-to-site tutorial.

Do I need a 'GatewaySubnet'?
Yes. The gateway subnet contains the IP addresses that the virtual network gateway
services use. You need to create a gateway subnet for your VNet in order to configure a
virtual network gateway. All gateway subnets must be named 'GatewaySubnet' to work
properly. Don't name your gateway subnet something else. And don't deploy VMs or
anything else to the gateway subnet.

When you create the gateway subnet, you specify the number of IP addresses that the
subnet contains. The IP addresses in the gateway subnet are allocated to the gateway
service. Some configurations require more IP addresses to be allocated to the gateway
services than do others. You want to make sure your gateway subnet contains enough IP
addresses to accommodate future growth and possible additional new connection
configurations. So, while you can create a gateway subnet as small as /29, we
recommend that you create a gateway subnet of /27 or larger (/27, /26, /25 etc.). Look
at the requirements for the configuration that you want to create and verify that the
gateway subnet you have will meet those requirements.

Can I deploy Virtual Machines or role instances to my

gateway subnet?
No.

Can I get my VPN gateway IP address before I create it?

Azure Standard SKU public IP resources must use a static allocation method. Therefore,
you'll have the public IP address for your VPN gateway as soon as you create the
Standard SKU public IP resource you intend to use for it.

Can I request a static public IP address for my VPN

gateway?
We recommend that you use a Standard SKU public IP address for your VPN gateway.
Standard SKU public IP address resources use a static allocation method. While we do
support dynamic IP address assignment for certain gateway SKUs (gateway SKUS that
do not have an AZ in the name), we recommend that you use a Standard SKU public IP
address going forward for all virtual network gateways.

For non-zone-redundant and non-zonal gateways (gateway SKUs that do not have AZ in
the name), dynamic IP address assignment is supported, but is being phased out. When
you use a dynamic IP address, the IP address doesn't change after it has been assigned
to your VPN gateway. The only time the VPN gateway IP address changes is when the
gateway is deleted and then re-created. The VPN gateway public IP address doesn't
change when you resize, reset, or complete other internal maintenance and upgrades of
your VPN gateway.

How does the retirement of Basic SKU public IP addresses

affect my VPN gateways?
We are taking action to ensure the continued operation of deployed VPN gateways that
utilize Basic SKU public IP addresses. If you already have VPN gateways with Basic SKU
public IP addresses, there is no need for you to take any action.

However, it's important to note that Basic SKU public IP addresses are being phased out.
We highly recommend using Standard SKU public IP addresses when creating new VPN
gateways. Further details on the retirement of Basic SKU public IP addresses can be
found here .

How does my VPN tunnel get authenticated?

Azure VPN uses PSK (Pre-Shared Key) authentication. We generate a pre-shared key
(PSK) when we create the VPN tunnel. You can change the autogenerated PSK to your
own with the Set Pre-Shared Key PowerShell cmdlet or REST API.

Can I use the Set Pre-Shared Key API to configure my

policy-based (static routing) gateway VPN?
Yes, the Set Pre-Shared Key API and PowerShell cmdlet can be used to configure both
Azure policy-based (static) VPNs and route-based (dynamic) routing VPNs.

Can I use other authentication options?

We're limited to using pre-shared keys (PSK) for authentication.

How do I specify which traffic goes through the VPN

gateway?

Resource Manager deployment model

PowerShell: use "AddressPrefix" to specify traffic for the local network gateway.
Azure portal: navigate to the Local network gateway > Configuration > Address
space.

Classic deployment model

Azure portal: navigate to the classic virtual network > VPN connections > Site-to-
site VPN connections > Local site name > Local site > Client address space.

Can I use NAT-T on my VPN connections?

Yes, NAT traversal (NAT-T) is supported. Azure VPN Gateway will NOT perform any NAT-
like functionality on the inner packets to/from the IPsec tunnels. In this configuration,
ensure the on-premises device initiates the IPSec tunnel.
Can I set up my own VPN server in Azure and use it to
connect to my on-premises network?
Yes, you can deploy your own VPN gateways or servers in Azure either from the Azure
Marketplace or creating your own VPN routers. You must configure user-defined routes
in your virtual network to ensure traffic is routed properly between your on-premises
networks and your virtual network subnets.

Why are certain ports opened on my virtual network

gateway?
They're required for Azure infrastructure communication. They're protected (locked
down) by Azure certificates. Without proper certificates, external entities, including the
customers of those gateways, won't be able to cause any effect on those endpoints.

A virtual network gateway is fundamentally a multi-homed device with one NIC tapping
into the customer private network, and one NIC facing the public network. Azure
infrastructure entities can't tap into customer private networks for compliance reasons,
so they need to utilize public endpoints for infrastructure communication. The public
endpoints are periodically scanned by Azure security audit.

More information about gateway types, requirements,

and throughput
For more information, see About VPN Gateway configuration settings.

Site-to-site connections and VPN devices

What should I consider when selecting a VPN device?

We've validated a set of standard site-to-site VPN devices in partnership with device
vendors. A list of known compatible VPN devices, their corresponding configuration
instructions or samples, and device specs can be found in the About VPN devices article.
All devices in the device families listed as known compatible should work with Virtual
Network. To help configure your VPN device, refer to the device configuration sample or
link that corresponds to appropriate device family.

Where can I find VPN device configuration settings?

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN
device configuration script. For more information, see Download VPN device
configuration scripts.

See the following links for additional configuration information:

For information about compatible VPN devices, see VPN Devices.

Before configuring your VPN device, check for any Known device compatibility
issues for the VPN device that you want to use.

For links to device configuration settings, see Validated VPN Devices. The device
configuration links are provided on a best-effort basis. It's always best to check
with your device manufacturer for the latest configuration information. The list
shows the versions we have tested. If your OS is not on that list, it is still possible
that the version is compatible. Check with your device manufacturer to verify that
OS version for your VPN device is compatible.

For an overview of VPN device configuration, see VPN device configuration

overview.

For information about editing device configuration samples, see Editing samples.

For cryptographic requirements, see About cryptographic requirements and Azure

VPN gateways.

For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE
parameters for Site-to-Site VPN gateway connections. This link shows information
about IKE version, Diffie-Hellman Group, Authentication method, encryption and
hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter
information that you need to complete your configuration.

For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for S2S VPN
or VNet-to-VNet connections.

To connect multiple policy-based VPN devices, see Connect Azure VPN gateways
to multiple on-premises policy-based VPN devices using PowerShell.

How do I edit VPN device configuration samples?

For information about editing device configuration samples, see Editing samples.
Where do I find IPsec and IKE parameters?
For IPsec/IKE parameters, see Parameters.

Why does my policy-based VPN tunnel go down when

traffic is idle?
This is expected behavior for policy-based (also known as static routing) VPN gateways.
When the traffic over the tunnel is idle for more than 5 minutes, the tunnel will be torn
down. When traffic starts flowing in either direction, the tunnel will be reestablished
immediately.

Can I use software VPNs to connect to Azure?

We support Windows Server 2012 Routing and Remote Access (RRAS) servers for site-
to-site cross-premises configuration.

Other software VPN solutions should work with our gateway as long as they conform to
industry standard IPsec implementations. Contact the vendor of the software for
configuration and support instructions.

Can I connect to a VPN gateway via point-to-site when

located at a Site that has an active site-to-site
connection?
Yes, but the Public IP address(es) of the point-to-site client need to be different than the
Public IP address(es) used by the site-to-site VPN device, or else the point-to-site
connection won't work. point-to-site connections with IKEv2 can't be initiated from the
same Public IP address(es) where a site-to-site VPN connection is configured on the
same Azure VPN gateway.

Point-to-site - Certificate authentication

This section applies to the Resource Manager deployment model.

How many VPN client endpoints can I have in my point-

to-site configuration?
It depends on the gateway SKU. For more information on the number of connections
supported, see Gateway SKUs.

What client operating systems can I use with point-to-

site?
The following client operating systems are supported:

Windows Server 2008 R2 (64-bit only)

Can I traverse proxies and firewalls using point-to-site

capability?
Azure supports three types of Point-to-site VPN options:

Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-

based solution that can penetrate firewalls since most firewalls open the outbound
TCP port that 443 SSL uses.

OpenVPN. OpenVPN is a SSL-based solution that can penetrate firewalls since

most firewalls open the outbound TCP port that 443 SSL uses.

If I restart a client computer configured for point-to-site,

will the VPN automatically reconnect?
Auto-reconnect is a function of the client being used. Windows supports auto-reconnect
by configuring the Always On VPN client feature.

Does point-to-site support DDNS on the VPN clients?

DDNS is currently not supported in point-to-site VPNs.

Can I have Site-to-Site and point-to-site configurations

Can I configure a point-to-site client to connect to

How much throughput can I expect through Site-to-Site

Can I use any software VPN client for point-to-site that

Can I change the authentication type for a point-to-site

Does Azure support IKEv2 VPN with Windows?

７ Note

Windows OS builds newer than Windows 10 Version 1709 and Windows Server
2016 Version 1607 do not require these steps.

To prepare Windows 10 or Server 2016 for IKEv2:

1. Install the update based on your OS version:

OS version Date Number/Link

Windows Server 2016 January 17, 2018 KB4057142

Windows 10 Version 1607

Windows 10 Version 1703 January 17, 2018 KB4057144

OS version Date Number/Link

Windows 10 Version 1709 March 22, 2018 KB4089848

2. Set the registry key value. Create or set

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\
IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

What is the IKEv2 traffic selector limit for point-to-site

connections?
Windows 10 version 2004 (released September 2021) increased the traffic selector limit
to 255. Versions of Windows earlier than this have a traffic selector limit of 25.

What happens when I configure both SSTP and IKEv2 for

Other than Windows and Mac, which other platforms

does Azure support for P2S VPN?
Azure supports Windows, Mac, and Linux for P2S VPN.
I already have an Azure VPN Gateway deployed. Can I
enable RADIUS and/or IKEv2 VPN on it?
Yes, if the gateway SKU that you're using supports RADIUS and/or IKEv2, you can enable
these features on gateways that you've already deployed by using PowerShell or the
Azure portal. The Basic SKU doesn't support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following
commands:

Azure PowerShell

$gw=Get-AzVirtualNetworkGateway -name <gateway-name>`

$gw.VPNClientConfiguration = $null`
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw`

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group

<resource-group name> --remove "vpnClientConfiguration"

What should I do if I'm getting a certificate mismatch

Bypassing server identity validation isn't recommended in general, but with Azure
certificate authentication, the same certificate is being used for server validation in the
VPN tunneling protocol (IKEv2/SSTP) and the EAP protocol. Since the server certificate
and FQDN is already validated by the VPN tunneling protocol, it's redundant to validate
the same again in EAP.
Can I use my own internal PKI root CA to generate
certificates for Point-to-Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can still upload 20
root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert,
and OpenSSL.

Are there instructions for certificate settings and

parameters?
Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.
Azure PowerShell: See the Azure PowerShell article for steps.

MakeCert: See the MakeCert article for steps.

OpenSSL:

When exporting certificates, be sure to convert the root certificate to Base64.

For the client certificate:

When creating the private key, specify the length as 4096.
When creating the certificate, for the -extensions parameter, specify usr_cert.

Point-to-site - RADIUS authentication

This section applies to the Resource Manager deployment model.

How many VPN client endpoints can I have in my point-

to-site configuration?
It depends on the gateway SKU. For more information on the number of connections
supported, see Gateway SKUs.

What client operating systems can I use with point-to-

site?
The following client operating systems are supported:

Windows Server 2008 R2 (64-bit only)

Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows Server 2016 (64-bit only)
Windows Server 2019 (64-bit only)
Windows Server 2022 (64-bit only)
Windows 10
Windows 11
macOS version 10.11 or above
Linux (StrongSwan)
iOS
Can I traverse proxies and firewalls using point-to-site
capability?
Azure supports three types of Point-to-site VPN options:

Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-

based solution that can penetrate firewalls since most firewalls open the outbound
TCP port that 443 SSL uses.

OpenVPN. OpenVPN is a SSL-based solution that can penetrate firewalls since

most firewalls open the outbound TCP port that 443 SSL uses.

If I restart a client computer configured for point-to-site,

will the VPN automatically reconnect?
Auto-reconnect is a function of the client being used. Windows supports auto-reconnect
by configuring the Always On VPN client feature.

Does point-to-site support DDNS on the VPN clients?

DDNS is currently not supported in point-to-site VPNs.

Can I have Site-to-Site and point-to-site configurations

Can I configure a point-to-site client to connect to

How much throughput can I expect through Site-to-Site

Can I use any software VPN client for point-to-site that

Can I change the authentication type for a point-to-site

Does Azure support IKEv2 VPN with Windows?

７ Note

Windows OS builds newer than Windows 10 Version 1709 and Windows Server
2016 Version 1607 do not require these steps.

To prepare Windows 10 or Server 2016 for IKEv2:

1. Install the update based on your OS version:

OS version Date Number/Link

Windows Server 2016 January 17, 2018 KB4057142

Windows 10 Version 1607

Windows 10 Version 1703 January 17, 2018 KB4057144

Windows 10 Version 1709 March 22, 2018 KB4089848

2. Set the registry key value. Create or set

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\
IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

What is the IKEv2 traffic selector limit for point-to-site

connections?
Windows 10 version 2004 (released September 2021) increased the traffic selector limit
to 255. Versions of Windows earlier than this have a traffic selector limit of 25.

What happens when I configure both SSTP and IKEv2 for

Other than Windows and Mac, which other platforms

does Azure support for P2S VPN?
Azure supports Windows, Mac, and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following
commands:

Azure PowerShell

$gw=Get-AzVirtualNetworkGateway -name <gateway-name>`

$gw.VPNClientConfiguration = $null`
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw`

Azure CLI
Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group

<resource-group name> --remove "vpnClientConfiguration"

Is RADIUS authentication supported on all Azure VPN

Gateway SKUs?
RADIUS authentication is supported for all SKUs except the Basic SKU.

For legacy SKUs, RADIUS authentication is supported on Standard and High

Performance SKUs. It isn't supported on the Basic Gateway SKU.

Is RADIUS authentication supported for the classic

deployment model?
No. RADIUS authentication isn't supported for the classic deployment model.

What is the timeout period for RADIUS requests sent to

the RADIUS server?
RADIUS requests are set to timeout after 30 seconds. User defined timeout values aren't
supported today.

Are 3rd-party RADIUS servers supported?

Yes, 3rd-party RADIUS servers are supported.

What are the connectivity requirements to ensure that

the Azure gateway is able to reach an on-premises
RADIUS server?
A site-to-site VPN connection to the on-premises site, with the proper routes
configured, is required.

Can traffic to an on-premises RADIUS server (from the

Azure VPN gateway) be routed over an ExpressRoute
connection?
No. It can only be routed over a site-to-site connection.

Is there a change in the number of SSTP connections

What is the difference between doing certificate

Does RADIUS authentication work with both IKEv2, and

SSTP VPN?
Yes, RADIUS authentication is supported for both IKEv2, and SSTP VPN.

Does RADIUS authentication work with the OpenVPN

client?
RADIUS authentication is supported for the OpenVPN protocol.

VNet-to-VNet and Multi-Site connections

The VNet-to-VNet FAQ applies to VPN gateway connections. For information about
VNet peering, see Virtual network peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free for both directions when you use a
VPN gateway connection. Cross-region VNet-to-VNet egress traffic is charged with the
outbound inter-VNet data transfer rates based on the source regions. For more
information, see VPN Gateway pricing page . If you're connecting your VNets by using
VNet peering instead of a VPN gateway, see Virtual network pricing .

Does VNet-to-VNet traffic travel across the internet?

No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the internet.

Can I establish a VNet-to-VNet connection across Azure

Active Directory tenants?
Yes, VNet-to-VNet connections that use Azure VPN gateways work across Azure AD
tenants.

Is VNet-to-VNet traffic secure?

Yes, it's protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device
unless cross-premises connectivity is required.

Do my VNets need to be in the same region?

No. The virtual networks can be in the same or different Azure regions (locations).

If the VNets aren't in the same subscription, do the

subscriptions need to be associated with the same Active
Directory tenant?
No.
Can I use VNet-to-VNet to connect virtual networks in
separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance.
For example, you can’t create a connection between global Azure and
Chinese/German/US government Azure instances. Consider using a Site-to-Site VPN
connection for these scenarios.

Can I use VNet-to-VNet along with multi-site

connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can

one virtual network connect to?
See the Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services

outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It doesn't support connecting
virtual machines or cloud services that aren't in a virtual network.

Can a cloud service or a load-balancing endpoint span

VNets?
No. A cloud service or a load-balancing endpoint can't span across virtual networks,
even if they're connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or

Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with
RouteBased (previously called dynamic routing) VPN types.

Can I connect a VNet with a RouteBased VPN Type to

another VNet with a PolicyBased VPN type?
No, both virtual networks MUST use route-based (previously called dynamic routing)
VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure
VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual
network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet

configurations?
No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among

connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.

How do I enable routing between my site-to-site VPN

connection and my ExpressRoute?
If you want to enable routing between your branch connected to ExpressRoute and your
branch connected to a site-to-site VPN connection, you'll need to set up Azure Route
Server.

Can I use Azure VPN gateway to transit traffic between

my on-premises sites or to another virtual network?
Resource Manager deployment model
Yes. See the BGP section for more information.

Classic deployment model

Transit traffic via Azure VPN gateway is possible using the classic deployment model, but
relies on statically defined address spaces in the network configuration file. BGP isn't yet
supported with Azure Virtual Networks and VPN gateways using the classic deployment
model. Without BGP, manually defining transit address spaces is very error prone, and
not recommended.

Does Azure generate the same IPsec/IKE pre-shared key

for all my VPN connections for the same virtual network?
No, Azure by default generates different pre-shared keys for different VPN connections.
However, you can use the Set VPN Gateway Key REST API or PowerShell cmdlet to set
the key value you prefer. The key MUST only contain printable ASCII characters except
space, hyphen (-) or tilde (~).

Do I get more bandwidth with more site-to-site VPNs

than for a single virtual network?
No, all VPN tunnels, including point-to-site VPNs, share the same Azure VPN gateway
and the available bandwidth.

Can I configure multiple tunnels between my virtual

network and my on-premises site using multi-site VPN?
Yes, but you must configure BGP on both tunnels to the same location.

Does Azure VPN Gateway honor AS Path prepending to

influence routing decisions between multiple connections
to my on-premises sites?
Yes, Azure VPN gateway will honor AS Path prepending to help make routing decisions
when BGP is enabled. A shorter AS Path will be preferred in BGP path selection.

Can I use the RoutingWeight property when creating a

new VPN VirtualNetworkGateway connection?
No, such setting is reserved for ExpressRoute gateway connections. If you want to
influence routing decisions between multiple connections, you need to use AS Path
prepending.

Can I use point-to-site VPNs with my virtual network with

multiple VPN tunnels?
Yes, point-to-site (P2S) VPNs can be used with the VPN gateways connecting to multiple
on-premises sites and other virtual networks.

Can I connect a virtual network with IPsec VPNs to my

ExpressRoute circuit?
Yes, this is supported. For more information, see Configure ExpressRoute and site-to-site
VPN connections that coexist.

IPsec/IKE policy

Is Custom IPsec/IKE policy supported on all Azure VPN

Gateway SKUs?
Custom IPsec/IKE policy is supported on all Azure SKUs except the Basic SKU.

How many policies can I specify on a connection?

You can only specify one policy combination for a given connection.

Can I specify a partial policy on a connection? (for

example, only IKE algorithms, but not IPsec)
No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec
(Quick Mode). Partial policy specification isn't allowed.

What are the algorithms and key strengths supported in

the custom policy?
The following table lists the supported cryptographic algorithms and key strengths that
you can configure. You must select one option for every field.

IPsec/IKEv2 Options

IKEv2 GCMAES256, GCMAES128, AES256, AES192, AES128, DES3, DES

Encryption

IKEv2 Integrity GCMAES256, GCMAES128, SHA384, SHA256, SHA1, MD5

DH Group DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2,

IPsec/IKEv2 Options

DHGroup1, None

IPsec GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES,

Encryption None

IPsec Integrity GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5

PFS Group PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None

QM SA Lifetime (Optional: default values are used if not specified)

Seconds (integer; min. 300/default 27000 seconds)
KBytes (integer; min. 1024/default 102400000 KBytes)

Traffic Selector UsePolicyBasedTrafficSelectors** ($True/$False; Optional, default $False if not

specified)

DPD timeout Seconds (integer: min. 9/max. 3600; default 45 seconds)

Your on-premises VPN device configuration must match or contain the following
algorithms and parameters that you specify on the Azure IPsec/IKE policy:
IKE encryption algorithm (Main Mode / Phase 1)
IKE integrity algorithm (Main Mode / Phase 1)
DH Group (Main Mode / Phase 1)
IPsec encryption algorithm (Quick Mode / Phase 2)
IPsec integrity algorithm (Quick Mode / Phase 2)
PFS Group (Quick Mode / Phase 2)
Traffic Selector (if UsePolicyBasedTrafficSelectors is used)
The SA lifetimes are local specifications only, and don't need to match.

If GCMAES is used as for IPsec Encryption algorithm, you must select the same
GCMAES algorithm and key length for IPsec Integrity; for example, using
GCMAES128 for both.

In the Algorithms and keys table:

IKE corresponds to Main Mode or Phase 1.
IPsec corresponds to Quick Mode or Phase 2.
DH Group specifies the Diffie-Hellmen Group used in Main Mode or Phase 1.
PFS Group specified the Diffie-Hellmen Group used in Quick Mode or Phase 2.

IKE Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.

'UsePolicyBasedTrafficSelectors' is an optional parameter on the connection. If you

set UsePolicyBasedTrafficSelectors to $True on a connection, it will configure the
Azure VPN gateway to connect to policy-based VPN firewall on premises. If you
enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has the
matching traffic selectors defined with all combinations of your on-premises
network (local network gateway) prefixes to/from the Azure virtual network
prefixes, instead of any-to-any.

For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16,
and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need
to specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16

For more information regarding policy-based traffic selectors, see Connect

multiple on-premises policy-based VPN devices.

DPD timeout - The default value is 45 seconds on Azure VPN gateways. Setting the
timeout to shorter periods will cause IKE to rekey more aggressively, causing the
connection to appear to be disconnected in some instances. This may not be
desirable if your on-premises locations are farther away from the Azure region
where the VPN gateway resides, or the physical link condition could incur packet
loss. The general recommendation is to set the timeout between 30 to 45 seconds.

For more information, see Connect multiple on-premises policy-based VPN devices.

Which Diffie-Hellman Groups are supported?

The following table lists the corresponding Diffie-Hellman groups supported by the
custom policy:

Diffie-Hellman Group DHGroup PFSGroup Key length

1 DHGroup1 PFS1 768-bit MODP

2 DHGroup2 PFS2 1024-bit MODP

14 DHGroup14 PFS2048 2048-bit MODP

DHGroup2048

19 ECP256 ECP256 256-bit ECP

20 ECP384 ECP384 384-bit ECP

24 DHGroup24 PFS24 2048-bit MODP

Refer to RFC3526 and RFC5114 for more details.

Does the custom policy replace the default IPsec/IKE

policy sets for Azure VPN gateways?
Yes, once a custom policy is specified on a connection, Azure VPN gateway will only use
the policy on the connection, both as IKE initiator and IKE responder.

If I remove a custom IPsec/IKE policy, does the

connection become unprotected?
No, the connection will still be protected by IPsec/IKE. Once you remove the custom
policy from a connection, the Azure VPN gateway reverts back to the default list of
IPsec/IKE proposals and restart the IKE handshake again with your on-premises VPN
device.

Would adding or updating an IPsec/IKE policy disrupt my

VPN connection?
Yes, it could cause a small disruption (a few seconds) as the Azure VPN gateway tears
down the existing connection and restarts the IKE handshake to re-establish the IPsec
tunnel with the new cryptographic algorithms and parameters. Ensure your on-premises
VPN device is also configured with the matching algorithms and key strengths to
minimize the disruption.

Can I use different policies on different connections?

Yes. Custom policy is applied on a per-connection basis. You can create and apply
different IPsec/IKE policies on different connections. You can also choose to apply
custom policies on a subset of connections. The remaining ones use the Azure default
IPsec/IKE policy sets.

Can I use the custom policy on VNet-to-VNet connection

as well?
Yes, you can apply custom policy on both IPsec cross-premises connections or VNet-to-
VNet connections.
Do I need to specify the same policy on both VNet-to-
VNet connection resources?
Yes. A VNet-to-VNet tunnel consists of two connection resources in Azure, one for each
direction. Make sure both connection resources have the same policy, otherwise the
VNet-to-VNet connection won't establish.

What is the default DPD timeout value? Can I specify a

different DPD timeout?
The default DPD timeout is 45 seconds. You can specify a different DPD timeout value
on each IPsec or VNet-to-VNet connection, from 9 seconds to 3600 seconds.

７ Note

The default value is 45 seconds on Azure VPN gateways. Setting the timeout to
shorter periods will cause IKE to rekey more aggressively, causing the connection to
appear to be disconnected in some instances. This may not be desirable if your on-
premises locations are farther away from the Azure region where the VPN gateway
resides, or when the physical link condition could incur packet loss. The general
recommendation is to set the timeout between 30 and 45 seconds.

Does custom IPsec/IKE policy work on ExpressRoute

connection?
No. IPsec/IKE policy only works on S2S VPN and VNet-to-VNet connections via the
Azure VPN gateways.

How do I create connections with IKEv1 or IKEv2 protocol

type?
IKEv1 connections can be created on all RouteBased VPN type SKUs, except the Basic
SKU, Standard SKU, and other legacy SKUs. You can specify a connection protocol type
of IKEv1 or IKEv2 while creating connections. If you don't specify a connection protocol
type, IKEv2 is used as default option where applicable. For more information, see the
PowerShell cmdlet documentation. For SKU types and IKEv1/IKEv2 support, see Connect
gateways to policy-based VPN devices.

Is transit between IKEv1 and IKEv2 connections allowed?

Yes. Transit between IKEv1 and IKEv2 connections is supported.

Can I have IKEv1 site-to-site connections on Basic SKUs of

RouteBased VPN type?
No. The Basic SKU doesn't support this.

Can I change the connection protocol type after the

connection is created (IKEv1 to IKEv2 and vice versa)?
No. Once the connection is created, IKEv1/IKEv2 protocols can't be changed. You must
delete and recreate a new connection with the desired protocol type.

Why is my IKEv1 connection frequently reconnecting?

If your static routing or route based IKEv1 connection is disconnecting at routine
intervals, it's likely due to VPN gateways not supporting in-place rekeys. When Main
mode is getting rekeyed, your IKEv1 tunnels will disconnect and take up to 5 seconds to
reconnect. Your Main mode negotiation time out value will determine the frequency of
rekeys. To prevent these reconnects, you can switch to using IKEv2, which supports in-
place rekeys.

If your connection is reconnecting at random times, follow our troubleshooting guide.

Where can I find configuration information and steps?

See the following articles for more information and configuration steps.

Configure IPsec/IKE policy for S2S or VNet-to-VNet connections - Azure portal

Configure IPsec/IKE policy for S2S or VNet-to-VNet connections - Azure
PowerShell

BGP and routing

Is BGP supported on all Azure VPN Gateway SKUs?

BGP is supported on all Azure VPN Gateway SKUs except Basic SKU.

Can I use BGP with Azure Policy VPN gateways?

No, BGP is supported on route-based VPN gateways only.

What ASNs (Autonomous System Numbers) can I use?

You can use your own public ASNs or private ASNs for both your on-premises networks
and Azure virtual networks. You can't use the ranges reserved by Azure or IANA.

The following ASNs are reserved by Azure or IANA:

ASNs reserved by Azure:

Public ASNs: 8074, 8075, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520

ASNs reserved by IANA :

23456, 64496-64511, 65535-65551 and 429496729

You can't specify these ASNs for your on-premises VPN devices when you're connecting
to Azure VPN gateways.

Can I use 32-bit (4-byte) ASNs?

Yes, VPN Gateway now supports 32-bit (4-byte) ASNs. To configure by using ASN in
decimal format, use PowerShell, the Azure CLI, or the Azure SDK.

What private ASNs can I use?

The useable ranges of private ASNs are:

64512-65514 and 65521-65534

These ASNs aren't reserved by IANA or Azure for use, and therefore can be used to
assign to your Azure VPN gateway.

What address does VPN Gateway use for BGP peer IP?
By default, VPN Gateway allocates a single IP address from the GatewaySubnet range for
active-standby VPN gateways, or two IP addresses for active-active VPN gateways.
These addresses are allocated automatically when you create the VPN gateway. You can
get the actual BGP IP address allocated by using PowerShell or by locating it in the
Azure portal. In PowerShell, use Get-AzVirtualNetworkGateway, and look for the
bgpPeeringAddress property. In the Azure portal, on the Gateway Configuration page,
look under the Configure BGP ASN property.
If your on-premises VPN routers use APIPA IP addresses (169.254.x.x) as the BGP IP
addresses, you must specify one or more Azure APIPA BGP IP addresses on your Azure
VPN gateway. Azure VPN Gateway selects the APIPA addresses to use with the on-
premises APIPA BGP peer specified in the local network gateway, or the private IP
address for a non-APIPA, on-premises BGP peer. For more information, see Configure
BGP.

What are the requirements for the BGP peer IP addresses

on my VPN device?
Your on-premises BGP peer address must not be the same as the public IP address of
your VPN device or from the virtual network address space of the VPN gateway. Use a
different IP address on the VPN device for your BGP peer IP. It can be an address
assigned to the loopback interface on the device (either a regular IP address or an APIPA
address). If your device uses an APIPA address for BGP, you must specify one or more
APIPA BGP IP addresses on your Azure VPN gateway, as described in Configure BGP.
Specify these addresses in the corresponding local network gateway representing the
location.

What should I specify as my address prefixes for the local

network gateway when I use BGP?

） Important

This is a change from the previously documented requirement. If you use BGP for a
connection, leave the Address space field empty for the corresponding local
network gateway resource. Azure VPN Gateway adds a host route internally to the
on-premises BGP peer IP over the IPsec tunnel. Don't add the /32 route in the
Address space field. It's redundant and if you use an APIPA address as the on-
premises VPN device BGP IP, it can't be added to this field. If you add any other
prefixes in the Address space field, they are added as static routes on the Azure
VPN gateway, in addition to the routes learned via BGP.

Can I use the same ASN for both on-premises VPN

networks and Azure virtual networks?
No, you must assign different ASNs between your on-premises networks and your Azure
virtual networks if you're connecting them together with BGP. Azure VPN gateways have
a default ASN of 65515 assigned, whether BGP is enabled or not for your cross-premises
connectivity. You can override this default by assigning a different ASN when you're
creating the VPN gateway, or you can change the ASN after the gateway is created.
You'll need to assign your on-premises ASNs to the corresponding Azure local network
gateways.

What address prefixes will Azure VPN gateways advertise

to me?
The gateways advertise the following routes to your on-premises BGP devices:

Your virtual network address prefixes.

Address prefixes for each local network gateway connected to the Azure VPN
gateway.
Routes learned from other BGP peering sessions connected to the Azure VPN
gateway, except for the default route or routes that overlap with any virtual
network prefix.

How many prefixes can I advertise to Azure VPN

Gateway?
Azure VPN Gateway supports up to 4000 prefixes. The BGP session is dropped if the
number of prefixes exceeds the limit.

Can I advertise default route (0.0.0.0/0) to Azure VPN

gateways?
Yes. Note that this forces all virtual network egress traffic towards your on-premises site.
It also prevents the virtual network VMs from accepting public communication from the
internet directly, such RDP or SSH from the internet to the VMs.

Can I advertise the exact prefixes as my virtual network

prefixes?
No, advertising the same prefixes as any one of your virtual network address prefixes
will be blocked or filtered by Azure. You can, however, advertise a prefix that is a
superset of what you have inside your virtual network.

For example, if your virtual network used the address space 10.0.0.0/16, you can
advertise 10.0.0.0/8. But you can't advertise 10.0.0.0/16 or 10.0.0.0/24.
Can I use BGP with my connections between virtual
networks?
Yes, you can use BGP for both cross-premises connections and connections between
virtual networks.

Can I mix BGP with non-BGP connections for my Azure

VPN gateways?
Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.

Does Azure VPN Gateway support BGP transit routing?

Yes, BGP transit routing is supported, with the exception that Azure VPN gateways don't
advertise default routes to other BGP peers. To enable transit routing across multiple
Azure VPN gateways, you must enable BGP on all intermediate connections between
virtual networks. For more information, see About BGP.

Can I have more than one tunnel between an Azure VPN

gateway and my on-premises network?
Yes, you can establish more than one site-to-site (S2S) VPN tunnel between an Azure
VPN gateway and your on-premises network. Note that all these tunnels are counted
against the total number of tunnels for your Azure VPN gateways, and you must enable
BGP on both tunnels.

For example, if you have two redundant tunnels between your Azure VPN gateway and
one of your on-premises networks, they consume 2 tunnels out of the total quota for
your Azure VPN gateway.

Can I have multiple tunnels between two Azure virtual

networks with BGP?
Yes, but at least one of the virtual network gateways must be in active-active
configuration.

Can I use BGP for S2S VPN in an Azure ExpressRoute and

S2S VPN coexistence configuration?
Yes.
What should I add to my on-premises VPN device for the
BGP peering session?
Add a host route of the Azure BGP peer IP address on your VPN device. This route
points to the IPsec S2S VPN tunnel. For example, if the Azure VPN peer IP is
10.12.255.30, you add a host route for 10.12.255.30 with a next-hop interface of the
matching IPsec tunnel interface on your VPN device.

Does the virtual network gateway support BFD for S2S

connections with BGP?
No. Bidirectional Forwarding Detection (BFD) is a protocol that you can use with BGP to
detect neighbor downtime quicker than you can by using standard BGP "keepalives."
BFD uses subsecond timers designed to work in LAN environments, but not across the
public internet or Wide Area Network connections.

For connections over the public internet, having certain packets delayed or even
dropped isn't unusual, so introducing these aggressive timers can add instability. This
instability might cause routes to be dampened by BGP. As an alternative, you can
configure your on-premises device with timers lower than the default, 60-second
"keepalive" interval, and the 180-second hold timer. This results in a quicker
convergence time.

Do Azure VPN gateways initiate BGP peering sessions or

connections?
The gateway will initiate BGP peering sessions to the on-premises BGP peer IP addresses
specified in the local network gateway resources using the private IP addresses on the
VPN gateways. This is irrespective of whether the on-premises BGP IP addresses are in
the APIPA range or regular private IP addresses. If your on-premises VPN devices use
APIPA addresses as BGP IP, you need to configure your BGP speaker to initiate the
connections.

Can I configure forced tunneling?

Yes. See Configure forced tunneling.

NAT
Is NAT supported on all Azure VPN Gateway SKUs?
NAT is supported on VpnGw2~5 and VpnGw2AZ~5AZ.

Can I use NAT on VNet-to-VNet or P2S connections?

No, NAT is supported on IPsec cross-premises connections only.

How many NAT rules can I use on a VPN gateway?

You can create up to 100 NAT rules (Ingress and Egress rules combined) on a VPN
gateway.

Can I use / in a NAT rule name?

No. You'll receive an error.

Is NAT applied to all connections on a VPN gateway?

NAT is applied to the connections with NAT rules. If a connection doesn't have a NAT
rule, NAT won't take effect on that connection. On the same VPN gateway, you can have
some connections with NAT, and other connections without NAT working together.

What types of NAT is supported on Azure VPN gateways?

Only static 1:1 NAT and Dynamic NAT are supported. NAT64 is NOT supported.

Does NAT work on active-active VPN gateways?

Yes. NAT works on both active-active and active-standby VPN gateways.

Does NAT work with BGP connections?

Yes, you can use BGP with NAT. Here are some important considerations:

Select Enable BGP Route Translation on the NAT Rules configuration page to
ensure the learned routes and advertised routes are translated to post-NAT
address prefixes (External Mappings) based on the NAT rules associated with the
connections. You need to ensure the on-premises BGP routers advertise the exact
prefixes as defined in the IngressSNAT rules.
If the on-premises VPN router uses regular, non-APIPA address and it collides with
the VNet address space or other on-premises network spaces, ensure the
IngressSNAT rule will translate the BGP peer IP to a unique, non-overlapped
address and put the post-NAT address in the BGP peer IP address field of the local
network gateway.

NAT isn't supported with BGP APIPA addresses.

Do I need to create the matching DNAT rules for the

SNAT rule?
No. A single SNAT rule defines the translation for both directions of a particular
network:

An IngressSNAT rule defines the translation of the source IP addresses coming into
the Azure VPN gateway from the on-premises network. It also handles the
translation of the destination IP addresses leaving from the VNet to the same on-
premises network.

An EgressSNAT rule defines the translation of the VNet source IP addresses leaving
the Azure VPN gateway to on-premises networks. It also handles the translation of
the destination IP addresses for packets coming into the VNet via those
connections with the EgressSNAT rule.

In either case, no DNAT rules are needed.

What do I do if my VNet or local network gateway

address space has two or more prefixes? Can I apply NAT
to all of them? Or just a subset?
You need to create one NAT rule for each prefix you need to NAT because each NAT rule
can only include one address prefix for NAT. For example, if the local network gateway
address space consists of 10.0.1.0/24 and 10.0.2.0/25, you can create two rules as shown
below:

IngressSNAT rule 1: Map 10.0.1.0/24 to 100.0.1.0/24

IngressSNAT rule 2: Map 10.0.2.0/25 to 100.0.2.0/25

The two rules must match the prefix lengths of the corresponding address prefixes. The
same applies to EgressSNAT rules for VNet address space.

） Important
If you link only one rule to the connection above, the other address space will NOT
be translated.

What IP ranges can I use for External Mapping?

You can use any suitable IP range that you want for External Mapping, including public
and private IPs.

Can I use different EgressSNAT rules to translate my VNet

address space to different prefixes to different on-
premises networks?
Yes, you can create multiple EgressSNAT rules for the same VNet address space, and
apply the EgressSNAT rules to different connections.

Can I use the same IngressSNAT rule on different

connections?
Yes, this is typically used when the connections are for the same on-premises network to
provide redundancy. You can't use the same Ingress rule if the connections are for
different on-premises networks.

Do I need both Ingress and Egress rules on a NAT

connection?
You need both Ingress and Egress rules on the same connection when the on-premises
network address space overlaps with the VNet address space. If the VNet address space
is unique among all connected networks, you don't need the EgressSNAT rule on those
connections. You can use the Ingress rules to avoid address overlap among the on-
premises networks.

What do I choose as "IP configuration ID"?

"IP configuration ID" is simply the name of the IP configuration object you want the NAT
rule to use. With this setting, you're simply choosing which gateway public IP address
applies to the NAT rule. If you haven't specified any custom name at gateway creation
time, the gateway's primary IP address is assigned to the "default" IPconfiguration, and
the secondary IP is assigned to the "activeActive" IPconfiguration.
Cross-premises connectivity and VMs

If my virtual machine is in a virtual network and I have a

cross-premises connection, how should I connect to the
VM?
You have a few options. If you have RDP enabled for your VM, you can connect to your
virtual machine by using the private IP address. In that case, you would specify the
private IP address and the port that you want to connect to (typically 3389). You'll need
to configure the port on your virtual machine for the traffic.

You can also connect to your virtual machine by private IP address from another virtual
machine that's located on the same virtual network. You can't RDP to your virtual
machine by using the private IP address if you're connecting from a location outside of
your virtual network. For example, if you have a point-to-site virtual network configured
and you don't establish a connection from your computer, you can't connect to the
virtual machine by private IP address.

If my virtual machine is in a virtual network with cross-

premises connectivity, does all the traffic from my VM go
through that connection?
No. Only the traffic that has a destination IP that is contained in the virtual network
Local Network IP address ranges that you specified will go through the virtual network
gateway. Traffic has a destination IP located within the virtual network stays within the
virtual network. Other traffic is sent through the load balancer to the public networks, or
if forced tunneling is used, sent through the Azure VPN gateway.

How do I troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection,
check the following:

Verify that your VPN connection is successful.

Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer
name, verify that you have configured DNS properly. For more information about
how name resolution works for VMs, see Name Resolution for VMs.

When you connect over Point-to-Site, check the following additional items:
Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the
computer from which you are connecting. If the IP address is within the address
range of the VNet that you are connecting to, or within the address range of your
VPNClientAddressPool, this is referred to as an overlapping address space. When
your address space overlaps in this way, the network traffic doesn't reach Azure, it
stays on the local network.
Verify that the VPN client configuration package was generated after the DNS
server IP addresses were specified for the VNet. If you updated the DNS server IP
addresses, generate and install a new VPN client configuration package.

For more information about troubleshooting an RDP connection, see Troubleshoot

Remote Desktop connections to a VM.

Virtual Network FAQ

You can view additional virtual network information in the Virtual Network FAQ.

Next steps
For more information about VPN Gateway, see About VPN Gateway.
For more information about VPN Gateway configuration settings, see About VPN
Gateway configuration settings.

"OpenVPN" is a trademark of OpenVPN Inc.

VPN Gateway design
Article • 04/11/2023

It's important to know that there are different configurations available for VPN gateway
connections. You need to determine which configuration best fits your needs. In the
sections below, you can view design information and topology diagrams about the
following VPN gateway connections. Use the diagrams and descriptions to help select
the connection topology to match your requirements. The diagrams show the main
baseline topologies, but it's possible to build more complex configurations using the
diagrams as guidelines.

Site-to-site VPN
A Site-to-site (S2S) VPN gateway connection is a connection over IPsec/IKE (IKEv1 or
IKEv2) VPN tunnel. S2S connections can be used for cross-premises and hybrid
configurations. A S2S connection requires a VPN device located on-premises that has a
public IP address assigned to it. For information about selecting a VPN device, see the
VPN Gateway FAQ - VPN devices.

VPN Gateway can be configured in active-standby mode using one public IP or in

active-active mode using two public IPs. In active-standby mode, one IPsec tunnel is
active and the other tunnel is in standby. In this setup, traffic flows through the active
tunnel, and if some issue happens with this tunnel, the traffic switches over to the
standby tunnel. Setting up VPN Gateway in active-active mode is recommended in which
both the IPsec tunnels are simultaneously active, with data flowing through both tunnels
at the same time. An additional advantage of active-active mode is that customers
experience higher throughputs.

You can create more than one VPN connection from your virtual network gateway,
typically connecting to multiple on-premises sites. When working with multiple
connections, you must use a RouteBased VPN type (known as a dynamic gateway when
working with classic VNets). Because each virtual network can only have one VPN
gateway, all connections through the gateway share the available bandwidth. This type
of connection is sometimes referred to as a "multi-site" connection.


Deployment models and methods for S2S

Deployment model/method Azure portal PowerShell Azure CLI

Resource Manager Tutorial

Tutorial Tutorial
Tutorial

Classic Tutorial** Tutorial Not Supported

(**) denotes that this method contains steps that require PowerShell.

Point-to-site VPN
A point-to-site (P2S) VPN gateway connection lets you create a secure connection to
your virtual network from an individual client computer. A P2S connection is established
by starting it from the client computer. This solution is useful for telecommuters who
want to connect to Azure VNets from a remote location, such as from home or a
conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have
only a few clients that need to connect to a VNet.

Unlike S2S connections, P2S connections don't require an on-premises public-facing IP

address or a VPN device. P2S connections can be used with S2S connections through
the same VPN gateway, as long as all the configuration requirements for both
connections are compatible. For more information about point-to-site connections, see
About point-to-site VPN.


Deployment models and methods for P2S

Azure native certificate authentication

Deployment model/method Azure portal PowerShell

Resource Manager Tutorial Tutorial

Classic Tutorial Supported

RADIUS authentication

Deployment model/method Azure portal PowerShell

Resource Manager Supported Tutorial

Classic Not Supported Not Supported

VNet-to-VNet connections (IPsec/IKE VPN

tunnel)
Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to
connecting a VNet to an on-premises site location. Both connectivity types use a VPN
gateway to provide a secure tunnel using IPsec/IKE. You can even combine VNet-to-
VNet communication with multi-site connection configurations. This lets you establish
network topologies that combine cross-premises connectivity with inter-virtual network
connectivity.

The VNets you connect can be:

in the same or different regions

in the same or different subscriptions
in the same or different deployment models

Connections between deployment models

Azure currently has two deployment models: classic and Resource Manager. If you have
been using Azure for some time, you probably have Azure VMs and instance roles
running in a classic VNet. Your newer VMs and role instances may be running in a VNet
created in Resource Manager. You can create a connection between the VNets to allow
the resources in one VNet to communicate directly with resources in another.

VNet peering
You may be able to use VNet peering to create your connection, as long as your virtual
network meets certain requirements. VNet peering doesn't use a virtual network
gateway. For more information, see VNet peering.

Deployment models and methods for VNet-to-VNet

Deployment model/method Azure portal PowerShell Azure CLI

Classic Tutorial* Supported Not Supported

Resource Manager Tutorial+ Tutorial Tutorial

Connections between different deployment Tutorial* Tutorial Not Supported

models

(+) denotes this deployment method is available only for VNets in the same
subscription.

(*) denotes that this deployment method also requires PowerShell.

Site-to-site and ExpressRoute coexisting

connections
ExpressRoute is a direct, private connection from your WAN (not over the public
Internet) to Microsoft Services, including Azure. Site-to-site VPN traffic travels encrypted
over the public Internet. Being able to configure site-to-site VPN and ExpressRoute
connections for the same virtual network has several advantages.

You can configure a site-to-site VPN as a secure failover path for ExpressRoute, or use
site-to-site VPNs to connect to sites that aren't part of your network, but that are
connected through ExpressRoute. Notice that this configuration requires two virtual
network gateways for the same virtual network, one using the gateway type 'Vpn', and
the other using the gateway type 'ExpressRoute'.

Deployment models and methods for S2S and

ExpressRoute coexist

Deployment model/method Azure portal PowerShell

Resource Manager Supported Tutorial

Classic Not Supported Tutorial

Highly available connections

For planning and design for highly available connections, see Highly available
connections.

Next steps
View the VPN Gateway FAQ for additional information.
Learn more about VPN Gateway configuration settings.

For VPN Gateway BGP considerations, see About BGP.

View the Subscription and service limits.

Learn about some of the other key networking capabilities of Azure.

About VPN Gateway configuration settings
Article • 08/10/2023

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your
virtual network and your on-premises location across a public connection. You can also use a
VPN gateway to send traffic between virtual networks across the Azure backbone.

A VPN gateway connection relies on the configuration of multiple resources, each of which
contains configurable settings. The sections in this article discuss the resources and settings that
relate to a VPN gateway for a virtual network created in Resource Manager deployment model.
You can find descriptions and topology diagrams for each connection solution in the About VPN
Gateway article.

The values in this article apply VPN gateways (virtual network gateways that use the -
GatewayType Vpn). Additionally, this article covers many, but not all, gateway types and SKUs.
See the following articles for information regarding gateways that use these specified settings:

For values that apply to -GatewayType 'ExpressRoute', see Virtual Network Gateways for
ExpressRoute.

For zone-redundant gateways, see About zone-redundant gateways.

For active-active gateways, see About highly available connectivity.

For Virtual WAN, see About Virtual WAN.

Gateway types
Each virtual network can only have one virtual network gateway of each type. When you're
creating a virtual network gateway, you must make sure that the gateway type is correct for your
configuration.

The available values for -GatewayType are:

Vpn
ExpressRoute

A VPN gateway requires the -GatewayType Vpn.

Example:

Azure PowerShell

New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `

-Location 'West US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased
Gateway SKUs
When you create a virtual network gateway, you need to specify the gateway SKU that you want
to use. Select the SKU that satisfies your requirements based on the types of workloads,
throughput, features, and SLAs. For virtual network gateway SKUs in Azure Availability Zones, see
Zone-redundant gateway SKUs.

Gateway SKUs by tunnel, connection, and throughput

VPN SKU S2S/VNet- P2S P2S Aggregate BGP Zone-

Gateway to-VNet SSTP IKEv2/OpenVPN Throughput redundant
Generation Tunnels Connections Connections Benchmark

Generation1 Basic Max. 10 Max. 128 Not Supported 100 Mbps Not No
Supported

Generation1 VpnGw1 Max. 30 Max. 128 Max. 250 650 Mbps Supported No

Generation1 VpnGw2 Max. 30 Max. 128 Max. 500 1 Gbps Supported No

Generation1 VpnGw3 Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported No

Generation1 VpnGw1AZ Max. 30 Max. 128 Max. 250 650 Mbps Supported Yes

Generation1 VpnGw2AZ Max. 30 Max. 128 Max. 500 1 Gbps Supported Yes

Generation1 VpnGw3AZ Max. 30 Max. 128 Max. 1000 1.25 Gbps Supported Yes

Generation2 VpnGw2 Max. 30 Max. 128 Max. 500 1.25 Gbps Supported No