Azure VPN – Part1 (Virtual Private Network)

Santosh Gaikwad

>>Related Articles      >> Azure VPN – Part 2

What is VPN (Virtual Private Network)?

A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. To send network traffic between your Azure virtual network and your on-premises site, you must create a virtual network gateway for your virtual network.

Why is a VPN required?

Hardly any organization hosts all of its workloads in a public cloud like Microsoft Azure. Most organizations still run their own on-premises environments, and it would probably take decades to move every application to the cloud. In such scenarios there has to be a secure way of communicating between a public cloud like Azure and the on-premises environment, one that allows data exchange between the cloud and on-premises data centers or a private cloud such as Azure Stack. This combination is called a hybrid cloud. If you are building a hybrid cloud, you probably want network connectivity between the two clouds, and that means a VPN. Microsoft Azure uses a Virtual Network Gateway to provide this connectivity.

Following are a few hybrid cloud scenarios:

  • A company uses a public development platform that sends data to a private cloud or a data center–based application.
  • A company leverages a number of SaaS (Software as a Service) applications and moves data between private or data center resources.
  • A business process is designed as a service so that it can connect with environments as though they were a single environment.

Different ways to create VPN Gateways

There are several ways to connect on-premises sites securely to a virtual network.

Which option you choose depends on various considerations, such as:

  • What kind of throughput does your solution require?
  • Do you want to communicate over the public Internet via secure VPN, or over a private connection?
  • Do you have a public IP address available to use?
  • Are you planning to use a VPN device? If so, is it compatible?
  • Are you connecting just a few computers, or do you want a persistent connection for your site?
  • What type of VPN gateway is required for the solution you want to create?
  • Which gateway SKU should you use?

Site-to-Site (IPsec/IKE VPN tunnel)

A Site-to-Site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has a public IP address assigned to it and is not located behind a NAT (Network Address Translation). S2S connections can be used for cross-premises and hybrid configurations.

Site to Site VPN

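The Site-to-Site setup described above, together with the gateway type, VPN type and SKU considerations from the list earlier, as an added Azure PowerShell (Az module) example that is not part of the original post. The resource names, address ranges, the device IP 203.0.113.10 and the Key Vault secret are assumed placeholders.

```powershell
# Added example (not from the original post): a RouteBased Site-to-Site VPN gateway
# plus one IPsec/IKEv2 connection to an on-premises VPN device, using Azure PowerShell (Az).
# All names, address ranges, the device IP and the Key Vault secret below are assumed placeholders.
$rg       = 'rg-vpn-demo'
$location = 'westeurope'
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The gateway needs its own subnet, and that subnet must be named exactly 'GatewaySubnet'.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $gwSubnet

# Public IP for the Azure side of the tunnel.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
    -SubnetId (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id `
    -PublicIpAddressId $pip.Id

# GatewayType Vpn (not ExpressRoute); RouteBased so further sites or P2S clients can share it later.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# The on-premises device: its public (non-NATed) IP and the address space behind it.
$lng = New-AzLocalNetworkGateway -Name 'lng-datacenter' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix @('10.10.0.0/16')

# Pre-shared key pulled from Key Vault instead of being typed into the script.
$psk = Get-AzKeyVaultSecret -VaultName 'kv-vpn-demo' -Name 'lng-datacenter-psk' -AsPlainText

# Pin IKE/IPsec to strong algorithms rather than accepting whatever the device negotiates.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection -Name 'cn-hub-to-datacenter' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk -IpsecPolicies $ipsec | Out-Null

# Verify: the status moves from 'Unknown'/'Connecting' to 'Connected' once the device side is configured.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-hub-to-datacenter' -ResourceGroupName $rg).ConnectionStatus
```

The on-premises device must be configured with the matching IKE/IPsec parameters and the same pre-shared key before the connection status reaches 'Connected'.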

Multi-Site (IPsec/IKE VPN tunnel)

This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a RouteBased VPN type (known as a dynamic gateway when working with classic VNets). Because each virtual network can only have one VPN gateway, all connections through the gateway share the available bandwidth. This is often called a “multi-site” connection.

Multisite VPN

Point-to-Site (VPN over SSTP)

A Point-to-Site (P2S) VPN gateway connection allows you to create a secure connection to your virtual network from an individual client computer. P2S is a VPN connection over SSTP (Secure Socket Tunneling Protocol). P2S connections do not require a VPN device or a public-facing IP address to work. You establish the VPN connection by starting it from the client computer. This solution is useful when you want to connect to your VNet from a remote location, such as from home or a conference, or when you only have a few clients that need to connect to a VNet. P2S connections can be used with S2S connections through the same VPN gateway, as long as all the configuration requirements for both connections are compatible.

Point to Site VPN


VNet-to-VNet connections (IPsec/IKE VPN tunnel)

Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can even combine VNet-to-VNet communication with multi-site connection configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity.

The VNets you connect can be:

  • in the same or different regions
  • in the same or different subscriptions
  • in the same or different deployment models

VNet to VNet


ExpressRoute (dedicated private connection)

Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.

ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

An ExpressRoute connection does not use a VPN gateway, although it does use a virtual network gateway as part of its required configuration. In an ExpressRoute connection, the virtual network gateway is configured with the gateway type ‘ExpressRoute’, rather than ‘Vpn’.
