About Azure VPN Gateway (2024)

Article
07/23/2024

Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. VPN Gateway uses a specific type of Azure virtual network gateway called a VPN gateway. Multiple connections can be created to the same VPN gateway. When you create multiple connections, all VPN tunnels share the available gateway bandwidth.

Why use VPN Gateway?

Here are some of the key scenarios for VPN Gateway:

Send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. You can do this by using the following types of connections:
- Site-to-site connection: A cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device.
- Point-to-site connection: VPN over OpenVPN, IKEv2, or SSTP. This type of connection lets you connect to your virtual network from a remote location, such as from a conference or from home.
  See Also
  What is a VPN Gateway? How It Works & Benefits | NinjaOne VPN gateways | Google Cloud VMware Engine Documentation VPN Gateway - Virtual Networks | Microsoft Azure how to setup a basic vpn - Microsoft Q&A
Send encrypted traffic between virtual networks. You can do this by using the following types of connections:
- VNet-to-VNet: An IPsec/IKE VPN tunnel connection between the VPN gateway and another Azure VPN gateway that uses a VNet-to-VNet connection type. This connection type is designed specifically for VNet-to-VNet connections.
- Site-to-site connection: An IPsec/IKE VPN tunnel connection between the VPN gateway and another Azure VPN gateway. This type of connection, when used in the VNet-to-VNet architecture, uses the Site-to-site (IPsec) connection type, which allows cross-premises connections to the gateway in addition connections between VPN gateways.
Configure a site-to-site VPN as a secure failover path for ExpressRoute. You can do this by using:
- ExpressRoute + VPN Gateway: A combination of ExpressRoute + VPN Gateway connections (coexisting connections).
Use site-to-site VPNs to connect to sites that aren't connected through ExpressRoute. You can do this with:
- ExpressRoute + VPN Gateway: A combination of ExpressRoute + VPN Gateway connections (coexisting connections).

Planning and design

Because you can create multiple connection configurations using VPN Gateway, you need to determine which configuration best fits your needs. Point-to-site, site-to-site, and coexisting ExpressRoute/site-to-site connections all have different instructions and resource configuration requirements.

See the VPN Gateway topology and design article for design topologies and links to configuration instructions. The following sections of the article highlight some of the design topologies that are most often used.

Planning table

The following table can help you decide the best connectivity option for your solution.

	Point-to-Site	Site-to-Site
Azure Supported Services	Cloud Services and Virtual Machines	Cloud Services and Virtual Machines
Typical Bandwidths	Based on the gateway SKU	Typically < 10 Gbps aggregate
Protocols Supported	Secure Sockets Tunneling Protocol (SSTP), OpenVPN, and IPsec	IPsec
Routing	RouteBased (dynamic)	We support PolicyBased (static routing) and RouteBased (dynamic routing VPN)
Connection resiliency	active-passive or active-active	active-passive or active-active
Typical use case	Secure access to Azure virtual networks for remote users	Dev, test, and lab scenarios and small to medium scale production workloads for cloud services and virtual machines
SLA	SLA	SLA
Pricing	Pricing	Pricing
Technical Documentation	VPN Gateway	VPN Gateway
FAQ	VPN Gateway FAQ	VPN Gateway FAQ

Availability Zones

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. See About zone-redundant virtual network gateways in Azure Availability Zones.

Configuring VPN Gateway

A VPN gateway connection relies on multiple resources that are configured with specific settings. In some cases, resources must be configured in a certain order. The settings that you chose for each resource are critical to creating a successful connection.

For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings and About gateway SKUs. These articles contain information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you might want to consider.

For design diagrams and links to configuration articles, see the VPN Gateway topology and design article.

Gateway SKUs

When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For more information about gateway SKUs, including supported features, performance tables, configuration steps, and production vs. dev-test workloads, see About gateway SKUs.

VPN Gateway Generation	SKU	S2S/VNet-to-VNet Tunnels	P2S SSTP Connections	P2S IKEv2/OpenVPN Connections	Aggregate Throughput Benchmark	BGP	Zone-redundant	Supported Number of VMs in the Virtual Network
Generation1	Basic	Max. 10	Max. 128	Not Supported	100 Mbps	Not Supported	No	200
Generation1	VpnGw1	Max. 30	Max. 128	Max. 250	650 Mbps	Supported	No	450
Generation1	VpnGw2	Max. 30	Max. 128	Max. 500	1 Gbps	Supported	No	1300
Generation1	VpnGw3	Max. 30	Max. 128	Max. 1000	1.25 Gbps	Supported	No	4000
Generation1	VpnGw1AZ	Max. 30	Max. 128	Max. 250	650 Mbps	Supported	Yes	1000
Generation1	VpnGw2AZ	Max. 30	Max. 128	Max. 500	1 Gbps	Supported	Yes	2000
Generation1	VpnGw3AZ	Max. 30	Max. 128	Max. 1000	1.25 Gbps	Supported	Yes	5000

Generation2	VpnGw2	Max. 30	Max. 128	Max. 500	1.25 Gbps	Supported	No	685
Generation2	VpnGw3	Max. 30	Max. 128	Max. 1000	2.5 Gbps	Supported	No	2240
Generation2	VpnGw4	Max. 100*	Max. 128	Max. 5000	5 Gbps	Supported	No	5300
Generation2	VpnGw5	Max. 100*	Max. 128	Max. 10000	10 Gbps	Supported	No	6700
Generation2	VpnGw2AZ	Max. 30	Max. 128	Max. 500	1.25 Gbps	Supported	Yes	2000
Generation2	VpnGw3AZ	Max. 30	Max. 128	Max. 1000	2.5 Gbps	Supported	Yes	3300
Generation2	VpnGw4AZ	Max. 100*	Max. 128	Max. 5000	5 Gbps	Supported	Yes	4400
Generation2	VpnGw5AZ	Max. 100*	Max. 128	Max. 10000	10 Gbps	Supported	Yes	9000

(*) If you need more than 100 S2S VPN tunnels, use Virtual WAN instead of VPN Gateway.

Pricing

You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page. For legacy gateway SKU pricing, see the ExpressRoute pricing page and scroll to the Virtual Network Gateways section.

Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. Cost of an active-active setup is the same as active-passive. For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.

Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.

If you're sending traffic to your on-premises VPN device, it will be charged with the Internet egress data transfer rate.
If you're sending traffic between virtual networks in different regions, the pricing is based on the region.
If you're sending traffic only between virtual networks that are in the same region, there are no data costs. Traffic between VNets in the same region is free.

What's new in VPN Gateway?

Azure VPN Gateway is updated regularly. To stay current with the latest announcements, see the What's new? article. The article highlights the following points of interest:

Recent releases
Previews underway with known limitations (if applicable)
Known issues
Deprecated functionality (if applicable)

You can also subscribe to the RSS feed and view the latest VPN Gateway feature updates on the Azure Updates page.

FAQ

For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.

Next steps

Tutorial: Create and manage a VPN Gateway.
Learn module: Introduction to Azure VPN Gateway.
Learn module: Connect your on-premises network to Azure with VPN Gateway.
Subscription and service limits.

FAQs

What is the purpose of Azure VPN gateway? ›

Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

Read On ›

Which statement regarding Azure VPN gateway is true? ›

Answer: The statement "the gateway connects an Azure VNet to an on-premises network" is true. Explanation: The statement "The gateway connects an Azure VNet to an on-premises network" is true regarding an Azure VPN Gateway.

Discover More Details ›

What would you use a VPN gateway for? ›

VPN gateways are relevant for businesses because they provide secure access to company resources from remote locations. They facilitate encrypted connections between a company's private network and remote users or sites, ensuring data security and integrity.

What is the difference between application gateway and VPN gateway in Azure? ›

Application Gateway is a Layer 7 load balancing service with advanced features like SSL termination. It's used to route client requests to your applications. Virtual Network Gateway is a VPN gateway for point-to-site (user) and site-to-site (office/datacenter) VPN connections to your own Azure VNETs.

See Details ›

What is Azure gateway used for? ›

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI Layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.

Find Out More ›

What is the difference between Azure VPN gateway and virtual WAN? ›

How is Virtual WAN different from an Azure virtual network gateway? A virtual network gateway VPN is limited to 100 tunnels. For connections, you should use Virtual WAN for large-scale VPN. You can connect up to 1,000 branch connections per virtual hub with aggregate of 20 Gbps per hub.

Tell Me More ›

What is the difference between a VPN and a VPN gateway? ›

A VPN gateway is a network device that creates secure connections over the internet. Find out how they work and what benefits they offer to small and medium enterprises. Virtual private networks (VPN) are popular solutions for protecting the identity of users and business data online.

Show Me More ›

What are the three major uses of a VPN? ›

Prevent ISP and third-party tracking

By routing to a remote VPN server instead of your ISP's servers, a VPN masks your IP address, prevents ISP tracking, and keeps your personal data private.

Explore More ›

What does VPN gateway mean? ›

A VPN gateway is a networking device that connects other devices and networks into a single VPN infrastructure. It can be used to establish communication between remote offices, connect two networks or devices together, and even combine multiple VPNs together into a single network.

How do I connect to Azure VPN gateway? ›

To add a connection, go to the VPN gateway and then select Connections to open the Connections page. Select + Add to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to another virtual network gateway) or site-to-site.

Show Me More ›

How long does it take for Azure VPN gateway to deploy? ›

If the Azure VPN Gateway is deployed it is "running" 24 hours / 7days. The only option is to create/delete the VPN Gateway automatically with a script. But deploying a new VPN Gateway needs about 30-45 minutes for deployment.

Read The Full Story ›

Can I stop Azure VPN gateway? ›

Delete a VPN gateway by deleting the resource group

In All resources, locate the resource group and click to open the page. Click Delete.

See Details ›

What is the main purpose of API gateway? ›

An API gateway manages incoming requests and routes them based on key factors such as request path, headers, and query parameters, among others. It allows for efficient distribution of traffic and ensures proper load balancing among target endpoints.

Get More Info Here ›

Why use an Azure Application Gateway? ›

Application Gateway is integrated with several Azure services. Azure Traffic Manager supports multiple-region redirection, automatic failover, and zero-downtime maintenance. Use Azure Virtual Machines, virtual machine scale sets, or the Web Apps feature of Azure App Service in your back-end pools.

Why use Azure NAT gateway? ›

NAT Gateway provides dynamic SNAT port functionality to automatically scale outbound connectivity and reduce the risk of SNAT port exhaustion. Azure NAT Gateway provides outbound connectivity for many Azure resources, including: Azure virtual machines or virtual machine scale-sets in a private subnet.

What is the difference between VPN gateway and tunnel? ›

For Classic VPN, the remote peer IP address is the external IP address of the peer VPN gateway. A VPN tunnel connects two VPN gateways and serves as a virtual medium through which encrypted traffic is passed.

View Details ›