A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted tunnel within another network. I will explain what is VPN Gateway and how to deploy in Azure.
Azure VPN gateways
Virtual Network Gateway is of 2 types:
- VPN Gateway
ExpressRoute is another gateway type which is most efficient and costly.If your organization uses Office 365. It wants to reduce traffic over the internet and send this traffic over a dedicated connection to Azure. Then ExpressRoute is the best choice. It’s a service that provides a direct connection from your on-premises datacenter to the Microsoft cloud. One disadvantage is it has no encrypted network communication.
I will focus VPN gateway only in this article.
If you want to setup below connections then you need VPN Gateway:
- Connect on-premises data centers to Azure virtual networks through a site-to-site connection.
- Connect individual devices to Azure virtual networks through a point-to-site connection.
- Connect Azure virtual networks to other Azure virtual networks through a network-to-network connection.
🏆 Pro Tip
You can deploy only one VPN gateway in each virtual network, but you can use one gateway to connect to multiple locations.
The main difference of these two types of
VPNs is how traffic to be encrypted is specified.
Policy-based VPN gateways specify statically the IP address of packets that should be encrypted through each tunnel.
- Support for
- Used for compatibility with legacy on-premises VPN devices.
- The source and destination of the tunneled networks are declared in the policy and don’t need to be declared in routing tables.
Rout Based VPN
With route-based gateways,
IPSec tunnels are modeled as a network interface or VTI (virtual tunnel interface). IP routing (static routes or dynamic routing protocols) decide across which one of these tunnel interfaces to send each packet.
Both types of VPN gateways (route-based and policy-based) in Azure use pre-shared key as the only method of authentication. Both types also rely on Internet Key Exchange (IKE) in either version 1 or version 2 and Internet Protocol Security (
IPSec). IKE is used to set up a security association (an agreement of the encryption) between two endpoints. This association is then passed to the
IPSec suite, which encrypts and decrypts data packets encapsulated in the VPN tunnel.
Components of VPN Gateway in Azure
You need below 6 resources to be created and configured in order to setup site-to-site connection with VPN Gateway:
- VNet: Only one VPN Gateway can be deployed in a Single VNet. While creating VNet give enough address space to accommodate future subnets.
- GatewaySubnet: You need a dedicated subnet for VPN Gateway. You have to call this as
GatewaySubnet. You can not use this subnet for other service. Make sure you give
/27address mask to make sure you have enough IP addresses for future growth. Also remember sometime you want to put 2 VPN Gateways in
Active/Activemode within this subnet in order for redundancy.
- Virtual Network Gateway: Create Virtual Network Gateway of
VPNtype. This will route the traffic from on-premise to Azure VNet and vice-versa.
- Public IP address: Create
Dynamic Public IP Addressresource. This address will only change if you delete and recreate the VPN. This IP will be internet facing and your on-premise VPN Device can point to this IP Address.
- Local Network Gateway: This is created to represent on-premise network’s configurations. This configuration includes the on-premises VPN device’s public
IPv4address and the on-premises routable networks. This information is used by the VPN gateway to route packets that are destined for on-premises networks through the
- Connection: Create a
connectionresource. Connect VPN Gateway with on-premise VPN Device IPv4 address. Connect VPN Gateway with it’s Public IP Address.
You need Physical VPN Device and a Public-Facing IPv4 address in your data center to connect to Azure resources.
Since all traffic has to go from VPN Gateway. You must think of what will happen in case of any issues. We have to work on fault tolerance.
You can use 2 VPN Gateways one in
Active/Standby and other is in
Active / Standby
On any planned maintenance or un-planned interruption affects active instance then within
90 seconds the standby gateway will become active
automatically without any human involvement. This is excellent feature.
In this mode you have to deploy
2 VPN gateways with 2
distinct IP Addresses. Then on-premise will have
2 VPN devices to connect with them. With this you see how much traffic can be distributed among these 2 gateways.
Site to Site VPN Gateway Deployment
Our goal is to create these 2 sites and connect them using vpn.
The first step is to create both sites in Azure.
Let’s create HQ-Network and Azure-VNet1 sites in Azure.
Create Azure VNet
VNet, we also create a
services subnet. You need
az network vnet create \ --resource-group learn-a6e8a4cb-44d7-4c35-b40c-9a61faff22e0 \ --name Azure-VNet-1 \ --address-prefixes 10.0.0.0/16 \ --subnet-name Services \ --subnet-prefixes 10.0.0.0/24
We need Gateway subnet to be created and for that we need
GatewaySubnet will remain under
az network vnet subnet create \ --resource-group learn-a6e8a4cb-44d7-4c35-b40c-9a61faff22e0 \ --vnet-name Azure-VNet-1 \ --address-prefixes 10.0.255.0/27 \ --name GatewaySubnet
Local Network Gateway representing Head Quarter VNet
The Local Network Gateway(LNG) is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection.
Local Network Gateway will point to gateway ip address which is the Public IP(PIP) Address of the Head Quarter Network. I will assign this ip address later once I create PIP of HQ-Network.
az network local-gateway create \ --resource-group learn-a6e8a4cb-44d7-4c35-b40c-9a61faff22e0 \ --gateway-ip-address 18.104.22.168 \ --name LNG-HQ-Network \ --local-address-prefixes 172.16.0.0/16
Similarly, you go ahead and create Site for Head Quarter Network also.
Verify Network Topology
2nd Step Create a site-to-site VPN gateway by using Azure CLI commands
We will create:
- VNet for gateway
- VPN gateways
- Public IP Address
- Create connection
Here is the hands on lab link
Thanks for reading my article till end. I hope you learned something special today. If you enjoyed this article then please share to your friends and if you have suggestions or thoughts to share with me then please write in the comment box.
Founder of Fullstack Master