Azure supports different types of VPNs. Find out which one is right for you.
Checkout this video:
VPN Gateway supports point-to-site, site-to-site, and VNet-to-VNet connections. Azure supports the following VPN types: Point-to-Site (P2S) VPNs, Site-to-Site (S2S) VPNs, VNet-to-VNet (V2V) VPNs, and Multi-Site VPNs.
Policy-based VPNs (Static Routing) are the oldest type of VPN gateway. In a policy-based VPN, traffic is routed based on route tables defined in the gateway. A policy-based VPN can support multiple external IP addresses and multiple internal IP subnets. You can use a single policy-based VPN gateway to connect to multiple on-premises policies.
Typically, you use policy-based VPNs if your on-premises location has already implemented a router that you want to continue using. You might also use policy-based VPNs if you have a limited number of IP addresses available and you require more than one external IP address for your site-to-site connection. Policy-based VPN gateways require you to configure each application that will be used over the VPN connection individually.
Route-based VPNs are also called dynamic gateway VPNs. A route-based VPN uses dynamic routing, and each time a packet arrives, the route is recalculated. To support a route-based VPN, the Azure VPN gateway uses Border Gateway Protocol (BGP), which is an industry standard protocol to manage the routing information between gateways.
Because BGP is used for all route-based VPNs, including cross-premises and VNet-to-VNet configurations, you can provide site-to-site connectivity for all supported Azure regions without requiring any additional configuration at the gateway level. You need only provide the list of Azure regions that you want to connect in your configuration.
Azure supports two types of VPN clients: point-to-site (P2S) and site-to-site (S2S). P2S VPNs are useful when you have a small number of clients that need to connect to a VNet. An S2S VPN connection is useful when you need to connect a large number of on-premises clients, or when you have a gateway device that terminates the VPN connection.
SSTP (Secure Socket Tunneling Protocol) is a Microsoft proprietary protocol that uses TLS/SSL to secure point-to-point connections. The initial connection is made over HTTPS and then wrapped in an encrypted SSL tunnel. SSTP is supported on Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
IKEv2 (Internet Key Exchange version 2) is a tunneling protocol that’s used to set up virtual private network (VPN) connections. It supports many different types of devices and can run on many different types of networks, including the public Internet. IKEv2 is also considered to be more secure than other types of VPN protocols, such as PPTP and L2TP/IPsec.
IKEv2 uses a “security association” (SA) to define each security relationship between two devices. The SA contains information about the security protocols that will be used, the cryptographic keys that will be used, and other parameters.
IKEv2 can be used without encryption, but it’s usually used with the IPsec encryption protocol. IPsec is a protocol that encrypts and authenticates each packet of data that’s sent over the VPN connection. IKEv2 can also be used with other encryption protocols, such as ESP (Encapsulating Security Payload).
Layer 2 Tunneling Protocol/Internet Protocol Security (L2TP/IPsec): This is a built-in native VPN client that can be used on Windows, Mac, Linux, iOS, Android, and some routers. L2TP/IPsec uses AES-256 for encryption. It also uses the following protocols:
-IKEv2 for key exchange and authentication
-ESP for data encryption
-AH for data integrity
A site-to-site VPN lets you create a secure connection between your on-premises site and your VNet. This type of VPN is also known as a gateway-to-gateway VPN. Azure supports both policy-based and route-based VPNs.
VPN connection between two VNets is sometimes called Site-to-Site VPN. VNet-to-VNet is a VPN connection over IPsec (IKEv1 and IKEv2). It encryption all traffic between VNets and no internet gateway is required. You can have multiple VPN connections from a single VNet to multiple VNets. Such topology is supported by Azure. You can use both PolicyBased and RouteBased VPNs to build such configuration.
Point-to-site (P2S) creates a secure connection to an Azure virtual network from an individual client computer. P2S VPN connections are established over SSTP (Secure Socket Tunneling Protocol) or IKEv2. P2S connections can use either public key infrastructure (PKI) certificates or Azure AD authentication. This type of VPN connection requires a VPN device located at each client’s site.