Choosing the right VPN gateway is critical. Sharon outlines the differences between the gateways, a policy or route based gateway, including the number of connections supported, authentication method
- [Instructor] Azure VPN gateways are services that are used to send traffic between your virtual networks and your on-premise environments. The gateway you choose will, for the most part, be based on the type of connection you want or need to make to your on-premise environment. You can either use an ExpressRoute gateway or a VPN gateway, which will enable you to configure site to site and point to site connectivity to your on-premise environments. Let's first take a look at the ExpressRoute gateway SKUs. We'll also look at the corresponding throughput for each SKU, and whether or not the ExpressRoute gateway can coexist with the gateway VPN.
We have four SKUs to choose from. There is the basic SKU, which allows for 500 megabits per second of throughput. This is the only SKU that cannot coexist with a gateway VPN. Next we have the standard SKU, for 1000 megabits per second of throughput. The high performance SKU can handle 2000 megabits per second, and the ultra performance, in which you can achieve a whopping 10,000 megabits of throughput per second. Now, let's compare that to the VPN gateway SKUs.
And this may be a little disappointing after seeing the ExpressRoute options, but if ExpressRoute is not available to you either due to your location or cost, the VPN gateways are a great option. One thing to note here. Besides the throughput, you will also need to look at the maximum number of tunnels that is supported. If you need more than 10 tunnels, then your choice is very clear. You need the high performance SKU. And again, the basic SKU cannot coexist with the ExpressRoute gateways. The next consideration for your VPN gateway is to determine if you're going to be using a policy-based VPN or a route-based VPN.
The policy-based VPN encrypts and forwards based on policies. An easy way to remember policy-based is to think of an access control list. It is only available in the basic SKU of site to site VPNs for very specific configurations. And only one tunnel is supported using the policy-based VPN. For those of you who have seen the classic portal or may still be using it, we refer to these as static routing gateways in the classic model. Next, we have our route-based VPNs.
A routing table or IP forwarding is used to direct the packets. The tunnel interfaces encrypt and decrypt the packets, and these can coexist with point to site. And you'll be happy to know that this route-based VPN is required by most VPN gateways. We do not too often see the policy-based VPN for a gateway. And we've previously referred to these as dynamic routing gateways in that classic portal. Now that we have an understanding of the VPN gateways, your next step is to choose the right one.
Remember, I keep saying it, Azure implementation is all about planning. And these charts will help you make the right choice. The policy-based VPN is only available in a site to site connection, and again, it's not too often we see it. For a site to site connection that requires more than 10 tunnels, you are looking at a route-based high performance VPN. And remember that policy-based VPN is not supported in the point to site scenario. Next is your authentication method. When you're using a site to site connection, it will always be a pre-shared key, and in the point to site, with the exception of that policy-based VPN, which is not allowed in the point to site, it will always be a certificate.
And if you need active routing support or border gateway protocol, BGP, then you will again be looking at the route-based standard VPN. I know there is a lot to think about when planning your VPN gateway. You will need to look at your requirements, and then choose the gateway that best meets your needs. I would like to point out that you cannot change your gateway VPN after it has been created. In the words of Grail Knight from Indiana Jones, choose wisely. But to ease your mind from my experience, most implementations use standard route-based VPN as minimum.
- Creating an Azure virtual network
- Creating a virtual network using PowerShell
- Deploying a VM into a virtual network
- Modifying IP addresses
- Working with Azure DNS
- Configuring NSGs
- Setting up load balancers
- Configuring Azure load balancers
- Creating an application gateway
- Setting up on-premises connectivity
- Adding gateway VPNs
- Validating VPN devices
- Configuring VNet
- Creating site connections