Learn difference between the Azure VPN Gateway SKUs. Policy-based and route-based VPNs are also discussed including the requirements and limitations of each.
- [Instructor] VPN gateways connect our Azure virtual networks to other virtual networks and to our on-premises environments. In Azure we have three SKUs that we can choose from. We have the basic SKU, which supports policy-based VPNs only. And you'll see in a moment that this can be a very limiting factor. We have our standard SKU and finally we have our high performance SKU. The high performance SKU is the only SKU that supports active-to-active site-to-site VPN connections.
The basic and standard SKUs only support active-to-passive site-to-site VPN connections. Now that we've determined that we have three SKUs we can choose from, now we have two VPN types to work with. We have a policy-based and a route-based. Let's go ahead and examine the policy-based VPN first. The policy-based VPN will encrypt and forward traffic based on policies. I like to think of a policy-based VPN akin to an access control list. You will only find the policy-based VPN in a basic SKU.
And you can only use it for site-to-site. It will not work with point-to-site connections. There are very specific configurations when you go to configure a policy-based VPN, and the policy-based VPN will support only one tunnel. If you're familiar with the classic portal of Azure, or ASM as it was also referred to, policy-based VPNs would have been known as static routing gateways. Now, let's go ahead and take a look at the route-based VPN. And typically, this will be what you'll use.
Traffic is routed based on a routing table or IP forwarding. The tunnel interfaces encrypt and decrypt the traffic. A route-based VPN will coexist with a point-to-site. Remember the policy-based VPN could not coexist with the point-to-site. Our route-based VPNs are required by most VPN gateways, and these were previously referred to as dynamic routing gateways in the older portal. Now, let's compare the VPN gateway SKUs. Our basic SKUs have a throughput of 100 megabits per second, and our maximum number of IPsec tunnels, and again this has to be route-based only, is 10.
And the basic SKU cannot coexist with ExpressRoute. Next, our standard SKUs also support up to 100 megabits per second and 10 IPsec tunnels, but the standard SKU can coexist with ExpressRoute. And finally, we have that high performance SKU. Here 200 megabits per second is supported. We can have up to 30 IPsec tunnels and yes, it will coexist with ExpressRoute. Next, we have the maximum number of connections. Let's first take a look at our site-to-site.
We've already talked about the policy-based VPN: only one connection is allowed. As soon as you move into the route-based you move up to 10, and if you use a route-based high performance VPN, you can have up to 30 connections. And at our point-to-site, we've already said that policy-based basic VPNs are not supported in our point-to-site. Otherwise, the maximum number of connections we can have is 128. Next, let's take a quick look at our authentication methods between a point-to-site and a site-to-site.
For our site-to-site, it's pre-shared key all across the board. And our point-to-site, it'll be a certificate except for that policy-based VPN, again point-to-site is not supported in that policy-based VPN. And finally, we've been talking about the connections themselves, but what about the VPN devices? For a site-to-site connection you will require a VPN device. Microsoft does have a list of validated VPN devices. I would highly recommend that you check this list, prior to deploying.
The key things on this list that you are going to look for are the minimum OS version of the device itself. Please make sure that your device meets that minimum OS version. And refer to the configuration instructions to ensure that the device is being configured correctly. And finally, my piece of advice here: always back up your VPN device before you make any changes to it. If something were to go wrong while configuring your site-to-site connection, you need to be able to fall back to a working configuration.
As always, the key to Azure is the planning. Determine what your connectivity requirements are and then choose the VPN gateway that meets your needs.
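The planning step the instructor closes on can be written down as a check: take the connectivity requirements and test them against the SKU and VPN-type limits the lesson lists (policy-based only on Basic, site-to-site only, one tunnel; route-based 10 tunnels on Basic and Standard and 30 on High Performance; 128 point-to-site connections; active-active only on High Performance; Basic cannot coexist with ExpressRoute). The script below is an added example written for this page, not course material or Azure's own tooling; the figures are the ones stated in the transcript, and the `Requirements` fields and the `HighPerformance` label are assumptions of this example.

```python
"""Added example: check a set of connectivity requirements against the
VPN gateway SKU / VPN-type limits described in the lesson. Numbers are
the transcript's figures, not a live Azure limits table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirements:
    """Assumed shape of a planning request (example-only field names)."""
    site_to_site_tunnels: int = 0          # number of S2S tunnels/connections needed
    point_to_site_clients: int = 0         # number of P2S client connections needed
    active_active: bool = False            # need active-active S2S
    coexist_with_expressroute: bool = False
    prefer_policy_based: bool = False      # asked for a policy-based (static routing) VPN


# sku -> (max route-based IPsec tunnels, throughput Mbps,
#         coexists with ExpressRoute, supports active-active)
SKUS = {
    "Basic": (10, 100, False, False),
    "Standard": (10, 100, True, False),
    "HighPerformance": (30, 200, True, True),
}
POINT_TO_SITE_MAX = 128
POLICY_BASED_MAX_TUNNELS = 1


def policy_based_blockers(req):
    """Reasons a policy-based VPN (Basic SKU only) cannot meet the request."""
    reasons = []
    if req.point_to_site_clients:
        reasons.append("policy-based VPN does not support point-to-site")
    if req.site_to_site_tunnels > POLICY_BASED_MAX_TUNNELS:
        reasons.append("policy-based VPN supports only one tunnel")
    if req.active_active:
        reasons.append("only the high performance SKU supports active-active")
    if req.coexist_with_expressroute:
        reasons.append("the basic SKU cannot coexist with ExpressRoute")
    return reasons


def choose_gateway(req):
    """Return (sku, vpn_type) for the smallest SKU that satisfies the
    request, or raise ValueError listing every limit that was exceeded."""
    problems = []
    if req.point_to_site_clients > POINT_TO_SITE_MAX:
        problems.append(f"point-to-site limit is {POINT_TO_SITE_MAX} connections")

    if req.prefer_policy_based:
        problems.extend(policy_based_blockers(req))
        if problems:
            raise ValueError("; ".join(problems))
        return ("Basic", "PolicyBased")

    # Route-based: walk the SKUs from smallest to largest and take the
    # first one whose tunnel count, ExpressRoute and active-active support
    # all fit (P2S is supported on every route-based SKU, up to the limit).
    for sku, (max_tunnels, _mbps, er_ok, aa_ok) in SKUS.items():
        if (req.site_to_site_tunnels <= max_tunnels
                and (er_ok or not req.coexist_with_expressroute)
                and (aa_ok or not req.active_active)):
            if problems:
                raise ValueError("; ".join(problems))
            return (sku, "RouteBased")

    problems.append("no route-based SKU supports "
                    f"{req.site_to_site_tunnels} site-to-site tunnels")
    raise ValueError("; ".join(problems))


if __name__ == "__main__":
    # Constructed sample requests to show the decision path.
    for req in (
        Requirements(site_to_site_tunnels=1, prefer_policy_based=True),
        Requirements(site_to_site_tunnels=4, point_to_site_clients=40),
        Requirements(site_to_site_tunnels=4, coexist_with_expressroute=True),
        Requirements(site_to_site_tunnels=2, active_active=True),
        Requirements(site_to_site_tunnels=2, point_to_site_clients=5,
                     prefer_policy_based=True),
    ):
        try:
            print(req, "->", choose_gateway(req))
        except ValueError as e:
            print(req, "-> not possible:", e)
```

The policy-based branch is where the instructor's "very limiting factor" shows up in practice: a single extra tunnel or any point-to-site requirement knocks it out, and the error message lists every limit at once so the requirements can be revised in one pass rather than one failed deployment at a time.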