Azure supports different types of VPNs. This article discusses the types of VPNs that you can use with Azure.
Azure VPN Gateway
Azure VPN Gateway connects an Azure virtual network (VNet) to an on-premises network, or to another VNet, over encrypted tunnels that terminate on a Microsoft-managed gateway. It supports three connection types: Point-to-Site (P2S), Site-to-Site (S2S), and VNet-to-VNet.
Supported VPN types
Azure VPN Gateway supports the following VPN types:
– Point-to-Site (P2S): a P2S connection gives a single client computer access to a VNet through an encrypted tunnel to the gateway, with no on-premises VPN device in the path. It requires a VPN client on each computer (the native Windows IKEv2/SSTP client, the Azure VPN Client, or an OpenVPN client).
– Site-to-Site (S2S): an S2S connection joins an on-premises network to a VNet through an IPsec/IKE tunnel between the Azure VPN gateway and an on-premises VPN device that has a public IP address. The traffic is encrypted with Internet Protocol Security (IPsec), which is why S2S connections are also called IPsec connections. Joining one VNet to another with the same mechanism is a VNet-to-VNet connection, covered below.
– VNet peering: VNet peering connects two Azure virtual networks over the Microsoft backbone without a gateway or any other device, and it is not a VPN. Peered traffic stays on the backbone and is not wrapped in IPsec; if you specifically need an IPsec tunnel between two VNets, use a VNet-to-VNet connection instead. For more information about VNet peering, see What is VNet Peering? and Introduction to Azure Virtual Network Peering.
Point-to-Site (P2S) creates a secure connection to an Azure virtual network from an individual client computer. Both P2S and S2S terminate on the Microsoft-managed Azure VPN Gateway; the difference is what you operate on your side of the tunnel: for P2S it is the VPN client on each computer, for S2S it is the on-premises VPN device and its configuration.
With P2S, traffic is encrypted on the client before it leaves the computer and is decrypted only at the Azure VPN Gateway. Because the client initiates the tunnel outbound, it needs no public-facing IP address or VPN device of its own and works from behind NAT; only the gateway has a public IP address.
P2S supports the OpenVPN, SSTP and IKEv2/IPsec protocols, and authenticates clients with certificates, with Microsoft Entra ID (formerly Azure AD, OpenVPN protocol only), or against a RADIUS server. RADIUS is also the route by which two-factor authentication, including Microsoft Azure Multi-Factor Authentication, is applied to P2S logons.
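Certificate-authenticated P2S as described above, shown as an added example with the Az PowerShell module; this is not code from the original article or from Microsoft's documentation. The resource group, gateway name, address pool, file name and user name are placeholders, and the gateway is assumed to already exist as a RouteBased gateway on a non-Basic SKU (the Basic SKU supports SSTP only).

```powershell
# Added example, not from the original article: certificate-based P2S on an
# existing RouteBased gateway. Names below are placeholders.
$rg     = 'rg-vpn-demo'
$gwName = 'vpngw-hub'

# 1. Root certificate for the P2S trust chain. Only its PUBLIC certificate is
#    uploaded to Azure; the private key signs client certs and should be kept
#    offline once issuance is done.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. One client certificate per user or device, chained to the root.
#    1.3.6.1.5.5.7.3.2 is the Client Authentication EKU; without it the
#    gateway rejects the certificate.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' -KeySpec Signature `
    -Subject 'CN=alice@example.com' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Configure the client address pool and protocols, then upload the root's
#    public data (DER encoded, base64) so the gateway trusts certs it signed.
#    IKEv2 uses UDP 500/4500; OpenVPN on Azure uses TCP 443.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool '172.16.201.0/24' `
    -VpnClientProtocol IkeV2, OpenVPN | Out-Null
$rootPublic = [Convert]::ToBase64String($root.RawData)
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
    -PublicCertData $rootPublic -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg | Out-Null

# 4. Revocation is per client thumbprint, so record it at issuance time.
#    To revoke later:
#    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'alice' `
#        -Thumbprint $client.Thumbprint -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg
"Client thumbprint: $($client.Thumbprint)"

# 5. Hand the client cert (with its private key) to the user as a
#    password-protected PFX, and fetch the gateway's client configuration package.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath '.\alice-p2s.pfx' `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null
$pkg = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod EapTls
"Client configuration download: $($pkg.VpnProfileSASUrl)"
```

Run it in an elevated PowerShell session with the Az module installed and after `Connect-AzAccount`. The point of the structure is that the root private key is the real secret: anyone holding it can mint a client certificate the gateway will accept, so issue client certificates from a controlled workstation and revoke by thumbprint rather than re-issuing the root.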
The Azure VPN gateway supports three VPN types: Site-to-Site, Point-to-Site, and VNet-to-VNet. The Site-to-Site type creates a VPN connection between an Azure gateway and an on-premises VPN device. The Point-to-Site type creates a VPN connection from an individual computer to an Azure gateway. The VNet-to-VNet type creates an IPsec/IKE tunnel between the gateways of two virtual networks in Azure, which can be in different regions or subscriptions.
VNet-to-VNet is the simplest type to set up, because both ends are Azure gateways and no on-premises device is involved. VNets can be connected in both the Azure Resource Manager deployment model and the Classic deployment model. The figure below shows two VNets connected using the Resource Manager deployment model. For a VNet-to-VNet connection you create a virtual network gateway in each VNet, then a connection object on each gateway that points at the other, both using the same shared key.
![Image result for Azure VPN Gateway](https://i.imgur.com/5A6sCsg.png)
With a VNet-to-VNet connection the traffic is routed through the two VPN gateways, so throughput is bounded by the gateway SKU you pick for each end rather than by any hardware choice; if you need no encryption and no gateway at all, VNet peering (above) is the lighter option. ExpressRoute is different again: it is a private circuit from your on-premises network into Microsoft's network that does not use the public internet, so it offers higher bandwidth, more predictable latency and better reliability than an internet-based VPN. Several VNets can be linked to one circuit and can reach each other through it, although Microsoft recommends peering or VNet-to-VNet for traffic between VNets rather than hairpinning it through the circuit. Note that ExpressRoute private peering traffic is not encrypted by default; if you need confidentiality on the circuit, run an IPsec tunnel over it or use MACsec on ExpressRoute Direct.
ExpressRoute connectivity is available at ExpressRoute peering locations in the Azure public and Azure Government clouds; not every Azure region has a peering location, so check the ExpressRoute locations article for the one closest to your sites. Microsoft has said it plans to add ExpressRoute connectivity to Azure Private Cloud locations in the future.
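The two-sided VNet-to-VNet setup described above, as an added example (not the article's own code) using the Az PowerShell module. Both gateways are assumed to already exist as RouteBased gateways; their names and resource groups are placeholders.

```powershell
# Added example, not from the original article: connect two existing RouteBased
# VPN gateways in different VNets (they may be in different regions).
$hubRg   = 'rg-vpn-demo'
$spokeRg = 'rg-spoke-demo'
$hub   = Get-AzVirtualNetworkGateway -Name 'vpngw-hub'   -ResourceGroupName $hubRg
$spoke = Get-AzVirtualNetworkGateway -Name 'vpngw-spoke' -ResourceGroupName $spokeRg

# One pre-shared key, 256 bits from the OS RNG, used by BOTH directions.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)

# A VNet-to-VNet tunnel is two connection objects, one owned by each gateway.
# Create only one, or use different keys, and the status stays "NotConnected".
New-AzVirtualNetworkGatewayConnection -Name 'hub-to-spoke' -ResourceGroupName $hubRg `
    -Location $hub.Location -VirtualNetworkGateway1 $hub -VirtualNetworkGateway2 $spoke `
    -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'spoke-to-hub' -ResourceGroupName $spokeRg `
    -Location $spoke.Location -VirtualNetworkGateway1 $spoke -VirtualNetworkGateway2 $hub `
    -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null

# Check both ends; the tunnel is usable only when both report Connected.
Get-AzVirtualNetworkGatewayConnection -Name 'hub-to-spoke' -ResourceGroupName $hubRg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
Get-AzVirtualNetworkGatewayConnection -Name 'spoke-to-hub' -ResourceGroupName $spokeRg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

The address spaces of the two VNets must not overlap, and the traffic between them counts against the throughput of the smaller gateway SKU.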
Azure VPN Gateway connects your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. "Static routing" in the older Azure terminology means a PolicyBased gateway: it negotiates IKEv1 only, supports a single S2S tunnel, cannot serve P2S clients, and is limited to the Basic SKU, so choose it only when the on-premises device cannot do route-based (VTI) IPsec. The following steps are required to configure a Site-to-Site (S2S) cross-premises connection using static routing:
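The S2S setup with static routing, worked through end to end as an added example with the Az PowerShell module (this is not the article's or Microsoft's code). Resource names, address ranges and the on-premises public IP are placeholders; 203.0.113.10 is a documentation address. The example goes one step beyond the page by also showing the route-based variant, where a pinned IPsec/IKE policy with PFS can be attached to the connection.

```powershell
# Added example, not from the original article: create an S2S cross-premises
# connection. Names, prefixes and the on-premises IP are placeholders.
$rg        = 'rg-vpn-demo'
$location  = 'westeurope'
$onPremIp  = '203.0.113.10'    # public IP of the on-premises VPN device (TEST-NET-3)
$onPremNet = '10.10.0.0/16'    # address space behind that device

# "Static routing" = PolicyBased gateway: IKEv1 only, one S2S tunnel, no P2S,
# Basic SKU only. Use 'RouteBased' unless the on-premises device cannot do
# route-based (VTI) IPsec.
$vpnType = 'PolicyBased'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The gateway must live in a subnet literally named "GatewaySubnet".
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27'
$workload = New-AzVirtualNetworkSubnetConfig -Name 'workload'      -AddressPrefix '10.0.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet, $workload

# The gateway's public IP is the peer address the on-premises device dials.
# Basic gateway SKU needs a Basic/Dynamic public IP; VpnGw SKUs need Standard/Static.
$pip = if ($vpnType -eq 'PolicyBased') {
    New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location -Sku Basic -AllocationMethod Dynamic
} else {
    New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location -Sku Standard -AllocationMethod Static
}
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $subnetId -PublicIpAddressId $pip.Id

# Gateway creation takes tens of minutes.
$sku = if ($vpnType -eq 'PolicyBased') { 'Basic' } else { 'VpnGw1' }
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType $vpnType -GatewaySku $sku

# Local network gateway: Azure's record of the on-premises side. With static
# routing these prefixes are the only traffic selectors the tunnel will carry.
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

# Pre-shared key: 256 bits from the OS RNG, never a memorable string. The same
# value goes onto the on-premises device, delivered out of band.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)

$conn = @{
    Name                   = 'cn-onprem'
    ResourceGroupName      = $rg
    Location               = $location
    VirtualNetworkGateway1 = $gw
    LocalNetworkGateway2   = $lng
    ConnectionType         = 'IPsec'
    SharedKey              = $psk
}
if ($vpnType -eq 'RouteBased') {
    # Route-based gateways accept a pinned IPsec/IKE policy instead of the
    # default proposal set. PfsGroup forces a fresh DH exchange on every rekey.
    $conn.IpsecPolicies = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup14 `
        -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
        -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000
}
New-AzVirtualNetworkGatewayConnection @conn | Out-Null

# Status reads "Connected" only after the on-premises device completes IKE.
Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus
```

Requires the Az module and a prior `Connect-AzAccount`. The on-premises device must be configured with the gateway's public IP, the VNet address space as the remote selector, and the same pre-shared key; with a policy-based gateway its IKEv1 proposal must match Azure's defaults, since a custom policy cannot be set on the Basic SKU.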
Supported VPN protocols
Azure VPN Gateway uses IPsec/IKE (IKEv1 or IKEv2) for S2S and VNet-to-VNet connections, and IKEv2, SSTP and OpenVPN for P2S connections. L2TP/IPsec and PPTP are not supported by Azure VPN Gateway. IKEv2 is the newer of the two IKE versions and is what route-based gateways negotiate; policy-based gateways negotiate IKEv1 only.
IKEv2 is the key-exchange protocol of IPsec; Windows has shipped a native IKEv2 VPN client since Windows 7 and Windows Server 2008 R2. IKEv2 provides mutual authentication of both endpoints (by certificate, pre-shared key, or EAP for user credentials), an authenticated Diffie-Hellman key exchange, encryption and integrity protection of the tunnelled data, and optional Perfect Forward Secrecy (PFS), under which every rekey performs a fresh Diffie-Hellman exchange so that compromise of one session key does not expose earlier traffic. IKEv2 also supports MOBIKE (RFC 4555), which lets a client keep its tunnel while its IP address changes, for example when roaming between Wi-Fi and cellular. For more information about IKEv2, see Internet Key Exchange Version 2 (IKEv2).
SSTP was introduced with Windows Vista SP1 and Windows Server 2008. It tunnels PPP frames inside a TLS session on TCP port 443, the same port as HTTPS, so it passes through most firewalls that allow outbound HTTPS. TLS protects the tunnelled traffic from eavesdropping and tampering. For Azure P2S, SSTP is available only on Windows clients.
When using the SSTP VPN type, consider the following:
-Because SSTP looks like outbound HTTPS, most routers and firewalls let it through without special rules.
-You should be able to connect to your Azure VPN Gateway using SSTP from almost anywhere: public hotspots, hotel or airport Wi-Fi, cellular networks, and so on.
-If you are behind a web proxy, make sure it allows TLS traffic on port 443. A proxy that intercepts and re-signs TLS will break the tunnel, because the SSTP client validates the gateway's certificate.
OpenVPN is an open-source VPN protocol that runs a TLS session to authenticate the endpoints and derive keys, then carries the tunnelled packets inside it. Its open-source design has made it one of the most widely deployed VPN protocols, with clients for Windows, macOS, Linux, Android and iOS and firmware support on many routers and other devices. On Azure, P2S OpenVPN connections use TCP port 443, and OpenVPN is the only P2S protocol with which Microsoft Entra ID authentication can be used.
There are three types of VPN connection that you can set up with Azure: Point-to-Site, Site-to-Site, and VNet-to-VNet. Each has its own benefits and drawbacks, so choose the one that matches what sits at the other end of the tunnel: an individual computer, an on-premises VPN device, or another Azure VNet.