Azure VPN Gateway

Natasha Ong

In a nutshell:

  • VPNs are secure, encrypted internet pathways connecting private networks for safe data transfer.
  • VPNs are super useful in scenarios like businesses, government agencies, or large organisations needing a secure way to share information.
  • Azure VPN Gateway is Azure's magic bridge for secure data transfer, offering site-to-site, point-to-site, and network-to-network connections.


Imagine you have two private networks* that need to share important information. They trust each other, but they're far away and have to communicate over the internet. The internet isn't always the safest place, with all sorts of people trying to peek at your data.

This is where Virtual Private Networks (VPNs) come to the rescue. They create a secure, encrypted pathway on the internet, so information can travel safely between networks.

*What are two private networks? What does this look like? Here are two scenarios where two private networks want to communicate with each other:

  • Two different organisations: Two separate companies, such as a law firm and an accounting firm, might want to establish a secure connection to share sensitive client information. They would set up a VPN to ensure that their data remains confidential while crossing the public internet. Some other examples: two government agencies sharing secret project information, hospitals sharing patient data with a clinic, banks sharing financial information with a loan provider, universities sharing research or student data with each other.
  • Offices in the same organisation: Within a large business, different departments or offices may run separate networks, but still need to connect with each other.

How do VPNs actually work?

  1. Connect securely: To connect securely to another network, you initiate communication to a VPN gateway from your device.
  2. Secure tunnel: The VPN verifies that you are who you are, and creates a secure tunnel to the network you are trying to connect to.
  3. Data routing: Devices in your network, such as routers and switches, help in routing data. This means they help push your data to the right destination and through the right encryption method.
  4. Data encryption: With the tunnel in place, data you send and receive is encrypted to protect it from eavesdropping or interception. This encrypted data is routed through the secure tunnel to the remote network.
  5. Reaching the other side: The VPN gateway on the other side receives and decrypts your data, then passes it on to the destination in the remote network.
  6. Two-way communication: The remote network also uses the secure tunnel to send responses back to your device. These responses are encrypted while in transit and are decrypted on your device.

Azure VPN Gateway

Azure VPN Gateway is Azure's magic bridge that lets your data cross the internet without anyone knowing what it is.

The gateway is deployed in a dedicated subnet of a virtual network, and you can use it in three main ways:

  • Site-to-site connection: connect your on-premises datacenters to the virtual network.
  • Point-to-site connection: connect individual devices to the virtual network.
  • Network-to-network connection: Connect two virtual networks together.

Some important facts

  • All data transfer is encrypted inside a private tunnel as it crosses the internet.
  • You can deploy only one VPN gateway in each virtual network.
  • You can have multiple tunnels within your single VPN gateway. Each tunnel can be thought of as a separate highway, each with its own encryption policies and destination.
  • However, you can use one gateway to connect to multiple locations, which includes other virtual networks or on-premises datacenters. This means your one gateway can be the door to multiple tunnels, and each tunnel can have its own encryption policies.

When you set up a VPN gateway, you have to choose between two VPN types:

  • In policy-based VPNs, you tell the VPN which data goes through which tunnel. You give the VPN a list of the IP addresses of all the data that will be going through the gateway, and the tunnel that they should be travelling through. The VPN simply needs to match things up!
  • In route-based VPNs, the internet itself relies on routing tables to decide which data should be encrypted and sent through the VPN. Route-based VPNs are better than policy-based VPNs when it comes to adapting to changes in the network structure (e.g. if you were to add a new subnet). This makes it the preferred connection method for on-premises devices, since on-premises networks are always going through changes when new devices or offices get added.
  • Use a route-based VPN gateway if you need any of the following types of connectivity:
      • Point-to-site connection
      • Network-to-network connection
      • Multisite connections*
      • Coexistence with an Azure ExpressRoute gateway (we'll talk about ExpressRoute in a sec!)
*Multisite connections means connecting multiple physical locations within a network to share data and resources. This is commonly used in businesses for communication and connectivity between different office locations or data centres.
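
To see why the two VPN types react differently when a subnet is added, here is a small simulation of both lookups. It is an added example, not part of the original article and not Azure's own code; every prefix and tunnel name in it is a constructed assumption.

```python
import ipaddress

# Constructed sample topology: every prefix and tunnel name is an assumption.
# Policy-based: a fixed list of (local prefix, remote prefix) pairs per tunnel.
POLICIES = [
    ("10.1.0.0/24", "192.168.10.0/24", "tunnel-hq"),
    ("10.1.0.0/24", "192.168.20.0/24", "tunnel-branch"),
]
# Route-based: a routing table mapping destination prefixes to tunnels.
ROUTES = [
    ("192.168.0.0/16", "tunnel-hq"),
    ("192.168.20.0/24", "tunnel-branch"),
]


def policy_select(src, dst, policies=POLICIES):
    """Return the tunnel whose address pair covers src AND dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, tunnel in policies:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return tunnel
    return None  # nothing on the list matched, so the packet is not tunnelled


def route_select(dst, routes=ROUTES):
    """Return the tunnel of the most specific route covering dst, else None."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), t) for p, t in routes
            if d in ipaddress.ip_network(p)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def new_subnet_demo():
    """A host in a newly added local subnet (10.1.5.0/24) talks to HQ."""
    src, dst = "10.1.5.7", "192.168.10.5"
    return {"policy": policy_select(src, dst), "route": route_select(dst)}


if __name__ == "__main__":
    print(new_subnet_demo())
    print(route_select("192.168.20.9"))
```

Until someone adds 10.1.5.0/24 to the policy list, the policy-based lookup finds no tunnel for the new host, while the route-based lookup only looks at the destination and keeps working.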

Ensuring high availability

If you're setting up a VPN to keep your information safe, let's not forget that your VPN also needs to stay available and not go down easily. Here are a few tricks to maximise the availability of your VPN gateway:

  • Active/Standby: By default, VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure. This means there are two copies of the same VPN (so you still only have one gateway in your network). If one has a problem or needs to shut down for maintenance, the other one jumps in to save the day. This means only one device (e.g. a router, firewall, or switch) is actively processing data at any time, but others are on standby. This setup is great for high availability.
      • Fun fact: unplanned disruptions usually get fixed in 90 seconds with this handy setup!
  • Active/Active: In this expert mode, you're still dealing with one VPN gateway within your network (we're not breaking any rules here!), but it can be configured to have multiple unique IP addresses. Now, multiple devices (i.e. many routers, firewalls and switches!) can connect to different IP addresses and actively process network traffic at the same time, sharing the load. This setup is great for situations where lots of data is getting exchanged.
  • ExpressRoute failover: If you're using another service called ExpressRoute (we'll talk about it in a sec), you can set up a VPN gateway as your backup if things go wrong.
  • Zone-redundant gateways: In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration. This is like having your VPN in multiple places, so if one place has a problem, the other one takes over.