Configure VPN gateway settings for Azure Stack Hub

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network in Azure Stack Hub and a remote VPN gateway. The remote VPN gateway can be in Azure, a device in your datacenter, or a device on another site. If there is network connectivity between the two endpoints, you can establish a secure Site-to-Site (S2S) VPN connection between the two networks.

A VPN gateway relies on the configuration of multiple resources, each of which contains configurable settings. This article describes the resources and settings that relate to a VPN gateway for a virtual network that you create in the Resource Manager deployment model. You can find descriptions and topology diagrams for each connection solution in Create VPN gateways for Azure Stack Hub.

VPN gateway settings

Gateway types

Each Azure Stack Hub virtual network supports a single virtual network gateway, which must be of the type Vpn. This support is different from Azure, which supports additional types.

When you create a virtual network gateway, you must make sure that the gateway type is correct for your configuration. A VPN gateway requires the -GatewayType Vpn flag; for example:

New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
   -Location 'China East' -IpConfigurations $gwipconfig -GatewayType Vpn `
   -VpnType RouteBased

Gateway SKUs without VPN Fast Path Enabled

When you create a virtual network gateway, you must specify the SKU that you want to use. Select the SKUs that satisfy your requirements based on the types of workloads, throughput, features, and SLAs.

You can have 10 high performance gateways or 20 basic and standard before you reach the maximum capacity.

Azure Stack Hub offers the VPN gateway SKUs shown in the following table:

SKU Max VPN Connection throughput Max # of connections per active GW VM Max # of VPN Connections per stamp
Basic 100 Mbps Tx/Rx 10 20
Standard 100 Mbps Tx/Rx 10 20
High Performance 200 Mbps Tx/Rx 5 10

Gateway SKUs with VPN Fast Path Enabled

With the release of the VPN Fast Path public preview, Azure Stack Hub supports three new SKUs with higher throughput.

New limits and throughput will be enabled once VPN Fast Path is enabled on your Azure Stack stamp.

Azure Stack Hub offers the VPN gateway SKUs shown in the following table:

SKU Max VPN Connection throughput Max # of connections per active GW VM Max # of VPN Connections per stamp
Basic 100 Mbps Tx/Rx 25 50
Standard 100 Mbps Tx/Rx 25 50
High Performance 200 Mbps Tx/Rx 12 24
VPNGw1 650 Mbps Tx/Rx 3 6
VPNGw2 1000 Mbps Tx/Rx 2 4
VPNGw3 1250 Mbps Tx/Rx 2 4

Resizing virtual network gateways SKUs

Azure Stack Hub does not support a resize from a supported legacy SKU (Basic, Standard, and HighPerformance) to a newer SKU supported by Azure (VpnGw1, VpnGw2, and VpnGw3).

New virtual network gateways and connections must be created in order to use the new SKUs enabled by VPN Fast Path.

Configure the virtual network gateway SKU

Azure Stack Hub portal

If you use the Azure Stack Hub portal to create a virtual network gateway, the SKU can be selected using the dropdown list. The new VPN Fast Path SKUs (VpnGw1, VpnGw2, VpnGw3) will only be visible after adding the query parameter "?azurestacknewvpnskus=true" to the URL and refreshing.

The following URL example makes the new virtual network gateway SKUs visible in the Azure Stack Hub user portal:

https://portal.local.azurestack.local/?azurestacknewvpnskus=true

Before creating these resources, the operator must have enabled VPN Fast Path on the Azure Stack Hub stamp. For more information, see VPN Fast Path for operators.

Azure VNG new SKUs

PowerShell

The following PowerShell example specifies the -GatewaySku parameter as Standard:

New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
   -Location 'China East' -IpConfigurations $gwipconfig -GatewaySku Standard `
   -GatewayType Vpn -VpnType RouteBased

Connection types

In the Resource Manager deployment model, each configuration requires a specific virtual network gateway connection type. The available Resource Manager PowerShell values for -ConnectionType are IPsec.

In the following PowerShell example, a S2S connection is created that requires the IPsec connection type:

New-AzVirtualNetworkGatewayConnection -Name localtovon -ResourceGroupName testrg `
   -Location 'China East' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
   -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'

VPN types

When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose depends on the connection topology that you want to create. A VPN type can also depend on the hardware that you're using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.

Important

Currently, Azure Stack Hub only supports the route-based VPN type. If your device only supports policy-based VPNs, then connections to those devices from Azure Stack Hub are not supported.

In addition, Azure Stack Hub does not support using policy-based traffic selectors for route-based gateways at this time, because Azure Stack Hub does not support policy-based traffic selectors, although they are supported in Azure.

  • PolicyBased: Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies that are configured with the combinations of address prefixes between your on-premises network and the Azure Stack Hub VNet. The policy, or traffic selector, is usually an access list in the VPN device configuration.

    Note

    PolicyBased is supported in Azure, but not in Azure Stack Hub.

  • RouteBased: Route-based VPNs use routes that are configured in the IP forwarding or routing table to direct packets to their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy, or traffic selector, for RouteBased VPNs are configured as any-to-any (or use wild cards). By default, they cannot be changed. The value for a RouteBased VPN type is RouteBased.

The following PowerShell example specifies the -VpnType as RouteBased. When you create a gateway, you must make sure that the -VpnType is correct for your configuration.

New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
   -Location 'China East' -IpConfigurations $gwipconfig `
   -GatewayType Vpn -VpnType RouteBased

Virtual network gateways supported configurations when VPN Fast Path is not enabled

SKU VPN Type Connection type Active Routing support (BGP) Remote endpoint NAT-T Enabled
Basic VNG SKU Route-based VPN IPSec Pre-shared key Not Supported Not required
Standard VNG SKU Route-based VPN IPSec Pre-shared key Supported, up to 150 routes Not required
High-Performance VNG SKU Route-based VPN IPSec Pre-shared key Supported, up to 150 routes Not required

Virtual network gateways supported configurations when VPN Fast Path is enabled

SKU VPN Type Connection type Active routing support (BGP) Remote endpoint NAT-T Enabled
Basic VNG SKU Route-based VPN IPSec Pre-shared key Not Supported Required
Standard VNG SKU Route-based VPN IPSec Pre-shared key Supported, up to 150 routes Required
High-Performance VNG SKU Route-based VPN IPSec Pre-shared key Supported, up to 150 routes Required
VPNGw1 VNG SKU Route-based VPN IPSec Pre-shared key Supported, up to 150 routes Required
VPNGw2 VNG SKU Route-based VPN IPSec Pre-shared key Supported, up to 150 routes Required
VPNGw2 VNG SKU Route-based VPN IPSec Pre-shared key Supported, up to 150 routes Required

Gateway subnet

Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet has the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway and the connection, the Gateway VM owning the connection will be linked to the gateway subnet and will be configured with the required VPN gateway settings. Don't deploy anything else (for example, additional VMs) to the gateway subnet.

Important

The gateway subnet must be named GatewaySubnet to work properly. Azure Stack Hub uses this name to identify the subnet to which to deploy the virtual network gateway VMs and services.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others. Look at the instructions for the configuration that you want to create and verify that the gateway subnet you want to create meets those requirements.

Additionally, you should make sure your gateway subnet has enough IP addresses to handle additional future configurations. Although you can create a gateway subnet as small as /29, we recommend you create a gateway subnet of /28 or larger (/28, /27, /26, and so on.) That way, if you add functionality in the future, you do not have to tear down your gateway, then delete and recreate the gateway subnet to allow for more IP addresses.

The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.

Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet can cause your VPN gateway to stop functioning as expected. For more information about network security groups, see What is a network security group?.

Local network gateways

When creating a VPN gateway configuration in Azure, the local network gateway often represents your on-premises location. In Azure Stack Hub, it represents any remote VPN device that sits outside Azure Stack Hub. This device could be a VPN device in your datacenter (or a remote datacenter), or a VPN gateway in Azure.

You give the local network gateway a name, the public IP address of the remote VPN device, and specify the address prefixes that are on the on-premises location. Azure Stack Hub looks at the destination address prefixes for network traffic, consults the configuration that you've specified for your local network gateway, and routes packets accordingly.

This PowerShell example creates a new local network gateway:

New-AzLocalNetworkGateway -Name LocalSite -ResourceGroupName testrg `
   -Location 'China East' -GatewayIpAddress '198.51.100.101' -AddressPrefix '10.5.51.0/24'

Sometimes you need to modify the local network gateway settings; for example, when you add or modify the address range, or if the IP address of the VPN device changes. For more info, see Modify local network gateway settings using PowerShell.

IPsec/IKE parameters

When you set up a VPN connection in Azure Stack Hub, you must configure the connection at both ends. If you're configuring a VPN connection between Azure Stack Hub and a hardware device such as a switch or router that is acting as a VPN gateway, that device might ask you for additional settings.

Unlike Azure, which supports multiple offers as both an initiator and a responder, Azure Stack Hub supports only one offer by default. If you need to use different IPSec/IKE settings to work with your VPN device, there are more settings available to you to configure your connection manually. For more information, see Configure IPsec/IKE policy for site-to-site VPN connections.

Important

When using the S2S tunnel, packets are further encapsulated with additional headers which increases the overall size of the packet. In these scenarios, you must clamp TCP MSS at 1350. Or, if your VPN devices do not support MSS clamping, you can alternatively set the MTU on the tunnel interface to 1400 bytes instead. For more information, see Virutal Network TCPIP performance tuning.

IKE Phase 1 (Main Mode) parameters

Property Value
IKE Version IKEv2
Diffie-Hellman Group* ECP384
Authentication Method Pre-Shared Key
Encryption & Hashing Algorithms* AES256, SHA384
SA Lifetime (Time) 28,800 seconds

IKE Phase 2 (Quick Mode) parameters

Property Value
IKE Version IKEv2
Encryption & Hashing Algorithms (Encryption) GCMAES256
Encryption & Hashing Algorithms (Authentication) GCMAES256
SA Lifetime (Time) 27,000 seconds
SA Lifetime (Kilobytes) 33,553,408
Perfect Forward Secrecy (PFS)* ECP384
Dead Peer Detection Supported

* New or changed parameter.

Next steps