What is VPN Gateway?
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.
What is a virtual network gateway?
A virtual network gateway is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet. Virtual network gateway VMs contain routing tables and run specific gateway services. These VMs are created when you create the virtual network gateway. You can't directly configure the VMs that are part of the virtual network gateway.
When you configure a virtual network gateway, you configure a setting that specifies the gateway type. The gateway type determines how the virtual network gateway will be used and the actions that the gateway takes. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a 'VPN gateway'. This distinguishes it from an ExpressRoute gateway, which uses a different gateway type. A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway. For more information, see Gateway types.
Creating a virtual network gateway can take up to 45 minutes to complete. When you create a virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the settings that you specify. After you create a VPN gateway, you can create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site). You can also create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2, or SSTP), which lets you connect to your virtual network from a remote location, such as from a conference or from home.
Configuring a VPN Gateway
A VPN gateway connection relies on multiple resources that are configured with specific settings. Most of the resources can be configured separately, although some resources must be configured in a certain order.
It's important to know that there are different configurations available for VPN gateway connections. You need to determine which configuration best fits your needs. For example, Point-to-Site, Site-to-Site, and coexisting ExpressRoute/Site-to-Site connections all have different instructions and configuration requirements. For information about design and to view connection topology diagrams, see Design.
The following table can help you decide the best connectivity option for your solution.
|Azure Supported Services||Cloud Services and Virtual Machines||Cloud Services and Virtual Machines||Services list|
|Typical Bandwidths||Based on the gateway SKU||Typically < 1 Gbps aggregate||50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps|
|Protocols Supported||Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec||IPsec||Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS,...)|
|Routing||RouteBased (dynamic)||We support PolicyBased (static routing) and RouteBased (dynamic routing VPN)||BGP|
|Connection resiliency||active-passive||active-passive or active-active||active-active|
|Typical use case||Secure access to Azure virtual networks for remote users||Dev / test / lab scenarios and small to medium scale production workloads for cloud services and virtual machines||Access to all Azure services (validated list), Enterprise-class and mission critical workloads, Backup, Big Data, Azure as a DR site|
|Technical Documentation||VPN Gateway Documentation||VPN Gateway Documentation||ExpressRoute Documentation|
|FAQ||VPN Gateway FAQ||VPN Gateway FAQ||ExpressRoute FAQ|
The settings that you chose for each resource are critical to creating a successful connection. For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings. The article contains information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you may want to consider.
You can start out creating and configuring resources using one configuration tool, such as the Azure portal. You can later decide to switch to another tool, such as PowerShell, to configure additional resources, or modify existing resources when applicable. Currently, you can't configure every resource and resource setting in the Azure portal. The instructions in the articles for each connection topology specify when a specific configuration tool is needed.
When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.
- For more information about gateway SKUs, including supported features, production and dev-test, and configuration steps, see the VPN Gateway Settings - Gateway SKUs article.
- For Legacy SKU information, see Working with Legacy SKUs.
Gateway SKUs by tunnel, connection, and throughput
|Generation1||Basic||Max. 10||Max. 128||Not Supported||100 Mbps||Not Supported|
|Generation1||VpnGw1||Max. 30*||Max. 128||Max. 250||650 Mbps||Supported|
|Generation1||VpnGw2||Max. 30*||Max. 128||Max. 500||1 Gbps||Supported|
|Generation1||VpnGw3||Max. 30*||Max. 128||Max. 1000||1.25 Gbps||Supported|
|Generation2||VpnGw2||Max. 30*||Max. 128||Max. 500||1.25 Gbps||Supported|
|Generation2||VpnGw3||Max. 30*||Max. 128||Max. 1000||2.5 Gbps||Supported|
|Generation2||VpnGw4||Max. 30*||Max. 128||Max. 5000||5 Gbps||Supported|
|Generation2||VpnGw5||Max. 30*||Max. 128||Max. 10000||10 Gbps||Supported|
(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.
The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.
These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
On a single tunnel a maximum of 1 Gbps throughput can be achieved. Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact a S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.
To help our customers understand the relative performance of SKUs using different algorithms, we used publicly available iPerf and CTSTraffic tools to measure performances. The table below lists the results of performance tests for Generation 1, VpnGw SKUs. As you can see, the best performance is obtained when we used GCMAES256 algorithm for both IPsec Encryption and Integrity. We got average performance when using AES256 for IPsec Encryption and SHA256 for Integrity. When we used DES3 for IPsec Encryption and SHA256 for Integrity we got lowest performance.
|Packets per second
AES256 & SHA256
DES3 & SHA256
AES256 & SHA256
DES3 & SHA256
AES256 & SHA256
DES3 & SHA256
You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page.
Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. Cost of an active-active setup is the same as active-passive.
Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.
- If you are sending traffic to your on-premises VPN device, it will be charged with the Internet egress data transfer rate.
- If you are sending traffic between virtual networks in different regions, the pricing is based on the region.
- If you are sending traffic only between virtual networks that are in the same region, there are no data costs. Traffic between VNets in the same region is free.
For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.
For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.