Azure supports different types of VPNs. This article discusses the types of VPNs that you can use with Azure.
Azure supports three different types of VPNs: Point-to-Site, Site-to-Site, and VNet-to-VNet. Point-to-Site (P2S) creates a VPN connection from your computer to an Azure virtual network. Site-to-Site (S2S) creates a VPN connection between your on-premises network and an Azure virtual network. VNet-to-VNet creates a VPN connection between two Azure virtual networks.
A policy-based VPN can filter traffic by source and destination IP address, application protocol, and user. Policy-based VPNs only look at the headers of the packets to make filtering decisions and do not inspect the actual data. This type of VPN is commonly used with legacy equipment that does not support route-based VPNs. Policy-based VPNs are sometimes called filter-based or packet-filtering VPNs.
Microsoft Azure supports policy-based VPNs using the industry standard IPsec protocol. When you create a policy-based virtual network gateway, you specify a list of security rules that control traffic allowed into and out of the virtual network.
Route-based VPNs are also known as policy-based VPNs. A route-based VPN uses the routing table to determine where to route traffic. A policy is applied to an interface, and all traffic that arrives on that interface is subject to the policy. Policy-based VPNs were the only type of VPN supported by Azure’s predecessor, Windows Azure Virtual Network (WAVN).
An Azure route-based VPN gateway uses the industry standard Border Gateway Protocol (BGP) to advertise routes in the virtual network’s address space. BGP is a dynamic routing protocol that allows for automatic discovery and configuration of network paths.
Microsoft recommends using route-based VPN gateways whenever possible because they offer greater flexibility and higher performance than policy-based gateways.
Azure VPN types
Azure supports different types of VPNs. Point-to-Site (P2S) VPNs connect an individual device to Azure. Site-to-Site (S2S) VPNs connect an on-premises network to an Azure VNet. VNet-to-VNet (V2V) VPNs connect two Azure VNets. ExpressRoute circuits provide private, high-bandwidth, low-latency connectivity between Azure and your on-premises network.
Policy-based VPNs (Static Routing) were the first type of VPN supported on the Azure platform. With policy-based VPNs, traffic is filtered based on the configuration you make in your VPN gateway settings. You specify traffic filters to allow or deny traffic to your VNet resources, based on source and destination IP addresses, protocols, and port numbers. Policy-based VPN Gateways are supported only in the Classic deployment model.
Route-based VPNs (Dynamic Routing) provide a superior level of flexibility and scalability when compared to policy-based solutions. With route-based solutions, traffic is filtered by specifying Access Control Lists (ACLs). Route-based solutions use Internet Protocol Security (IPSec) encryption to protect traffic in transit across public networks. Route-based solutions are available only in the Resource Manager deployment model.
Route-based VPNs are also known as dynamic gateways in Azure. A route-based VPN gateway uses routes to determine what traffic to send through the VPN tunnel. Route-based gateways are ideal for sites that have changing IP addresses or that connect to multiple on-premises sites. The only supported type of route-based gateway is the Azure Standard Resource Manager VPN gateway.
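To make the difference between the two gateway models concrete, the following added example (not from the original article or from Azure's own code) simulates the forwarding decision of each: a policy-based gateway tunnels a packet only if its source and destination fall inside a configured traffic selector pair, while a route-based gateway accepts any source and picks the tunnel by longest-prefix match in its routing table. The prefixes, site names and selector pairs are constructed for illustration.

```python
import ipaddress

# Constructed data: policy-based gateways work from explicit traffic selectors,
# each a (local prefix, remote prefix) pair that must both match for the
# packet to be encrypted into the tunnel.
POLICY_SELECTORS = [
    ("10.1.0.0/16", "192.168.10.0/24"),  # VNet address space -> on-prem site A
]

# Constructed data: a route-based gateway uses an any-to-any selector and
# lets the routing table decide the next hop. Adding a second site is just
# another route; no selector needs to change.
ROUTE_TABLE = {
    "192.168.10.0/24": "tunnel-siteA",
    "192.168.20.0/24": "tunnel-siteB",
    "192.168.0.0/16": "tunnel-siteA",   # less specific; used only if no /24 matches
    "0.0.0.0/0": "internet",            # default route
}


def policy_based_next_hop(src: str, dst: str) -> str:
    """Return 'tunnel' if (src, dst) matches a traffic selector, else 'not-tunneled'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local_pfx, remote_pfx in POLICY_SELECTORS:
        if s in ipaddress.ip_network(local_pfx) and d in ipaddress.ip_network(remote_pfx):
            return "tunnel"
    # No selector covers this flow: the policy-based gateway never sees it as VPN traffic.
    return "not-tunneled"


def route_based_next_hop(dst: str) -> str:
    """Longest-prefix match on the routing table; the source address is irrelevant."""
    d = ipaddress.ip_address(dst)
    best_net, best_hop = None, "drop"
    for pfx, hop in ROUTE_TABLE.items():
        net = ipaddress.ip_network(pfx)
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


if __name__ == "__main__":
    # Site B is reachable only through the route-based model, because the
    # policy-based selectors were written for site A alone.
    print(policy_based_next_hop("10.1.2.3", "192.168.20.5"))  # not-tunneled
    print(route_based_next_hop("192.168.20.5"))               # tunnel-siteB
```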
Supported VPN types
Azure supports three different types of VPNs: Point-to-Site, Site-to-Site, and VNet-to-VNet. Point-to-Site VPNs are used to connect individual clients to an Azure VNet. Site-to-Site VPNs are used to connect on-premises networks to an Azure VNet. VNet-to-VNet VPNs are used to connect Azure VNets to each other.
With policy-based VPNs (static routing), policies are defined to allow or deny traffic based on the source and destination addresses, ports, and protocols. Policy-based gateways implement traffic policies by using access control lists (ACLs).
OpenVPN is an SSL VPN and as such is not compatible with a policy-based VPN gateway. Only route-based VPNs are supported.
Route-based VPNs are also known as dynamic gateway VPNs. A route-based VPN gateway uses the Routing and Remote Access Service (RRAS) to create a virtual private network (VPN) gateway service on Windows Server 2016. RRAS is a legacy technology that was originally designed before Windows Server 2012 and Windows 8. Though it has been significantly improved in recent years, RRAS is still a legacy technology.
Because of this, we don’t recommend using RRAS to create a VPN gateway unless you have an existing investment in this technology or you’re using an unsupported device. For more information, see RRAS deprecated in Windows Server 2016.