Azure supports several types of VPN. You can use them to connect your on-premises network to an Azure virtual network, or to connect one Azure virtual network to another.
Introduction
Microsoft’s Azure cloud computing platform supports several virtual private network (VPN) technologies, each with its own advantages and benefits. In this article, we’ll take a closer look at the different types of VPNs supported by Azure and how they can be used to secure your cloud-based resources.
Azure supports two main types of VPNs: site-to-site VPNs and point-to-site VPNs. Site-to-site VPNs are used to connect an on-premises network to an Azure virtual network (VNet). This type of connection is often used by organizations that have existing datacenters or other physical infrastructure that they want to connect to their Azure resources. Point-to-site VPNs are used to connect individual computers or devices to an Azure VNet. This type of connection is often used by remote workers who need to connect to their organization’s Azure resources from home or other locations outside the office.
Both site-to-site and point-to-site VPNs use the industry-standard Internet Protocol Security (IPsec) protocol to encrypt traffic flowing between Azure and your on-premises or remote resources. IPsec uses a process called “tunneling” to create a secure, encrypted link between two IPsec “endpoints” – in this case, between your Azure VNet and your on-premises network or remote device.
Once the tunnel is established, traffic flowing through it is encrypted using either the Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES) algorithm. AES is the newer and more secure of the two algorithms, while 3DES is considered a legacy algorithm that is still used for backwards compatibility in some cases.
Point-to-Site VPN
With Point-to-Site VPN, you can connect to your VNets from anywhere in the world, using any device – without the need for a gateway. You can set up P2S VPNs using native Azure certificate authentication, or with Azure Active Directory authentication using RADIUS. P2S is available for the Resource Manager deployment model only.
P2S creates a secure connection to an Azure virtual network over an IPsec/IKE (IKEv2) VPN tunnel. P2S connections do not require a VPN device or a public-facing IP address at your on-premises location. You can use any device (desktop, laptop, or mobile) to create the P2S connection.
Site-to-Site VPN
Site-to-site VPNs connect entire networks to each other over a public network such as the Internet. A site-to-site VPN uses IPsec, which encrypts all traffic from one network to the other.
In a site-to-site VPN, also called an IPsec VPN, each location has its own security gateway. The security gateway at each location authenticates and encrypts traffic before it passes through the public network. The gateway at the other end of the tunnel decrypts the traffic and forwards it to its destination on the private network.
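Because each end of a site-to-site tunnel is a dedicated security gateway, the only IKE negotiation the Azure side should ever see comes from the configured on-premises gateway (IKE runs over UDP 500, UDP 4500 when NAT traversal is in use, and the encrypted payload travels as ESP, IP protocol 50). Anything else negotiating with the gateway's public address is worth an alert. The following Python snippet is an added example, not code from the article or from Microsoft: it scans a constructed, simplified flow log (timestamp, source, destination, protocol, destination port, action; not the exact Azure NSG flow-log schema) and counts IKE, NAT-T and ESP packets that reach the gateway from unexpected peers. The addresses are documentation ranges chosen for the example.

```python
"""Flag IKE / NAT-T / ESP traffic to a VPN gateway from peers that are not the
configured on-premises gateway. Added example; the log format, addresses and
function names are this example's own assumptions."""
from collections import Counter
from typing import Dict, Set, Tuple

GATEWAY_PUBLIC_IP = "203.0.113.10"   # constructed: public IP of the Azure VPN gateway
KNOWN_PEERS = {"198.51.100.7"}       # constructed: the on-premises security gateway
IKE_PORTS = {500, 4500}              # IKE (UDP 500) and NAT-T (UDP 4500)
ESP_PROTO = "50"                     # ESP is IP protocol 50 (used when no NAT-T is needed)

# Constructed sample log in a simplified CSV flow format:
# timestamp,src_ip,dst_ip,protocol,dst_port,action
SAMPLE_FLOW_LOG = """\
2024-05-01T10:00:01Z,198.51.100.7,203.0.113.10,UDP,500,A
2024-05-01T10:00:02Z,198.51.100.7,203.0.113.10,UDP,4500,A
2024-05-01T10:00:05Z,192.0.2.44,203.0.113.10,UDP,500,A
2024-05-01T10:00:06Z,192.0.2.44,203.0.113.10,UDP,500,A
2024-05-01T10:00:07Z,192.0.2.44,203.0.113.10,UDP,4500,A
2024-05-01T10:00:09Z,192.0.2.99,203.0.113.10,TCP,443,A
2024-05-01T10:00:11Z,192.0.2.45,203.0.113.10,50,0,A
"""


def parse_flow_line(line: str) -> Tuple[str, str, str, str, int]:
    """Split one flow record into (timestamp, src, dst, protocol, dst_port)."""
    ts, src, dst, proto, port, _action = line.strip().split(",")
    return ts, src, dst, proto.upper(), int(port)


def unexpected_ike_peers(log_text: str, gateway_ip: str, known_peers: Set[str]) -> Dict[str, int]:
    """Count IKE/NAT-T/ESP packets per source address that is not an expected peer.

    Only traffic addressed to the gateway is considered; packets from the known
    on-premises gateway are the normal case and are ignored.
    """
    hits: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, port = parse_flow_line(line)
        if dst != gateway_ip or src in known_peers:
            continue
        is_ike = proto == "UDP" and port in IKE_PORTS
        is_esp = proto == ESP_PROTO
        if is_ike or is_esp:
            hits[src] += 1
    return dict(hits)


def detect_in_sample() -> Dict[str, int]:
    """Run the check over the constructed sample log."""
    return unexpected_ike_peers(SAMPLE_FLOW_LOG, GATEWAY_PUBLIC_IP, KNOWN_PEERS)


if __name__ == "__main__":
    for peer, count in sorted(detect_in_sample().items()):
        print(f"unexpected IKE/ESP peer {peer}: {count} packet(s) to the gateway")
```

On the sample log the known peer's two packets are ignored, the HTTPS flow is not IKE and is ignored, and the two unknown sources are reported (three IKE/NAT-T packets from one, one ESP packet from the other). Because a site-to-site gateway has a fixed set of legitimate peers, any non-zero count is actionable; the main source of false positives is a change of the on-premises gateway's public address that was not reflected in the allow-list.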
Azure VPN Gateway
Azure VPN Gateway supports the following device families:
– PolicyBased (IKEv1)
– RouteBased (IKEv2)
– PolicyBased and RouteBased VpnGw1, VpnGw2, and VpnGw3 devices
Azure VPN Gateway doesn’t support client VPNs based on Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol version 3 (L2TPv3), or Secure Socket Tunneling Protocol (SSTP).
VPN Client
There are three types of VPN clients supported by Azure: Point-to-Site (P2S), Site-to-Site (S2S), and ExpressRoute. P2S VPNs are used to connect an individual client computer to an Azure VNet. S2S VPNs are used to connect an on-premises network to an Azure VNet. ExpressRoute is used to create a private connection between an on-premises network and Azure.
Comparison of VPN Types
The table below provides a comparison of the different VPN types that are supported by Azure.
VPN Type|IKEv2|IKEv1|SSTP|OpenVPN
---|---|---|---|---
Supported Platforms|Windows 10, Windows Server 2016, macOS Sierra, iOS 10, Android 7.0 and later¹; Ubuntu 16.04, Fedora 24, CentOS 7.2 and RHEL 7.2|Windows Server 2012 R2 and later¹; Ubuntu 16.04, Fedora 24, CentOS 7.2 and RHEL 7.2|Windows 10¹, Windows Server 2012 R2 and later¹; Ubuntu 16.04, Fedora 24, CentOS 7.2 and RHEL 7.2|Ubuntu 16.04 and later¹, Fedora 24 and later¹, RHEL 7.3 and later¹, CentOS 7.3 and later¹
Policies/Constraints|Requires AES128-GCM or AES256-GCM ciphers; uses a transform set; phase 1 uses lifetimes and phase 2 uses a proposal; PFS is optional but recommended; the DH group can be ECP256, ECP384, DH2048, DH3072, DH4096, DH6144 or DH8192|Uses a transform set; phase 1 uses lifetimes and phase 2 uses a proposal; PFS is required, but MD5 is also allowed as the hash algorithm if PFS is not available on one side|None|
How Does It Work? (IKEv1 and IKEv2)
– Uses UDP ports 500 and 4500 for NAT-T traffic.
– IKE SA negotiation consists of two phases, phase 1 and phase 2, and each phase has its own key negotiation.
– Phase 1 negotiates a secure channel through which future communications take place. It can use one of two modes: aggressive or main.
– In aggressive mode, less information is exchanged than in main mode. The connection is established faster, but there is less protection against attacks such as DoS, for example because the identities of each party are not anonymized.
– Main mode protects against this type of attack by exchanging more information during the initial negotiation, which makes it more difficult to spoof identities. Main mode consists of three exchanges between peers, while aggressive mode requires only two.
– IKEv2 also supports Extended Authentication (XAUTH) for remote-access clients using username and password authentication methods such as RADIUS or LDAP, while IKEv1 supports only pre-shared keys (PSK).
¹ For a list of supported device families, see Supported VPN devices for Azure VPN Gateway.
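The constraint row of the table and the AES-versus-3DES discussion in the introduction together amount to a checklist an engineer applies before accepting an IKE/IPsec proposal from a peer's administrator. The following Python code is an added example (my code, not from the article or from Microsoft) that encodes that checklist and runs it over two constructed proposals, a legacy one and a hardened one. The IkePolicy field names are this example's own assumption; the cipher, hash and DH group spellings follow the article's table rather than the exact enum names the Azure CLI uses; and the lifetime rule (phase-2 SA shorter than phase-1 SA) is common practice rather than something the article states.

```python
"""Lint an IKE/IPsec proposal against the constraints the article lists.

Added example; field names, the lifetime rule and the sample proposals are this
example's own assumptions. Cipher/group spellings follow the article's table."""
from dataclasses import dataclass
from typing import Dict, List

# Spellings taken from the article's comparison table, not Azure's exact enum names.
ALLOWED_DH_GROUPS = {"ECP256", "ECP384", "DH2048", "DH3072", "DH4096", "DH6144", "DH8192"}
GCM_CIPHERS = {"AES128-GCM", "AES256-GCM"}
LEGACY_CIPHERS = {"3DES", "DES"}
WEAK_HASHES = {"MD5"}


@dataclass
class IkePolicy:
    """One IKE/IPsec proposal. Field names are this example's own assumption."""
    ike_version: int        # 1 or 2
    encryption: str         # e.g. "AES256-GCM", "AES256-CBC", "3DES"
    integrity: str          # e.g. "SHA256", "MD5"; "NONE" when an AEAD cipher supplies it
    dh_group: str           # phase-1 Diffie-Hellman group
    pfs_group: str          # phase-2 group; "NONE" disables perfect forward secrecy
    phase1_lifetime_s: int  # IKE SA lifetime
    phase2_lifetime_s: int  # IPsec SA lifetime


def lint_policy(p: IkePolicy) -> List[str]:
    """Return human-readable findings; an empty list means the proposal passes."""
    findings: List[str] = []
    if p.encryption in LEGACY_CIPHERS:
        findings.append(f"{p.encryption} is a legacy cipher; accept only for backwards compatibility")
    if p.ike_version == 2 and p.encryption not in GCM_CIPHERS:
        findings.append(f"IKEv2 proposals require AES128-GCM or AES256-GCM, got {p.encryption}")
    if p.integrity in WEAK_HASHES:
        findings.append(f"{p.integrity} integrity is weak; use a SHA-2 hash")
    if p.dh_group not in ALLOWED_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} is not in the allowed set")
    if p.pfs_group == "NONE":
        need = "required" if p.ike_version == 1 else "recommended"
        findings.append(f"PFS is disabled but is {need} for IKEv{p.ike_version}")
    # Common practice (not stated by the article): rekey the IPsec SA more often than the IKE SA.
    if p.phase2_lifetime_s >= p.phase1_lifetime_s:
        findings.append("phase-2 (IPsec SA) lifetime should be shorter than the phase-1 (IKE SA) lifetime")
    return findings


# Constructed sample proposals: a legacy one a peer might still offer, and a hardened one.
LEGACY_POLICY = IkePolicy(1, "3DES", "MD5", "DH1024", "NONE", 86400, 86400)
HARDENED_POLICY = IkePolicy(2, "AES256-GCM", "NONE", "ECP384", "ECP384", 28800, 27000)


def review_both() -> Dict[str, List[str]]:
    """Lint both sample proposals and return the findings keyed by name."""
    return {"legacy": lint_policy(LEGACY_POLICY), "hardened": lint_policy(HARDENED_POLICY)}


if __name__ == "__main__":
    for name, findings in review_both().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The legacy proposal trips every rule (legacy cipher, weak hash, unlisted DH group, PFS disabled where IKEv1 requires it, and an IPsec SA lifetime no shorter than the IKE SA lifetime), while the hardened IKEv2 proposal with AES256-GCM and ECP384 for both phases passes cleanly. The checklist is deliberately strict about AES-GCM for IKEv2 because that is what the article's table requires; a real deployment would relax or extend the rules to match the peer device's actual capabilities.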
Conclusion
Azure supports the following VPN types:
– Point-to-Site (SSTP and IKEv2 VPN)
– Site-to-Site (IKEv2 VPN)
– ExpressRoute or Site-to-Site (IKEv1 and IPsec VPN)
Which one you choose depends on a number of factors, including budget, Azure subscription type, security requirements, and so on. You can read more about each type of VPN in our What is a VPN? article.