Microsoft AZ-700: Design and Implement Azure VPN Gateway

Notes from MS Learn AZ-700 Module 2: Design and Implement Hybrid Networking – Unit 2: Design and Implement Azure VPN Gateway

A VPN provides secure, encrypted connections across another network. It is often deployed to connect two or more trusted private networks over an untrusted network (e.g. the Internet). One option for connecting on-prem networks to an Azure VNet is a VPN; a VPN Gateway is used as the endpoint for incoming connections to the Azure VNet.

  • Azure VPN Gateways
    • Specific type of virtual network gateway used to Tx/Rx encrypted traffic between Azure and On-Prem Networks
    • Can also be used to connect separate VNets encrypting over the MS network backbone
    • Made up of 2 or more special VM’s deployed to a specific subnet called the “gateway subnet”
    • Creation can take some time to complete, so proper planning is important
    • When creating a Virtual Network Gateway the gateway VMs are created and deployed to the gateway subnet
      • The VMs then hold the settings configured on the gateway
  • Plan a VPN Gateway
    • Architectures to consider
      • Point-to-Site over internet
      • Site-to-Site over internet
      • Site-to-Site over dedicated network (e.g. Azure ExpressRoute)
  • Planning Factors
    • Factors to cover during planning
      • Throughput
        • Mbps
        • Gbps
      • Backbone
        • Internet
        • Private
      • Availability of public IP Address
      • VPN device compatibility
      • Multiple client connections vs Site-to-Site link
      • VPN Gateway type
      • Azure VPN Gateway SKU
  • Gateway SKU’s and Generations
    • When creating a gateway you select the SKU that meets your requirements (table taken from MS Learn), comparing on:
      • Workload
      • Throughput
      • Features
      • SLA’s
  • (*) Virtual WAN used if more than 30 Site-to-Site VPN tunnels required
  • Resizing between VpnGw SKU’s is allowed within the same Gen, but not for the Basic SKU
    • Basic SKU is legacy with feature limitations
    • To move from Basic to a VpnGw SKU, the Basic gateway must be deleted and rebuilt with the desired Generation and SKU size combo
  • Connection limits are separate
    • E.g. can have 128 SSTP connections and 250 IKEv2 connections on a single VpnGw1 SKU
  • Single tunnel
    • Max of 1 Gbps
    • Aggregate Throughput Benchmark on a VPN Gateway is Site-to-Site + Point-to-Site
    • Multiple Point-to-Site connections can negatively impact Site-to-Site due to throughput limitations
    • Aggregate Throughput Benchmark isn’t guaranteed due to Internet traffic conditions and app behavior
  • VPN Gateway Types
    • When creating a Virtual Network Gateway for a VPN Gateway, the VPN type must be specified
    • VPN type depends on the connection topology desired
      • For example, Point-to-Site requires the RouteBased VPN type
    • The VPN type selected must meet all connection requirements for the desired solution
      • For example, to create Site-to-Site and Point-to-Site VPN gateway connections on the same VNet, use RouteBased
        • This is because Point-to-Site requires the RouteBased VPN type
        • The on-prem VPN device must also support RouteBased VPN connections
    • PolicyBased type
      • Previously called “static routing gateways” in classic deployment model
      • Encrypt and direct packets through IPsec tunnels based on IPsec policies
      • Policy (traffic selector) defined as ACL in VPN device config
      • Value for PolicyBased VPN type is PolicyBased
      • Limitations
        • Supports IKEv1 only and can be used with the Basic Gateway SKU only
        • Only 1 tunnel can be used
        • Can only be used for Site-to-Site connections, and only for certain configs
        • Most VPN Gateway configs require RouteBased type
    • RouteBased
      • Previously called “Dynamic routing gateways” in classic deployment model
      • Table below (Table taken from MS Learn) applies to both Resource Manager and Classic deployment models
      • For classic model, PolicyBased VPN are the same as Static Gateways & Route-Based are the same as Dynamic Gateways
      • (*) No BGP in classic deployment model
  • Create VPN Gateway
    • The VPN settings chosen are critical to a successful connection
      • Name
      • Region
      • Gateway Type
        • VPN
        • ExpressRoute
      • VPN Type
        • Route-based
          • Most are Route-Based: required for Point-to-Site, inter-virtual network, or multiple Site-to-Site
          • Also for ExpressRoute or if IKEv2 required
        • Policy-based
          • Only supports IKEv1
      • SKU
        • Affects number of tunnels
        • Can have the “aggregate throughput benchmark”
          • Based on multiple tunnels aggregated through single gateway – not guaranteed due to Inet traffic and app behavior
      • Generation
        • Gen 1 or 2
        • Cannot change generations or SKU’s across generations
        • Basic and VPNGw1 SKU only supported in Gen1
        • VpnGw4 and VpnGw5 SKU only in Gen2
      • Virtual Network
        • VNet able to Tx/Rx traffic through a virtual network gateway
        • A VNet cannot be associated with multiple gateways
      • Active-Active mode
        • Enabled
        • Disabled
      • BGP ASN
        • Enabled
        • Disabled
    • Gateway should appear as a connected device; you can view the IP address assigned to the gateway
  • Gateway Subnet
    • Required for VPN Gateways
    • Can create before you create the gateway
    • Contains IP addresses the VNet gateway VMs and Services use
    • Never deploy anything other than gateway VMs in this subnet
    • Must be named GatewaySubnet, as that tells Azure which subnet to deploy virtual network gateway VMs and services to
    • When creating the gateway subnet, specify the number of IP addresses the subnet contains
      • IP addresses are allocated to gateway VMs and Services
      • Some configs require more IP’s than others
    • Refer to documentation for desired configuration when planning gateway subnet size
      • E.g. an ExpressRoute/VPN Gateway coexistent config requires a larger subnet than most others
    • Plan for possible future configurations
      • MS Learn recommendation – /27 or larger although the smallest is /29
  • Create Local Network Gateway
    • Local Network Gateway usually is the on-prem location
    • Settings
      • Give the site a name that Azure can refer to
      • Specify the IP address prefixes to route through the VPN gateway to the VPN devices
      • IP Address is the public IP of the local gateway
      • Address Space is 1 or more CIDR ranges defining the local network’s address space
      • If BGP-enabled, check the box
        • Minimum prefix declaration is the host address of the BGP peer IP on the VPN device
  • Configure On-prem VPN Device
    • Reference the validated list of standard VPN devices created with vendors such as
      • Cisco
      • Juniper
      • Barracuda
    • My latest search came back with the following Azure support site
    • When not listed, contact the manufacturer for support/configuration help
    • There may be pre-built configuration scripts available
    • Required
      • Shared Key
      • Public IP address of VPN gateway
  • Create VPN Connection
    • Once the VPN gateways are created, a connection between them can be created
    • If the VNets are in the same subscription you can use the portal
      • Under Add Connection
        • Name connection
        • Select Connection type – Site-to-Site
        • Enter the Pre-shared Key
  • Verify VPN Connection
    • Use either Portal or PowerShell
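The create-gateway, gateway-subnet, local-network-gateway, connection and verify steps above, carried through end to end in Azure PowerShell as an added example (not code from the MS Learn module or this post). It assumes the Az.Network and Az.KeyVault modules, an existing resource group and VNet, and the placeholder names, address ranges, public IP and Key Vault secret shown in the comments; the pre-shared key is pulled from Key Vault rather than embedded in the script.

```powershell
# Added example: RouteBased Site-to-Site VPN built with Azure PowerShell, then verified.
# All resource names, CIDR ranges, the on-prem public IP and the Key Vault secret are assumed placeholders.
$rg       = "rg-hybrid-example"
$location = "eastus"
$vnetName = "vnet-hub"

# 1. Gateway subnet: must be named exactly "GatewaySubnet"; /27 or larger per the MS Learn recommendation.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.0.255.0/27" -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet          # commit the change and refresh the object
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. Public IP that becomes the Azure-side tunnel endpoint.
$pip = New-AzPublicIpAddress -Name "pip-vpngw-hub" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# 3. Virtual network gateway: GatewayType Vpn, RouteBased (needed for IKEv2 and for P2S coexistence).
#    VpnGw1 exists only in Generation1, so the generation is pinned explicitly.
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw1 -VpnGatewayGeneration Generation1

# 4. Local network gateway = the on-prem site. GatewayIpAddress is the VPN device's public IP;
#    AddressPrefix lists the on-prem CIDR ranges Azure should route through the tunnel.
$lng = New-AzLocalNetworkGateway -Name "lng-onprem-site1" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix @("192.168.0.0/16", "172.16.0.0/12")

# 5. Connection. The shared key is read from Key Vault (assumed vault/secret names) so it is never
#    hardcoded; the identical value must be configured on the on-prem device.
$psk = Get-AzKeyVaultSecret -VaultName "kv-hybrid-example" -Name "vpn-psk-site1" -AsPlainText
$null = New-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-site1" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# 6. Verify: ConnectionStatus moves from Unknown/Connecting to Connected once the device completes IKE.
Get-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-site1" -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred

# The public IP assigned to the gateway, which the on-prem device configuration needs as its peer.
(Get-AzPublicIpAddress -Name "pip-vpngw-hub" -ResourceGroupName $rg).IpAddress
```

Gateway creation itself takes a while to return, which is the planning point the notes make; running the verification step immediately after the connection is created will normally show Connecting until the on-prem device has been configured with the gateway's public IP and the same shared key.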
  • High Availability options
    • VPN Gateway Redundancy (Active-Standby)
      • Every Azure VPN Gateway has active-standby
      • Automatic failover for planned maintenance or unplanned outages
        • Brief interruption
      • For planned maintenance, restoration is usually within 10-15 seconds (site-to-site)
      • For unplanned outages, restoration is around 1-3 minutes (site-to-site)
      • Point-to-Site connections are disconnected and users need to reconnect
    • Multiple on-prem VPN devices
      • Requirements and Constraints
        • Multiple Site-to-Site VPN connections from the VPN devices to Azure must be created
          • When connecting multiple VPN devices from the same on-prem site to Azure, one local network gateway is required for each VPN device
          • One connection from the Azure VPN Gateway to each local network gateway
        • Local Network Gateways corresponding to the VPN devices must have a unique public IP in the GatewayIpAddress property
        • BGP required
          • Each local network gateway representing a VPN device must have a unique BGP peer IP specified in the BgpPeerIpAddress property
          • Use BGP to advertise the same on-prem network prefixes to the Azure VPN Gateway; traffic is forwarded through these tunnels at the same time
        • Must use ECMP
        • Each connection counts against the max number of tunnels for the Azure VPN Gateway
          • 10 for Basic and Standard SKU’s
          • 30 for HighPerformance SKU
      • Still active-standby, but guards against failures/interruptions on the on-prem network and VPN devices
    • Active-Active Azure VPN Gateway
      • Both Azure VPN Gateway instances create Site-to-Site tunnels to the on-prem VPN device
      • Each Azure gateway instance has a unique public IP and establishes an IPsec/IKE Site-to-Site VPN tunnel to the on-prem VPN device
      • Configure the on-prem VPN device to accept 2 Site-to-Site VPN tunnels to the 2 Azure VPN Gateway public IP’s
      • Traffic from Azure VNet to on-prem network routed through both tunnels
      • For single TCP/UDP flow Azure attempts to use same tunnel
    • Combo of both
  • Dual-redundancy: active-active for both Azure and On-Prem Networks
    • Create and setup Azure VPN Gateway in active-active
    • Create two local network gateways and two connections for 2 on-prem VPN devices
    • Creates full-mesh connectivity of 4 IPsec tunnels between the Azure VNet and the on-prem network
    • All gateways and tunnels are active from Azure side so traffic spread across 4 tunnels
    • May result in better throughput
    • BGP required
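The dual-redundancy design above (active-active Azure gateway, two local network gateways with unique public IPs and BGP peer IPs, two connections, BGP on everything), as an added Azure PowerShell example that is not part of the MS Learn module or this post. It assumes the GatewaySubnet and VNet already exist, an Az.KeyVault-held shared key, and the placeholder names, ASNs and IPs in the comments; the VpnGw2 SKU is chosen only so that the gateway is not the Basic SKU, which the notes say cannot be resized or use BGP-era features.

```powershell
# Added example: active-active Azure VPN Gateway + two on-prem devices = 4 IPsec tunnels with BGP/ECMP.
# Resource names, ASNs, public IPs and BGP peer addresses are assumed placeholders.
$rg = "rg-hybrid-example"; $location = "eastus"
$vnet     = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# Active-active needs two public IPs, one per gateway instance, each becoming a tunnel endpoint.
$pip1 = New-AzPublicIpAddress -Name "pip-vpngw-aa-1" -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard
$pip2 = New-AzPublicIpAddress -Name "pip-vpngw-aa-2" -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard
$ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf1" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip1.Id
$ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf2" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip2.Id

# RouteBased is mandatory here; BGP is required for the dual-redundant design.
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub-aa" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf1, $ipconf2 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2 `
    -EnableActiveActiveFeature -EnableBgp $true -Asn 65515

# One local network gateway per on-prem device. Each must carry a unique GatewayIpAddress and a unique
# BgpPeeringAddress; the address prefix is only the /32 host route of the BGP peer (the minimum declaration).
# Both devices advertise the same on-prem prefixes over BGP so Azure forwards across all tunnels (ECMP).
$sites = @(
    @{ Name = "lng-onprem-dev1"; Ip = "203.0.113.10"; Peer = "10.51.255.1" },
    @{ Name = "lng-onprem-dev2"; Ip = "203.0.113.11"; Peer = "10.51.255.2" }
)
$psk = Get-AzKeyVaultSecret -VaultName "kv-hybrid-example" -Name "vpn-psk-dual" -AsPlainText   # assumed secret
foreach ($s in $sites) {
    $lng = New-AzLocalNetworkGateway -Name $s.Name -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $s.Ip -AddressPrefix "$($s.Peer)/32" -Asn 65010 -BgpPeeringAddress $s.Peer
    # One connection from the Azure gateway to each local network gateway; each counts against the tunnel limit.
    $null = New-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-$($s.Name)" -ResourceGroupName $rg -Location $location `
        -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk -EnableBgp $true
}

# Azure-side BGP peer addresses (one per instance) that both on-prem devices must peer with.
$gw.BgpSettings.BgpPeeringAddress

# Routes learned by the gateway: the same on-prem prefix should appear once per tunnel (SourcePeer differs).
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rg |
    Select-Object Network, NextHop, SourcePeer, Origin, AsPath
```

The learned-routes check is the quickest way to confirm ECMP is actually in play: if a prefix is learned from only one peer, the second device is not advertising it (or its tunnel never came up) and traffic is still pinned to a single path.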
  • Highly Available VNet-to-VNet
    • Follows same idea as Azure to on-prem active active
    • Only requires one connection for each gateway
    • BGP optional unless transit routing required
  • Troubleshoot Azure VPN Gateway Using Logs
    • Use of logs to troubleshoot such as
      • Configuration Activity
      • VPN Tunnel Connectivity
      • IPSec
      • BGP Route Exchanging
      • Point-to-Site Advanced Logging
    • Example Logs
      • GatewayDiagnosticLog
        • Configuration events, primary changes, maintenance events
      • TunnelDiagnosticLog
        • Tunnel state changes
        • Connect/Disconnect events summarized reasons if applicable
      • RouteDiagnosticLog
        • Changes to Static and BGP routes
      • IKEDiagnosticLog
        • IKE control messages and events on gateway
      • P2SDiagnosticLog
        • Control messages and events on gateway
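Turning the log categories listed above into something usable: the added Azure PowerShell example below (not from the MS Learn module or this post) sends all five categories to a Log Analytics workspace and then runs two KQL queries through Invoke-AzOperationalInsightsQuery, one for tunnel state changes and one for IKE messages. It assumes Az.Monitor 3.0 or later for New-AzDiagnosticSetting, an existing workspace and gateway with the placeholder names shown, and that the type-suffixed AzureDiagnostics column names (status_s, stateChangeReason_s, remoteIP_s, instance_s, Message) match your workspace schema, which should be checked before relying on them.

```powershell
# Added example: enable VPN Gateway diagnostic logs and query them. Names are assumed placeholders.
$rg = "rg-hybrid-example"
$gw = Get-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg
$ws = Get-AzOperationalInsightsWorkspace -Name "law-hybrid-example" -ResourceGroupName $rg

# The five categories the notes describe, sent to Log Analytics as one diagnostic setting.
$categories = "GatewayDiagnosticLog", "TunnelDiagnosticLog", "RouteDiagnosticLog", "IKEDiagnosticLog", "P2SDiagnosticLog"
$logs = foreach ($c in $categories) { New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true }
$null = New-AzDiagnosticSetting -Name "vpngw-to-law" -ResourceId $gw.Id -WorkspaceId $ws.ResourceId -Log $logs

# Tunnel flaps in the last 24h with the gateway-reported reason for each state change.
# Repeated Connected/Disconnected pairs with the same reason usually point at the on-prem device
# or at an IKE/IPsec policy mismatch rather than at the Azure side.
$tunnelQuery = @"
AzureDiagnostics
| where ResourceType == "VIRTUALNETWORKGATEWAYS" and Category == "TunnelDiagnosticLog"
| where TimeGenerated > ago(24h)
| project TimeGenerated, Resource, instance_s, remoteIP_s, status_s, stateChangeReason_s
| order by TimeGenerated desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $tunnelQuery).Results | Format-Table

# IKE control messages mentioning one peer's public IP (assumed 203.0.113.10), to pair with the
# device-side log when a tunnel refuses to come up.
$ikeQuery = @"
AzureDiagnostics
| where ResourceType == "VIRTUALNETWORKGATEWAYS" and Category == "IKEDiagnosticLog"
| where TimeGenerated > ago(1h) and Message has "203.0.113.10"
| project TimeGenerated, instance_s, Message
| order by TimeGenerated desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $ikeQuery).Results | Format-Table -Wrap
```

Note the two different workspace identifiers: the diagnostic setting takes the workspace's ARM resource ID, while the query cmdlet takes the workspace (customer) GUID. Mixing them up is a common reason the first query returns nothing.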
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-design-and-implement-azure-vpn-gateway/
