Notes from MS Learn AZ-700 Module 2: Design and Implement Hybrid Networking – Unit 2: Design and Implement Azure VPN Gateway
A VPN provides secure, encrypted connections across another network. It is often deployed to connect two or more trusted private networks over an untrusted network (e.g. the Internet). One option for connecting on-prem networks to an Azure VNet is a VPN; a VPN Gateway is used as the endpoint for incoming connections to the Azure VNet.
- Azure VPN Gateways
- Specific type of virtual network gateway used to Tx/Rx encrypted traffic between Azure and on-prem networks
- Can also be used to connect separate VNets, encrypting traffic over the Microsoft network backbone
- Made up of 2 or more special VMs deployed to a specific subnet called the “gateway subnet”
- Deployment can take some time (often 45 minutes or more), so proper planning is important
- When creating a Virtual Network Gateway, the gateway VMs are created and deployed to the gateway subnet
- The settings you configure on the gateway are then applied to those VMs
- Plan a VPN Gateway
- Architectures to consider
- Point-to-Site over internet
- Site-to-Site over internet
- Site-to-Site over dedicated network (e.g. Azure ExpressRoute)
- Planning Factors
- Factors to cover during planning
- Throughput
- Mbps
- Gbps
- Backbone
- Internet
- Private
- Availability of public IP Address
- VPN device compatibility
- Multiple client connections vs Site-to-Site link
- VPN Gateway type
- Azure VPN Gateway SKU
- Gateway SKUs and Generations (table taken from MS Learn)
- When creating the gateway you select the SKU that meets your requirements for:
- Workload
- Throughput
- Features
- SLA’s
- (*) Use Virtual WAN if more than 30 Site-to-Site VPN tunnels are required
- Resizing between VpnGw SKUs is allowed within the same generation; the Basic SKU cannot be resized
- Basic SKU is legacy with feature limitations
- To move from Basic to a VpnGw SKU, the Basic gateway must be deleted and rebuilt with the desired generation and SKU size combination
- Connection limits are counted separately per protocol
- E.g. a single VpnGw1 SKU can have 128 SSTP connections and 250 IKEv2 connections at the same time
- Single tunnel
- Max of 1 Gbps
- The Aggregate Throughput Benchmark of a VPN Gateway is Site-to-Site + Point-to-Site combined
- Many Point-to-Site connections can negatively impact Site-to-Site throughput because they share the same benchmark
- Aggregate Throughput Benchmark isn’t guaranteed due to Internet traffic conditions and application behavior
- VPN Gateway Types
- When creating a Virtual Network Gateway for a VPN Gateway configuration, the VPN type must be specified
- The VPN type depends on the connection topology desired
- For example, Point-to-Site requires the RouteBased VPN type
- The VPN type selected must meet all connection requirements for the desired solution
- For example, to create both Site-to-Site and Point-to-Site VPN gateway connections on the same VNet, use RouteBased
- This is because Point-to-Site requires the RouteBased VPN type
- The on-prem VPN device would also need to support RouteBased VPN connections
- PolicyBased type
- Previously called “static routing gateways” in classic deployment model
- Encrypt and direct packets through IPsec tunnels based on IPsec policies
- Policy (traffic selector) defined as ACL in VPN device config
- Value for PolicyBased VPN type is PolicyBased
- Limitations
- Supports IKEv1 only and is available with the Basic gateway SKU only
- Only 1 tunnel can be used
- Only usable for Site-to-Site connections, and only in certain configurations
- Most VPN Gateway configs require RouteBased type
- RouteBased
- Previously called “dynamic routing gateways” in the classic deployment model
- Table below (taken from MS Learn) applies to both Resource Manager and classic deployment models
- For classic model, PolicyBased VPN are the same as Static Gateways & Route-Based are the same as Dynamic Gateways
- (*) No BGP in classic deployment model
- Create VPN Gateway
- VPN Settings chosen critical in successful connection
- Name
- Region
- Gateway Type
- VPN
- ExpressRoute
- VPN Type
- Route-based
- Most are Route-based: Point-to-Site, inter-virtual network, or multiple Site-to-Site
- Also for ExpressRoute or if IKEv2 is required
- Policy-based
- Only supports IKEv1
- SKU
- Affects number of tunnels
- Can have the “aggregate throughput benchmark”
- Based on multiple tunnels aggregated through a single gateway; not guaranteed due to Internet traffic conditions and application behavior
- Generation
- Gen 1 or 2
- Cannot change generations or SKU’s across generations
- Basic and VpnGw1 SKUs only supported in Gen1
- VpnGw4 and VpnGw5 SKU only in Gen2
- Virtual Network
- The VNet that will Tx/Rx traffic through this virtual network gateway
- A VNet cannot be associated with more than one VPN gateway (coexistence with an ExpressRoute gateway is a separate configuration)
- Active-Active mode
- Enabled
- Disabled
- BGP ASN
- Enabled
- Disabled
- Once deployed, the gateway appears as a connected device on the VNet, where the IP address assigned to the gateway can be viewed
- Gateway Subnet
- Required for VPN gateways
- Can be created before you create the gateway
- Contains the IP addresses the VNet gateway VMs and services use
- Never deploy anything other than the gateway VMs in this subnet
- Must be named GatewaySubnet; the name tells Azure which subnet to deploy the virtual network gateway VMs and services to
- When creating the gateway subnet, specify the number of IP addresses the subnet contains
- IP addresses are allocated to the gateway VMs and services
- Some configurations require more IPs than others
- Refer to the documentation for the desired configuration when planning the gateway subnet size
- E.g. the ExpressRoute/VPN Gateway coexistent configuration requires a larger subnet than most others
- Plan for possible future configurations
- MS Learn recommendation: /27 or larger, although the smallest supported is /29
- Create Local Network Gateway
- The Local Network Gateway usually represents the on-prem location
- Settings
- Give the site a name that Azure can refer to
- Specify the IP address prefixes to route through the VPN gateway to the on-prem VPN device
- IP Address is the public IP of the on-prem VPN device
- Address Space is 1 or more CIDR ranges defining the local network’s address space
- If using BGP, check the BGP-enabled box
- With BGP, the minimum prefix to declare is the host address (/32) of the BGP peer IP on the VPN device
- Configure On-prem VPN Device
- Reference the validated list of standard VPN devices created with vendors such as
- Cisco
- Juniper
- Barracuda
- My latest search came back with the following Azure support site
- When a device is not listed, contact the manufacturer for support/configuration help
- There may be pre-built configuration scripts available
- Required on the device
- Shared key
- Public IP address of the VPN gateway
- Create VPN Connection
- Once the VPN gateways are created, a connection between them can be created
- If the VNets are in the same subscription you can use the portal
- Under Add Connection
- Name connection
- Select Connection type – Site-to-Site
- Enter the Pre-shared Key
- Verify VPN Connection
- Use either Portal or PowerShell
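As an added example (not from the MS Learn module), here is the same Site-to-Site build in Az PowerShell, the tool the unit points to for verification: gateway subnet, public IP, route-based VpnGw2 gateway, local network gateway, IPsec connection with a pre-shared key, and the status check. The resource group, VNet and subnet names, the address prefixes, and the on-prem public IP 203.0.113.10 (a documentation range) are assumed values; replace them for a real deployment.

```powershell
# Added example, not part of the MS Learn module. Assumed names/values throughout:
# resource group rg-hybrid, VNet vnet-hub, on-prem device 203.0.113.10 with 10.10.0.0/16.
# Requires the Az.Network module and an existing Connect-AzAccount session.
$rg       = 'rg-hybrid'
$location = 'eastus'

# 1. Gateway subnet: the name must be exactly GatewaySubnet. /27 is the recommended
#    minimum (the smallest Azure accepts is /29); nothing else goes in this subnet.
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27' -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. Public IP that the on-prem device will peer with (static so it survives gateway maintenance)
$pip    = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
              -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# 3. The VPN gateway: GatewayType Vpn (not ExpressRoute), RouteBased so P2S/IKEv2 can be
#    added later, Gen2 VpnGw2. This step is the slow one (often 45 minutes or more).
New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2 | Out-Null

# 4. Local network gateway = the on-prem side: device public IP + the prefixes Azure should
#    send through the tunnel (static routing here, so the whole on-prem range is listed).
New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.10.0.0/16' | Out-Null

# 5. The connection. The PSK is prompted for rather than hard-coded in the script;
#    the same value must be configured on the on-prem device.
$gw  = Get-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name 'lng-onprem' -ResourceGroupName $rg
$psk = Read-Host -Prompt 'IPsec pre-shared key'
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# 6. Verify: ConnectionStatus should move from Connecting/NotConnected to Connected once the
#    on-prem device is configured; byte counters confirm traffic is actually flowing.
Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

If the status stays NotConnected, compare the shared key, the gateway public IP, and the IKE/IPsec proposals against the device configuration before suspecting the Azure side; these are the required inputs the unit lists for the on-prem device.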
- High Availability options
- VPN Gateway Redundancy (Active-Standby)
- Every Azure VPN Gateway is deployed as two instances in active-standby
- Automatic failover for planned maintenance or unplanned outages
- Brief interruption
- For planned restoration usually in 10-15 seconds (site-to-site)
- For unplanned restoration around 1-3 minutes (site-to-site)
- Point-to-Site connections are disconnected and users need to reconnect
- Multiple on-prem VPN devices
- Requirements and Constraints
- Multiple Site-to-Site VPN connections from the on-prem VPN devices to Azure need to be created
- When connecting multiple VPN devices from the same on-prem network to Azure, one local network gateway is required for each VPN device
- One connection from the Azure VPN Gateway to each local network gateway
- Local network gateways corresponding to the VPN devices must have unique public IPs in the GatewayIpAddress property
- BGP required
- Each local network gateway representing a VPN device must have a unique BGP peer IP specified in the BgpPeerIpAddress property
- Use BGP to advertise the same on-prem network prefixes to the Azure VPN Gateway so traffic is forwarded through these tunnels at the same time
- Must use ECMP
- Each connection counts against the maximum number of tunnels for the Azure VPN Gateway
- 10 for Basic and Standard SKUs (legacy SKU names)
- 30 for HighPerformance SKU (legacy SKU name)
- Still active-standby on the Azure side, but guards against failures/interruptions on the on-prem network and VPN devices
- Active-Active Azure VPN Gateway
- Both Azure VPN Gateway instances create Site-to-Site tunnels to the on-prem VPN device
- Each Azure gateway instance has a unique public IP and establishes an IPsec/IKE Site-to-Site VPN tunnel to the on-prem VPN device
- Configure the on-prem VPN device to accept 2 Site-to-Site VPN tunnels to the 2 Azure VPN Gateway public IPs
- Traffic from Azure VNet to on-prem network routed through both tunnels
- For single TCP/UDP flow Azure attempts to use same tunnel
- Combination of both
- Dual redundancy: active-active for both the Azure and on-prem networks
- Create and set up the Azure VPN Gateway in active-active mode
- Create two local network gateways and two connections for the 2 on-prem VPN devices
- Makes full-mesh connectivity of 4 IPsec tunnels between the Azure VNet and the on-prem network
- All gateways and tunnels are active from Azure side so traffic spread across 4 tunnels
- May result in better throughput
- BGP required
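The dual-redundancy design above, as an added Az PowerShell example (not part of the MS Learn module): an active-active gateway with two public IPs and BGP, one local network gateway per on-prem VPN device with a unique public IP and a unique BGP peer IP, and one BGP-enabled connection to each, which yields the four-tunnel mesh. Resource names, the ASNs (65515 for Azure, 65010 on-prem), the 203.0.113.x device addresses and the 10.10.255.x peer addresses are assumed values.

```powershell
# Added example, not part of the MS Learn module. Assumes the VNet vnet-hub already has a
# GatewaySubnet and that the two on-prem devices share ASN 65010 but have distinct public
# IPs and distinct BGP peer addresses (a hard requirement for multiple local network gateways).
$rg       = 'rg-hybrid'
$location = 'eastus'
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Active-active needs one public IP and one IP configuration per gateway instance.
$pip1 = New-AzPublicIpAddress -Name 'pip-vpngw-1' -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard
$pip2 = New-AzPublicIpAddress -Name 'pip-vpngw-2' -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard
$ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf1' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip1.Id
$ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf2' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip2.Id

# Active-active + BGP on the Azure side. 65515 is Azure's default ASN; it is spelled out here
# so the on-prem device configuration has an explicit value to match.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub-aa' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf1, $ipconf2 -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2 `
    -EnableActiveActiveFeature -EnableBgp $true -Asn 65515

# One local network gateway per device. GatewayIpAddress and BgpPeeringAddress must be unique
# across the two; with BGP the AddressPrefix only needs the peer's /32, the rest is learned.
$devices = @(
    @{ Name = 'lng-onprem-1'; PublicIp = '203.0.113.10'; BgpPeer = '10.10.255.1' },
    @{ Name = 'lng-onprem-2'; PublicIp = '203.0.113.20'; BgpPeer = '10.10.255.2' }
)
$psk = Read-Host -Prompt 'IPsec pre-shared key'

foreach ($d in $devices) {
    $lng = New-AzLocalNetworkGateway -Name $d.Name -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $d.PublicIp -AddressPrefix "$($d.BgpPeer)/32" `
        -Asn 65010 -BgpPeeringAddress $d.BgpPeer

    # Each connection is BGP-enabled; with two gateway instances on the Azure side this
    # single connection object brings up two tunnels, so two connections give four.
    New-AzVirtualNetworkGatewayConnection -Name "cn-$($d.Name)" -ResourceGroupName $rg -Location $location `
        -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
        -SharedKey $psk -EnableBgp | Out-Null
}

# Both connections should report Connected; learned routes confirm BGP is exchanging prefixes.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object { $_.Name -like 'cn-lng-onprem-*' } |
    Select-Object Name, ConnectionStatus, EnableBgp
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName 'vpngw-hub-aa' -ResourceGroupName $rg |
    Select-Object Network, NextHop, Origin, AsPath
```

Each on-prem device must in turn be configured with two tunnels, one to each Azure public IP ($pip1 and $pip2), and must run BGP against the gateway's two instance peer addresses; without that, the Azure side stays active-active but the on-prem side has only one path.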
- Highly Available VNet-to-VNet
- Follows same idea as Azure to on-prem active active
- Only requires one connection for each gateway
- BGP optional unless transit routing required
- Troubleshoot Azure VPN Gateway
- Failures can have various causes. MS recommendations:
- Validate VPN throughput to VNET
- Test from on-prem resource to Azure VM
- Microsoft Guide: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-validate-throughput-to-vnet
- Point-to-Site Connections
- Site-to-Site Connections
- VPN/Firewall Device Settings
- Check device vendor support and documentation
- Microsoft Guide: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-third-party-settings
- Troubleshoot Azure VPN Gateway Using Logs
- Use logs to troubleshoot areas such as
- Configuration Activity
- VPN Tunnel Connectivity
- IPsec
- BGP Route Exchanging
- Point-to-Site Advanced Logging
- Example Logs
- GatewayDiagnosticLog
- Configuration events, primary changes, maintenance events
- TunnelDiagnosticLog
- Tunnel state changes
- Connect/Disconnect events summarized reasons if applicable
- RouteDiagnosticLog
- Changes to Static and BGP routes
- IKEDiagnosticLog
- IKE control messages and events on gateway
- P2SDiagnosticLog
- Point-to-Site control messages and events on the gateway
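As an added example (not from the MS Learn module), the log categories above can be switched on and queried from Az PowerShell: enable the five categories as a diagnostic setting that sends to a Log Analytics workspace, then pull recent TunnelDiagnosticLog entries with KQL to see connect/disconnect events and their reasons. The resource group, gateway and workspace names are assumed, and so are the AzureDiagnostics column names used in the query (instance_s, remoteIP_s, status_s, stateChangeReason_s); confirm them with getschema before building alerts on them.

```powershell
# Added example, not part of the MS Learn module. Assumed names: resource group rg-hybrid,
# gateway vpngw-hub, Log Analytics workspace law-hybrid. Requires Az.Network, Az.Monitor
# (New-AzDiagnosticSetting) and Az.OperationalInsights.
$rg   = 'rg-hybrid'
$gwId = (Get-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg).Id
$law  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-hybrid'

# The five VPN Gateway log categories; all are off until a diagnostic setting enables them.
$categories = 'GatewayDiagnosticLog', 'TunnelDiagnosticLog', 'RouteDiagnosticLog',
              'IKEDiagnosticLog', 'P2SDiagnosticLog'
$logs = foreach ($c in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true
}
# WorkspaceId here is the ARM resource ID of the workspace, not its customer GUID.
New-AzDiagnosticSetting -Name 'vpngw-to-law' -ResourceId $gwId -WorkspaceId $law.ResourceId -Log $logs | Out-Null

# Tunnel state changes in the last 24 h. The projected columns are assumed AzureDiagnostics
# field names for this category; verify with:
#   AzureDiagnostics | where Category == "TunnelDiagnosticLog" | getschema
$kql = @'
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "TunnelDiagnosticLog"
| project TimeGenerated, OperationName, instance_s, remoteIP_s, status_s, stateChangeReason_s
| order by TimeGenerated desc
'@

# Invoke-AzOperationalInsightsQuery takes the workspace customer GUID, unlike the setting above.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize

# Repeat for IKE negotiation failures when a tunnel never comes up; IKEDiagnosticLog carries the
# control-plane messages, so a proposal mismatch with the on-prem device shows here first.
$ike = @'
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "IKEDiagnosticLog"
| order by TimeGenerated desc
| take 50
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $ike).Results | Format-Table -AutoSize
```

Logs take a few minutes to appear after the diagnostic setting is created, so enable them before reproducing a failure rather than after; the instance_s column is what distinguishes the two gateway instances when chasing an active-active or failover problem.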