What is VPN Gateway?

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

What is a virtual network gateway?

A virtual network gateway is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet. Virtual network gateway VMs contain routing tables and run specific gateway services. These VMs are created when you create the virtual network gateway. You can't directly configure the VMs that are part of the virtual network gateway.

When you configure a virtual network gateway, you configure a setting that specifies the gateway type. The gateway type determines how the virtual network gateway will be used and the actions that the gateway takes. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a 'VPN gateway'. This distinguishes it from an ExpressRoute gateway, which uses a different gateway type. A virtual network can have two virtual network gateways: one VPN gateway and one ExpressRoute gateway. For more information, see Gateway types.

Creating a virtual network gateway can take up to 45 minutes to complete. When you create a virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the settings that you specify. After you create a VPN gateway, you can create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site). You can also create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2, or SSTP), which lets you connect to your virtual network from a remote location, such as from a conference or from home.

Configuring a VPN Gateway

A VPN gateway connection relies on multiple resources that are configured with specific settings. Most of the resources can be configured separately, although some resources must be configured in a certain order.

Design

It's important to know that there are different configurations available for VPN gateway connections. You need to determine which configuration best fits your needs. For example, Point-to-Site, Site-to-Site, and coexisting ExpressRoute/Site-to-Site connections all have different instructions and configuration requirements. For information about design and to view connection topology diagrams, see Design.

Planning table

The following table can help you decide the best connectivity option for your solution.

| | Point-to-Site | Site-to-Site | ExpressRoute |
|---|---|---|---|
| Azure Supported Services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines | Services list |
| Typical Bandwidths | Based on the gateway SKU | Typically < 1 Gbps aggregate | 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps |
| Protocols Supported | Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec | IPsec | Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS,...) |
| Routing | RouteBased (dynamic) | We support PolicyBased (static routing) and RouteBased (dynamic routing VPN) | BGP |
| Connection resiliency | active-passive | active-passive or active-active | active-active |
| Typical use case | Prototyping, dev / test / lab scenarios for cloud services and virtual machines | Dev / test / lab scenarios and small scale production workloads for cloud services and virtual machines | Access to all Azure services (validated list), Enterprise-class and mission critical workloads, Backup, Big Data, Azure as a DR site |
| SLA | SLA | SLA | SLA |
| Pricing | Pricing | Pricing | Pricing |
| Technical Documentation | VPN Gateway Documentation | VPN Gateway Documentation | ExpressRoute Documentation |
| FAQ | VPN Gateway FAQ | VPN Gateway FAQ | ExpressRoute FAQ |

Settings

The settings that you choose for each resource are critical to creating a successful connection. For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings. The article contains information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you may want to consider.

Deployment tools

You can start out creating and configuring resources using one configuration tool, such as the Azure portal. You can later decide to switch to another tool, such as PowerShell, to configure additional resources, or modify existing resources when applicable. Currently, you can't configure every resource and resource setting in the Azure portal. The instructions in the articles for each connection topology specify when a specific configuration tool is needed.

Gateway SKUs

When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.

Gateway SKUs by tunnel, connection, and throughput

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel, a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact an S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.

To help our customers understand the relative performance of SKUs using different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation 1 VpnGw SKUs. As you can see, the best performance was obtained when we used the GCMAES256 algorithm for both IPsec Encryption and Integrity. We got average performance when using AES256 for IPsec Encryption and SHA256 for Integrity. When we used DES3 for IPsec Encryption and SHA256 for Integrity, we got the lowest performance.

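| Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 120 Mbps | 60,000 |
| Generation1 | VpnGw1AZ | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1AZ | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2AZ | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2AZ | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2AZ | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3AZ | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3AZ | DES3 & SHA256 | 120 Mbps | 60,000 |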
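
The following PowerShell is an added example, not part of the original article or Microsoft's own code. It reports which IPsec algorithms each connection in a resource group uses and, only when asked, moves DES3 connections to GCMAES256 for both encryption and integrity, the best-performing combination in the measurements above. The resource group name, the IKE settings and the SA lifetimes are assumptions.

```powershell
# Added example. Needs the Az.Network module and an authenticated session
# (Connect-AzAccount). 'example-rg' is a placeholder resource group name.
param(
    [string]$ResourceGroupName = 'example-rg',
    [switch]$Remediate   # off by default: report only
)

# Re-fetch each connection by name so the full object, including IpsecPolicies, is returned.
$connections = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName |
    ForEach-Object {
        Get-AzVirtualNetworkGatewayConnection -Name $_.Name -ResourceGroupName $ResourceGroupName
    }

$report = foreach ($conn in $connections) {
    $p = $conn.IpsecPolicies | Select-Object -First 1
    $finding = if (-not $p) {
        'No custom policy: default proposals apply'
    } elseif ($p.IpsecEncryption -eq 'DES3') {
        'DES3: lowest measured throughput'
    } elseif ($p.IpsecEncryption -eq 'GCMAES256' -and $p.IpsecIntegrity -eq 'GCMAES256') {
        'OK'
    } else {
        'Review: not the best-performing combination'
    }
    [pscustomobject]@{
        Connection      = $conn.Name
        Type            = $conn.ConnectionType
        IpsecEncryption = $p.IpsecEncryption
        IpsecIntegrity  = $p.IpsecIntegrity
        Finding         = $finding
    }
}
$report | Format-Table -AutoSize

if ($Remediate) {
    # The IKE (phase 1) values and SA lifetimes are illustrative assumptions; the
    # article measured only the IPsec algorithms. The peer VPN device or gateway must
    # be configured with matching parameters, or the tunnel will not re-establish.
    $policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
        -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup None `
        -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

    foreach ($row in $report | Where-Object IpsecEncryption -eq 'DES3') {
        $conn = $connections | Where-Object Name -eq $row.Connection
        Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $policy
    }
}
```

Run it without `-Remediate` first and agree the change window with the owner of the remote device, since the policy change interrupts the tunnel until both sides match.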

Availability Zones

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. For more information, see About zone-redundant virtual network gateways in Azure Availability Zones.

Pricing

You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page. For legacy gateway SKU pricing, see the ExpressRoute pricing page and scroll to the Virtual Network Gateways section.

Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. Cost of an active-active setup is the same as active-passive.

Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.

  • If you are sending traffic to your on-premises VPN device, it will be charged with the Internet egress data transfer rate.
  • If you are sending traffic between virtual networks in different regions, the pricing is based on the region.
  • If you are sending traffic only between virtual networks that are in the same region, there are no data costs. Traffic between VNets in the same region is free.

For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.

FAQ

For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.

What's new?

Subscribe to the RSS feed and view the latest VPN Gateway feature updates on the Azure Updates page.
