VPN Ipsec between Azure and On-Prem

Jérôme 21 Reputation points


I would like to connect our Azure infrastructure with our local sites via VPN Ipsec. On Azure, I use Palo Alto firewall.

What is the recommanded/best configuration : 1/ configure the Azure VPN Gateway to establish the VPN IPsec tunnel between Azure VPN Gateway and our firewall hosted on-prem ? 2/ Or create the VPN IPsec tunnel directly between the Palo Alto on Azure (on the Interface connected on the public zone) and our on-prem firewall ?

And regarding the cost, in both cases, we will pay the trafic in/out inside the tunnel? The only difference is if we use the Azure VPN Gateway (choice 1), we will also pay this appliance (~30€/month up 24h/24h)


Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,203 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
1,827 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. msrini-MSFT 8,901 Reputation points Microsoft Employee


    I would suggest you to go with the Azure VPN based solution as it come with high availability and Microsoft manages this gateway which includes the patching, upgrade, etc.

    From the cost perspective, traffic in and out is paid on both the cases. If you use appliance, then you will not require VPN gateway. Similarly, if you don't use the VPN, you will be using the PA appliance for which you will be paying the VM per hour cost.

    Karthik Srinivas

    0 comments No comments