Policy Based VPN Gateway Type is deprecated

Donapati Ravindra Kumar Reddy 0 Reputation points
2024-04-03T04:07:12.5833333+00:00

Hi,
https://learn.microsoft.com/en-us/training/modules/design-implement-hybrid-networking/2-design-implement-vpn-gateway

As I was going through this module, I can see that the policy-based type is still discussed, and even the screenshots are old, showing the selection of an option between policy-based and route-based.

When I try to practice by creating the VPN Gateway, I could not see the option to select it, and from the documentation I learn that it is deprecated and by default it is route-based only.

Can you please update the module and the exam questions related to this in AZ-700?

Azure | Azure Training

2 answers

  1. anand 235 Reputation points
    2024-04-03T04:46:43.85+00:00

    Hello @Donapati Ravindra Kumar Reddy ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you are trying to set up an Azure VPN Gateway to connect to another company's network located in AWS using a Check Point VPN manager. The remote connection is policy-based; however, Azure has removed policy-based VPN from the GUI setup and indicates that you can create a route-based gateway that will make a policy-based connection using traffic selectors, but you are not sure how to specify the traffic selectors.

    So, there are 2 points to this question which I'm answering below:

    Azure has removed policy-based VPN from the GUI setup:

    We're taking action to ensure the continued operation of deployed VPN gateways that utilize Basic SKU public IP addresses. If you already have VPN gateways with Basic SKU public IP addresses, there is no need for you to take any action.

    However, it's important to note that Basic SKU public IP addresses are being phased out. We highly recommend using Standard SKU public IP addresses when creating new VPN gateways. Further details on the retirement of Basic SKU public IP addresses can be found here.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#how-does-the-retirement-of-the-public-ip-address-basic-sku-affect-my-vpn-gateways

    Even though the Basic SKU VPN gateway isn't available in the portal, you can still create Basic SKU VPN gateway using Azure CLI or PowerShell.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#vpn-basic

    To create Basic SKU VPN gateway using Azure PowerShell, you can refer the below articles:

    https://github.com/MicrosoftDocs/azure-docs/issues/114852

    https://learn.microsoft.com/en-us/answers/questions/1382332/azure-create-vpn-gw-not-found-the-basic-option-on

    How to create a route-based gateway that will make a policy-based connection using traffic selectors?

    To make a policy-based VPN connection using a route-based VPN gateway, configure the route-based VPN gateway to use prefix-based traffic selectors with the option "PolicyBasedTrafficSelectors".

    Traffic selectors can be defined via the trafficSelectorPolicies attribute on a connection via the New-AzIpsecTrafficSelectorPolicy PowerShell command. For the specified traffic selector to take effect, ensure the Use Policy Based Traffic Selectors option is enabled.

    The custom configured traffic selectors will be proposed only when an Azure VPN gateway initiates the connection. A VPN gateway accepts any traffic selectors proposed by a remote gateway (on-premises VPN device). This behavior is consistent between all connection modes (Default, InitiatorOnly, and ResponderOnly).

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-specify-my-own-policy-based-traffic-selectors

    https://learn.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps#azure-support-for-policy-based-vpn

    The workflow to enable this connectivity:

    • Create the virtual network, VPN gateway, and local network gateway for your cross-premises connection.
    • Create an IPsec/IKE policy.
    • Apply the policy when you create a S2S connection and enable the policy-based traffic selectors on the connection.

    To create Route-based VPN gateway: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-create-gateway-portal

    If you want to enable Azure VPN gateway to connect to policy-based on-premises VPN devices, you can select Enable for the Use policy-based traffic selectors option.

    'UsePolicyBasedTrafficSelectors' is an optional parameter on the connection. If you set UsePolicyBasedTrafficSelectors to $True on a connection, it will configure the Azure VPN gateway to connect to a policy-based VPN firewall on-premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any.

    For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:

    10.1.0.0/16 <====> 192.168.0.0/16

    10.1.0.0/16 <====> 172.16.0.0/16

    10.2.0.0/16 <====> 192.168.0.0/16

    10.2.0.0/16 <====> 172.16.0.0/16

    To create an IPsec/IKE policy and apply it: https://learn.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto#step-3-configure-a-custom-ipsecike-policy-on-the-s2s-vpn-connection

    To define traffic selectors on an Azure S2S VPN connection, you can use the New-AzIpsecTrafficSelectorPolicy PowerShell command as below:

    PowerShell:

    $trafficSelectorPolicy

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/new-azipsectrafficselectorpolicy?view=azps-10.4.1

    NOTE: For the specified traffic selector to take effect, ensure the Use Policy Based Traffic Selectors option is enabled.

    Checkpoint VPN device doc: https://support.checkpoint.com/results/sk/sk101275

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "upvote" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
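The workflow in this answer carried end to end in Azure PowerShell, as an added example that is not part of the original answer or of Microsoft's documentation: a custom IPsec/IKE policy, prefix-based traffic selectors covering the four prefix pairs listed above, the S2S connection created with UsePolicyBasedTrafficSelectors enabled, and a read-back check of what the connection actually stores. The resource names (rg-hybrid, vpngw-hub, lng-aws-checkpoint, cn-aws-checkpoint), the AZ_VPN_PSK environment variable, the DH/PFS groups and the SA lifetimes are assumptions for the example; the prefixes and the cmdlets come from the answer.

```powershell
# Added example, not from the original answer. Requires the Az.Network module and an
# authenticated session (Connect-AzAccount). All resource names below are assumptions.
$rg      = 'rg-hybrid'            # assumed resource group
$gwName  = 'vpngw-hub'            # assumed VPN gateway, must be RouteBased
$lngName = 'lng-aws-checkpoint'   # assumed local network gateway for the on-prem device
$cnName  = 'cn-aws-checkpoint'    # assumed connection name

$gw  = Get-AzVirtualNetworkGateway -Name $gwName  -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name $lngName -ResourceGroupName $rg

# Policy-based traffic selectors only work on a route-based gateway; fail early otherwise.
if ($gw.VpnType -ne 'RouteBased') {
    throw "Gateway $gwName has VpnType '$($gw.VpnType)'; a RouteBased gateway is required."
}

# Pre-shared key taken from the environment so it is not stored in the script (assumed variable).
$sharedKey = $env:AZ_VPN_PSK
if ([string]::IsNullOrEmpty($sharedKey)) { throw 'Set AZ_VPN_PSK to the pre-shared key first.' }

# Custom IPsec/IKE policy. DH group, PFS group and lifetimes are assumptions for the example.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA384 `
    -DhGroup             DHGroup14 `
    -IpsecEncryption     GCMAES256 `
    -IpsecIntegrity      GCMAES256 `
    -PfsGroup            PFS2048 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

# Prefix-based traffic selectors. LocalAddressRange is the Azure VNet side,
# RemoteAddressRange is the on-premises side. Azure expands the two lists into
# every local/remote combination (2 x 2 = 4 pairs here), which is exactly what the
# on-premises device must mirror instead of any-to-any.
$vnetPrefixes   = @('192.168.0.0/16', '172.16.0.0/16')
$onPremPrefixes = @('10.1.0.0/16',    '10.2.0.0/16')
$tsPolicy = New-AzIpsecTrafficSelectorPolicy `
    -LocalAddressRange  $vnetPrefixes `
    -RemoteAddressRange $onPremPrefixes

# Create the S2S connection with the policy applied and policy-based selectors enabled.
$null = New-AzVirtualNetworkGatewayConnection `
    -Name $cnName -ResourceGroupName $rg -Location $gw.Location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $sharedKey `
    -IpsecPolicies $ipsecPolicy `
    -UsePolicyBasedTrafficSelectors $true `
    -TrafficSelectorPolicy $tsPolicy

# Read the connection back: confirm the flag is set and list the selector pairs
# that the Check Point side must define one for one.
$check = Get-AzVirtualNetworkGatewayConnection -Name $cnName -ResourceGroupName $rg
"UsePolicyBasedTrafficSelectors: $($check.UsePolicyBasedTrafficSelectors)"
foreach ($p in $check.TrafficSelectorPolicies) {
    foreach ($local in $p.LocalAddressRanges) {
        foreach ($remote in $p.RemoteAddressRanges) {
            "Azure $local <====> on-prem $remote"
        }
    }
}
```

For a connection that already exists, the same three settings are applied with Set-AzVirtualNetworkGatewayConnection (-VirtualNetworkGatewayConnection, -IpsecPolicies, -UsePolicyBasedTrafficSelectors, -TrafficSelectorPolicy). Keep in mind the caveat stated in the answer: Azure proposes these selectors only when it initiates the tunnel, and accepts whatever selectors the remote device proposes, so if the on-premises side brings the tunnel up with a wider any-to-any selector that is what the SA will carry.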

  2. anand 235 Reputation points
    2024-04-03T05:15:06.5066667+00:00

    Hello @Donapati Ravindra Kumar Reddy ,

    the Azure VPN Gateway prices are listed here: https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/

    The supported IKE/IPsec settings you will find here: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#part-2---supported-cryptographic-algorithms--key-strengths

    • IKE version 2 -> yes
    • IKE encryption AES256 -> yes
    • IKE integrity SHA384 -> yes
    • IPsec encryption GCMAES256 -> yes
    • IPsec integrity GCMAES256 -> yes
    • PFS group Enabled -> yes. Available options are: PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
    • DH group 20 -> No. Available options are: DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2, DHGroup1, None


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

