Static vs Dynamic Routing Gateways in Azure
I was recently designing an Azure Hybrid Cloud implementation and was asked some questions regarding Azure routing that I had to research. The questions were something like…
“Why can my Cisco ASA only establish a Static Routing VPN connection to Azure?”
“My Cisco ASA can route dynamically so why can we only create a static routing VPN?”
Using a Static-Routing gateway, when establishing a VPN connection, is limiting so the question is certainly valid. With Static Gateways you can’t use Point-to-Site (P2S) VPN, only 1 Site-to-Site (S2S) VPN connection is supported, and vNet to vNet isn’t supported.
At the time the verbiage around the differences between a static-routing and dynamic-routing VPN connections in Azure wasn’t that clear, but this has been improved:
When you create a site-to-site VPN, you’ll specify either a static, or dynamic gateway. Select the gateway type that is supported by your router and for the type of IPSec parameters and configuration that you require. The tables below show the supported configurations for both static and dynamic VPNs. If you plan to use a site-to-site configuration concurrently with a point-to-site configuration, you’ll need to configure a dynamic routing VPN gateway.
- Static routing VPNs – Static routing VPNs are also referred to as policy-based VPNs. Policy-based VPNs encrypt and route packets through an interface based on a customer-defined policy. The policy is usually defined as an access list. Static routing VPNs require a static routing VPN gateway.
Note - Multi-Site VPN, VNet to VNet, and Point-to-Site are not supported with static routing VPN gateways.
- Dynamic routing VPNs – Dynamic routing VPNs are also referred to as route-based VPNs. Route-based VPNs depend on a tunnel interface specifically created for forwarding packets. Any packet arriving on the tunnel interface will be forwarded through the VPN connection. Dynamic routing VPNs require a dynamic routing VPN gateway.
Note - A dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
So really the naming is what was confusing, I think this makes it easier to understand:
Static Routing VPN = Policy Based VPN
Dynamic Routing VPN = Route Based VPN
I’m not a networking guru so I looked up the differences between policy and route based VPNs online and found a great series that explains it in detail on PacketLife.net:
Policy-Based vs Route-Based VPNs: Part 1
Policy-Based vs Route-Based VPNs: Part 2
To summarize: To use Multi-Site VPN, vNet to vNet, or Point-to-Site VPN connections with an on premise network and Azure make sure your VPN device supports Route Based VPNs.