What is Azure VPN Gateway?

Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Multiple connections can be created to the same VPN gateway. When you create multiple connections, all VPN tunnels share the available gateway bandwidth.

About VPN gateways

A VPN gateway is a type of virtual network gateway. A virtual network gateway is composed of two or more Azure-managed VMs that are automatically configured and deployed to a specific subnet you create called the GatewaySubnet. The gateway VMs contain routing tables and run specific gateway services.

One of the settings that you specify when creating a virtual network gateway is the "gateway type". The gateway type determines how the virtual network gateway will be used and the actions that the gateway takes. A virtual network can have two virtual network gateways: one VPN gateway and one ExpressRoute gateway. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a VPN gateway. This distinguishes it from an ExpressRoute gateway, which uses a different gateway type. For more information, see Gateway types.

When you create a VPN gateway, gateway VMs are deployed to the gateway subnet and configured with the settings that you specified. This process can take 45 minutes or more to complete, depending on the gateway SKU that you selected. After you create a VPN gateway, you can configure connections. For example, you can create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site). You can also create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2, or SSTP), which lets you connect to your virtual network from a remote location, such as from a conference or from home.

Configuring VPN Gateway

A VPN gateway connection relies on multiple resources that are configured with specific settings. Most of the resources can be configured separately, although some resources must be configured in a certain order.

Connectivity

Because you can create multiple connection configurations using VPN Gateway, you need to determine which configuration best fits your needs. Point-to-Site, Site-to-Site, and coexisting ExpressRoute/Site-to-Site connections all have different instructions and configuration requirements. For connection diagrams and corresponding links to configuration steps, see VPN Gateway design.

Planning table

The following table can help you decide the best connectivity option for your solution. Note that ExpressRoute isn't a part of VPN Gateway, but is included in the table.

| | Point-to-Site | Site-to-Site | ExpressRoute |
|---|---|---|---|
| Azure Supported Services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines | Services list |
| Typical Bandwidths | Based on the gateway SKU | Typically < 10 Gbps aggregate | 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, 100 Gbps |
| Protocols Supported | Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec | IPsec | Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS, ...) |
| Routing | RouteBased (dynamic) | We support PolicyBased (static routing) and RouteBased (dynamic routing VPN) | BGP |
| Connection resiliency | active-passive | active-passive or active-active | active-active |
| Typical use case | Secure access to Azure virtual networks for remote users | Dev / test / lab scenarios and small to medium scale production workloads for cloud services and virtual machines | Access to all Azure services (validated list), Enterprise-class and mission critical workloads, Backup, Big Data, Azure as a DR site |
| SLA | SLA | SLA | SLA |
| Pricing | Pricing | Pricing | Pricing |
| Technical Documentation | VPN Gateway | VPN Gateway | ExpressRoute |
| FAQ | VPN Gateway FAQ | VPN Gateway FAQ | ExpressRoute FAQ |

Settings

The settings that you choose for each resource are critical to creating a successful connection. For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings. The article contains information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you may want to consider.

Deployment tools

You can start out creating and configuring resources using one configuration tool, such as the Azure portal. You can later decide to switch to another tool, such as PowerShell, to configure additional resources, or modify existing resources when applicable. Currently, you can't configure every resource and resource setting in the Azure portal. The instructions in the articles for each connection topology specify when a specific configuration tool is needed.

Gateway SKUs

When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.

Gateway SKUs by tunnel, connection, and throughput

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 100 S2S VPN tunnels.

  • Resizing of VpnGw SKUs is allowed within the same generation, except for the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. To move from Basic to another SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination (see Working with Legacy SKUs).

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • A large number of P2S connections can negatively impact your S2S connections. The Aggregate Throughput Benchmarks were tested by maximizing a combination of S2S and P2S connections. A single P2S or S2S connection can have a much lower throughput.

  • Benchmarks aren't guaranteed, because of Internet traffic conditions and the behavior of your applications.

To help our customers understand the relative performance of SKUs using different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance for site-to-site connections. The table below lists the results of performance tests for VpnGw SKUs. The best performance was obtained with the GCMAES256 algorithm for both IPsec encryption and integrity. Performance was average with AES256 for IPsec encryption and SHA256 for integrity, and lowest with DES3 for IPsec encryption and SHA256 for integrity.

A VPN tunnel connects to a VPN gateway instance. The throughput of each instance is listed in the throughput table above and is shared (aggregated) across all tunnels connecting to that instance.

The table below shows the observed bandwidth and packets per second throughput per tunnel for the different gateway SKUs. All testing was performed between gateways (endpoints) within Azure across different regions with 100 connections and under standard load conditions.

| Generation | SKU | Algorithms used | Throughput observed per tunnel | Packets per second per tunnel observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 62,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 47,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 130 Mbps | 12,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1.2 Gbps | 100,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 650 Mbps | 61,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 120,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation1 | VpnGw1AZ | GCMAES256 | 650 Mbps | 62,000 |
| Generation1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps | 47,000 |
| Generation1 | VpnGw1AZ | DES3 & SHA256 | 130 Mbps | 12,000 |
| Generation1 | VpnGw2AZ | GCMAES256 | 1.2 Gbps | 110,000 |
| Generation1 | VpnGw2AZ | AES256 & SHA256 | 650 Mbps | 61,000 |
| Generation1 | VpnGw2AZ | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation1 | VpnGw3AZ | GCMAES256 | 1.25 Gbps | 120,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation1 | VpnGw3AZ | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation2 | VpnGw2 | GCMAES256 | 1.25 Gbps | 120,000 |
| Generation2 | VpnGw2 | AES256 & SHA256 | 550 Mbps | 52,000 |
| Generation2 | VpnGw2 | DES3 & SHA256 | 130 Mbps | 12,000 |
| Generation2 | VpnGw3 | GCMAES256 | 1.5 Gbps | 140,000 |
| Generation2 | VpnGw3 | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation2 | VpnGw3 | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation2 | VpnGw4 | GCMAES256 | 2.3 Gbps | 220,000 |
| Generation2 | VpnGw4 | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation2 | VpnGw4 | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation2 | VpnGw5 | GCMAES256 | 2.3 Gbps | 220,000 |
| Generation2 | VpnGw5 | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation2 | VpnGw5 | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation2 | VpnGw2AZ | GCMAES256 | 1.25 Gbps | 120,000 |
| Generation2 | VpnGw2AZ | AES256 & SHA256 | 550 Mbps | 52,000 |
| Generation2 | VpnGw2AZ | DES3 & SHA256 | 130 Mbps | 12,000 |
| Generation2 | VpnGw3AZ | GCMAES256 | 1.5 Gbps | 140,000 |
| Generation2 | VpnGw3AZ | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation2 | VpnGw3AZ | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation2 | VpnGw4AZ | GCMAES256 | 2.3 Gbps | 220,000 |
| Generation2 | VpnGw4AZ | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation2 | VpnGw4AZ | DES3 & SHA256 | 140 Mbps | 13,000 |
| Generation2 | VpnGw5AZ | GCMAES256 | 2.3 Gbps | 220,000 |
| Generation2 | VpnGw5AZ | AES256 & SHA256 | 700 Mbps | 66,000 |
| Generation2 | VpnGw5AZ | DES3 & SHA256 | 140 Mbps | 13,000 |
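
The algorithm choice above is set per connection through a custom IPsec/IKE policy. The following Azure PowerShell script is an added example, not part of the Azure documentation: it first reports which Site-to-Site connections in a resource group still run on the default policy or on the weaker DES3/DES/MD5/SHA1 algorithms, then applies a GCMAES256 policy to one connection. The resource group and connection names are assumptions, and the script requires the Az.Network module and an active Connect-AzAccount session.

```powershell
# Added example (not from the Azure docs). Assumed names:
$rg   = 'rg-hub-network'   # assumed resource group
$name = 'cn-onprem-s2s'    # assumed Site-to-Site connection name

# 1. Audit: show the effective IPsec/IKE policy of each connection in the group
#    and flag algorithms the performance table above shows as slowest
#    (DES3) together with the other legacy options Azure still accepts.
$weak = 'DES', 'DES3', 'MD5', 'SHA1'
foreach ($c in Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg) {
    if (-not $c.IpsecPolicies -or $c.IpsecPolicies.Count -eq 0) {
        Write-Output "$($c.Name): Azure default policy (no custom IPsec/IKE policy set)"
        continue
    }
    foreach ($p in $c.IpsecPolicies) {
        $algs = @($p.IkeEncryption, $p.IkeIntegrity, $p.IpsecEncryption, $p.IpsecIntegrity)
        $flag = $algs | Where-Object { $weak -contains $_ }
        $state = if ($flag) { "WEAK ($($flag -join ','))" } else { 'ok' }
        Write-Output ("{0}: IKE {1}/{2} DH {3}; IPsec {4}/{5} PFS {6} -> {7}" -f `
            $c.Name, $p.IkeEncryption, $p.IkeIntegrity, $p.DhGroup,
            $p.IpsecEncryption, $p.IpsecIntegrity, $p.PfsGroup, $state)
    }
}

# 2. Harden one connection: GCMAES256 for both IPsec encryption and integrity
#    (the best-performing combination in the table; Azure requires the same
#    GCMAES algorithm for both). IKE phase 1 uses AES256/SHA256 with DH group 14,
#    PFS2048 for phase 2, and the Azure default SA lifetimes.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$conn = Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $policy
```

The on-premises VPN device must be configured with the same proposal, or IKE negotiation fails and the tunnel stays down after the policy is applied.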

Availability Zones

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. See About zone-redundant virtual network gateways in Azure Availability Zones.

Pricing

You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page. For legacy gateway SKU pricing, see the ExpressRoute pricing page and scroll to the Virtual Network Gateways section.

Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. Cost of an active-active setup is the same as active-passive.

Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.

  • If you're sending traffic to your on-premises VPN device, it is charged at the Internet egress data transfer rate.
  • If you're sending traffic between virtual networks in different regions, the pricing is based on the region.
  • If you're sending traffic only between virtual networks in the same region, there are no data transfer costs; traffic between VNets in the same region is free.

For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.

FAQ

For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.

What's new?

Subscribe to the RSS feed and view the latest VPN Gateway feature updates on the Azure Updates page.

Next steps