Azure VPN and Protocol Basics
This document explains the major protocols that form the basis of VPN (Virtual Private Network) technology and the specifications of Azure VPN Gateway, which is the VPN implementation in Azure.
1. VPN Protocol Basics
VPN is a technology that builds a virtual dedicated line over a public network (the Internet) so that traffic can be exchanged securely. It does this with a combination of tunneling protocols and encryption protocols.
IPSec (Internet Protocol Security)
IPSec is a protocol suite that performs encryption and authentication at the IP packet level. It is mainly used for Site-to-Site VPN, but can also be used for remote access.
- IKE (Internet Key Exchange): Key exchange protocol.
  - IKEv1: Older standard. Has Main Mode and Aggressive Mode.
  - IKEv2: Improved version of IKEv1. Faster connection establishment and better reconnection capabilities (MOBIKE). Standard for Azure Route-based VPN.
- ESP (Encapsulating Security Payload): Performs data encryption and authentication.
- AH (Authentication Header): Performs data authentication only (no encryption). Usually, ESP is used in VPNs.
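The IKE (key exchange) and ESP (data protection) halves described above map onto separate fields of a custom IPsec/IKE policy on an Azure Site-to-Site connection. The following Bicep is an added example, not from the original document; the gateway name, on-premises address range, parameter names and algorithm choices are assumptions for illustration.

```bicep
// Added example: S2S connection from an existing Route-based gateway to an on-premises
// device, with an explicit IKEv2/IPsec policy. All names and ranges are placeholders.
param location string = resourceGroup().location
param vpnGatewayName string = 'hub-vpngw'   // assumed: an existing Route-based VPN gateway
param onPremPublicIp string                 // placeholder: public IP of the on-premises VPN device
@secure()
param sharedKey string                      // pre-shared key, supplied at deploy time, not stored in the template

resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' existing = {
  name: vpnGatewayName
}

// Represents the on-premises side: its public endpoint and the prefixes reachable behind it.
resource onPrem 'Microsoft.Network/localNetworkGateways@2023-09-01' = {
  name: 'onprem-lng'
  location: location
  properties: {
    gatewayIpAddress: onPremPublicIp
    localNetworkAddressSpace: { addressPrefixes: [ '10.100.0.0/16' ] }  // assumed on-premises range
  }
}

resource s2s 'Microsoft.Network/connections@2023-09-01' = {
  name: 'hub-to-onprem'
  location: location
  properties: {
    connectionType: 'IPsec'
    connectionProtocol: 'IKEv2'       // Route-based gateways negotiate with IKEv2 rather than IKEv1 Main/Aggressive Mode
    virtualNetworkGateway1: { id: vpnGw.id }
    localNetworkGateway2: { id: onPrem.id }
    sharedKey: sharedKey
    ipsecPolicies: [
      {
        // IKE (phase 1): protects the key exchange itself
        ikeEncryption: 'AES256'
        ikeIntegrity: 'SHA384'
        dhGroup: 'ECP384'
        // ESP (phase 2 / child SA): encrypts and authenticates the data packets
        ipsecEncryption: 'GCMAES256'
        ipsecIntegrity: 'GCMAES256'   // with a GCM cipher, ipsecIntegrity must match ipsecEncryption
        pfsGroup: 'ECP384'            // fresh DH exchange on rekey so old SA keys cannot derive new ones
        saLifeTimeSeconds: 27000
        saDataSizeKilobytes: 102400000
      }
    ]
  }
}
```

The on-premises device must be configured with the same algorithm set, otherwise IKE negotiation fails before any ESP traffic flows.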
OpenVPN
OpenVPN is an open-source VPN software and protocol that uses the SSL/TLS protocol.
- Features:
  - Runs over SSL/TLS, so its traffic looks like HTTPS (port 443) to firewalls and passes through them easily.
  - Highly flexible and supported by many OSs (Windows, macOS, Linux, iOS, Android).
  - Supported in Azure for Point-to-Site (P2S) connections.
SSTP (Secure Socket Tunneling Protocol)
A VPN protocol developed by Microsoft.
- Features:
  - Uses SSL/TLS (TCP 443), so like OpenVPN it has high firewall transparency.
  - Works especially well in Windows environments.
  - Supported for Azure P2S connections.
2. Azure VPN Gateway Specifications
Azure VPN Gateway is a specific type of virtual network gateway used to send encrypted traffic between an Azure Virtual Network (VNet) and an on-premises location, or between VNets.
VPN Type: Route-based vs Policy-based
| Feature | Route-based | Policy-based |
|---|---|---|
| IKE Version | IKEv2 (Recommended) | IKEv1 |
| Traffic Selector | Any-to-Any (0.0.0.0/0) | Specific prefix pairs |
| Use Case | Most configurations (P2S, VNet-to-VNet, Multi-site) | Connection with legacy on-premises devices |
| Coexistence | Can coexist with ExpressRoute | Cannot coexist with ExpressRoute |
Recommendation: Unless there is a specific reason (such as limitations of old on-premises equipment), choose Route-based.
SKUs and Generations
Azure VPN Gateway has SKUs based on performance and features. There are also hardware generations: Generation 1 and Generation 2.
| SKU | Generation | Max Tunnels | Max Throughput (Approx) | BGP | Zone Redundant |
|---|---|---|---|---|---|
| Basic | Gen1 | 10 | 100 Mbps | Not Supported | Not Supported |
| VpnGw1 | Gen1 | 30 | 650 Mbps | Supported | Not Supported |
| VpnGw2 | Gen1 | 30 | 1 Gbps | Supported | Not Supported |
| VpnGw1AZ | Gen1 | 30 | 650 Mbps | Supported | Supported |
| VpnGw2 / VpnGw2AZ | Gen2 | 30 | 1.25 Gbps | Supported | Supported (AZ) |
| VpnGw3 / VpnGw3AZ | Gen2 | 30 | 2.5 Gbps | Supported | Supported (AZ) |
| VpnGw4 / VpnGw4AZ | Gen2 | 30 | 5 Gbps | Supported | Supported (AZ) |
| VpnGw5 / VpnGw5AZ | Gen2 | 30 | 10 Gbps | Supported | Supported (AZ) |
Note: The Basic SKU is a legacy SKU that does not support IKEv2, BGP, or Entra ID authentication. VpnGw1 or higher is recommended for production environments.
Active/Active vs Active/Standby Configuration
- Active/Standby (Default):
  - Has one public IP.
  - The standby instance waits in the background and takes over in case of failure. The switchover may interrupt connectivity for a few seconds to a few minutes.
- Active/Active:
  - Has two public IPs, and two instances run simultaneously.
  - By preparing two VPN devices (or dual WAN) on the on-premises side, higher availability can be achieved.
  - Throughput improvement can also be expected.
3. Point-to-Site (P2S) Connection
Provides a secure connection from an individual client computer to an Azure VNet. Suitable for telework and administrator access.
Supported Protocols
- OpenVPN Protocol:
  - The recommended option.
  - Supports Azure AD (Entra ID) authentication, certificate authentication, and RADIUS authentication.
- SSTP (Secure Socket Tunneling Protocol):
  - For Windows devices.
- IKEv2 VPN:
  - Standards-based IPSec VPN solution.
  - Can be used on macOS devices, among others.
Authentication Mechanisms
- Azure Active Directory (Entra ID) Authentication:
  - Available only with the OpenVPN protocol.
  - Users connect with their Azure AD credentials; MFA integration is possible.
  - Requires the Azure VPN Client app.
- Azure Certificate Authentication:
  - Upload the root certificate to Azure and install client certificates on each device.
- RADIUS Authentication:
  - Used when integrating with on-premises AD or third-party authentication servers.
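As an added example (not part of the original document), the following Bicep ties Section 2 and Section 3 together: a Route-based, Generation 2, zone-redundant, Active/Active gateway with two public IPs and BGP, plus a P2S configuration using the OpenVPN protocol with Entra ID authentication. The VNet name, client address pool, ASN and tenant/app IDs are placeholders.

```bicep
// Added example: Route-based, Gen2, zone-redundant, Active/Active VPN gateway that also
// serves P2S clients over OpenVPN with Entra ID. Names, ranges and IDs are placeholders.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'        // assumed: existing VNet that already has a 'GatewaySubnet'
param entraTenantId string                // placeholder: Entra ID tenant GUID
param azureVpnClientAppId string          // placeholder: application ID the Azure VPN Client authenticates to

// AZ SKUs need Standard, static public IPs pinned to zones; Active/Active needs two (one per instance).
resource pips 'Microsoft.Network/publicIPAddresses@2023-09-01' = [for i in range(0, 2): {
  name: 'vpngw-pip-${i + 1}'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1', '2', '3' ]
  properties: { publicIPAllocationMethod: 'Static' }
}]

resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' = {
  name: 'hub-vpngw'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'                        // IKEv2, any-to-any traffic selectors, can coexist with ExpressRoute
    vpnGatewayGeneration: 'Generation2'
    sku: { name: 'VpnGw2AZ', tier: 'VpnGw2AZ' }  // zone redundant; Basic would not support IKEv2, BGP or Entra ID
    activeActive: true                           // both instances forward traffic; pair with two on-premises devices
    enableBgp: true
    bgpSettings: { asn: 65515 }                  // assumed ASN
    ipConfigurations: [for i in range(0, 2): {
      name: 'gwipconfig${i + 1}'
      properties: {
        privateIPAllocationMethod: 'Dynamic'
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'GatewaySubnet') }
        publicIPAddress: { id: pips[i].id }
      }
    }]
    vpnClientConfiguration: {
      vpnClientAddressPool: { addressPrefixes: [ '172.16.201.0/24' ] }  // assumed pool; must not overlap VNet or on-premises ranges
      vpnClientProtocols: [ 'OpenVPN' ]                                 // Entra ID authentication is only available with OpenVPN
      vpnAuthenticationTypes: [ 'AAD' ]
      aadTenant: 'https://login.microsoftonline.com/${entraTenantId}/'
      aadAudience: azureVpnClientAppId
      aadIssuer: 'https://sts.windows.net/${entraTenantId}/'
    }
  }
}
```

Because the configuration is Active/Active, each on-premises device (or dual-WAN device) needs a tunnel to both public IPs, otherwise failover of one instance still drops the connection.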
Summary
- For Site-to-Site (S2S) connections, it is common to use IPSec (IKEv2) Route-based VPN.
- For Remote Access (P2S), the combination of OpenVPN protocol and Entra ID authentication is recommended for a good balance of security and usability.
- If availability is critical, consider Zone Redundant SKUs (AZ) and Active/Active configuration.