Setting up a site-to-site VPN in Azure is the easiest way to connect your on-premises network to your Azure virtual network. This allows for secure communication between your networks over the internet.
Introduction to Azure VPN Gateway
Azure VPN Gateway is a service that enables encrypted network data transfer between your on-premises network and your Azure virtual network. It supports two types of gateways:
- VPN: For site-to-site, point-to-site, and VNet-to-VNet connections that travel encrypted over the internet.
- ExpressRoute: For dedicated private fibre connections that travel over the private Microsoft backbone rather than the internet.
VPN Gateway SKUs
Azure offers various SKUs for VPN gateways, which determine the performance and features available. As of the latest update:
- Basic, Standard, and High-Performance SKUs are being retired.
- VPNGW1, VPNGW2, VPNGW3 are the new SKUs, with AZ variants for zone-redundant gateways.
- Soon only the AZ variants will be available and all existing gateways will be updated to their AZ counterparts.
Cost Considerations
The cost of a VPN gateway depends on the SKU, region, and amount of data transferred. For example, a VPNGW1AZ SKU in the UK South region with one site-to-site tunnel and 1 TB of outbound data costs around £224/month.
Types of VPN Tunnels
Azure supports different types of VPN tunnels:
- Point-to-Site (P2S): For individual client devices, such as laptops or PCs, to connect to the Azure network.
- Site-to-Site (S2S): For connecting entire networks, such as branch offices or data centres, to Azure.
- VNet-to-VNet: For connecting virtual networks within Azure.
Azure VPN Resources
Virtual Network (VNet)
A Virtual Network is the fundamental building block for your private network in Azure. It enables many types of Azure resources, such as Azure Virtual Machines (VMs), to securely communicate with each other, the internet, and on-premises networks.
Gateway Subnet
The Gateway Subnet contains the IP addresses that the virtual network gateway services use. You need to create a gateway subnet in your VNet in which the VPN gateway will be created. The subnet must be named ‘GatewaySubnet’ to work properly.
VPN Gateway
A VPN Gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.
Local Network Gateway
The Local Network Gateway acts as a representation of your local VPN device within Azure. When creating a local network gateway, you specify the public IP address of the on-premises VPN device and the on-premises address space prefixes that will be routed through the VPN gateway.
Public IP Address
A Public IP Address resource is used by the VPN gateway to communicate with the on-premises VPN device. When you create a VPN gateway, you also specify the public IP address configuration; an active-active gateway, for example, requires two public IP addresses.
Connection
A Connection resource is used to establish a link between your VPN gateway and the local network gateway. This resource includes the connection type (IPsec), shared key, and IPsec/IKE policies.
Setting Up a Site-to-Site (S2S) VPN
To set up a site-to-site VPN, you need to create and configure several Azure resources:
1. Create a Virtual Network
Define the address space and subnets for your Azure virtual network, creating a subnet called GatewaySubnet to host the VPN Gateway.
2. Create a VPN Gateway
Deploy a VPN gateway in the virtual network. This must be deployed to the GatewaySubnet. Here you will also create the public IP address (or addresses, for active-active) of your gateway.
3. Create a Local Network Gateway
This represents your on-premises network in Azure. You’ll need to specify the public IP address of your on-premises VPN device and the address space of your on-premises network.
4. Create a VPN Connection
Establish a connection between the Azure VPN gateway and the local network gateway. This involves specifying the connection type (IPsec), shared key, and IPsec/IKE policies. Ensure that the IPsec/IKE policies you set here match those configured on your local VPN device; otherwise the connection will fail to establish.
5. Configure Your On-Premises VPN Device
Set up your on-premises VPN device with the corresponding settings to establish the VPN tunnel. This includes the Azure VPN gateway’s public IP address, the shared key, and the IPsec/IKE policies. You can also download the configuration file from the Connection resource in Azure to help you with this setup.
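The Azure side of steps 1 to 4, as an added Az PowerShell example that is not part of the original post. The resource names, address ranges and peer IP are constructed placeholders, and a Key Vault secret holding the pre-shared key is assumed to exist so the key is never written into the script; the final line is the check for step 5 once the on-premises device is configured.

```powershell
# Added example: S2S VPN resources with Az PowerShell (Az.Network, Az.KeyVault).
# All names, prefixes and the peer IP below are constructed placeholders.
$rg  = 'rg-s2s-demo'
$loc = 'uksouth'
# Pre-shared key is read from an assumed existing Key Vault, not hard-coded.
$psk = Get-AzKeyVaultSecret -VaultName 'kv-demo' -Name 'vpn-psk-hq' -AsPlainText

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Step 1: VNet with a workload subnet and the mandatory 'GatewaySubnet'.
$wl   = New-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -AddressPrefix '10.10.1.0/24'
$gws  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet'  -AddressPrefix '10.10.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg -Location $loc `
          -AddressPrefix '10.10.0.0/16' -Subnet $wl, $gws

# Step 2: zone-redundant Standard public IP and a VpnGw1AZ gateway in the GatewaySubnet.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc `
         -AllocationMethod Static -Sku Standard -Zone 1, 2, 3
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf   = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
              -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-demo' -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ

# Step 3: local network gateway = the on-premises device (its public IP and the prefixes it routes).
$lng = New-AzLocalNetworkGateway -Name 'lng-hq' -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.0.0/16'   # placeholder values

# Step 4: an explicit IPsec/IKE policy. The on-premises device must be set to exactly these
# values (cipher, integrity, DH/PFS groups, SA lifetimes) or the connection will not come up.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
            -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
            -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000
New-AzVirtualNetworkGatewayConnection -Name 'cn-hq' -ResourceGroupName $rg -Location $loc `
  -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
  -SharedKey $psk -IpsecPolicies $policy -UsePolicyBasedTrafficSelectors $false | Out-Null

# Step 5 is done on the device; afterwards confirm the tunnel from Azure (expect 'Connected').
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-hq' -ResourceGroupName $rg).ConnectionStatus
```

Gateway creation typically takes 30 to 45 minutes, so the final status check only makes sense after the on-premises device has also been configured.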
Redundancy and High Availability
Redundancy and high availability are critical considerations when designing and deploying VPN solutions in Azure. They ensure that your network connectivity remains resilient and available, even in the face of failures or maintenance events. Here’s a detailed look at how Azure supports redundancy and high availability for VPNs:
Active-Passive VPN Gateways
In an active-passive configuration, the VPN gateway has a single active instance and a standby instance. The standby instance takes over if the active instance fails. This provides redundancy but does not offer load balancing.
Active-Active VPN Gateways
Azure VPN gateways can be configured in an active-active mode, which provides redundancy and load balancing. In this configuration, the VPN gateway has two active instances, each with its own public IP address. Traffic is distributed across both instances, and if one instance fails, the other can continue to handle the traffic.
Zone-Redundant Gateways
Azure offers zone-redundant VPN gateways, which leverage Azure Availability Zones to protect against zone-level failures. A zone-redundant gateway spreads its instances across multiple availability zones, ensuring that the gateway remains available even if one zone goes down.
Geo-Redundant Gateways
For even higher levels of availability, you can deploy geo-redundant VPN gateways. This involves creating VPN gateways in multiple Azure regions and configuring your on-premises VPN device to fail over to a secondary region if the primary region becomes unavailable.
Connection Resiliency
Azure VPN gateways support connection resiliency features such as rekeying and dead peer detection. Rekeying ensures that the keys used to encrypt the VPN tunnel are periodically refreshed, while dead peer detection monitors the health of the VPN tunnel and triggers a reconnection if the tunnel goes down.
Monitoring
Azure provides various tools for monitoring and troubleshooting VPN connections; the most useful of these is alerting. Some examples of VPN alerts in Azure are:
VPN Gateway Alerts
- VPN Gateway Status: Alert when the VPN gateway is unavailable or has a status other than ‘Succeeded’.
- VPN Gateway Throughput: Alert when the throughput of the VPN gateway exceeds a certain threshold, indicating high traffic.
- VPN Gateway P2S Connection Count: Alert when the number of Point-to-Site connections exceeds a certain limit.
Connection Alerts
- Connection Status: Alert when the connection status changes, for example, from ‘Connected’ to ‘Disconnected’.
- Tunnel Failure: Alert when a tunnel fails to establish or is disconnected.
- Data Ingress/Egress: Alert when the amount of data transferred in or out of the VPN connection exceeds a certain threshold.
Diagnostic Log Alerts
- Gateway Diagnostic Logs: Alert on specific events in the gateway diagnostic logs, such as errors or warnings.
- IKEv2 Security Association Changes: Alert when there are changes in the IKEv2 security associations, which could indicate rekeying or other security events.
- IPsec Security Association Changes: Alert when there are changes in the IPsec security associations.
Metrics Alerts
- Tunnel Bandwidth: Alert when the bandwidth usage of a tunnel exceeds a certain threshold.
- Tunnel Packet Drop Rate: Alert when the packet drop rate of a tunnel exceeds a certain threshold.
- Tunnel Latency: Alert when the latency of a tunnel exceeds a certain threshold.
Resource Health Alerts
- Resource Health: Alert when the resource health of the VPN gateway is ‘Unhealthy’ or ‘Degraded’.
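Two of the metric alerts listed above (tunnel bandwidth and tunnel packet drops), as an added Az PowerShell example that is not part of the original post. The gateway, connection and action group names and the thresholds are constructed placeholders; the action group is assumed to already exist.

```powershell
# Added example: metric alert rules on a VPN gateway (Az.Monitor). Names are placeholders.
$rg = 'rg-s2s-demo'
$gw = Get-AzVirtualNetworkGateway -Name 'vpngw-demo' -ResourceGroupName $rg
$ag = Get-AzActionGroup -ResourceGroupName $rg -Name 'ag-netops'   # assumed to exist

# Scope both rules to one tunnel via the ConnectionName dimension.
$dim = New-AzMetricAlertRuleV2DimensionSelection -DimensionName 'ConnectionName' -ValuesToInclude 'cn-hq'

# Rule 1: sustained tunnel bandwidth above a threshold (metric is in bytes per second).
$bw = New-AzMetricAlertRuleV2Criteria -MetricName 'TunnelAverageBandwidth' -DimensionSelection $dim `
        -TimeAggregation Average -Operator GreaterThan -Threshold 80MB
Add-AzMetricAlertRuleV2 -Name 'alert-cn-hq-bandwidth' -ResourceGroupName $rg `
  -TargetResourceId $gw.Id -Condition $bw -ActionGroupId $ag.Id `
  -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 3 `
  -Description 'Tunnel cn-hq averaged more than 80 MB/s over 5 minutes'

# Rule 2: any egress packets dropped for traffic-selector mismatch, which usually means the
# on-premises address prefixes or IPsec policy do not match what Azure was given.
$ts = New-AzMetricAlertRuleV2Criteria -MetricName 'TunnelEgressPacketDropTSMismatch' -DimensionSelection $dim `
        -TimeAggregation Total -Operator GreaterThan -Threshold 0
Add-AzMetricAlertRuleV2 -Name 'alert-cn-hq-ts-mismatch' -ResourceGroupName $rg `
  -TargetResourceId $gw.Id -Condition $ts -ActionGroupId $ag.Id `
  -WindowSize 00:05:00 -Frequency 00:05:00 -Severity 2 `
  -Description 'Tunnel cn-hq is dropping packets due to traffic selector mismatch'
```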
Conclusion
Setting up a site-to-site VPN in Azure involves creating and configuring several resources, both in Azure and on-premises. It’s important to choose the right SKU, configure the IPsec/IKE policies correctly, and ensure that your on-premises VPN device is compatible with Azure’s settings. With the right configuration, you can establish a secure and reliable connection between your networks.
This guide provides a high-level overview of the process. For detailed step-by-step instructions, you can refer to the Azure documentation and the deep dive video, which walks through the theory and practical setup of Azure VPNs.
Check out our video on our YouTube channel. Don’t forget to subscribe to see our latest videos and keep updated with us and Azure.
Stay connected with LA NET