When you create a VPN gateway, you need to select the VPN type. This selection is based on the type of connection you want to establish. For example, point-to-site connectivity requires a route-based VPN type. For a site-to-site connection, the choice also depends on the VPN hardware you are using on-premises. Let's take a look at these VPN types and understand how they differ.
- Route-based VPN: As the name suggests, a route-based VPN relies on the routing table or IP forwarding rules you configure to direct packets to the respective tunnel interfaces. It is the responsibility of the tunnel interfaces to encrypt and decrypt the traffic that comes in and goes out of the tunnel. Route-based VPNs are configured with any-to-any traffic selectors.
- Policy-based VPN: Here also, as the name implies, packets are routed based on the IPsec policies you configure. The policies consist of address prefix combinations built from your on-premises and Azure virtual network address spaces. Unlike route-based VPNs, the traffic selector is defined using an access list. There are certain limitations when it comes to policy-based VPNs. As discussed, there are different pricing tiers of VPN gateway, and policy-based VPN is not supported in the Basic SKU of the VPN gateway. Second, you can have only one tunnel, and your connections are limited to site-to-site connections and certain configurations where you cannot control or modify the path the traffic flows through. For most scenarios, you should prefer route-based VPNs.
With that, you will move on to the SKUs that are available for VPN gateways.
SKU
VPN gateway tiers are classified based on the number of connections, throughput, and features. You need to choose a tier, or SKU, based on the number of connections you require and the throughput you desire. There is a maximum number of connections that can be established for both P2S and S2S connections. Table 4.1 shows the different SKUs available for the VPN gateway along with the maximum connections and throughput.
TABLE 4.1 VPN Gateway SKUs
| VPN Gateway Generation | SKU | S2S/Virtual Network to Virtual Network Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark |
|---|---|---|---|---|---|
| 1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps |
| 1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps |
| 1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps |
| 1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps |
| 1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps |
| 1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps |
| 1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps |
| 2 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps |
| 2 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps |
| 2 | VpnGw4 | Max. 30 | Max. 128 | Max. 5000 | 5 Gbps |
| 2 | VpnGw5 | Max. 30 | Max. 128 | Max. 10000 | 10 Gbps |
| 2 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps |
| 2 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps |
| 2 | VpnGw4AZ | Max. 30 | Max. 128 | Max. 5000 | 5 Gbps |
| 2 | VpnGw5AZ | Max. 30 | Max. 128 | Max. 10000 | 10 Gbps |
The data in this table is copied from here:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#benchmark
At the time of writing this book, these are the only SKUs available for VPN gateways. The SKUs with AZ in the name are availability zone gateway SKUs; they can be deployed to availability zones and improve the high availability of your VPN gateway. Speaking of high availability, a VPN gateway ships with built-in availability. Let's understand how high availability is achieved in VPN gateways.
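The following added example (not code from the book or from Microsoft) turns the two decisions covered above, VPN type and SKU, into a small selector. It transcribes Table 4.1 into data, applies the rules stated in the text (point-to-site needs a route-based gateway; a policy-based gateway gets a single site-to-site tunnel; Basic has no IKEv2/OpenVPN point-to-site), and picks the smallest SKU that satisfies a request, optionally restricted to the AZ SKUs. The `Requirements` shape and the helper names are this example's own; the gateway name, resource group, VNet and public IP passed to the `az` argument builder are placeholders, and the command is assembled but never executed.

```python
"""Choose an Azure VPN gateway type and SKU from a set of requirements.
Added example: SKU rows transcribed from Table 4.1, type rules from the text.
The Requirements class and helper names are this example's assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sku:
    generation: int
    name: str
    s2s_tunnels: int        # S2S / VNet-to-VNet tunnels
    p2s_sstp: int           # P2S SSTP connections
    p2s_ikev2_openvpn: int  # P2S IKEv2/OpenVPN connections; 0 = not supported
    throughput_mbps: int    # aggregate throughput benchmark (1 Gbps = 1000)
    zone_redundant: bool    # "AZ" SKUs deployable to availability zones


SKUS: List[Sku] = [  # Table 4.1 as printed in the text
    Sku(1, "Basic",    10, 128,     0,   100, False),
    Sku(1, "VpnGw1",   30, 128,   250,   650, False),
    Sku(1, "VpnGw2",   30, 128,   500,  1000, False),
    Sku(1, "VpnGw3",   30, 128,  1000,  1250, False),
    Sku(1, "VpnGw1AZ", 30, 128,   250,   650, True),
    Sku(1, "VpnGw2AZ", 30, 128,   500,  1000, True),
    Sku(1, "VpnGw3AZ", 30, 128,  1000,  1250, True),
    Sku(2, "VpnGw2",   30, 128,   500,  1250, False),
    Sku(2, "VpnGw3",   30, 128,  1000,  2500, False),
    Sku(2, "VpnGw4",   30, 128,  5000,  5000, False),
    Sku(2, "VpnGw5",   30, 128, 10000, 10000, False),
    Sku(2, "VpnGw2AZ", 30, 128,   500,  1250, True),
    Sku(2, "VpnGw3AZ", 30, 128,  1000,  2500, True),
    Sku(2, "VpnGw4AZ", 30, 128,  5000,  5000, True),
    Sku(2, "VpnGw5AZ", 30, 128, 10000, 10000, True),
]


@dataclass(frozen=True)
class Requirements:
    """Constructed input shape for this example, not an Azure API object."""
    vpn_type: str = "RouteBased"   # "RouteBased" or "PolicyBased"
    s2s_tunnels: int = 0
    p2s_clients: int = 0
    p2s_protocol: str = "IKEv2"    # "SSTP", "IKEv2" or "OpenVPN"
    throughput_mbps: int = 0
    zone_redundant: bool = False   # require an AZ SKU


def resolve_vpn_type(req: Requirements) -> str:
    """Type rules from the text: P2S needs route-based; policy-based is
    limited to a single site-to-site tunnel. Raises on an inconsistent request."""
    if req.vpn_type not in ("RouteBased", "PolicyBased"):
        raise ValueError(f"unknown VPN type {req.vpn_type!r}")
    if req.vpn_type == "PolicyBased":
        if req.p2s_clients > 0:
            raise ValueError("point-to-site requires a route-based VPN gateway")
        if req.s2s_tunnels > 1:
            raise ValueError("policy-based gateways support only one tunnel")
    return req.vpn_type


def select_sku(req: Requirements) -> Optional[Sku]:
    """Smallest SKU (by throughput, then P2S capacity, non-AZ before AZ,
    older generation first) meeting every requirement; None if none does."""
    resolve_vpn_type(req)
    if req.p2s_protocol not in ("SSTP", "IKEv2", "OpenVPN"):
        raise ValueError(f"unknown P2S protocol {req.p2s_protocol!r}")

    def fits(sku: Sku) -> bool:
        if req.zone_redundant and not sku.zone_redundant:
            return False
        if sku.s2s_tunnels < req.s2s_tunnels or sku.throughput_mbps < req.throughput_mbps:
            return False
        if req.p2s_clients > 0:
            cap = sku.p2s_sstp if req.p2s_protocol == "SSTP" else sku.p2s_ikev2_openvpn
            if cap < req.p2s_clients:  # cap == 0: protocol not supported on this SKU
                return False
        return True

    ranked = sorted(SKUS, key=lambda s: (s.throughput_mbps, s.p2s_ikev2_openvpn,
                                         s.zone_redundant, s.generation))
    return next((s for s in ranked if fits(s)), None)


def az_create_args(req: Requirements, sku: Sku, name: str, resource_group: str,
                   vnet: str, public_ip: str) -> List[str]:
    """Argument list for `az network vnet-gateway create`; the flags are the
    real CLI's, the resource names are caller-supplied placeholders."""
    return ["az", "network", "vnet-gateway", "create",
            "--name", name, "--resource-group", resource_group,
            "--vnet", vnet, "--public-ip-address", public_ip,
            "--gateway-type", "Vpn", "--vpn-type", resolve_vpn_type(req),
            "--sku", sku.name, "--generation", f"Generation{sku.generation}"]


if __name__ == "__main__":
    req = Requirements(s2s_tunnels=2, p2s_clients=300, throughput_mbps=500)
    sku = select_sku(req)
    print(sku)
    if sku:
        print(" ".join(az_create_args(req, sku, "vpngw-demo", "rg-demo",
                                      "vnet-demo", "pip-vpngw-demo")))
```

Run as a script, the sample request (two S2S tunnels, 300 IKEv2 point-to-site clients, 500 Mbps) resolves to a route-based Generation 1 VpnGw2, because VpnGw1 caps IKEv2/OpenVPN clients at 250 and Basic has no IKEv2/OpenVPN support at all. The ranking deliberately prefers the cheaper non-AZ and older-generation rows when throughput and client capacity tie; set `zone_redundant=True` to restrict the choice to the AZ SKUs discussed above.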