If you’re looking to set up a VPN on your Azure account, you’ll need to know which types of VPN are supported. In this blog post, we’ll go over the different VPN types that can be used with Azure.
Checkout this video:
VPN Gateway
You can create a VPN gateway to support both site-to-site and point-to-site VPNs. Site-to-site VPNs allow you to connect your on-premises network to your virtual network, so that your on-premises network can access resources in the virtual network. Point-to-site VPNs allow you to connect from your computer or device to your virtual network.
Point-to-Site
Point-to-Site (P2S) creates a secure connection to an Azure virtual network from an individual client computer. P2S is a VPN connection over SSTP (Secure Socket Tunneling Protocol). P2S connections do not require a VPN device or an on-premises public-facing IP address. You can use native Azure certificate authentication or Azure Active Directory authentication with Point-to-Site connections.
With Point-to-Site, you can connect to a VNet without the need for an on-premises public IP address, domain name, or a VPN device. You can also dynamically download the VPN client configuration package directly from the Azure portal, eliminating the need to preconfigure a package beforehand. To learn more about how to configure Point-to-Site, see Configure Point-to-Site.
Site-to-Site
Site-to-Site is a type of VPN gateway connection. Site-to-Site (also called Hardware VPN) connects your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of VPN gateway is also known as a Policy-Based VPN. When you create this type of VPN gateway, two VPN devices or gateways are used. One is deployed on your premises. The other is deployed in an Azure virtual network.
The device on your premises is known as a VPN device and could be, for example, a firewall, router, or even a High Performance Computer (HPC). The device in the Azure virtual network is called a VPN gateway. When you configure PolicyBased routing, traffic originating from your on-premises network is routed through the IPsec/IKE tunnel to the Azure VPN gateway. The Azure VPN gateway forwards the traffic to the resources in the Azure VNet.
For more information about supported device types for Site-to-Site connections, see About Site-to-Site connections and Supported devices for Site-to-Site connections.
ExpressRoute
VPN Type: Azure supports the following VPN types: Point-to-Site, Site-to-Site, VNet-to-VNet, and Multi-Site.
Private Peering
Private Peering is the connection of your on-premises network to a single Azure region using an Azure VPN Gateway. The advantage of Private Peering is that your traffic remains on the Microsoft global network rather than passing over the public Internet.
To establish a VPN connection using Private Peering, you’ll need to create a virtual network gateway and connect it to your on-premises network. You can then connect your virtual network gateway to an Azure ExpressRoute circuit using either a Standard or Premium edition ExpressRoute gateway.
Public Peering
Public Peering enables you to connect your on-premises network to Azure, and to route traffic between the Azure network and your on-premises network through a private connection. You can also use Public Peering to connect your virtual network (VNet) to Azure, and to route traffic between the VNet and your on-premises network through a private connection.
Hybrid Connection
A hybrid connection is a type of VPN connection that uses a combination of an on-premises public IP address and a private IP address. The on-premises public IP address is used to route traffic to the internet, while the private IP address is used for all other traffic, such as to Azure VMs or other resources on your on-premises network. You can use a hybrid connection to connect your VNet to an on-premises network.