VPN Gateway
This is a continuation of a series of articles on operational
engineering aspects of the Azure public cloud. The most recent discussion
covered Azure DNS, a generally available service that offers a Service Level
Agreement comparable to others in its category. In this document, we discuss
VPN Gateway.
A VPN gateway is a specific type of virtual network gateway
that is used to send encrypted traffic between an Azure Virtual Network and an
on-premises location over the public internet. The two endpoints can also be
two virtual networks, even in different geographical regions, as long as there
is internet connectivity between them. The tunnel works by encapsulation: IPsec
in tunnel mode encrypts the original packet and wraps it in a new IP packet
whose outer header carries only the public IP addresses of the two gateways.
The packet crosses the internet using the outer addresses, and the receiving
gateway decrypts and unwraps it to recover the inner header with the private
addresses that only the remote network knows about. That is why it is called a
tunnel. When we create multiple connections to the same VPN gateway, all the
VPN tunnels share the available gateway bandwidth. A gateway is composed of two
or more VMs that are automatically configured and deployed to a dedicated subnet
of the VNet named GatewaySubnet, and these contain routing tables and specific
gateway services.
The gateway configuration includes the gateway type, which
determines how the gateway will be used and the actions it can take. The
gateway type (Vpn or ExpressRoute) and the VPN type (route-based or
policy-based) are fixed at creation time; connections are then added to the
gateway, whether an IPsec/IKE Site-to-Site tunnel to an on-premises VPN device,
a VNet-to-VNet tunnel, or one of the most common usages, Point-to-Site VPN
connectivity. Cloud sites and virtual machines leverage this so that the
resource itself does not need a public IP assigned, yet the service is
reachable over the VPN. Name resolution over the tunnel works when the DNS
servers configured for the VNet can resolve the names the clients need.
Point-to-Site connectivity occurs over the Secure Socket Tunneling Protocol
(SSTP, which runs over TLS) or IKEv2; current gateway SKUs also support OpenVPN.
It lets us connect from a single computer to any resource within a virtual
network. With certificate authentication, the public part of a root certificate
is uploaded to the gateway, each client presents a certificate chained to that
root, and a VPN client configuration package downloaded from the gateway sets
up the client. Gateways can be policy-based or route-based: a policy-based
gateway encrypts traffic according to the address prefixes in its IPsec
policies, while a route-based gateway uses any-to-any traffic selectors and
relies on routes. Point-to-Site requires a route-based gateway. Custom
IPsec/IKE policies and explicit traffic selectors can also be specified on a
connection.
When an Azure VM is set up for Point-to-Site connectivity, it needs
neither a public IP address nor a network security group rule exposing RDP/SSH
to the internet. By adding a virtual network gateway, a root and a client
certificate, downloading the VPN client package and running the setup, we get
a network-reachable working VM that is part of the remote network, such as the
workplace, and accessible from a computer over the VPN. We can verify the VPN
connection by using RDP to connect to the private IP of the VM and not a public
IP address; if the private address answers, the traffic is going through the
tunnel.
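The procedure above, written out in Azure PowerShell as an added example (this is not code from the original post; the resource names, address ranges and the VM's private IP 10.1.0.4 are assumptions chosen for illustration, and the session is assumed to be already authenticated with Connect-AzAccount):

```powershell
# Added example: end-to-end Point-to-Site setup with the Az module.
# Assumed (hypothetical) names: resource group TestRG1, existing VNet VNet1 in East US,
# gateway VNet1GW, client address pool 172.16.201.0/24, a VM at private IP 10.1.0.4.

$RG         = "TestRG1"
$Location   = "East US"
$VNetName   = "VNet1"
$GWName     = "VNet1GW"
$ClientPool = "172.16.201.0/24"   # must not overlap the VNet or any on-premises range

# 1. Gateway subnet. The name must be exactly "GatewaySubnet"; /27 or larger is recommended.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VNetName
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.1.255.0/27" `
    -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. Public IP for the gateway. Only the gateway gets a public address; the VM behind it does not.
$gwpip  = New-AzPublicIpAddress -Name "$GWName-pip" -ResourceGroupName $RG -Location $Location `
    -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig1" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $gwpip.Id

# 3. Route-based VPN gateway (Point-to-Site requires RouteBased). Provisioning takes a while.
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientProtocol IkeV2 | Out-Null

# 4. Address pool handed out to connecting clients.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool $ClientPool | Out-Null

# 5. Certificates: a self-signed root whose private key never leaves the admin machine,
#    and a client certificate signed by it. Only the root's public part goes to Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
New-SelfSignedCertificate -Type Custom -DnsName "P2SChildCert" -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") | Out-Null   # client-auth EKU

$rootBase64 = [System.Convert]::ToBase64String($root.RawData)   # DER public cert, base64
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "P2SRootCert" `
    -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -PublicCertData $rootBase64 | Out-Null

# 6. Generate the VPN client configuration package and download it.
$clientCfg = New-AzVpnClientConfiguration -ResourceGroupName $RG -Name $GWName -AuthenticationMethod "EapTls"
Invoke-WebRequest -Uri $clientCfg.VPNProfileSASUrl -OutFile "$env:TEMP\$GWName-vpnclient.zip"

# 7. After installing the package on the client and connecting, verify the tunnel by reaching
#    the VM's *private* IP. TcpTestSucceeded = True on 3389 means RDP is reachable through the
#    tunnel; the VM has no public address, so there is no other path.
Test-NetConnection -ComputerName "10.1.0.4" -Port 3389
```

The client certificate is exported (with its private key) only to the machines that should be allowed in; revoking access later means removing that client's thumbprint with Add-AzVpnClientRevokedCertificate rather than rotating the root.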
The networking does not affect the authentication. The gateway
authenticates the client certificate when the tunnel is established; logging in
to the VM is a separate step. If the Azure Active Directory account can log in
to the Virtual Machine, it can continue to do so over the VPN connection.