- Azure VPN Gateway provides a secured hybrid cloud architecture: encrypted traffic between an Azure virtual network and an on-premises (or another Azure) network over the public Internet.
- A connection is composed of a gateway subnet (it must be named GatewaySubnet) with the VPN gateway deployed into it, the IPsec tunnel, and the on-premises VPN device, which Azure represents as a local network gateway.
- Protocols: Internet Protocol Security (IPsec) for the tunnel and Internet Key Exchange (IKE) for negotiating the security associations. Policy-based gateways use IKEv1; route-based gateways use IKEv2.
- VPN gateway connection types: VNet-to-VNet, Site-to-Site (S2S), and Point-to-Site (P2S).
- Site-to-Site creates a secure connection from your on-premises network to an Azure virtual network; it requires an on-premises VPN device with a public IP address and a pre-shared key that both sides know.
- A VNet-to-VNet connection automatically routes to the updated address space if you update the address space of the other VNet; no manual change to the connection is needed.
- If you need to connect an individual client computer to your virtual network from a remote location, use a point-to-site (P2S) VPN; no on-premises VPN device is required.
- One VPN gateway can also connect to more than one on-premises network using a Multi-Site connection. All connections share the gateway's bandwidth, and the gateway must be route-based.
- Policy-based gateway
- Implements a policy-based VPN: packets are encrypted and directed into IPsec tunnels according to policies (traffic selectors) built from source and destination address prefixes.
- The policy or traffic selector is defined as an access list in the VPN device configuration.
- Policy-based gateways are available only on the Basic SKU, use IKEv1, and support a single Site-to-Site tunnel; they cannot be used for Point-to-Site or VNet-to-VNet connections.
- You cannot change a policy-based VPN to a route-based VPN in place, or vice versa; the gateway must be deleted and recreated with the other VPN type.
- Route-based gateway
- Implements a route-based VPN (IKEv2).
- Route-based VPNs use routes in the routing table to direct packets to tunnel interfaces, and the tunnel interfaces encrypt and decrypt the packets.
- The policy or traffic selector is configured as a wildcard (any-to-any); which traffic enters the tunnel is decided by routing, not by an access list.
- Route-based is required for Point-to-Site, VNet-to-VNet, Multi-Site and active-active configurations, and is the recommended type for new deployments.
- In an active-active configuration, each Azure VPN gateway instance has its own public IP address and establishes its own S2S tunnel to the on-premises device, and traffic is routed across both tunnels. The on-premises device must therefore support two tunnels to Azure.
- In an active-passive (active-standby) configuration, the standby instance takes over only if a disruption happens on the active instance. Failover is automatic, but the tunnel is re-established, so there is a brief interruption.
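The site-to-site procedure above (GatewaySubnet, VPN gateway, local network gateway, connection with a pre-shared key, explicit IPsec/IKE policy) as an Azure CLI script. This is an added example, not code from the original page or from Microsoft. The resource group, region, VNet and on-premises address spaces, the on-premises public IP (203.0.113.10, a documentation-range placeholder) and every resource name are assumptions I chose; the `az` subcommands and flags are the Azure CLI's own. With `DRY_RUN=1` (the default) the script only prints the commands, so the plan can be reviewed without a subscription.

```shell
#!/bin/sh
# Added example (not from the original page or from Microsoft): Azure CLI
# deployment of a route-based site-to-site VPN with an active-active gateway
# and a custom IPsec/IKE policy. Resource names, address spaces and the
# on-premises public IP below are assumptions/placeholders.
set -eu

# DRY_RUN=1 (default) prints each az command instead of running it, so the
# plan can be reviewed offline; export DRY_RUN=0 to deploy for real.
DRY_RUN="${DRY_RUN:-1}"

RG="rg-hybrid-demo"                # assumed resource group
LOCATION="westeurope"              # assumed region
VNET="vnet-hub"                    # assumed hub VNet
VNET_PREFIX="10.10.0.0/16"         # assumed Azure address space
GW_SUBNET_PREFIX="10.10.255.0/27"  # GatewaySubnet prefix (see gateway_subnet_ok)
GW="vpngw-hub"                     # assumed gateway name
LNG="lng-onprem"                   # local network gateway = on-premises side
ONPREM_IP="203.0.113.10"           # placeholder (documentation range)
ONPREM_PREFIX="192.168.0.0/16"     # assumed on-premises address space
CONN="s2s-onprem"                  # assumed connection name

run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'; printf ' %s' "$@"; printf '\n'
  else
    az "$@"
  fi
}

# The subnet must be named exactly "GatewaySubnet". Azure recommends /27 or
# larger; this script refuses smaller prefixes. Returns 0 when acceptable.
gateway_subnet_ok() {
  case "$1" in */*) ;; *) return 1 ;; esac
  [ "${1##*/}" -le 27 ]
}

# 32 random bytes, base64 without padding: 43 printable characters, within
# Azure's 1-128 printable ASCII limit for a pre-shared key.
gen_psk() {
  head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# One strong IKE/IPsec proposal instead of Azure's default list: AES-256-GCM
# for ESP (encryption and integrity must both be GCM), AES-256/SHA-256 and
# DH group 14 for IKE, PFS 2048 so every rekey derives fresh keys. The
# on-premises device must be configured with exactly the same parameters.
ipsec_policy_args() {
  printf '%s\n' \
    --ike-encryption AES256 \
    --ike-integrity SHA256 \
    --dh-group DHGroup14 \
    --ipsec-encryption GCMAES256 \
    --ipsec-integrity GCMAES256 \
    --pfs-group PFS2048 \
    --sa-lifetime 27000 \
    --sa-max-size 102400000
}

deploy() {
  gateway_subnet_ok "$GW_SUBNET_PREFIX" || {
    echo "GatewaySubnet $GW_SUBNET_PREFIX is smaller than /27" >&2; return 1; }
  # Operator-supplied PSK (e.g. read from Key Vault) or a generated one; in
  # dry-run mode only a placeholder is printed so the secret never hits logs.
  if [ "$DRY_RUN" = "1" ]; then psk='<psk-not-shown>'; else psk="${VPN_PSK:-$(gen_psk)}"; fi

  run_az group create -n "$RG" -l "$LOCATION"
  run_az network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" --address-prefixes "$VNET_PREFIX"
  run_az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes "$GW_SUBNET_PREFIX"

  # Two public IPs make the gateway active-active: each instance builds its
  # own S2S tunnel to the on-premises device, so one instance failing does not
  # drop connectivity. Pass a single IP for an active-standby gateway.
  run_az network public-ip create -g "$RG" -n "pip-$GW-1" --sku Standard --allocation-method Static
  run_az network public-ip create -g "$RG" -n "pip-$GW-2" --sku Standard --allocation-method Static
  run_az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 \
    --public-ip-addresses "pip-$GW-1" "pip-$GW-2"

  # The local network gateway models the on-premises side: its public IP and
  # the prefixes reachable through the tunnel. With a route-based gateway the
  # traffic selector is any-to-any; these prefixes become routes to the tunnel.
  run_az network local-gateway create -g "$RG" -n "$LNG" -l "$LOCATION" \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_PREFIX"

  run_az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$psk"

  # Attach the custom policy; word splitting of ipsec_policy_args is intended.
  # shellcheck disable=SC2046
  run_az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
    $(ipsec_policy_args)
}

deploy
```

Run it as-is to review the plan, then `DRY_RUN=0 VPN_PSK=... sh deploy.sh` to deploy. The on-premises device needs two tunnels (one per gateway public IP) and the identical IKE/IPsec parameters, otherwise phase 1 or phase 2 negotiation fails. If the on-premises device is itself policy-based, keep the Azure gateway route-based and add `--use-policy-based-traffic-selectors true` to the `vpn-connection create` call instead of falling back to a Basic-SKU policy-based gateway.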
| Details | Site-to-Site | Point-to-Site |
|---|---|---|
| Supported services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines |
| Bandwidth | Typically < 1 Gbps aggregate | Based on the gateway SKU |
| Protocols | IPsec | Secure Socket Tunneling Protocol (SSTP), OpenVPN and IPsec (IKEv2) |
| Routing | PolicyBased (static routing) and RouteBased (dynamic routing) | RouteBased (dynamic) |
| Connection resiliency | active-passive or active-active | active-passive |
| Use case | Dev/test/lab scenarios and small-scale production workloads for cloud services and virtual machines | Prototyping and dev/test/lab scenarios for cloud services and virtual machines |
- You are billed hourly for the compute cost of the VNet gateway for as long as it exists, whether or not a connection is established.
- You are charged for egress data transfer from the virtual network gateway at the standard outbound data transfer rates.
- For VNet-to-VNet connections, data transfer through the VPN gateway is charged only when the two VNets are in different regions; Point-to-Site connections are the exception to this rule.