If you’re looking to set up a VPN on your Azure account, you might be wondering what types of VPNs are supported. In this blog post, we’ll go over the different types of VPNs that can be used with Azure, so you can choose the best option for your needs.
VPN types
A Virtual Private Network (VPN) is a private network that is built on top of a public infrastructure. Azure supports two types of VPNs: Point-to-Site and Site-to-Site. Point-to-Site VPNs are usually used by individual users who need to connect to an Azure VNET. Site-to-Site VPNs are used to connect an on-premises network to an Azure VNET.
Point-to-Site (P2S)
Point-to-Site (P2S) creates a secure connection to an Azure virtual network from an individual client computer. P2S is a configuration where the VPN client is installed on each user’s computer or mobile device. A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.
You can connect to a Point-to-Site VPN when you need to connect to resources in your Azure virtual network, but don’t require the additional features that Site-to-Site VPNs provide, such as cross-premises and hybrid connectivity, or gateway transit. Point-to-Site VPNs are useful when you want to connect to your VNet from remote locations such as from home or a hotel room.
Point-to-Site doesn’t require a multi-network infrastructure like Site-to-Site VPNs. You can easily configure a Point-to-Site VPN connection by using the Azure portal, or by using PowerShell. When you configure a P2S VPN connection, Azure creates a certificate (.cer file) and generates the corresponding private key (.pfx file). You install the certificate and private key on the client computer, and then use the resulting profile to create the VPN connection.
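The certificate-based P2S setup above, carried out from PowerShell with self-signed certificates, as an added example (not code from the post): the root certificate's public part goes to the gateway, the client .pfx goes to the user's device, and the client profile is then downloaded. It assumes the Az.Network module, a gateway that already has a P2S address pool configured, and placeholder names for the resource group and gateway.

```powershell
# Added example (not the post's own code): issue the certificate pair used by a
# P2S gateway with certificate authentication. Run on a Windows admin workstation
# with the Az.Network module; resource-group and gateway names are placeholders.
$rg      = "rg-vpn-example"   # placeholder resource group
$gateway = "vgw-example"      # placeholder gateway with a P2S address pool

# 1. Self-signed root. Only its PUBLIC part is uploaded to Azure; the private
#    key stays on this machine (Exportable so it can be backed up offline).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by that root, carrying the Client Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.2). This is what the user's .pfx will contain.
$client = New-SelfSignedCertificate -Type Custom -DnsName "P2SChildCert" `
    -KeySpec Signature -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Export the client certificate and its private key as a .pfx for the user.
#    Prompt for the password rather than hard-coding it in the script.
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $client -FilePath ".\P2SChildCert.pfx" `
    -Password $pfxPassword | Out-Null

# 4. Upload the root's public data (base64 DER, no PEM headers) to the gateway.
$rootB64 = [Convert]::ToBase64String($root.RawData)
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "P2SRootCert" `
    -VirtualNetworkGatewayName $gateway -ResourceGroupName $rg `
    -PublicCertData $rootB64

# 5. Generate the client profile package and download it from the SAS URL
#    Azure returns; the user imports it together with the .pfx.
$clientProfile = New-AzVpnClientConfiguration -ResourceGroupName $rg `
    -Name $gateway -AuthenticationMethod "EapTls"
Invoke-WebRequest -Uri $clientProfile.VpnProfileSASUrl `
    -OutFile ".\vpnclientconfiguration.zip"
```

Revoking a single user later means uploading that client certificate's thumbprint with Add-AzVpnClientRevokedCertificate rather than rotating the root.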
Site-to-Site (S2S)
S2S is the most common type of VPN configuration. It requires that a VPN device be deployed at each location that will connect to the S2S VPN gateway in Azure. The S2S gateway authenticates each VPN device by using Internet Key Exchange Version 2 (IKEv2) with strong cryptographic algorithms and hashes. The key used during IKE authentication is based on a shared secret, also known as a preshared key (PSK).
The connection between the VPN devices and the S2S gateway in Azure is encrypted and authenticated using Internet Protocol Security (IPsec). IKEv2 with IPsec uses Suite B ciphers, which offer strong security for both encryption and integrity. These ciphers are:
- AES-128-GCM and AES-256-GCM for encryption
- SHA-256 and SHA-384 for hashing/integrity
Multi-Site
Multi-Site is a type of VPN that connects multiple sites together. This is ideal for businesses with multiple locations, as it allows all employees to communicate as if they were in the same office. Multi-Site VPNs typically use a shared IP address, which makes it easy to connect and disconnect locations as needed.
Protocols
Azure only supports Point-to-Site (P2S) VPNs using the following protocols: IKEv2, SSTP, and OpenVPN. Point-to-Site connections do not require a VPN device or an on-premises public-facing IP address. P2S VPNs are point-to-point connections between an Azure virtual network and an individual client. A P2S VPN connection is established by installing VPN client software on the user’s device. The three supported protocols are described below:
IKEv2
IKEv2 is a VPN protocol that provides security when communicating over unprotected channels like the Internet. IKEv2 is an extension of the Internet Key Exchange protocol, which is used to set up secure communications between two devices. IKEv2 uses a cryptographic key to authenticate and encrypt each communication, ensuring that only the intended recipient can read it.
IKEv2 is often used in conjunction with IPsec, which is a protocol that provides data encryption and integrity checking. IPsec is typically used to protect traffic between two devices, but it can also be used to protect traffic between a device and a network, or between two networks. IKEv2 can be used with either AH or ESP, but it is most commonly used with ESP.
AH and ESP are two different types of IPsec protocols. AH provides data integrity and authentication, while ESP provides data confidentiality. When using IKEv2 with IPsec, AH or ESP must be specified in order to determine which type of traffic will be protected.
IKEv2 can be configured manually, or it can be configured automatically using the Azure VPN gateway. When configuring IKEv2 manually, you will need to specify the following parameters:
- mode: This parameter specifies whether IKEv2 will operate in tunnel mode or transport mode. Tunnel mode encrypts and encapsulates each packet in a new IP header, while transport mode only encrypts the data payload of each packet. Tunnel mode is more secure than transport mode, but it is also more expensive to operate.
- encryption: This parameter specifies the type of encryption that will be used to encrypt the data payload of each packet. AES-256 is the most common type of encryption, but other types are also available.
- hash: This parameter specifies the type of hash algorithm that will be used to generate a message digest for each packet. Message digests are used to verify the integrity of each packet. SHA-256 is the most common type of hash algorithm, but other types are also available.
- DH group: This parameter specifies the Diffie-Hellman group that will be used for key exchange. IKEv2 supports several different DH groups, including DH groups 2, 5, 14-18, and 22-24.
- lifetime: This parameter specifies how long a security association (SA) will remain valid before it needs to be renegotiated. The lifetime must be specified in seconds, and it must be greater than or equal to 300 seconds (5 minutes).
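Pinning the Suite B ciphers from the S2S section and the IKEv2 parameters listed above on an Azure S2S connection, as an added example (not code from the post): the Az.Network IPsec policy object exposes the encryption, integrity, DH/PFS group and SA lifetime settings, and the gateway enforces the 300-second lifetime minimum. Resource names are placeholders, and the connection is assumed to already exist with its preshared key.

```powershell
# Added example (not the post's own code): apply an explicit IKE/IPsec policy
# to an existing Azure S2S connection. Names are placeholders; the connection
# was created earlier with New-AzVirtualNetworkGatewayConnection and a PSK.
$rg         = "rg-vpn-example"        # placeholder resource group
$connection = "cn-onprem-to-azure"    # placeholder S2S connection name

# Parameters for the policy, mirroring the list above. Splatting lets each
# value carry its own comment. GCM on ESP requires the same GCM value for
# IPsec integrity, because the AEAD mode supplies both services at once.
$policyParams = @{
    IkeEncryption       = 'AES256'      # IKE (phase 1) encryption
    IkeIntegrity        = 'SHA384'      # IKE integrity: Suite B hash
    DhGroup             = 'DHGroup24'   # Diffie-Hellman group for key exchange
    IpsecEncryption     = 'GCMAES256'   # ESP payload encryption: AES-256-GCM
    IpsecIntegrity      = 'GCMAES256'   # must match the GCM cipher chosen above
    PfsGroup            = 'PFS24'       # perfect forward secrecy on each rekey
    SALifeTimeSeconds   = 27000         # SA lifetime; gateway minimum is 300 s
    SADataSizeKilobytes = 102400000     # also rekey after ~100 GB of traffic
}

# Fail fast locally on the lifetime floor described above instead of letting
# the deployment be rejected by the gateway.
if ($policyParams.SALifeTimeSeconds -lt 300) {
    throw "SA lifetime must be at least 300 seconds"
}

$policy = New-AzIpsecPolicy @policyParams

# Attach the policy to the existing connection. Without a custom policy the
# gateway negotiates from its default proposal list, which also contains
# weaker options than the Suite B set pinned here.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connection -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $policy

# Read the policy back to confirm what the gateway will now negotiate.
(Get-AzVirtualNetworkGatewayConnection -Name $connection `
    -ResourceGroupName $rg).IpsecPolicies
```

The on-premises VPN device must be configured with the identical proposal, otherwise IKE negotiation fails and the tunnel stays down.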
SSTP
SSTP is a VPN protocol that uses SSL/TLS to create a secure, encrypted tunnel between two devices. It is supported by Azure and can be used to connect Azure VMs to other devices over the internet. SSTP is also supported by most major VPN providers, so it can be used to connect to other VPN networks as well.
OpenVPN
OpenVPN is an SSL/TLS VPN solution. It is able to traverse NAT connections and firewalls. Azure supports OpenVPN over UDP. The UDP protocol is more efficient and therefore faster than the TCP protocol.
Supported VPN types
Azure supports the following VPN types: Point-to-Site (P2S), Site-to-Site (S2S), VNet-to-VNet, and Azure VPN Gateway. P2S VPNs are used to connect an individual client computer to a VNet. S2S VPNs are used to connect two VNets to each other. VNet-to-VNet is used to connect two VNets using a gateway. Azure VPN Gateway is used to connect on-premises networks to VNets.
Azure supports P2S, S2S, and Multi-Site
Azure supports the Point-to-Site (P2S), Site-to-Site (S2S), and Multi-Site connection types. P2S creates a secure, private connection from your computer or device to Azure. S2S connections are used when you have a site-to-site VPN gateway already deployed in your on-premises network. The Multi-Site connection type is used when you want to connect multiple on-premises sites to an Azure virtual network using a single VPN gateway.
Azure supports IKEv2, SSTP, and OpenVPN
Azure supports three VPN types: IKEv2, SSTP, and OpenVPN. You can use any of these VPN types to connect to Azure. IKEv2 is natively supported on iOS and macOS devices. SSTP requires Windows Server 2008 R2 or later on the VPN server. OpenVPN requires that you use a third-party OpenVPN client.
Conclusion
At this time, Azure supports the following VPN types:
- Point-to-Site (P2S) VPNs
- Site-to-Site (S2S) VPNs
- VNet-to-VNet
You can read more about these types of VPNs and how to set them up in Azure here.