If you’re looking to set up a VPN on your Azure account, you’ll need to know which type of VPN is supported. In this blog post, we’ll go over the three main types of VPNs and how they can be used with Azure.
VPN types are the protocols used to connect and communicate with the VPN server. Each type of VPN has its own set of benefits and drawbacks. The most common VPN types are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange version 2 (IKEv2).
Policy-based VPNs (static routing) route traffic through a VPN gateway based on the traffic filters and security policies that you configure. The advantage of policy-based VPNs is that they can be configured on a VPN gateway that doesn’t support route-based VPNs. Policy-based VPNs are supported only on the following devices:
– Cisco ASA devices that run Cisco ASA Software Release 9.0(1) or later
– Cisco routers that run Cisco IOS® Software Release 15.2(2)T or later
Azure doesn’t support policy-based site-to-site VPNs.
Route-based VPNs are implemented with a routing device, such as a router, that supports Border Gateway Protocol (BGP) and virtual tunnel interfaces (VTI). A route-based VPN uses persistent tunnels that are preconfigured between each site. Traffic is routed between sites using BGP. All traffic sent through a tunnel interface is encrypted and encapsulated with an IPsec header.
Azure route-based VPN gateways use the industry-standard Border Gateway Protocol (BGP) to route traffic between different networks. BGP is an exterior gateway protocol designed to automatically exchange routing and reachability information among different routers on the internet.
A key advantage of using BGP is that it enables Azure VPN gateways to dynamically learn and advertise routes to on-premises network resources. As a result, route changes on your on-premises network are automatically reflected on all VPN devices connected to your Azure VPN gateway without any intervention from you. You can also configure BGP session settings, such as route reflectors and route filters, to further control how Azure VPN devices learn routes from your on-premises network devices.
Supported VPN types
VPN types are important to consider when you set up a virtual private network (VPN) on Azure. Azure supports the following VPN types: Point-to-Site (P2S), Site-to-Site (S2S), and Azure VPN Gateway.
A policy-based VPN only allows traffic that matches a defined statement, known as a policy, to pass through the VPN gateway. Azure supports two types of policy-based gateways: SonicWALL and WatchGuard. Policy-based VPNs are more common in on-premises implementations; in Azure, they can be used to support legacy devices.
If you have an existing policy-based VPN device, you can create a Site-to-Site connection in Azure by using the steps in Create a Site-to-Site connection with a policy-based gateway. You will need the IP address and pre-shared key (PSK) from your on-premises VPN device for this process.
Route-based VPNs are also known as dynamic VPNs. A route-based VPN uses the routing table to determine where to forward traffic. A route-based VPN gateway can send traffic to multiple systems, over either IPsec or an SSL/TLS tunnel.
With a route-based VPN, you can also change the connection type (for example, from IPsec to SSL/TLS) without affecting the security associations (SAs). This is known as a policy-based VPN.
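To make the difference between the two gateway types concrete, here is an added example written for this post; it is not code from the original article and not Azure's own implementation. It models the two forwarding decisions described above: a policy-based gateway that encrypts only traffic matching a configured local/remote traffic-selector pair, and a route-based gateway whose IPsec tunnel is simply a next hop in a routing table that a simulated BGP UPDATE populates. The packet addresses, prefixes and the on-premises ASN 65010 are constructed for illustration (65515 is the default ASN Azure assigns to its VPN gateway). The example shows why a new on-premises subnet learned over BGP becomes reachable through the route-based tunnel immediately, while the policy-based gateway drops it until an administrator adds a matching policy.

```python
"""Toy model of policy-based vs. route-based VPN forwarding decisions.

Constructed example: prefixes, ASNs and packets are made up for illustration
and do not describe any real deployment.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


class PolicyBasedGateway:
    """Encrypts only traffic that matches a configured (local, remote) selector.

    Each selector pair corresponds to its own IPsec security association;
    a packet that matches no selector is never sent through the tunnel.
    """

    def __init__(self) -> None:
        self.selectors: list[tuple[IPv4Network, IPv4Network]] = []

    def add_policy(self, local: str, remote: str) -> None:
        self.selectors.append((ip_network(local), ip_network(remote)))

    def decide(self, pkt: Packet) -> str:
        for local, remote in self.selectors:
            if pkt.src in local and pkt.dst in remote:
                return f"encrypt via SA({local} <-> {remote})"
        return "drop (no matching traffic selector)"


class RouteBasedGateway:
    """Forwards by longest-prefix match; the tunnel interface is just a next hop.

    Everything routed onto a tunnel interface is encrypted (any-to-any selector),
    so reachability is governed by the routing table, not by per-flow policies.
    """

    def __init__(self, local_asn: int) -> None:
        self.local_asn = local_asn
        self.routes: dict[IPv4Network, str] = {}  # prefix -> next hop ("tun0", "local", ...)

    def add_static_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ip_network(prefix)] = next_hop

    def receive_bgp_update(self, peer_asn: int, prefixes: list[str], next_hop: str) -> list[str]:
        """Install prefixes learned from an eBGP peer over the tunnel.

        A real UPDATE carries AS_PATH, communities and so on; the toy keeps only
        the property that matters here: learned prefixes enter the table with no
        manual configuration on this gateway.
        """
        if peer_asn == self.local_asn:
            raise ValueError("iBGP peering is outside this toy model")
        for prefix in prefixes:
            self.routes[ip_network(prefix)] = next_hop
        return list(prefixes)

    def lookup(self, dst: IPv4Address) -> Optional[str]:
        matches = [net for net in self.routes if dst in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

    def decide(self, pkt: Packet) -> str:
        hop = self.lookup(pkt.dst)
        if hop is None:
            return "drop (no route)"
        if hop.startswith("tun"):
            return f"encrypt via {hop}"
        return f"forward unencrypted via {hop}"


def demo() -> dict[str, str]:
    """Constructed scenario: VNet 10.1.0.0/16, on-prem adds a second subnet later."""
    to_known = Packet(ip_address("10.1.0.4"), ip_address("192.168.10.7"))
    to_new = Packet(ip_address("10.1.0.4"), ip_address("192.168.20.7"))
    to_local = Packet(ip_address("10.1.0.4"), ip_address("10.1.2.9"))

    # Policy-based: one static selector pair, configured when the tunnel was built.
    policy_gw = PolicyBasedGateway()
    policy_gw.add_policy("10.1.0.0/16", "192.168.10.0/24")

    # Route-based: local VNet route plus whatever the on-prem eBGP peer advertises.
    route_gw = RouteBasedGateway(local_asn=65515)
    route_gw.add_static_route("10.1.0.0/16", "local")
    route_gw.receive_bgp_update(peer_asn=65010, prefixes=["192.168.10.0/24"], next_hop="tun0")
    # Later, on-prem brings up 192.168.20.0/24 and BGP advertises it automatically.
    route_gw.receive_bgp_update(peer_asn=65010, prefixes=["192.168.20.0/24"], next_hop="tun0")

    return {
        "policy_known_subnet": policy_gw.decide(to_known),
        "policy_new_subnet": policy_gw.decide(to_new),
        "route_known_subnet": route_gw.decide(to_known),
        "route_new_subnet": route_gw.decide(to_new),
        "route_local": route_gw.decide(to_local),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

Running the script shows the route-based gateway encrypting traffic to both on-premises subnets via `tun0`, while the policy-based gateway drops traffic to the newly advertised 192.168.20.0/24 because no selector covers it. In a real deployment the same gap is what forces a policy-based site to be reconfigured on both ends whenever an address range changes.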