If you’re looking to set up a VPN on your Azure account, you’ll need to know which types of VPNs are supported. In this blog post, we’ll go over the different VPN types that can be used with Azure.
Microsoft's VPN Gateway documentation distinguishes the gateway's VPN type (policy-based or route-based) from the connection topologies built on top of it: Point-to-Site, Site-to-Site (including Multi-Site) and VNet-to-VNet. ExpressRoute is often listed alongside these, but it is a private circuit into Microsoft's network rather than an IPsec VPN over the internet; it can coexist with a VPN gateway, but it is not one of the VPN types.
Policy-based VPNs decide which traffic is encrypted by matching it against IPsec policies, which behave much like access control lists (ACLs): each policy, or traffic selector, is a combination of on-premises and virtual network address prefixes, and only packets matching one of those combinations are encrypted and sent through the tunnel. Policy-based gateways are the older of Azure's two VPN types and used to be called static routing gateways (they are not route-based gateways; the two terms are frequently confused). In Azure they are limited to the Basic gateway SKU, negotiate IKEv1 only, and support a single Site-to-Site tunnel with no Point-to-Site, VNet-to-VNet, Multi-Site or BGP.
Route-based VPNs, formerly called dynamic routing gateways, use the gateway's IPv4 or IPv6 routing table to decide which packets enter the tunnel: the tunnel is a virtual interface, and any-to-any traffic selectors are negotiated by default. This is the type that supports every Azure connection topology, including Site-to-Site, Multi-Site, VNet-to-VNet and Point-to-Site. A route-based gateway can learn routes dynamically over BGP or be fed static routes. With static routing, the on-premises address prefixes are declared on the local network gateway in Azure, and your on-premises device must carry a route for every Virtual Network prefix that should be reached through the tunnel.
Supported VPN types
Azure VPN Gateway offers two VPN types, policy-based and route-based, and the type determines which connection topologies a gateway can serve: Point-to-Site (P2S), Site-to-Site (S2S), VNet-to-VNet and Multi-Site (several S2S connections on one gateway). Only a route-based gateway supports all four; a policy-based gateway supports a single S2S connection.
Policy-based VPNs (static routing gateways) were the first type of VPN Azure supported when the service launched. A policy-based gateway has the following traits:
It runs on the Basic gateway SKU and terminates one IPsec tunnel, which means a single Site-to-Site connection and no Multi-Site, Point-to-Site or VNet-to-VNet.
IKE negotiation is IKEv1 only and authenticates with a pre-shared key.
The policies are traffic selectors: combinations of on-premises and virtual network address prefixes. Only traffic matching a selector is encrypted, and the encryption and hashing algorithms are the gateway's default set, because custom IPsec/IKE policy is not available on the Basic SKU.
A single policy set is applied to the gateway, and BGP is not supported.
Policy-based gateways are also known as static routing gateways. That is the older name; it should not be confused with route-based gateways, which are the other VPN type.
Route-based VPNs, also known as dynamic routing gateways, use the routing table to determine where to forward packets: anything routed to the tunnel interface is encrypted, so the traffic selector is any-to-any by default. Route-based gateways support BGP and are the only type that can hold several S2S connections (Multi-Site) alongside P2S and VNet-to-VNet; a policy-based gateway, by contrast, has a single tunnel with one S2S connection and no BGP. On a route-based gateway (Standard SKU or higher) you can attach a custom IPsec/IKE policy to each connection, choosing the encryption, integrity, Diffie-Hellman and PFS settings and the IPsec SA lifetime per connection, and you can enable policy-based traffic selectors on a connection when the peer is a policy-based device that expects prefix-to-prefix selectors.
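The following Azure PowerShell script is an added example, not code from the original post or from Microsoft. It builds a route-based gateway with one Site-to-Site connection and shows both routing modes described above: static routes declared on the local network gateway, then BGP. The resource group, names, address ranges, ASNs, peer IP address and pre-shared key are placeholders, and it assumes the Az.Network module plus an existing VNet that already contains a subnet named GatewaySubnet.

```powershell
# Added example (not from the original post or from Microsoft). Names, prefixes,
# ASNs, the peer IP and the PSK are placeholders; requires Az.Network and a VNet
# that already has a subnet called GatewaySubnet (/27 or larger).
$rg       = 'rg-vpn-demo'
$location = 'westeurope'

$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
            -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# -VpnType RouteBased is what unlocks Multi-Site, P2S, VNet-to-VNet and BGP.
# A policy-based gateway would be -VpnType PolicyBased -GatewaySku Basic and
# could not be given BGP or a second connection later.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
        -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
        -EnableBgp $true -Asn 65010

# --- Static routing --------------------------------------------------------
# The branch prefixes are declared on the local network gateway; Azure installs
# them as routes pointing at the tunnel. The on-premises device, in turn, needs
# a static route for every VNet prefix (for example 10.0.0.0/16) towards $pip.
$lngStatic = New-AzLocalNetworkGateway -Name 'lng-branch' -ResourceGroupName $rg -Location $location `
               -GatewayIpAddress '203.0.113.10' `
               -AddressPrefix @('192.168.10.0/24', '192.168.20.0/24')

$conn = New-AzVirtualNetworkGatewayConnection -Name 'cn-branch' -ResourceGroupName $rg -Location $location `
          -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngStatic `
          -ConnectionType IPsec -ConnectionProtocol IKEv2 `
          -SharedKey 'replace-with-a-long-random-psk'

# --- BGP instead of static routes ------------------------------------------
# The local network gateway now carries the peer's ASN and BGP peering address
# (assumed values) and the connection has BGP enabled; prefixes are exchanged
# over the tunnel instead of being typed into AddressPrefix.
$lngBgp = New-AzLocalNetworkGateway -Name 'lng-branch-bgp' -ResourceGroupName $rg -Location $location `
            -GatewayIpAddress '203.0.113.10' -Asn 65050 -BgpPeeringAddress '192.168.255.254'

$connBgp = New-AzVirtualNetworkGatewayConnection -Name 'cn-branch-bgp' -ResourceGroupName $rg -Location $location `
             -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngBgp `
             -ConnectionType IPsec -ConnectionProtocol IKEv2 -EnableBgp $true `
             -SharedKey 'replace-with-a-long-random-psk'

# --- Verify ----------------------------------------------------------------
# The peer should show as Connected, and routes learned from it carry an
# Origin of EBgp; anything declared in AddressPrefix shows up as Network origin.
Get-AzVirtualNetworkGatewayBgpPeerStatus -VirtualNetworkGatewayName 'vpngw-hub' -ResourceGroupName $rg
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName 'vpngw-hub' -ResourceGroupName $rg |
    Select-Object Network, NextHop, Origin, AsPath
```

Run it from a session already signed in with Connect-AzAccount. In practice a site uses either the static or the BGP local network gateway, not both at once; both are shown here so the difference in what each side has to know about the other is visible.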
The following diagram (not reproduced here) shows a route-based VPN gateway with two Site-to-Site connections, each carrying its own IPsec/IKE policy with distinct encryption and integrity algorithms. Each policy applies to its connection only and overrides the gateway defaults; unless policy-based traffic selectors are enabled on a connection, the traffic selector remains the any-to-any wildcard (*) that every route-based Azure connection uses by default.
Each policy contains different security algorithms and parameters:
Policy 1 uses 3DES encryption, SHA1 hashing, Diffie-Hellman (DH) Group 2, and a lifetime of 4,800 seconds for IKE Phase 1 negotiation and 28,800 seconds for IKE Phase 2 negotiation. All three algorithm choices are legacy (3DES has a 64-bit block, SHA1 is deprecated, and Group 2 is a 1024-bit MODP group); keep such a policy only for a peer that cannot negotiate anything stronger.
Policy 2 uses AES256 encryption, SHA256 hashing, DH Group 5, and a lifetime of 3,600 seconds for Phase 1 negotiation and 28,800 seconds for Phase 2 negotiation. Two caveats when reproducing these values on an Azure gateway: Azure fixes the IKE Phase 1 SA lifetime at 28,800 seconds, so only the IPsec (Phase 2) SA lifetime is configurable on the Azure side, and DH Group 5 is not among the groups Azure offers, so a 2048-bit group (DHGroup14) or an elliptic-curve group (ECP256 or ECP384) is the closest match.
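As an added example (not code from the original post or from Microsoft), the two policies from the diagram expressed as Azure custom IPsec/IKE policies and applied to two Site-to-Site connections on an existing route-based gateway of Standard SKU or higher, which custom policies require. The gateway, local network gateway and connection names and the pre-shared keys are placeholders. Policy 1 is kept as described, legacy algorithms included, so the weak and the stronger configuration sit side by side; Policy 2 substitutes DHGroup14 for the diagram's Group 5, which Azure does not offer.

```powershell
# Added example, not from the original post or from Microsoft. Resource names
# and PSKs are placeholders; assumes an existing route-based gateway 'vpngw-hub'
# (Standard SKU or higher) and two local network gateways for the two sites.
$rg       = 'rg-vpn-demo'
$location = 'westeurope'
$gw       = Get-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg
$lngSite1 = Get-AzLocalNetworkGateway -Name 'lng-site1' -ResourceGroupName $rg
$lngSite2 = Get-AzLocalNetworkGateway -Name 'lng-site2' -ResourceGroupName $rg

# Policy 1 as described: 3DES / SHA1 / DH Group 2. Azure fixes the IKE Phase 1
# SA lifetime at 28,800 s, so only the IPsec (Phase 2) lifetime is set here; the
# diagram's 4,800 s Phase 1 value would have to be configured on the peer device.
# Everything in this policy is legacy; keep it only for a peer that cannot do better.
$policy1 = New-AzIpsecPolicy -IkeEncryption DES3 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
             -IpsecEncryption DES3 -IpsecIntegrity SHA1 -PfsGroup PFS2 `
             -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000

# Policy 2: AES256 / SHA256. DH Group 5 is not in Azure's list, so DHGroup14
# (2048-bit MODP) is used as the closest supported group, with a matching PFS
# group so the IPsec SA also gets forward secrecy.
$policy2 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
             -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
             -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000

# One connection per policy. The policy overrides the gateway defaults for that
# connection only. The traffic selector stays any-to-any unless
# -UsePolicyBasedTrafficSelectors $true is set, which makes this route-based
# gateway negotiate prefix-to-prefix selectors the way a policy-based peer expects.
$conn1 = New-AzVirtualNetworkGatewayConnection -Name 'cn-site1' -ResourceGroupName $rg -Location $location `
           -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngSite1 -ConnectionType IPsec `
           -ConnectionProtocol IKEv2 -SharedKey 'replace-with-psk-1' -IpsecPolicies $policy1

$conn2 = New-AzVirtualNetworkGatewayConnection -Name 'cn-site2' -ResourceGroupName $rg -Location $location `
           -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lngSite2 -ConnectionType IPsec `
           -ConnectionProtocol IKEv2 -SharedKey 'replace-with-psk-2' -IpsecPolicies $policy2 `
           -UsePolicyBasedTrafficSelectors $true

# Read back what each connection is configured with and whether it came up.
foreach ($name in 'cn-site1', 'cn-site2') {
    $c = Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $rg
    $p = $c.IpsecPolicies[0]
    [pscustomobject]@{
        Connection = $name
        Status     = $c.ConnectionStatus
        Ike        = "$($p.IkeEncryption)/$($p.IkeIntegrity)/$($p.DhGroup)"
        Ipsec      = "$($p.IpsecEncryption)/$($p.IpsecIntegrity)/$($p.PfsGroup)"
        PbSelector = $c.UsePolicyBasedTrafficSelectors
    }
}
```

The peer device must be configured with exactly the same proposal for each tunnel, including the PFS group for the IPsec SA; a mismatch surfaces as a connection that stays in Connecting with no traffic.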