Azure VPN Gateway

  • A secured hybrid cloud architecture.
  • It is composed of a gateway subnet, a tunnel, and an on-premises gateway.
  • Protocols: Internet Protocol Security (IPsec) and Internet Key Exchange (IKE)
  • VPN gateway connections: VNet-to-VNet, Site-to-Site, and Point-to-Site
    • Create a secure connection from your on-premises network to an Azure virtual network with a site-to-site VPN.
    • A VNet-to-VNet connection automatically routes to the updated address space if you update the address space on the other VNet.
    • If you need to establish a connection to your virtual network from a remote location, you can use a point-to-site (P2S) VPN.
  • You can also have one VPN gateway with more than one on-premises network using a Multi-Site connection.


  • Policy-based gateway
    • Implements a policy-based VPN.
    • Policy-based VPNs are used to encrypt and direct packets to IPsec tunnels. 
    • The policy or traffic selector is defined as an access list in the VPN configuration.
    • You cannot change a policy-based VPN to a route-based VPN, and vice versa. 
  • Route-based gateway
    • Implements a route-based VPN.
    • Route-based VPNs use routes in the routing table to direct packets to tunnel interfaces.
    • Tunnel interfaces can encrypt and decrypt packets.
    • The policy or traffic selectors are configured as wildcards (any-to-any).
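
A simplified model of the two lookups described above, as an added example (not Azure's implementation and not code from the original page). The prefixes, tunnel names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample prefixes (assumptions, not values from the page).
VNET, ONPREM_A, ONPREM_B = "172.16.0.0/16", "10.1.0.0/16", "10.2.0.0/16"

# Policy-based: the traffic selector is an access list of
# (local prefix, remote prefix) pairs, each bound to one IPsec tunnel.
POLICY_SELECTORS = [(VNET, ONPREM_A, "tunnel-a")]

# Route-based: selectors are any-to-any, so the routing table alone
# decides which tunnel interface receives the packet.
ROUTE_TABLE = [(ONPREM_A, "tunnel-a"), (ONPREM_B, "tunnel-b")]


def policy_based_lookup(src, dst, selectors=POLICY_SELECTORS):
    """Return the tunnel whose (local, remote) selector matches, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, tunnel in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return tunnel
    return None  # no selector matched: the packet never enters a tunnel


def route_based_lookup(dst, routes=ROUTE_TABLE):
    """Longest-prefix match on the destination only; the source is ignored."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), t) for p, t in routes
               if d in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    # Same flows under both models (constructed addresses).
    for src, dst in [("172.16.1.4", "10.1.5.5"),   # covered by the selector
                     ("172.16.1.4", "10.2.5.5"),   # second site, no selector
                     ("192.168.0.9", "10.1.5.5")]: # source outside the VNet
        print(src, "->", dst,
              "| policy:", policy_based_lookup(src, dst),
              "| route:", route_based_lookup(dst))
```

Reaching the second site under the policy-based model means adding another selector pair to the access list, while the route-based model only needs a route.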

Connection Resiliency

  • In an active-active configuration, each Azure VPN gateway instance will establish S2S VPN tunnels and the traffic will be routed to multiple tunnels.
  • For active-passive configuration, the standby instance would only take over if a disruption happens on the active instance.




Supported Services

Cloud Services and Virtual Machines

Cloud Services and Virtual Machines


Typically < 1 Gbps aggregate

Based on the gateway SKU



Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec


We support PolicyBased (static routing) and RouteBased (dynamic routing VPN)

RouteBased (dynamic)

Connection resiliency

active-passive or active-active


Use case

Dev / test / lab scenarios and small scale production workloads for cloud services and virtual machines

Prototyping, dev / test / lab scenarios for cloud services and virtual machines


  • You are billed hourly for the compute costs of the VNet gateway.
  • You are charged for the egress data transfer from the virtual network gateway.
  • You are only charged by the VPN Gateway when you transfer data between two different regions, except with Point-to-Site VPN.
