Domain 2: Connectivity Services

Site-to-Site VPN: Connecting On-Premises

Build secure IPsec tunnels between Azure and on-premises with VPN Gateway: SKU selection, policy vs route-based, custom IKE policies, and high-availability designs.

A Site-to-Site (S2S) VPN creates an encrypted tunnel between your Azure VNet and on-premises network over the public internet. It’s the most common hybrid connectivity starting point.

Simple explanation

A site-to-site VPN is a secure tunnel between your office and Azure, like an underground passage connecting two buildings. Your on-premises network has a VPN device. Azure has a VPN Gateway. They negotiate encryption, share a secret key, and create an encrypted tunnel over the public internet.

Three Components of S2S VPN

πŸͺ Sam’s scenario: Harbour Retail’s head office in Auckland needs to connect to Azure for accessing VMs and databases. He needs three things:

On-Premises       ←── IPsec Tunnel ──→         Azure
[VPN Device]                               [VPN Gateway]
                                           in GatewaySubnet
        ↑                                       ↑
  Local Network                          Virtual Network
  Gateway (LNG)                            Gateway (VNG)
  (tells Azure your                     (deployed by Azure
   on-prem IP + ranges)                  in your VNet)
  1. Virtual Network Gateway (VNG): Azure-managed gateway deployed in the GatewaySubnet. Takes 30-45 minutes to provision.
  2. Local Network Gateway (LNG): A logical resource representing your on-premises VPN device; it contains the device’s public IP and the on-prem address ranges.
  3. Connection: Links the VNG to the LNG with a shared key (pre-shared key for IKEv2) or certificates.

VPN Gateway SKUs

VPN Gateway SKU Comparison

SKU        Throughput   S2S Tunnels   P2S Connections   BGP   Zone-Redundant
VpnGw1     650 Mbps     30            250               Yes   No
VpnGw1AZ   650 Mbps     30            250               Yes   Yes
VpnGw2     1.25 Gbps    30            500               Yes   No
VpnGw2AZ   1.25 Gbps    30            500               Yes   Yes
VpnGw3     2.5 Gbps     30            1000              Yes   No
VpnGw3AZ   2.5 Gbps     30            1000              Yes   Yes
VpnGw4     5 Gbps       100           5000              Yes   No
VpnGw4AZ   5 Gbps       100           5000              Yes   Yes
VpnGw5     10 Gbps      100           10000             Yes   No
VpnGw5AZ   10 Gbps      100           10000             Yes   Yes

Exam Tip (Choosing the SKU): The exam often presents a throughput requirement and asks which SKU to choose. Remember: VpnGw1/2/3 support 30 S2S tunnels, while VpnGw4/5 support 100. AZ variants are zone-redundant and required for production SLA. The Basic SKU (legacy) is not shown above; it doesn’t support BGP, active-active, or custom IPsec/IKE policies, and should never be used for new deployments.

Policy-Based vs Route-Based

Policy-Based vs Route-Based VPN

Feature                        Policy-Based                      Route-Based
IKE version                    IKEv1 only                        IKEv2 (and IKEv1 for legacy)
Tunnel count                   1 tunnel only                     Up to 100 (SKU dependent)
P2S support                    No                                Yes
BGP support                    No                                Yes
Active-active                  No                                Yes
Coexistence with ExpressRoute  No                                Yes
Traffic selectors              Defined by policy (ACLs)          Any-to-any (virtual tunnel interface)
Use case                       Legacy devices that require it    Everything else (this is the default)

Exam Tip: Route-based VPN is the correct choice for 99% of deployments. The only reason to use policy-based is if your on-premises device doesn’t support route-based (very rare with modern equipment). If the exam doesn’t specifically mention a legacy device requirement, choose route-based.

Custom IPsec/IKE Policies

Aisha’s scenario: Sentinel Banking’s compliance team requires specific encryption algorithms that exceed Azure defaults. She configures custom IPsec/IKE policies:

Phase 1 (IKE SA) parameters:

Parameter     Options
Encryption    AES256, AES192, AES128, DES3
Integrity     SHA384, SHA256, SHA1, MD5
DH Group      DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2
SA Lifetime   300 - 86,400 seconds (default 28,800 = 8 hours)

Phase 2 (IPsec SA) parameters:

Parameter     Options
Encryption    GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128
Integrity     GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1
PFS Group     PFS24, ECP384, ECP256, PFS2048, PFS14, PFS2, None
SA Lifetime   300 - 27,000 seconds (default 3,600 = 1 hour)

Aisha configures AES256 encryption, SHA256 integrity, DHGroup14, and PFS2048 to meet her banking compliance requirements. Both sides (Azure and on-prem VPN device) must use identical parameters.
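Sam’s three components and Aisha’s custom policy, built end to end with Azure PowerShell (Az module) as an added example, not code from the course. Resource names, the australiaeast region, the on-prem public IP 203.0.113.10 and the 192.168.0.0/16 range are constructed values, and the VNet with its GatewaySubnet is assumed to already exist.

```powershell
# Added example (not from the course): create VNG, LNG and Connection with a custom IPsec/IKE policy.
# Assumptions: resource group and VNet 'hr-vnet' with a 'GatewaySubnet' already exist;
# region, names, the on-prem public IP and address range below are constructed.
$rg       = 'harbour-retail-rg'
$location = 'australiaeast'
$vnetName = 'hr-vnet'

# 1. Virtual Network Gateway (VNG): route-based, zone-redundant AZ SKU, which needs a Standard
#    static public IP. Provisioning takes 30-45 minutes, so this call blocks for a while.
$pip    = New-AzPublicIpAddress -Name 'hr-vpngw-pip' -ResourceGroupName $rg -Location $location `
            -Sku Standard -AllocationMethod Static
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSub  = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'hr-vpngw-ipconf' -Subnet $gwSub -PublicIpAddress $pip
$vng    = New-AzVirtualNetworkGateway -Name 'hr-vpngw' -ResourceGroupName $rg -Location $location `
            -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ

# 2. Local Network Gateway (LNG): the on-prem device's public IP and the ranges behind it.
#    203.0.113.10 (documentation range) and 192.168.0.0/16 are constructed values.
$lng = New-AzLocalNetworkGateway -Name 'auckland-office-lng' -ResourceGroupName $rg -Location $location `
         -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.0.0/16'

# Custom IPsec/IKE policy from the tables above: AES256 / SHA256 / DHGroup14 for IKE (phase 1),
# AES256 / SHA256 / PFS2048 for IPsec (phase 2). The on-prem device must use identical values.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
            -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
            -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

# 3. Connection: links VNG to LNG over IPsec (IKEv2) with a pre-shared key. The PSK is prompted
#    for here rather than hard-coded; in automation, pull it from a secret store such as Key Vault.
$psk  = Read-Host -Prompt 'Pre-shared key (must match the on-prem device)'
$conn = New-AzVirtualNetworkGatewayConnection -Name 'hr-to-auckland' -ResourceGroupName $rg `
          -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
          -ConnectionType IPsec -IpsecPolicies $policy -SharedKey $psk

# Verify the applied policy and the tunnel state (Connecting / Connected / NotConnected).
Get-AzVirtualNetworkGatewayConnectionIpsecPolicy -Name 'hr-to-auckland' -ResourceGroupName $rg
(Get-AzVirtualNetworkGatewayConnection -Name 'hr-to-auckland' -ResourceGroupName $rg).ConnectionStatus
```

A mismatch in any one parameter (for example PFS2048 on Azure and no PFS on the device) leaves the connection stuck in NotConnected, so compare the printed policy against the device configuration first when troubleshooting.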

High-Availability Designs

Active-Standby (default): Every VPN Gateway deploys as two instances. One is active, one is standby. Failover happens automatically in 10-15 seconds (planned) or 60-90 seconds (unplanned).

Active-Active: Both gateway instances are active simultaneously, each with its own public IP. You create tunnels from your on-premises device to both IPs. Benefits:

  • Load balancing across both tunnels
  • Faster failover (seconds instead of a minute)
  • Better throughput (both tunnels carry traffic)

Dual-Redundancy (4 tunnels): For maximum availability, combine an active-active Azure gateway with two on-premises VPN devices:

On-Prem Device 1 ──→ Azure GW Instance 1
On-Prem Device 1 ──→ Azure GW Instance 2
On-Prem Device 2 ──→ Azure GW Instance 1
On-Prem Device 2 ──→ Azure GW Instance 2

This gives you 4 IPsec tunnels with no single point of failure on either side.

Azure Extended Network

Azure Extended Network is a niche feature that lets you stretch a Layer 2 subnet from on-premises into Azure. VMs keep their on-premises IP addresses after migration.

When it’s used: During migration, when you can’t change VM IPs (applications with hardcoded IPs, licensing tied to IPs, complex interdependencies).

Requirements:

  • VPN or ExpressRoute connection
  • Windows Server 2019 as the host OS
  • Azure Extended Network Windows Admin Center extension

Limitations: Not for permanent use; it’s a migration bridge. Performance overhead from L2 encapsulation. Rarely tested on the exam, but good to know it exists.

Key Takeaways

  • S2S VPN needs three components: VNG, LNG, and Connection
  • Route-based VPN is the default: supports BGP, P2S, active-active, multiple tunnels
  • Choose SKU based on throughput needs; AZ variants for zone redundancy
  • Custom IPsec/IKE policies must match on both sides
  • Active-active with dual on-prem devices gives maximum availability (4 tunnels)

Test Your Knowledge

Question

What are the three components needed for a Site-to-Site VPN?

Answer

1. Virtual Network Gateway (VNG): Azure-side gateway in GatewaySubnet. 2. Local Network Gateway (LNG): represents on-premises (public IP + address ranges). 3. Connection: links VNG to LNG with shared key.

Question

When should you use policy-based instead of route-based VPN?

Answer

Only when your on-premises VPN device requires it (very rare with modern equipment). Route-based is the default and supports BGP, P2S, active-active, multiple tunnels, and ExpressRoute coexistence.

Question

How many S2S tunnels do VpnGw1-3 SKUs support vs VpnGw4-5?

Answer

VpnGw1, 2, 3: up to 30 S2S tunnels. VpnGw4, 5: up to 100 S2S tunnels. AZ variants add zone redundancy but have the same tunnel limits.

Question

What is dual-redundancy in VPN design?

Answer

Combining an active-active Azure VPN Gateway (2 instances) with 2 on-premises VPN devices, creating 4 tunnels total. No single point of failure on either side.

Knowledge Check

Sam needs a VPN Gateway that supports BGP, zone redundancy, and at least 1.25 Gbps throughput. Which SKU should he choose?

Knowledge Check

Aisha configures custom IPsec/IKE policies on her Azure VPN connection. What must be true about the on-premises VPN device?


Next up: Point-to-Site VPN: Remote Access. Connect individual devices to Azure with P2S VPN using certificates, RADIUS, or Entra ID authentication.