A Guide to VPN Gateways

A VPN gateway is a specific type of virtual network gateway that sends encrypted traffic between a virtual network and an on-premises site over a shared public connection. To send or receive encrypted traffic between a virtual network and an on-premises location, you must create a VPN gateway. A virtual network can have only one VPN gateway; however, you can create several connections to the same VPN gateway. Multi-site configurations are one example of this. When you create multiple connections to a VPN gateway, every VPN tunnel, including Point-to-Site (P2S) tunnels, shares the bandwidth available to that gateway.

What are Virtual Network Gateways?

A virtual network gateway is made up of multiple virtual machines deployed to a specific subnet called the Gateway Subnet. Creating the virtual network gateway deploys those VMs into the Gateway Subnet.

When configured, the VMs of a virtual network gateway carry gateway-specific services and routing tables. You cannot configure the VMs that make up the virtual network gateway directly. In addition, it is not advisable to deploy other resources into the Gateway Subnet.

The reason is that the VPN gateway VMs are deployed into the Gateway Subnet and are configured using the settings you specify. The gateway SKU you select determines how powerful those VMs are.

How to Configure VPN Gateways?

A VPN gateway connection relies on several resources, each configured with specific settings. Most of these resources can be configured separately; in a few cases, however, they must be configured in a specific order.

Creating an effective connection depends upon the settings selected for every resource.

Tools for Deployment

You can use the portal, which is one configuration tool, to build and configure resources. Later, you can switch to a different tool, for example PowerShell, to configure additional resources or to modify existing resources where that is supported.

Deployment Model

How you configure a VPN gateway depends on the deployment model used to create the virtual network. For example, to build and configure your VPN gateway you follow the procedures and guidelines for the standard deployment model, provided that you used that model to build your VNet.

Gateway SKU

When you create a virtual network gateway, you must specify the gateway SKU you want. Choose the SKU that matches your requirements in terms of workload type, features, throughput, and SLA.

How to Re-size a Gateway SKU?

You can resize between the VpnGw1, VpnGw2, and VpnGw3 SKUs.

When you use the old gateway SKUs, you can resize between the Basic, Standard, and High-Performance SKUs.

However, you cannot resize from the Basic/Standard/High-Performance SKUs to the new VpnGw1/VpnGw2/VpnGw3 SKUs. Instead, you must migrate to the new SKU.

Migration from Old to New SKUs

Migrating from an old SKU to a new SKU changes the public IP address of the VPN gateway.

You cannot migrate classic VPN gateways to the new SKUs; classic gateways can use only the old (legacy) SKUs.

Site to Site (S2S)

Site-to-Site VPN gateway connections are connections over IKE/IPsec VPN tunnels and are useful for hybrid and cross-premises configurations.

An S2S connection requires an on-premises VPN device that has a public IP address assigned to it and is not located behind a NAT.

A multi-site connection is a variation of the S2S connection: you build more than one VPN connection from the virtual network gateway, which connects it to multiple on-premises locations.

Multiple connections require a Route-Based VPN type. For classic VNets, the Route-Based VPN type corresponds to a dynamic gateway.

Because a virtual network can have only one VPN gateway, every connection through that gateway shares the available bandwidth. This type of connection is known as a multi-site connection.
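The following Azure PowerShell (Az.Network) script is an added example, not code from the original article, that walks through the configuration described above: the Gateway Subnet, a Route-Based VpnGw1 gateway, a Site-to-Site connection to an on-premises device, and an in-place resize within the VpnGw SKU family. The resource group, VNet, address ranges, and on-premises IP address are assumed placeholders.

```powershell
# Added example (not from the original article): Route-Based VPN gateway plus one
# S2S connection using Az.Network cmdlets. All names, address ranges and the
# on-premises address below are assumed placeholders.
$rg       = "rg-vpn-demo"
$location = "westeurope"

# 1. The gateway VMs are deployed into a subnet that must be named "GatewaySubnet".
#    Keep other resources out of it.
$vnet = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.0.255.0/27" `
    -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. Public IP for the gateway. A later migration between SKU generations replaces
#    this address, so the on-premises device must be updated afterwards.
$pip    = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" -SubnetId $gwSubnet.Id `
    -PublicIpAddressId $pip.Id

# 3. Route-Based type is required for multi-site and for combining S2S with P2S.
#    The SKU decides how powerful the gateway VMs are; creation takes a while.
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 4. Local network gateway = the on-premises VPN device (public IP, no NAT in front)
#    and the on-premises address space reachable through the tunnel.
$lng = New-AzLocalNetworkGateway -Name "lng-site1" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix "192.168.10.0/24"

# 5. IPsec/IKE connection. The pre-shared key is read interactively here instead of
#    being hard-coded; a second connection to another local network gateway on the
#    same $gw is what turns this into a multi-site configuration.
$psk      = Read-Host -Prompt "Pre-shared key for site1" -AsSecureString
$pskPlain = [System.Net.NetworkCredential]::new("", $psk).Password
New-AzVirtualNetworkGatewayConnection -Name "conn-site1" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $pskPlain | Out-Null

# 6. Resizing within the VpnGw family is done in place; Basic -> VpnGw is not a
#    resize and needs a new gateway (and therefore a new public IP).
Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku VpnGw2 | Out-Null

# 7. Tunnel status; expect "Connected" once the on-premises side is configured.
(Get-AzVirtualNetworkGatewayConnection -Name "conn-site1" -ResourceGroupName $rg).ConnectionStatus
```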

Point to Site (P2S)

A Point-to-Site (P2S) connection lets you create a secure connection to your virtual network from an individual client computer. The connection is started from the client computer. This solution is useful for telecommuters who want to connect to the VNet from a remote location, for example from a conference or from home. P2S VPN is also a better solution than S2S VPN when only a few clients need to connect to the VNet.

Unlike an S2S connection, a P2S connection requires no VPN device and no on-premises public IP address. P2S connections can be used together with an S2S connection through the same VPN gateway, provided that the configuration requirements of both connection types are compatible.

VPN Gateway Compute Costs

Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU you specify when you create the virtual network gateway. This cost is for the gateway itself and is in addition to the cost of the data transfer that flows through the gateway.
