Azure supports different types of VPN Gateway. This article discusses the types of VPNs that you can use with Azure.
VPN types
Azure supports different types of VPNs. To help you decide which one to use, here is a brief overview of the types of VPNs that are available and the benefits of each type.
Static Routing
Static routing is a form of routing that occurs when a router uses a manually-configured routing entry, rather than information from Dynamic Routing Protocols, to forward traffic. Static routing is typically used in small networks or when there is only one routable path between any two machines on the network.
If more than one path exists between any two machines, static routing typically isn’t used, as it would require significant administrative overhead to ensure that all possible routes were configured correctly. Additionally, static routes don’t automatically adapt if a network changes, which can lead to outages.
In Azure this is the PolicyBased gateway type, also called a static-routing gateway. A policy-based gateway encrypts and forwards traffic according to a fixed list of address-prefix pairs, negotiates IKEv1, is available on the Basic SKU only, and supports a single site-to-site tunnel. It cannot terminate point-to-site or VNet-to-VNet connections; those need a route-based gateway.
Dynamic Routing
Dynamic routing is the behaviour of a RouteBased VPN gateway. Rather than matching traffic against address-prefix policies, the gateway treats the tunnel as a network interface and forwards into it whatever its route table sends there, and it can learn those routes from the peer over BGP. BGP is the only dynamic routing protocol Azure VPN Gateway supports; OSPF and RIP are not supported. Route-based gateways negotiate IKEv2 and support multiple site-to-site tunnels, point-to-site, and VNet-to-VNet connections.
Protocols
For point-to-site connections, Azure VPN Gateway offers three client protocols: IKEv2, SSTP, and OpenVPN. PPTP is not supported, and neither is L2TP/IPsec. Site-to-site and VNet-to-VNet connections always use IPsec/IKE (IKEv1 on a policy-based gateway, IKEv2 on a route-based gateway). Point-to-site lets an individual client reach the virtual network from anywhere, which is why the client protocol matters when the client sits behind a restrictive network.
IKEv2
IKEv2 (Internet Key Exchange version 2) is the protocol that authenticates the two peers and negotiates the keys for an IPsec tunnel; the tunnel itself is carried by ESP. It was standardized by the IETF in RFC 4306 (2005), with Microsoft and Cisco among the contributors, and has since been revised in RFC 7296. It keeps the strengths of its predecessor IKEv1 while simplifying the exchange and improving flexibility and security. IKEv2 is built into most major operating systems and is considered one of the most secure VPN options currently available.
SSTP
SSTP (Secure Socket Tunneling Protocol) carries PPP over an HTTPS connection. Microsoft introduced it in Windows Vista Service Pack 1 and Windows Server 2008. Because the transport is HTTPS on TCP port 443, the same port used by ordinary TLS web traffic, SSTP can pass through most enterprise firewalls and proxies without difficulty: any device that permits outbound TLS will generally permit SSTP as well. The caveat is that a proxy performing TLS inspection sees the SSTP handshake inside the decrypted stream and can still identify and block it.
L2TP/IPsec
Layer 2 Tunneling Protocol over IPsec (L2TP/IPsec) tunnels Layer 2 (PPP) frames inside an IPsec ESP tunnel. On the wire that means IKE on UDP port 500 (UDP 4500 when NAT traversal is in use), ESP as IP protocol 50, and L2TP on UDP 1701 carried inside the protected tunnel. The IPsec security association can be authenticated with either a pre-shared key or a machine certificate; neither is mandatory on its own, but one of the two must be configured. L2TP/IPsec is described here for comparison: Azure VPN Gateway does not offer it as a point-to-site protocol.
Microsoft recommends certificate-based authentication for all types of IPsec tunnels, including L2TP/IPsec tunnels, whenever possible: a shared secret is only as strong as the weakest place it is stored, and with IKEv1 aggressive mode it can be attacked offline from a captured exchange. To learn more about why you should use certificate-based authentication, see Certificate-based authentication for IKEv2 IPsec VPN connections in Azure.
Supported VPN types
Azure supports three VPN connection types: Point-to-Site, Site-to-Site, and VNet-to-VNet. Point-to-Site (P2S) creates a secure connection to an Azure virtual network from an individual computer. Site-to-Site (S2S) creates a secure connection between an on-premises network and an Azure virtual network. VNet-to-VNet creates a secure connection between two Azure virtual networks.
Static Routing
Static routing is a type of routing in which a router forwards traffic according to manually configured entries rather than information learned from a dynamic routing protocol. In most cases a network administrator configures the routes by hand. Static routes are most often used in smaller networks, or where it matters that no route can be altered by a rogue or misconfigured routing advertisement. When the topology is well known and stable, static routes also avoid the CPU, bandwidth and convergence overhead of running a routing protocol. In Azure this corresponds to the PolicyBased gateway type.
Dynamic Routing
Dynamic Routing (RouteBased) Gateways support the following VPN types:
– Point-to-Site VPNs
– Site-to-Site VPNs
– VNet-to-VNet VPNs
Point-to-Site (P2S) VPNs connect an individual client computer to a VNet. P2S connections are established by installing a VPN client on the client computer. To learn more, see What is Point-to-Site VPN?
Site-to-Site (S2S) VPNs connect an entire network (a site) to a VNet. S2S connections require a VPN device or an RRAS server at the on-premises gateway, with a public IP address that the Azure gateway can reach. To learn more, see What is Site-to-Site VPN?
VNet-to-VNet connections join two Azure virtual networks through their gateways, in the same or different regions and subscriptions, using the same IPsec/IKE tunnel as an S2S connection.
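The constraints from the static and dynamic routing sections above, encoded as a pre-deployment check. This is an added example written for this article, not Azure tooling: the dictionary layout is this example's own (its keys loosely follow the ARM virtual network gateway and connection properties), and `check_gateway`, `remediate` and the configurations are all constructed for the demonstration. It flags a policy-based gateway that has been asked to do route-based things and returns a corrected description.

```python
"""Pre-deployment check of a VPN gateway description against the gateway-type
rules above. Added example for this article, not Azure tooling: the dict layout
is this example's own (keys loosely follow the ARM resource properties) and the
configurations below are constructed, not exported from a subscription."""
import copy
from typing import Dict, List

# Point-to-site protocols Azure VPN Gateway actually offers; PPTP and L2TP/IPsec
# are not among them.
SUPPORTED_P2S_PROTOCOLS = ("IkeV2", "SSTP", "OpenVPN")


def check_gateway(gw: Dict) -> List[str]:
    """Return the rule violations for a gateway description (empty list = deployable)."""
    problems: List[str] = []
    vpn_type = gw.get("vpnType")
    sku = gw.get("sku", "Basic")
    conns = gw.get("connections", [])
    p2s = gw.get("vpnClientProtocols", [])

    if vpn_type == "PolicyBased":
        # Static routing: one IKEv1 site-to-site tunnel on the Basic SKU, nothing else.
        if sku != "Basic":
            problems.append(f"PolicyBased is only offered on the Basic SKU, not {sku}")
        if len(conns) > 1:
            problems.append("PolicyBased supports a single site-to-site tunnel")
        for c in conns:
            if c.get("connectionType") != "IPsec":
                problems.append(f"PolicyBased cannot terminate {c.get('connectionType')} connections")
            if c.get("connectionProtocol", "IKEv1") != "IKEv1":
                problems.append("PolicyBased negotiates IKEv1 only")
        if p2s:
            problems.append("point-to-site needs a RouteBased gateway")
        if gw.get("enableBgp"):
            problems.append("BGP needs a RouteBased gateway")
    elif vpn_type == "RouteBased":
        # Dynamic routing: S2S, P2S and VNet-to-VNet; protocol and BGP limits are per SKU.
        for proto in p2s:
            if proto not in SUPPORTED_P2S_PROTOCOLS:
                problems.append(f"P2S protocol {proto} is not offered; use IkeV2, SSTP or OpenVPN")
            elif sku == "Basic" and proto != "SSTP":
                problems.append(f"Basic SKU offers SSTP only for P2S; {proto} needs VpnGw1 or higher")
        if gw.get("enableBgp") and sku == "Basic":
            problems.append("Basic SKU does not support BGP")
    else:
        problems.append(f"unknown vpnType {vpn_type!r}; expected PolicyBased or RouteBased")
    return problems


def remediate(gw: Dict) -> Dict:
    """Return a copy moved to a RouteBased gateway that satisfies check_gateway()."""
    fixed = copy.deepcopy(gw)
    fixed["vpnType"] = "RouteBased"
    for c in fixed.get("connections", []):
        c["connectionProtocol"] = "IKEv2"      # what route-based gateways negotiate
    needs_bigger_sku = fixed.get("enableBgp") or any(
        p != "SSTP" for p in fixed.get("vpnClientProtocols", []))
    if fixed.get("sku", "Basic") == "Basic" and needs_bigger_sku:
        fixed["sku"] = "VpnGw1"
    # Drop P2S protocols the service does not offer instead of failing deployment.
    fixed["vpnClientProtocols"] = [p for p in fixed.get("vpnClientProtocols", [])
                                   if p in SUPPORTED_P2S_PROTOCOLS]
    return fixed


# Constructed: a policy-based gateway asked to do things only a route-based one can.
WEAK = {
    "vpnType": "PolicyBased",
    "sku": "Basic",
    "enableBgp": True,
    "connections": [
        {"name": "hq", "connectionType": "IPsec", "connectionProtocol": "IKEv1"},
        {"name": "branch", "connectionType": "IPsec", "connectionProtocol": "IKEv1"},
        {"name": "hub-spoke", "connectionType": "Vnet2Vnet"},
    ],
    "vpnClientProtocols": ["IkeV2", "PPTP"],
}

if __name__ == "__main__":
    for p in check_gateway(WEAK):
        print("WEAK:", p)
    print("FIXED:", check_gateway(remediate(WEAK)) or "no problems")
```

Running the script lists four problems for the policy-based description (extra tunnels, a VNet-to-VNet connection, point-to-site, BGP) and none for the remediated one, which has become a RouteBased VpnGw1 gateway with IKEv2 tunnels and IKEv2 as the only point-to-site protocol.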
Protocols
Azure VPN Gateway's point-to-site connections support three client protocols: IKEv2, SSTP, and OpenVPN (Point-to-Site itself is a connection type, not a protocol). Let's take a look at IKEv2 and SSTP in more detail, and at L2TP/IPsec for comparison.
IKEv2
IKEv2 (Internet Key Exchange version 2) is the key-exchange and authentication protocol used to set up IPsec security associations; IPsec (ESP) then protects the traffic with the keys IKEv2 negotiated. It was standardized in 2005 (RFC 4306) and is supported by a wide variety of clients and devices, which is why Azure uses it on route-based gateways and offers it as a point-to-site client protocol.
Here are some of the benefits of using IKEv2:
-IKEv2 is more secure and simpler than IKEv1: a single well-defined exchange pattern, reliable request/response message pairs, and built-in cookie-based protection against resource-exhaustion attacks on the responder.
-IKEv2 removes IKEv1's aggressive mode, whose pre-shared-key authentication hash travels in the clear and can be cracked offline from a captured exchange, and builds NAT traversal into the protocol instead of leaving it to vendor extensions.
-IKEv2 supports EAP authentication methods, allowing you to use certificates, smart cards, and RADIUS authentication.
-IKEv2 uses MOBIKE (RFC 4555), which allows the client to change IP addresses without interrupting the VPN connection.
SSTP
SSTP uses an SSL/TLS tunnel to encapsulate PPP-framed IP traffic and transport it over an HTTPS connection. It uses TCP port 443, which is allowed in almost all firewall configurations, so it is useful where other VPN protocols are blocked, such as on public Wi-Fi hotspots or behind a corporate proxy that only permits web traffic. The trade-offs are that SSTP clients exist only for Windows (Vista and later), and that tunnelling TCP inside TCP can perform poorly on lossy links.
L2TP/IPsec
L2TP/IPsec is a popular VPN protocol built into most modern platforms, including Windows 10. It needs more than one firewall opening: UDP 500 for IKE, UDP 4500 for NAT traversal, and ESP (IP protocol 50) when no NAT is in the path; L2TP's own UDP 1701 travels inside the IPsec tunnel and is not exposed, so make sure your firewall or security appliance allows that full set. L2TP itself provides no encryption or confidentiality for the traffic that passes through it, which is why it is always paired with the IPsec suite. Used together they provide strong security and acceptable performance, at the cost of double encapsulation and a port set that restrictive networks often block. Azure VPN Gateway itself does not offer L2TP/IPsec; it is included here for comparison.
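A header-level classifier for the IKE traffic discussed above, run over a few constructed datagrams. It is an added example written for this article, not Azure or Microsoft code, and assumes nothing beyond the published ISAKMP/IKEv2 header layout: it strips the non-ESP marker used on UDP 4500, tells IKEv1 from IKEv2 by the version byte, and flags the IKEv1 aggressive mode mentioned under the IKEv2 benefits. The packet builder and sample set (`build_ike`, `SAMPLES`) are constructed test data, not captures.

```python
"""Classify IKE datagrams seen on UDP 500/4500 from the fixed ISAKMP header.

Added example for this article, not Azure or Microsoft code. Every packet below
is constructed by hand for the demonstration; none is a real capture."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Fixed ISAKMP/IKE header (RFC 2408 s3.1 for IKEv1, RFC 7296 s3.1 for IKEv2), 28 bytes,
# network byte order: initiator SPI, responder SPI, next payload, version (major nibble,
# minor nibble), exchange type, flags, message ID, total message length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = ISAKMP_HDR.size                # 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # prefixes IKE on UDP 4500 (RFC 3948 s2.2)
NATT_KEEPALIVE = b"\xff"                 # one-byte NAT-T keepalive (RFC 3948 s2.3)
IKEV2_FLAG_RESPONSE = 0x20

IKEV1_EXCHANGES = {1: "base", 2: "main", 3: "auth-only", 4: "aggressive",
                   5: "informational", 32: "quick", 33: "new-group"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass
class IkeHeader:
    major: int            # 1 or 2
    exchange: str
    initiator_spi: str
    responder_spi: str
    is_response: bool     # IKEv2 flag bit; always False for IKEv1, which has no such flag
    length: int


def parse_ike(datagram: bytes, udp_port: int) -> Optional[IkeHeader]:
    """Parse the header. Returns None for non-IKE traffic that legitimately shares
    UDP 4500 (keepalives, ESP-in-UDP); raises ValueError for malformed IKE."""
    if udp_port == 4500:
        if datagram == NATT_KEEPALIVE:
            return None
        if not datagram.startswith(NON_ESP_MARKER):
            return None                      # first four bytes are an ESP SPI, not IKE
        datagram = datagram[len(NON_ESP_MARKER):]
    if len(datagram) < HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, _next, ver, xchg, flags, _msg_id, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"length field {length} does not match {len(datagram)} bytes on the wire")
    major = ver >> 4
    if major == 1:
        exchange = IKEV1_EXCHANGES.get(xchg, f"v1-unknown-{xchg}")
        is_response = False
    elif major == 2:
        exchange = IKEV2_EXCHANGES.get(xchg, f"v2-unknown-{xchg}")
        is_response = bool(flags & IKEV2_FLAG_RESPONSE)
    else:
        raise ValueError(f"unsupported IKE major version {major}")
    return IkeHeader(major, exchange, ispi.hex(), rspi.hex(), is_response, length)


def assess(datagram: bytes, udp_port: int) -> List[str]:
    """Findings a detection rule would raise for one datagram; [] means nothing to flag."""
    hdr = parse_ike(datagram, udp_port)
    if hdr is None:
        return []
    findings = []
    if hdr.major == 1:
        findings.append("IKEv1 negotiation: legacy or policy-based peer, prefer IKEv2")
        if hdr.exchange == "aggressive":
            # Aggressive mode with a pre-shared key sends the authentication hash
            # before anything is encrypted, so a captured exchange can be brute-forced.
            findings.append("IKEv1 aggressive mode: PSK hash exposed to offline cracking")
    return findings


def build_ike(major: int, xchg: int, flags: int = 0, rspi: bytes = b"\x00" * 8,
              body: bytes = b"\x00" * 36) -> bytes:
    """Constructed datagram: valid header, opaque body (SA payload type is 1 in IKEv1, 33 in IKEv2)."""
    next_payload = 1 if major == 1 else 33
    return ISAKMP_HDR.pack(b"\x11" * 8, rspi, next_payload, major << 4, xchg, flags,
                           0, HDR_LEN + len(body)) + body


# Constructed samples keyed by name: (UDP port, datagram).
SAMPLES = {
    "v1-main":        (500,  build_ike(1, 2)),
    "v1-aggressive":  (500,  build_ike(1, 4)),
    "v2-sa-init":     (500,  build_ike(2, 34, flags=0x08)),   # 0x08 = Initiator flag
    "v2-auth-natt":   (4500, NON_ESP_MARKER + build_ike(2, 35, flags=0x20, rspi=b"\x22" * 8)),
    "natt-keepalive": (4500, NATT_KEEPALIVE),
    "esp-in-udp":     (4500, b"\xc0\xff\xee\x01" + b"\x00" * 4 + b"\xab" * 40),
}


def triage(samples=SAMPLES):
    return {name: assess(pkt, port) for name, (port, pkt) in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name:15} {findings or ['nothing to flag']}")
```

A sensor that hands real UDP 500/4500 payloads to `assess()` gets the same findings: the IKEv2 exchanges pass, the IKEv1 main-mode exchange is merely noted, and the aggressive-mode exchange is flagged as the offline-crackable case, while keepalives and ESP-in-UDP on port 4500 are ignored rather than misparsed.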