Connecting VNets using a VPN gateway connection
Nauman Munir
Senior DevOps and Cloud Consultant | AWS Certified Solutions Architect – Professional | Certified Kubernetes Administrator (CKA) | Multi-Cloud: AWS, Azure, GCP
In Azure, the second option for connecting Virtual Networks (VNets) is by using a VPN gateway connection. Unlike the simplicity of VNet peering, this method involves leveraging Azure VPN Gateway, which establishes a secure IPsec/IKE (Internet Key Exchange) tunnel between two VNets. While this approach offers advanced security features, it introduces additional complexity in its setup, configuration, and operational requirements.
One of the primary distinctions between VPN gateway connectivity and VNet peering is the underlying infrastructure. While VNet peering facilitates private, low-latency connectivity over the Microsoft backbone, VPN gateway connections route traffic over the public internet. As a result, VPN gateway connections inherently introduce higher latency compared to VNet peering. Moreover, the setup process is more intricate and time-consuming, as deploying a VPN gateway requires provisioning a public IP address for the gateway in each VNet.
Provisioning a VPN gateway can take up to 40 minutes, depending on the size and complexity of the VNets and the gateway SKUs selected. This longer deployment time should be factored into any project planning where VPN gateway connectivity is necessary.
Despite the added complexity and the fact that traffic flows over the public internet, VPN gateway connections remain a valuable option in specific scenarios, especially when security and compliance are of paramount importance. The key advantage of VPN gateway connections is the encryption provided by the IPsec/IKE tunnel. This encryption ensures that data transferred between the VNets is secure, meeting requirements for industries that adhere to strict compliance regulations such as HIPAA, PCI-DSS, or GDPR.
By default, traffic between VNets in a VPN gateway connection is encrypted inside the IPsec tunnel, whose keys are negotiated with IKE (Internet Key Exchange), which offers robust protection against unauthorized access or data breaches. This makes VPN gateways a preferred solution when encryption is non-negotiable for business or regulatory reasons.
When implementing a VPN gateway connection to link two VNets, Azure provides two primary connection types, each suited for different networking needs.
- VNet-to-VNet Connection: This option is most applicable when both VNets reside within the same Azure subscription or Azure Active Directory (AD) tenant. The VNet-to-VNet connection type simplifies configuration by automatically generating the necessary settings for the remote gateway and associated networks. A notable feature of VNet-to-VNet connectivity is its ability to dynamically update routing when the address space of one of the VNets changes. This automatic propagation reduces the operational overhead of manually reconfiguring the routes every time a VNet address space is updated. From a configuration perspective, the VNet-to-VNet connection is generally faster and more straightforward to deploy than the alternative Site-to-Site connection, as Azure handles much of the underlying setup automatically. This connection type is ideal for intra-subscription VNets that require a simple, secure, and reliable connection between them.
- Site-to-Site (IPsec) Connection: For more complex network setups, such as when the VNets reside in different subscriptions or across different Azure AD tenants, the Site-to-Site IPsec connection becomes the preferred solution. Unlike the VNet-to-VNet connection, this method requires manual configuration of the local network gateways in each VNet. In a Site-to-Site setup, each VNet is treated as a local on-premises site by the counterpart VNet. As a result, the local network gateway for each VNet must be manually defined, including specifying the IP address ranges and associated routing rules for the connection. This manual configuration makes the Site-to-Site connection more suitable for environments where multiple network segments, complex routing rules, or overlapping address spaces are present. While the setup process is more involved, it provides greater control over network routing, security policies, and resource isolation.
In addition to the inherent encryption and security benefits, VPN gateway connections offer several unique features and advantages over VNet peering, making them suitable for specific use cases.
- Support for Overlapping Address Spaces: One of the most compelling features of VPN gateway connections is the ability to connect VNets that have overlapping IP address spaces. By leveraging NAT (Network Address Translation) rules, VPN gateways can facilitate connectivity between overlapping subnets, which would otherwise be impossible with traditional VNet peering. This is particularly useful in scenarios where IP address ranges are difficult to modify, such as when integrating legacy systems, merging multiple networks, or establishing hybrid cloud connectivity.
- Configurable Bandwidth and Performance: The performance of a VPN gateway connection is largely dictated by the SKU of the deployed VPN gateway. Azure offers a range of VPN gateway SKUs, each supporting different bandwidth thresholds and performance capabilities. For example, the Basic SKU provides limited throughput and is suited for small-scale or test environments, while the HighPerformance and UltraPerformance SKUs support significantly higher bandwidth, making them suitable for production environments with heavy traffic loads. Organizations must carefully select the appropriate VPN gateway SKU based on their bandwidth requirements and expected network traffic. It's important to note that VPN gateway connections inherently introduce higher latency and lower throughput compared to VNet peering due to the encryption overhead and public internet routing.
- Network Security Groups (NSGs) for Traffic Filtering: Similar to VNet peering, VPN gateway connections allow the use of Network Security Groups (NSGs) to enforce traffic filtering and access control policies. NSGs can be applied at the subnet level to block or allow specific types of traffic, providing an additional layer of security beyond the encrypted tunnel. NSGs are particularly useful for controlling east-west traffic between VNets connected via a VPN gateway, ensuring that only authorized traffic can traverse the connection. This becomes critical in multi-VNet architectures where different environments or workloads may require varying levels of access control and isolation.
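The overlapping-address-space point above is worth checking before any gateway is provisioned. The following is an added example, not code from the article or from Azure: it decides whether two VNets can be peered or need a VPN gateway with NAT, and validates a proposed NAT plan (each entry maps an internal range to the translated range the peer will see; the address ranges are constructed samples and the plan checks are assumptions about sensible NAT design, not the Azure API).

```python
"""Added example: plan connectivity between two VNets whose address spaces
may overlap. Peering needs disjoint spaces; a VPN gateway can bridge overlap
with NAT rules, provided the translated ranges are themselves unambiguous.
All address ranges used here are constructed samples."""
from ipaddress import ip_network
from typing import List, Tuple

NatPlan = List[Tuple[str, str]]  # (internal range, translated/external range)


def overlapping_pairs(a: List[str], b: List[str]) -> List[Tuple[str, str]]:
    """Return every (range_in_a, range_in_b) pair that overlaps."""
    nets_a = [ip_network(x) for x in a]  # strict=True rejects host bits
    nets_b = [ip_network(x) for x in b]
    return [(str(x), str(y)) for x in nets_a for y in nets_b if x.overlaps(y)]


def connectivity_option(a: List[str], b: List[str]) -> str:
    """VNet peering is only possible when no ranges overlap; otherwise
    a VPN gateway connection with NAT rules is required."""
    return "vpn-gateway-with-nat" if overlapping_pairs(a, b) else "vnet-peering"


def validate_nat_plan(a: List[str], b: List[str], plan: NatPlan) -> List[str]:
    """Check a NAT plan covering both gateways. A translated range must be
    the same size as its source (1:1 static NAT), must not overlap any real
    range in either VNet, and must not collide with another translation."""
    problems = []
    real = [ip_network(x) for x in a + b]
    seen = []
    for internal, external in plan:
        src, dst = ip_network(internal), ip_network(external)
        if src.num_addresses != dst.num_addresses:
            problems.append(f"{internal}->{external}: size mismatch")
        if any(dst.overlaps(r) for r in real):
            problems.append(f"{external}: overlaps a real VNet range")
        if any(dst.overlaps(t) for t in seen):
            problems.append(f"{external}: collides with another translation")
        seen.append(dst)
    return problems


if __name__ == "__main__":
    vnet_a = ["10.0.0.0/16"]
    vnet_b = ["10.0.0.0/16", "192.168.1.0/24"]  # constructed overlap with A
    print(connectivity_option(vnet_a, vnet_b))
    plan = [("10.0.0.0/16", "100.64.0.0/16"), ("10.0.0.0/16", "100.65.0.0/16")]
    print(validate_nat_plan(vnet_a, vnet_b, plan) or "NAT plan OK")
```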
From a performance perspective, the bandwidth and throughput of a VPN gateway connection are restricted by the SKU of the VPN gateway. High-traffic environments may require premium SKUs to meet their performance demands. Additionally, traffic latency will inherently be higher compared to VNet peering due to the involvement of the public internet in the routing path.
On the security front, VPN gateway connections offer the advantage of encrypted traffic flows via IPsec/IKE, making them suitable for use cases where compliance with stringent security standards is required. However, organizations must still ensure proper configuration of NSGs, routing tables, and NAT rules to prevent unauthorized access and optimize traffic flow.