If you’re looking to set up a VPN on your Azure account, you’ll want to make sure you’re using a supported VPN type. In this blog post, we’ll go over the different VPN types supported by Azure so that you can choose the right one for your needs.
VPN Types
Azure supports a small set of VPN configurations, each with its own capabilities. Which one you use is determined by what you are connecting. The configurations covered here are point-to-site (a single client device), site-to-site (an on-premises network), and multi-site (several on-premises networks terminating on one gateway).
Point-to-Site
Point-to-Site (P2S) creates a secure connection to an Azure virtual network from an individual computer. P2S availability by gateway VPN type:
– Route-based gateways: supported
– Policy-based gateways: not supported (a policy-based gateway terminates a single site-to-site IKEv1 tunnel and nothing else)
P2S VPNs connect an individual computer to an Azure virtual network over the Internet and require a VPN client on the user's computer. Azure VPN Gateway supports three P2S tunnel protocols: OpenVPN (SSL/TLS based, TCP 443), SSTP (Microsoft's TLS-based protocol on TCP 443, Windows clients only), and IPsec/IKEv2 (UDP 500 and 4500). Because OpenVPN and SSTP run inside a TLS session on port 443 they pass through most firewalls and web proxies; IKEv2 needs those UDP ports open outbound, which some guest networks block.
When you connect to a P2S gateway, you create an encrypted tunnel between your device and the gateway in your Azure VNet, and all traffic between the device and resources in the VNet traverses that single tunnel. Clients are authenticated in one of three ways: by certificate (you upload the public part of a root certificate to the gateway and issue each client a certificate chained to it; an individual client is revoked by adding its thumbprint to the gateway's revoked list), by Microsoft Entra ID (formerly Azure AD; OpenVPN protocol only, which brings Conditional Access and MFA), or by RADIUS (which can front an existing MFA solution). MFA is therefore a property of the identity backend, not of the tunnel protocol. A client certificate alone proves only possession of a private key, so protect client keys as you would any other credential.
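To make the certificate-authentication step concrete, here is an added example (not code from the original post or from Microsoft) that prepares a root certificate for upload and computes the thumbprint used to revoke an individual client. It uses only the Python standard library; the PEM it operates on is a constructed five-byte placeholder rather than a real certificate, and the function names are this example's own.

```python
import base64
import hashlib
import ssl


def pem_to_azure_public_cert_data(pem: str) -> str:
    """Turn a PEM root certificate into the single-line base64 DER value that
    Azure expects for a P2S root certificate: drop the BEGIN/END armour and
    every newline, and make sure what is left really is base64 DER.
    (Shell equivalent: openssl x509 -in root.pem -outform der | base64 -w0)"""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())   # checks the armour, decodes the body
    if not der or der[0] != 0x30:                  # a DER certificate starts with SEQUENCE
        raise ValueError("decoded data does not look like a DER certificate")
    return base64.b64encode(der).decode("ascii")


def thumbprint_of_der(der: bytes) -> str:
    """SHA-1 thumbprint in the upper-case hex form the Azure portal shows and
    the gateway's revoked-client-certificate list accepts."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_of_pem(pem: str) -> str:
    """Thumbprint of a PEM-encoded client certificate."""
    return thumbprint_of_der(ssl.PEM_cert_to_DER_cert(pem.strip()))


def looks_like_pem_cert(pem: str) -> bool:
    """True when the text carries CERTIFICATE armour and decodes cleanly."""
    try:
        ssl.PEM_cert_to_DER_cert(pem.strip())
        return True
    except ValueError:
        return False


# Constructed placeholder: the body decodes to the five bytes 30 03 02 01 01
# (an ASN.1 SEQUENCE holding INTEGER 1). It is not a real certificate; it only
# exercises the PEM-to-DER handling. Deliberately split over two lines, as
# real PEM files are.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMC\n"
    "AQE=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("PublicCertData:", pem_to_azure_public_cert_data(SAMPLE_PEM))
    print("Thumbprint:    ", thumbprint_of_pem(SAMPLE_PEM))
    print("Plain base64 without armour accepted?", looks_like_pem_cert("MAMCAQE="))
```

The single-line value is what `az network vnet-gateway root-cert create --public-cert-data` and the portal's public certificate data field expect; pasting the whole PEM including its BEGIN/END lines is a common cause of the upload being rejected. The thumbprint is what `az network vnet-gateway revoked-cert create --thumbprint` takes. Revoking by thumbprint is the only way to cut off a client whose key has leaked short of rotating the root, so keep an inventory of which thumbprint was issued to whom.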
Site-to-Site
Site-to-Site (S2S) connections are the most common type of VPN configuration. They connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address, and the device must support the IKE version and algorithms the gateway is configured for (Microsoft publishes a list of validated devices with sample configurations). Site-to-Site connections can be used to create a hybrid solution, or to connect disparate networks together, providing connectivity between those networks without exposing the traffic to the Internet in the clear.
Multi-Site
A multi-site configuration is several site-to-site connections terminating on one Azure VPN gateway: each on-premises site has its own VPN device and its own connection object, but they all share the single gateway, which must be route-based. Azure offers two gateway VPN types, and the difference is how traffic is matched to a tunnel:
– Policy-based: the IPsec tunnel is defined by a static list of traffic selectors (pairs of local and remote prefixes) that must be configured identically on both ends; only packets matching a selector are encrypted and sent through the tunnel. Policy-based gateways use IKEv1, support exactly one site-to-site tunnel, and do not support P2S, VNet-to-VNet, or BGP. They exist for compatibility with older on-premises devices.
– Route-based: the tunnel behaves like a virtual interface with any-to-any (wildcard) traffic selectors, and the routing table decides which tunnel a packet takes. Routes can be static or learned over BGP, which is optional. Route-based gateways use IKEv2, and support multiple site-to-site tunnels (hence multi-site), P2S, and VNet-to-VNet.
Both types encrypt traffic with IPsec ESP; neither uses null encryption. If a route-based gateway must talk to a device that insists on policy-based selectors, enable the "use policy-based traffic selectors" option on that connection rather than deploying a policy-based gateway.
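The difference between the two gateway types is easiest to see as code. The following is an added model written for this page, not Azure's implementation, of how each type decides whether a packet is encrypted and into which tunnel. The address ranges, tunnel names and function names are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


def policy_based_match(selectors: Iterable[Tuple[str, str]], src: str, dst: str) -> bool:
    """Policy-based gateway: there is one tunnel, and a packet enters it only if
    (src, dst) falls inside one of the statically configured local/remote prefix
    pairs. Anything else is not protected by the tunnel at all. A selector list
    that differs between the two peers is the classic cause of a tunnel that
    negotiates successfully but passes no traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote)
        for local, remote in selectors
    )


def route_based_next_hop(routes: Dict[str, str], dst: str) -> Optional[str]:
    """Route-based gateway: every tunnel carries any-to-any selectors, so the
    decision is a plain routing lookup. Longest prefix wins, which is how a
    branch /24 overrides a headquarters /16 summary on a multi-site gateway.
    None means no route, so the packet is dropped rather than sent anywhere."""
    d = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, tunnel in routes.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tunnel)
    return best[1] if best else None


# Constructed topology for the example.
VNET = "10.1.0.0/16"          # Azure virtual network
HQ = "192.168.0.0/16"         # headquarters advertises a summary route
BRANCH = "192.168.2.0/24"     # branch office inside the HQ summary range

# Policy-based gateway: one tunnel, one selector pair to HQ only.
POLICY_SELECTORS = [(VNET, HQ)]

# Route-based multi-site gateway: two tunnels, selected by the route table.
MULTI_SITE_ROUTES = {HQ: "tunnel-hq", BRANCH: "tunnel-branch"}

if __name__ == "__main__":
    print("policy-based, VNet -> HQ host:     ", policy_based_match(POLICY_SELECTORS, "10.1.0.4", "192.168.1.10"))
    print("policy-based, VNet -> other net:   ", policy_based_match(POLICY_SELECTORS, "10.1.0.4", "172.16.0.10"))
    print("route-based, to branch host:       ", route_based_next_hop(MULTI_SITE_ROUTES, "192.168.2.5"))
    print("route-based, to HQ host:           ", route_based_next_hop(MULTI_SITE_ROUTES, "192.168.1.5"))
    print("route-based, to unrouted network:  ", route_based_next_hop(MULTI_SITE_ROUTES, "172.16.0.5"))
```

The practical consequence: on a policy-based gateway, adding a second site or a new subnet means editing selector lists on both ends, and a forgotten entry silently leaves that traffic outside the tunnel. On a route-based gateway the same change is a route (or a BGP advertisement), and the worst case of a missing route is a drop, not a leak.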
Protocols
Azure supports multiple VPN connection types and protocols. The three connection types are Point-to-Site (P2S), Site-to-Site (S2S), and VNet-to-VNet. P2S is the simplest to set up and uses OpenVPN, Secure Socket Tunneling Protocol (SSTP), or IPsec/IKEv2. S2S requires a VPN device and uses IPsec/IKE (IKEv2 on route-based gateways, IKEv1 on policy-based ones). VNet-to-VNet uses IPsec/IKEv2 between two Azure gateways to connect virtual networks, and does not require an on-premises device. Each type has its own benefits and trade-offs, covered below.
IKEv2
IKEv2 (Internet Key Exchange version 2) is the key-exchange protocol that sets up IPsec VPN connections: it authenticates the two peers and negotiates the keys and algorithms for the ESP tunnel that actually carries the traffic. It replaces IKEv1 and is standardized by the Internet Engineering Task Force (IETF), currently in RFC 7296. IKEv2 runs over UDP port 500, switching to UDP 4500 when NAT traversal is detected, and supports both IPv4 and IPv6.
The security of an IKEv2 tunnel depends on the proposal that is negotiated, not on the protocol name: a tunnel agreed with 3DES and SHA-1 is IKEv2 too. IKEv2 supports perfect forward secrecy, meaning each security association's keys come from a fresh Diffie-Hellman exchange, so a later compromise of the long-term authentication key (or of one session's keys) does not let an attacker decrypt traffic captured earlier. Azure gateways accept a broad default proposal set for interoperability; to rule out legacy algorithms, attach a custom IPsec/IKE policy to the connection.
IKEv2 is supported by Azure VPN Gateways: it is used for S2S and VNet-to-VNet on route-based gateways, is offered as a P2S protocol, and route-based gateways can also accept IKEv1 connections for devices that need them. Policy-based gateways use IKEv1 only.
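Because the defaults are broad, a practitioner usually pins a custom IPsec/IKE policy on each connection. The following added example (not from the original post or from Microsoft) lints such a policy before it is applied. The field names follow the parameters of Azure's custom policy (the `az network vpn-connection ipsec-policy add` arguments), but the weak/strong classification, the accepted ranges as encoded here and the three sample policies are this example's own assumptions.

```python
from typing import Dict, List, Union

Policy = Dict[str, Union[str, int]]

# Classification used by this example. Value names match Azure's parameters.
WEAK_ENCRYPTION = {"DES", "DES3"}                     # obsolete block ciphers
WEAK_INTEGRITY = {"MD5", "SHA1"}                      # broken or deprecated hashes
WEAK_DH_GROUPS = {"DHGroup1", "DHGroup2"}             # 768- and 1024-bit MODP
WEAK_PFS_GROUPS = {"PFS1", "PFS2", "PFSMM", "None"}   # "None" disables forward secrecy
GCM_SUITES = {"GCMAES128", "GCMAES192", "GCMAES256"}
SA_LIFETIME_RANGE = (300, 172799)   # seconds; Azure's accepted range (assumed here)
SA_DATA_SIZE_MIN_KB = 1024          # smallest data lifetime accepted (assumed here)


def lint_ipsec_policy(p: Policy) -> List[str]:
    """Return one finding per weak or invalid setting. An empty list means the
    policy passes the rules of this example, which are a reasonable baseline
    and not an Azure-published standard."""
    f: List[str] = []
    if p["ike_encryption"] in WEAK_ENCRYPTION:
        f.append(f"ike_encryption={p['ike_encryption']}: DES/3DES are obsolete, use AES256 or GCMAES256")
    if p["ike_integrity"] in WEAK_INTEGRITY:
        f.append(f"ike_integrity={p['ike_integrity']}: use SHA256 or SHA384")
    if p["dh_group"] in WEAK_DH_GROUPS:
        f.append(f"dh_group={p['dh_group']}: too small, use DHGroup14 at least, preferably ECP384")
    if p["ipsec_encryption"] == "None":
        f.append("ipsec_encryption=None: ESP-NULL sends the payload in clear text")
    elif p["ipsec_encryption"] in WEAK_ENCRYPTION:
        f.append(f"ipsec_encryption={p['ipsec_encryption']}: DES/3DES are obsolete, use GCMAES256")
    # Azure requires the same GCMAES value for IPsec integrity when a GCM suite encrypts.
    if p["ipsec_encryption"] in GCM_SUITES and p["ipsec_integrity"] != p["ipsec_encryption"]:
        f.append("ipsec_integrity must equal ipsec_encryption when a GCMAES suite is selected")
    elif p["ipsec_integrity"] in WEAK_INTEGRITY:
        f.append(f"ipsec_integrity={p['ipsec_integrity']}: use SHA256 or a GCMAES suite")
    if p["pfs_group"] in WEAK_PFS_GROUPS:
        f.append(f"pfs_group={p['pfs_group']}: weak or no perfect forward secrecy, use ECP384 or PFS24")
    lo, hi = SA_LIFETIME_RANGE
    if not lo <= int(p["sa_lifetime_seconds"]) <= hi:
        f.append(f"sa_lifetime_seconds={p['sa_lifetime_seconds']}: accepted range is {lo} to {hi}")
    if int(p["sa_data_size_kb"]) < SA_DATA_SIZE_MIN_KB:
        f.append(f"sa_data_size_kb={p['sa_data_size_kb']}: below the minimum of {SA_DATA_SIZE_MIN_KB}")
    return f


# Sample policies, constructed for the example.
WEAK_LEGACY_POLICY: Policy = dict(
    ike_encryption="DES3", ike_integrity="SHA1", dh_group="DHGroup2",
    ipsec_encryption="DES3", ipsec_integrity="SHA1", pfs_group="None",
    sa_lifetime_seconds=3600, sa_data_size_kb=102400000,
)
GCM_MISMATCH_POLICY: Policy = dict(
    ike_encryption="AES256", ike_integrity="SHA384", dh_group="ECP384",
    ipsec_encryption="GCMAES256", ipsec_integrity="SHA256", pfs_group="ECP384",
    sa_lifetime_seconds=27000, sa_data_size_kb=102400000,
)
HARDENED_POLICY: Policy = dict(
    ike_encryption="AES256", ike_integrity="SHA384", dh_group="ECP384",
    ipsec_encryption="GCMAES256", ipsec_integrity="GCMAES256", pfs_group="ECP384",
    sa_lifetime_seconds=27000, sa_data_size_kb=102400000,
)

if __name__ == "__main__":
    for name, pol in [("legacy", WEAK_LEGACY_POLICY), ("gcm-mismatch", GCM_MISMATCH_POLICY), ("hardened", HARDENED_POLICY)]:
        findings = lint_ipsec_policy(pol)
        print(f"{name}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Run this over the policy you intend to pass to `az network vpn-connection ipsec-policy add` (or `New-AzIpsecPolicy`) before applying it. The hardened sample is the shape to aim for: AES-256 with SHA-384 and ECP384 for IKE, AES-256-GCM for ESP with matching GCM integrity, and an elliptic-curve PFS group. Remember that both ends must agree: the on-premises device's proposal has to include the same suite, or the tunnel will fail to negotiate rather than silently fall back.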
SSTP
SSTP (Secure Socket Tunneling Protocol) is a VPN tunnel that carries PPP frames inside a TLS session (the original specification used SSL 3.0; current clients and Azure negotiate TLS). SSTP uses TCP port 443, which allows it to pass through most firewalls and web proxies, since to the network it looks like an HTTPS connection.
SSTP was developed by Microsoft and introduced with Windows Server 2008 and Windows Vista SP1. Azure supports it as a P2S protocol because every supported Windows client has a built-in SSTP client, so no extra software is needed. Its security rests on the TLS session to the gateway and on the client authentication layered on top; it is not stronger than IKEv2 or OpenVPN with equivalent settings, just more convenient on Windows.
SSTP is not available on all devices and operating systems. Azure supports it only for Windows clients; there is no supported SSTP client for macOS, Linux, iOS or Android. If you need those platforms, use IKEv2 or OpenVPN, both of which Azure offers for P2S. A gateway can enable IKEv2 together with either SSTP or OpenVPN, so one gateway can serve Windows and non-Windows clients at the same time.
L2TP/IPSec
L2TP/IPsec is a VPN protocol built in to most modern platforms, including Windows 10, macOS, iOS and Android. L2TP alone does not provide any encryption or confidentiality to the traffic that passes through it; to be secure it must be combined with IPsec, which encrypts and authenticates the tunnel. Note, however, that Azure VPN Gateway does not offer L2TP/IPsec as a P2S protocol: the supported options are OpenVPN, SSTP and IKEv2. It is described here because it appears in the VPN menus of client operating systems, not because it can be used with an Azure gateway.
Supported Devices
For P2S, Azure supports IKEv2, OpenVPN and SSTP, and you choose the tunnel type on the gateway's point-to-site configuration. Site-to-Site and VNet-to-VNet connections use IPsec/IKE between the Azure gateway and the on-premises VPN device or the other Azure gateway, not SSTP or OpenVPN. All P2S connections, and any connection that uses IKEv2, require a route-based gateway; policy-based gateways support IKEv1 S2S only.
Windows
Windows 10, 8.1, 7, and Windows Server 2016, 2012 R2, 2012, and 2008 R2 (64-bit only) are listed as supported P2S clients for SSTP and IKEv2 using the built-in VPN client; Windows 11 is supported as well. OpenVPN with Entra ID authentication uses the Azure VPN Client from the Microsoft Store. Mobile device management of the Azure VPN gateway client is not supported for Windows 10 in S mode.
Mac
Azure supports two P2S protocols on macOS. The first, and recommended, is IKEv2 using the native macOS VPN client, supported on macOS 10.11 and later. The second is OpenVPN, using the Azure VPN Client or another OpenVPN client. L2TP/IPsec, although present in the macOS network settings, is not an option for an Azure gateway.
Linux
Linux is a family of open source operating systems with many distributions. Microsoft does not publish a list of supported distributions for P2S; any distribution that can run strongSwan (for IKEv2) or an OpenVPN client (for OpenVPN, including the Azure VPN Client for Linux) can connect.
Azure supports two types of VPN connections for Linux: point-to-site and site-to-site. Point-to-site connections are used by individual users who want to connect a Linux workstation to an Azure virtual network, with IKEv2 via strongSwan or with OpenVPN. Site-to-site connections are used to connect an on-premises network to an Azure virtual network, and a Linux host running strongSwan or Libreswan can act as the on-premises VPN device, provided it has a public IP address.
iOS
Azure supports a wide range of iOS devices, including the iPhone and iPad. You can connect to Azure using the built-in VPN client on your device, or you can use a third-party client.
The built-in iOS VPN client supports IKEv2, which is the recommended protocol for connections to Azure and needs no additional app. The built-in client's other modes (Cisco IPsec and L2TP) are not supported by Azure gateways, and SSTP is not available on iOS.
For OpenVPN, use the Azure VPN Client or the OpenVPN Connect app; this is also the path for Entra ID authentication, which requires the OpenVPN protocol.
Android
Android devices running Android 5.0 or later are supported. As on iOS, SSTP is not available; connect with IKEv2 using the strongSwan VPN client app, or with OpenVPN using the Azure VPN Client or the OpenVPN Connect app.