Cloud Routing & Networking Learning Center
Learn the Fundamentals

Learning Objectives

After reading this article you will understand:

  • Site to Site connectivity using IPsec
  • Point-to-Site connectivity using SSTP

Azure Virtual Private Network (VPN)

Microsoft Azure lets you build a hybrid environment in which your company's on-premises servers and physical equipment are integrated with the cloud. To carry out this task, our proposal is based on a virtual private network (Azure Virtual Private Network, or VPN) that works as a gateway.

Local network

To begin with, this architecture is based on the private local area network that runs inside your company.

Virtual Private Network (VPN) device

It is a device or service that provides external connectivity to the local area network. The Virtual Private Network (or VPN) device can be a hardware device or a software solution such as the Routing and Remote Access Service (RRAS) in Windows Server 2012.

Virtual network

The application in the cloud and the components of Azure VPN Gateway are in the same virtual network.

Azure VPN Gateway

The VPN Gateway service allows you to connect the virtual network to the local area network using a VPN device. This service includes the following elements:

  • Virtual network gateway. The resource that provides a virtual VPN device for the virtual network. It is responsible for routing traffic from the local area network to the virtual network.
  • Local area network gateway. Abstraction of the local VPN device. Network traffic from the application in the cloud to the local area network is routed through this gateway.
  • Connection. The connection has properties that specify the type of connection (IPsec) and the shared key with the local VPN device to encrypt traffic.
  • Gateway subnet. The virtual network gateway is maintained on its own subnet.

Cloud application

The application hosted on Azure. It can include several levels, with several subnets that are connected through load balancers.

Internal load balancer

VPN Gateway network traffic is routed to the cloud application through an internal load balancer that is located in the front-end subnet of the application.

Types of Connections between Environments

Conceptually there are two possible types of connection between environments using Azure virtual networks and the VPN gateway.

Site-to-Site

This type of VPN connection is made through IPsec (IKEv1 and IKEv2). It allows creating a secure connection between a virtual network and a local site.

Once this connection has been created and linked, the resources located behind the local Gateway can communicate directly with the resources located in Azure, in a secure manner.

In comparison with the next option (Point-to-Site), it is not necessary for each computer on our local network to make its own connection to the Azure virtual network in order to access its resources.

Point-to-Site

This type of connection is made through SSTP (Secure Socket Tunneling Protocol). It allows you to configure a connection to the Azure virtual network from an individual client computer in order to access its resources.

Point-to-Site connections do not need a VPN device; they work with a VPN client installed on the client computer. However, only that computer can then connect to Azure resources. If several computers need access to these resources, each of them must establish its own Point-to-Site VPN connection.

Multi-Site

This configuration is a variant of the Site-to-Site VPN. Conceptually, a Multi-Site network links several external locations to the same Microsoft Azure virtual network.
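The following script is an added example, not code from the original article or from Microsoft. It ties together the VPN Gateway elements listed above (gateway subnet, virtual network gateway, local network gateway, IPsec connection with a shared key), the Site-to-Site section, and the Multi-Site variant: it validates the plan for one or more on-premises sites before anything is created, then emits the `az` CLI commands that would build the resources. Resource names, address ranges and the shared keys are constructed sample values; the Azure CLI commands and flags follow Microsoft's site-to-site tutorial but are assumptions to check against the current CLI reference.

```python
"""Plan and validate an Azure site-to-site (or multi-site) VPN connection.

Added example, not code from the original article. It checks the constraints
that bite in practice (gateway subnet name and size, overlapping address
spaces, weak shared keys) and then emits the az CLI commands that would build
the virtual network gateway, one local network gateway per on-premises site,
and one IPsec connection per site. All names, CIDRs and keys are constructed
sample values; the az CLI flags are assumptions to verify against the CLI docs.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field

GATEWAY_SUBNET_NAME = "GatewaySubnet"   # Azure requires this exact subnet name
MIN_SHARED_KEY_LEN = 32                 # local policy for the IPsec pre-shared key


@dataclass
class OnPremSite:
    name: str
    public_ip: str                  # public address of the on-premises VPN device
    address_prefixes: list[str]     # address space behind that device
    # A fresh random key per site; in practice it comes from a secret store.
    shared_key: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def validate_plan(vnet_prefix, gateway_subnet_prefix, sites):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnet = ipaddress.ip_network(vnet_prefix)
    gw_subnet = ipaddress.ip_network(gateway_subnet_prefix)

    # The gateway subnet must sit inside the VNet address space; Microsoft
    # recommends /27 or larger so later gateway SKUs and features have room.
    if not gw_subnet.subnet_of(vnet):
        problems.append(f"gateway subnet {gw_subnet} is outside VNet {vnet}")
    if gw_subnet.prefixlen > 27:
        problems.append(f"gateway subnet {gw_subnet} is smaller than /27")

    # Routing between environments only works when no two address spaces
    # overlap: the VNet against every site, and (multi-site) site against site.
    spaces = [("vnet", vnet)]
    for site in sites:
        for prefix in site.address_prefixes:
            spaces.append((site.name, ipaddress.ip_network(prefix)))
    for i, (name_a, net_a) in enumerate(spaces):
        for name_b, net_b in spaces[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")

    for site in sites:
        ipaddress.ip_address(site.public_ip)   # raises on a malformed address
        if len(site.shared_key) < MIN_SHARED_KEY_LEN:
            problems.append(f"{site.name}: shared key shorter than {MIN_SHARED_KEY_LEN} chars")
    return problems


def build_commands(rg, location, vnet_name, vnet_prefix, gateway_subnet_prefix, gw_name, sites):
    """Return the az CLI commands for a validated site-to-site / multi-site plan."""
    problems = validate_plan(vnet_prefix, gateway_subnet_prefix, sites)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        # Gateway subnet inside the VNet, then a public IP and the VPN gateway.
        # RouteBased gateways negotiate IKEv2 with the on-premises device.
        f"az network vnet subnet create -g {rg} --vnet-name {vnet_name} "
        f"-n {GATEWAY_SUBNET_NAME} --address-prefixes {gateway_subnet_prefix}",
        f"az network public-ip create -g {rg} -n {gw_name}-pip "
        f"--sku Standard --allocation-method Static",
        f"az network vnet-gateway create -g {rg} -n {gw_name} -l {location} "
        f"--vnet {vnet_name} --public-ip-address {gw_name}-pip "
        f"--gateway-type Vpn --vpn-type RouteBased --sku VpnGw1",
    ]
    for site in sites:
        lng = f"{site.name}-lng"
        # The key is read from an environment variable at run time so it does
        # not land in shell history, CI logs or this generated script.
        key_var = f"PSK_{site.name.upper()}"
        cmds.append(f"az network local-gateway create -g {rg} -n {lng} -l {location} "
                    f"--gateway-ip-address {site.public_ip} "
                    f"--local-address-prefixes {' '.join(site.address_prefixes)}")
        cmds.append(f"az network vpn-connection create -g {rg} -n {gw_name}-to-{site.name} "
                    f"-l {location} --vnet-gateway1 {gw_name} --local-gateway2 {lng} "
                    f'--shared-key "${key_var}"')
    return cmds


if __name__ == "__main__":
    sites = [OnPremSite("hq", "203.0.113.10", ["192.168.0.0/16"]),
             OnPremSite("branch", "198.51.100.7", ["172.16.0.0/12"])]
    for cmd in build_commands("rg-vpn", "westeurope", "vnet-app", "10.1.0.0/16",
                              "10.1.255.0/27", "vgw-app", sites):
        print(cmd)
```

Run it as-is to print the command plan for a two-site (Multi-Site) layout; change one site's prefix to overlap the VNet and `build_commands` refuses with the overlap listed, which is the check to run before the on-premises VPN device is reconfigured.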