2.1 Site-to-Site (S2S) VPN Connectivity
📘 Microsoft Azure Networking Solutions (AZ-700)
1. What Is a Virtual Network Gateway?
A Virtual Network Gateway (VNet Gateway) is an Azure resource that allows an Azure Virtual Network (VNet) to connect to other networks securely.
In the context of Site-to-Site (S2S) VPN, the virtual network gateway:
- Acts as the VPN endpoint in Azure
- Encrypts traffic using IPsec/IKE
- Sends and receives traffic between:
  - Azure Virtual Network
  - On-premises network (via a VPN device)
For the AZ-700 exam, remember:
A Site-to-Site VPN cannot work without a Virtual Network Gateway.
2. Why Do We Need a Virtual Network Gateway?
A virtual network gateway is required when:
- You want secure communication between Azure and on-premises networks
- Traffic must travel through an encrypted tunnel
- Azure must exchange routes with another network
Without this gateway:
- Azure VNets cannot create VPN tunnels
- Secure hybrid connectivity is not possible
3. Types of Virtual Network Gateways
When creating a virtual network gateway, you must choose a gateway type.
3.1 VPN Gateway (Important for S2S)
Used for:
- Site-to-Site VPN
- Point-to-Site VPN
- VNet-to-VNet VPN
AZ-700 Focus:
👉 Site-to-Site VPN always uses a VPN gateway
3.2 ExpressRoute Gateway
Used only for:
- ExpressRoute connections (private circuits)
⚠️ Not used for Site-to-Site VPN
⚠️ If the exam mentions S2S VPN → choose VPN gateway
4. VPN Types: Route-Based vs Policy-Based
When creating a VPN gateway, you must select the VPN type.
4.1 Route-Based VPN (Most Important)
- Uses IP routing (routes)
- Supports:
  - Multiple tunnels
  - Dynamic routing (BGP)
  - IKEv2
- Required for:
  - Most Azure VPN scenarios
  - Active-active gateways
  - VNet-to-VNet connections
✅ Recommended and default choice in Azure
4.2 Policy-Based VPN
- Uses static IPsec policies
- Limited functionality
- No dynamic routing
- Not recommended for new deployments
📌 Exam Tip:
Always prefer Route-based VPN unless explicitly stated otherwise.
5. Gateway SKU (Performance and Capacity)
A Gateway SKU defines:
- Throughput
- Number of tunnels
- Supported features
Common VPN Gateway SKUs:
- VpnGw1
- VpnGw2
- VpnGw3
- VpnGw4
- VpnGw5
Important Notes for Exam:
- Higher SKU = higher throughput and more tunnels
- SKU cannot be changed instantly (gateway recreation may be required)
- SKU affects cost and performance
6. Gateway Subnet (Very Important Exam Topic)
6.1 What Is GatewaySubnet?
- A special subnet inside the VNet
- Dedicated only to the virtual network gateway
- Required before creating the gateway
6.2 Rules for GatewaySubnet
- Name must be exactly: GatewaySubnet
- Cannot host:
  - Virtual machines
  - Any other Azure resources
- Recommended size: /27 or larger
- Must be created before the gateway
📌 Exam Warning:
If the GatewaySubnet is missing or incorrectly named, the gateway creation fails.
7. Public IP Address for the Gateway
A Public IP address is required for:
- Establishing the VPN tunnel
- Communication with the on-premises VPN device
Key Points:
- Must be Static
- Assigned during gateway creation
- Used as the Azure VPN endpoint
8. Active-Active vs Active-Passive Gateway
8.1 Active-Passive (Default)
- One active instance
- One standby instance
- Failover occurs if active instance fails
8.2 Active-Active Gateway
- Two active instances
- Requires:
  - Route-based VPN
  - Two public IP addresses
- Supports higher availability
📌 Exam Tip:
Active-active configuration improves availability and supports multiple tunnels.
9. BGP (Border Gateway Protocol)
BGP is an optional feature during gateway creation.
What BGP Does:
- Automatically exchanges routes
- Reduces manual route configuration
- Improves scalability
Exam Focus:
- BGP requires route-based VPN
- Commonly used in large or complex networks
- Uses ASN (Autonomous System Number)
10. Steps to Create a Virtual Network Gateway (Conceptual)
For exam understanding, know the logical order:
- Create a Virtual Network
- Create a GatewaySubnet
- Create a Public IP address
- Create a Virtual Network Gateway:
  - Gateway type: VPN
  - VPN type: Route-based
  - SKU selected
  - Public IP attached
  - (Optional) Enable BGP
11. Configuration After Creation
After the gateway is created, it is used with:
- Local Network Gateway
  - Represents the on-premises network
- Connection
  - Links the Azure gateway and the local network gateway
  - Defines the shared key (PSK)
  - Specifies the S2S connection type
⚠️ The virtual network gateway alone does not create the VPN tunnel.
It must be connected to a local network gateway.
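As an added pre-flight check (not part of these notes or of any Azure tooling), the following Python applies the rules from sections 3 to 11 to a planned gateway and connection before anything is deployed; the plan-dictionary layout, the sample values and the placeholder PSK are assumptions of this example.

```python
# Added example, not from the AZ-700 notes or any Azure SDK: a pre-flight
# check that applies the rules in sections 3 to 11 to a planned S2S gateway.
import ipaddress


def check_s2s_plan(plan: dict) -> list:
    """Return every rule the plan violates; an empty list means it passes."""
    problems = []
    if plan.get("gateway_type") != "Vpn":  # never an ExpressRoute gateway for S2S
        problems.append("gateway_type must be 'Vpn' for a Site-to-Site VPN")
    subnet = plan.get("gateway_subnet", {})  # exact name, /27 or larger
    if subnet.get("name") != "GatewaySubnet":
        problems.append("gateway subnet must be named exactly 'GatewaySubnet'")
    try:
        net = ipaddress.ip_network(subnet.get("prefix", ""), strict=True)
        if net.prefixlen > 27:  # "/27 or larger" means a prefix length <= 27
            problems.append(f"GatewaySubnet {net} is smaller than /27")
    except ValueError:
        problems.append("GatewaySubnet prefix is missing or not a valid CIDR")
    ips = plan.get("public_ips", [])  # static; two of them for active-active
    non_static = [ip.get("name", "?") for ip in ips if ip.get("allocation") != "Static"]
    if not ips or non_static:
        problems.append(f"need Static public IP(s); non-static: {non_static}")
    if plan.get("active_active") and len(ips) < 2:
        problems.append("active-active gateway needs two public IP addresses")
    route_based = plan.get("vpn_type") == "RouteBased"  # needed by BGP, active-active
    if plan.get("active_active") and not route_based:
        problems.append("active-active requires vpn_type 'RouteBased'")
    bgp = plan.get("bgp", {})
    if bgp.get("enabled") and not route_based:
        problems.append("BGP requires vpn_type 'RouteBased'")
    if bgp.get("enabled") and not bgp.get("asn"):
        problems.append("BGP is enabled but no ASN is set")
    conn = plan.get("connection", {})  # the gateway alone creates no tunnel
    if not conn.get("local_network_gateway"):
        problems.append("connection needs a local network gateway")
    if not conn.get("shared_key"):
        problems.append("connection needs a shared key (PSK)")
    return problems


# Constructed sample plan (names, addresses and the PSK placeholder are made up).
SAMPLE_PLAN = {
    "gateway_type": "Vpn", "vpn_type": "RouteBased", "active_active": True,
    "gateway_subnet": {"name": "GatewaySubnet", "prefix": "10.10.255.0/27"},
    "public_ips": [{"name": "pip-gw-1", "allocation": "Static"},
                   {"name": "pip-gw-2", "allocation": "Static"}],
    "bgp": {"enabled": True, "asn": 65515},
    "connection": {"local_network_gateway": "lng-onprem", "shared_key": "<PSK>"},
}
```

Running `check_s2s_plan` on a plan that uses an ExpressRoute gateway, a misnamed /29 subnet, a dynamic IP or policy-based VPN lists each of the exam mistakes from section 13 as a separate problem.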
12. Limitations and Important Facts (Exam Gold)
- Only one VPN gateway per VNet
- Gateway deployment can take 30–45 minutes
- GatewaySubnet cannot be deleted while gateway exists
- VPN gateways are region-specific
- Gateway must be recreated to change:
  - VPN type
  - Active-active setting
13. Common Exam Mistakes to Avoid
❌ Using ExpressRoute gateway for S2S VPN
❌ Forgetting GatewaySubnet
❌ Choosing policy-based VPN unnecessarily
❌ Incorrect subnet naming
❌ Assuming gateway alone creates the VPN tunnel
14. Key Exam Summary
- Virtual Network Gateway is mandatory for S2S VPN
- Always use:
  - VPN gateway
  - Route-based VPN
- GatewaySubnet is required and must be named correctly
- Public IP must be static
- SKU affects performance and cost
- Gateway works together with:
  - Local Network Gateway
  - Connection resource
