2.1 Site-to-Site (S2S) VPN Connectivity
📘Microsoft Azure Networking Solutions (AZ-700)
1. What Is a Policy-Based VPN?
A policy-based VPN uses statically defined policies (IPsec traffic selectors) to decide which traffic is encrypted and sent through the VPN tunnel; the tunnel has no routing entry of its own.
How It Works
- The VPN uses static rules (policies).
- Each policy defines:
- Source network
- Destination network
- Protocol
- Only traffic that matches one of these policies is encrypted and sent through the tunnel; anything else is not tunnelled, even if a route would otherwise point it at the gateway.
Key Characteristics
- Uses static IP address ranges
- Does not support dynamic routing protocols
- Each network pair must be manually defined
- Traffic selection is policy-driven
Azure Support
- Azure supports the PolicyBased VPN type only on the Basic gateway SKU, and with many limitations
- The VPN type is fixed at creation: to move from PolicyBased to RouteBased you must delete and recreate the gateway
- Mostly kept for legacy compatibility with on-premises devices that cannot do route-based IPsec
2. Limitations of Policy-Based VPN (Very Important for Exam)
Policy-based VPNs have several restrictions that make them unsuitable for modern Azure environments.
Major Limitations
- ❌ No support for:
- VNet-to-VNet connections (the page's original wording, Virtual Network peering, refers to the same gateway-transit scenario)
- Point-to-Site (P2S) VPN
- Coexistence with ExpressRoute
- BGP (Border Gateway Protocol)
- ❌ Basic SKU only (lowest throughput, no active-active, no zone redundancy)
- ❌ Limited scalability
- ❌ Difficult to manage when networks grow: every new subnet pair needs a new policy on both ends
- ❌ Limited to one S2S tunnel (one connection per gateway)
- ❌ Manual configuration required for each network
Because of these limitations, Azure recommends avoiding policy-based VPN whenever possible.
3. What Is a Route-Based VPN?
A route-based VPN uses routing tables to decide how traffic flows through the VPN tunnel.
How It Works
- The VPN tunnel acts like a virtual tunnel interface (VTI): routes point at it the same way they point at any other next hop
- Routes decide:
- Which traffic goes to the VPN
- Which traffic stays within Azure
- Supports dynamic routing (BGP), so the remote prefixes can be learned instead of typed in
Key Characteristics
- Uses IP routing (routes) instead of policies
- Supports multiple tunnels
- Works with dynamic routing (BGP) as well as static address prefixes
- Scales easily as networks grow
4. Advantages of Route-Based VPN (Exam Critical)
Route-based VPNs are the recommended and default choice in Azure.
Benefits
- ✅ Supports BGP
- ✅ Supports multiple tunnels
- ✅ Works with:
- Virtual network peering
- Point-to-Site VPN
- ExpressRoute
- ✅ Easier to manage and expand
- ✅ Available on all VpnGw SKUs (including zone-redundant and active-active configurations), so higher throughput and better resilience than the Basic SKU that policy-based is limited to
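The following is an added example, not code from the page or from Microsoft's own samples: it creates a route-based gateway with BGP enabled using the Az PowerShell module and then checks the two settings the exam cares about (VpnType and BGP). The resource group, VNet, gateway names, address ranges, the on-premises public IP 203.0.113.10 and the ASNs are all assumed values; the environment variable VPN_PSK holding the pre-shared key is also an assumption of this example.

```powershell
# Added example: route-based S2S VPN gateway with BGP, using the Az PowerShell module.
# Every name, address range, IP address and ASN below is an assumed value for illustration.
$rg   = "rg-hybrid"
$loc  = "westeurope"
$vnet = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg   # assumed to exist with a GatewaySubnet

# The gateway needs its own public IP (Standard SKU, static) bound to GatewaySubnet.
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$pip = New-AzPublicIpAddress -Name "pip-vpngw-hub" -ResourceGroupName $rg -Location $loc `
         -AllocationMethod Static -Sku Standard
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# VpnType is the setting that matters: RouteBased unlocks BGP, multiple tunnels, P2S and ExpressRoute
# coexistence. It cannot be changed later (a PolicyBased gateway must be deleted and recreated), and
# PolicyBased is only accepted on the Basic SKU, so a VpnGw SKU implies RouteBased. Creation takes a while.
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
        -EnableBgp $true -Asn 65515

# Local network gateway = the on-premises side. With BGP the AddressPrefix only has to cover the
# on-prem BGP peer (/32); every other on-prem prefix is learned dynamically over the tunnel.
$lng = New-AzLocalNetworkGateway -Name "lng-onprem" -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress "203.0.113.10" -AddressPrefix "10.10.255.1/32" `
         -Asn 65010 -BgpPeeringAddress "10.10.255.1"

# The S2S connection. The PSK comes from an environment variable (assumed) so it is not typed
# inline and does not end up in shell history or a script checked into source control.
$conn = New-AzVirtualNetworkGatewayConnection -Name "cn-onprem" -ResourceGroupName $rg -Location $loc `
          -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
          -SharedKey $env:VPN_PSK -EnableBgp $true

# Verify: the gateway must report RouteBased with BGP on; once the on-prem peer is up, the learned
# routes show the remote prefixes with Origin "EBgp" instead of anything typed into the LNG.
Get-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg |
    Select-Object Name, VpnType, EnableBgp, @{ n = "Sku"; e = { $_.Sku.Name } }
Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName "vpngw-hub" -ResourceGroupName $rg |
    Where-Object Origin -eq "EBgp" | Select-Object Network, NextHop, AsPath
```

A second on-premises site is just another New-AzLocalNetworkGateway plus another connection against the same $gw; nothing on the first connection has to be touched, which is the multi-tunnel advantage the list above describes.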
5. Policy-Based vs Route-Based VPN (Comparison Table)
| Feature | Policy-Based VPN | Route-Based VPN |
|---|---|---|
| Traffic selection | Policies (static traffic selectors) | Routes (static or BGP-learned) |
| Gateway SKU | Basic only | All VpnGw SKUs (incl. AZ and active-active) |
| Supports BGP | ❌ No | ✅ Yes |
| S2S connections / tunnels | ❌ One | ✅ Multiple |
| P2S, VNet-to-VNet, ExpressRoute coexistence | ❌ No | ✅ Yes |
| Scalability | Low | High |
| Azure recommendation | Not recommended | Recommended (the portal default) |
| Use case | Legacy systems | Modern Azure networks |
6. When Should You Use a Policy-Based VPN?
You should use a policy-based VPN only when:
- The on-premises VPN device supports only policy-based VPN
- You are working with legacy firewall or VPN hardware
- The network design is simple and static
- No requirement for:
- BGP
- Multiple tunnels
- Advanced Azure networking features
⚠️ Exam Tip:
If a question mentions legacy VPN devices or static traffic rules and nothing beyond a single S2S tunnel, the answer is policy-based VPN. If the on-premises device is policy-based but the scenario also needs P2S, BGP, ExpressRoute coexistence or more than one connection, the answer is a route-based gateway with policy-based traffic selectors enabled on that connection: Azure then presents the legacy device with the static selectors it expects while the gateway keeps all route-based capabilities.
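The following is an added example, not code from the page or from Microsoft's own samples: it connects an existing route-based gateway to a legacy policy-based device by enabling policy-based traffic selectors on the connection, which is the practical alternative to creating a PolicyBased gateway. It assumes the gateway vpngw-hub in resource group rg-hybrid already exists; the branch device's public IP 198.51.100.20, its prefixes, the IPsec parameters and the VPN_PSK environment variable are assumed values.

```powershell
# Added example: keep a RouteBased gateway but peer with a legacy policy-based VPN device.
# Assumed: gateway "vpngw-hub" in "rg-hybrid" already exists; the branch IP and prefixes are invented.
$rg  = "rg-hybrid"
$loc = "westeurope"
$gw  = Get-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg

# Policy-based traffic selectors are a connection-level option that exists only on route-based
# gateways, so check the VPN type up front instead of learning it from a failed deployment.
if ($gw.VpnType -ne "RouteBased") {
    throw "Gateway $($gw.Name) is $($gw.VpnType); policy-based traffic selectors need a RouteBased gateway."
}

# The local network gateway's address prefixes are what Azure turns into traffic selectors:
# one selector per (VNet prefix, on-prem prefix) pair, which is what the legacy device expects to see.
$lng = New-AzLocalNetworkGateway -Name "lng-branch-legacy" -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress "198.51.100.20" -AddressPrefix @("10.20.0.0/24", "10.20.1.0/24")

# Enabling UsePolicyBasedTrafficSelectors requires a custom IPsec/IKE policy on the connection.
# The algorithms below are an assumed choice (AES-256, SHA-256, DH group 14, PFS 2048); match them
# to what the device actually supports rather than loosening them to whatever it negotiates first.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
           -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
           -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$conn = New-AzVirtualNetworkGatewayConnection -Name "cn-branch-legacy" -ResourceGroupName $rg -Location $loc `
          -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
          -SharedKey $env:VPN_PSK -IpsecPolicies $ipsec -UsePolicyBasedTrafficSelectors $true

# Verify the flag stuck and watch the tunnel come up. The same gateway can still carry BGP-enabled
# connections to other sites, which a PolicyBased gateway (one tunnel, Basic SKU) could not.
Get-AzVirtualNetworkGatewayConnection -Name "cn-branch-legacy" -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, UsePolicyBasedTrafficSelectors
```

Because the selectors are derived from the VNet address space and the LNG prefixes, adding a branch subnet later means updating the LNG's AddressPrefix list and the matching policy on the device; that is the static-pair maintenance cost of policy-based selection, now confined to one connection instead of the whole gateway.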
7. When Should You Use a Route-Based VPN?
You should use a route-based VPN when:
- You want a modern, scalable VPN design
- You need dynamic routing
- You plan to use:
- BGP
- Virtual network peering
- Point-to-Site VPN
- ExpressRoute
- The network may grow or change
- High availability or multiple tunnels are required
✅ Exam Tip:
If the question mentions BGP, scalability, multiple connections, or Azure best practices, the correct answer is route-based VPN.
8. Azure Exam-Focused Summary (Must Remember)
- Route-based VPN is the default and recommended option in Azure
- Policy-based VPN is only for legacy compatibility
- Route-based VPN supports advanced Azure networking features
- Policy-based VPN uses static traffic rules
- Route-based VPN uses routing tables
9. One-Line Exam Memory Trick
Policy-based = Static, legacy, limited
Route-based = Dynamic, scalable, Azure-recommended
