2.1 Site-to-Site (S2S) VPN Connectivity
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is an Azure Virtual Network (VNet) Gateway?
An Azure VNet Gateway is a managed virtual network device that allows an Azure Virtual Network (VNet) to securely connect to:
- An on-premises network (Site-to-Site VPN)
- Another Azure VNet (VNet-to-VNet VPN)
- A client computer (Point-to-Site VPN)
For Site-to-Site (S2S) VPN, the VNet gateway creates an encrypted IPsec/IKE VPN tunnel between Azure and the on-premises VPN device.
2. What is a VNet Gateway SKU?
A SKU defines the performance and capability level of the VNet gateway.
The SKU controls:
- VPN throughput (speed)
- Number of VPN tunnels supported
- Reliability and SLA
- Supported features (like zone redundancy)
Important exam rule:
You do not choose SKUs randomly.
You select a SKU based on performance, scale, and availability requirements.
3. Types of VNet Gateways (Important for the Exam)
Azure has two main gateway types, but for S2S VPN we focus on VPN gateways.
| Gateway Type | Used For |
|---|---|
| VPN Gateway | Site-to-Site, Point-to-Site, VNet-to-VNet |
| ExpressRoute Gateway | ExpressRoute circuits |
👉 AZ-700 S2S VPN = VPN Gateway
4. VPN Gateway SKUs – Exam-Relevant List
Azure VPN Gateway SKUs are divided into Generation 1 and Generation 2.
❌ Legacy / Old SKUs (Know but don’t recommend)
- Basic
- VpnGw1 (Gen1)
✅ Modern / Recommended SKUs (Exam Focus)
- VpnGw1
- VpnGw2
- VpnGw3
- VpnGw4
- VpnGw5
All modern SKUs are route-based VPN gateways.
5. Generation 1 vs Generation 2 (Very Important)
| Feature | Gen1 | Gen2 |
|---|---|---|
| Performance | Lower | Higher |
| Maximum throughput | Limited | Much higher |
| Supported SKUs | Basic, VpnGw1 | VpnGw1–VpnGw5 |
| Exam preference | ❌ Avoid | ✅ Preferred |
👉 Exam tip:
When asked to design a new solution, choose Generation 2 unless stated otherwise.
6. Key Factors to Select the Right SKU (Core Exam Concept)
When selecting a VNet Gateway SKU, you must evaluate five key factors:
1️⃣ Required VPN Throughput
Throughput means how much data can pass through the VPN tunnel per second.
| SKU | Approx. Throughput |
|---|---|
| VpnGw1 | ~650 Mbps |
| VpnGw2 | ~1 Gbps |
| VpnGw3 | ~1.25 Gbps |
| VpnGw4 | ~5 Gbps |
| VpnGw5 | ~10 Gbps |
Exam rule:
- Low traffic → lower SKU
- High traffic → higher SKU
2️⃣ Number of VPN Tunnels
Each S2S connection uses a VPN tunnel.
| SKU | Max S2S Tunnels |
|---|---|
| VpnGw1 | Up to 30 |
| VpnGw2 | Up to 30 |
| VpnGw3 | Up to 30 |
| VpnGw4 | Up to 100 |
| VpnGw5 | Up to 100 |
Exam rule:
- Many branch connections → higher SKU
3️⃣ High Availability & SLA
All modern VPN Gateway SKUs:
- Are active-active capable
- Support 99.95% SLA
- Automatically run on multiple Azure VMs
Basic SKU does NOT support SLA
👉 Never choose Basic for production in exam scenarios
4️⃣ Zone Redundancy (Availability Zones)
Some SKUs support Availability Zones, which protect against Azure datacenter failures.
| Feature | Requirement |
|---|---|
| Zone-redundant gateway | VpnGw2 or higher |
| Mission-critical workloads | Zone-redundant SKU |
Exam clue words:
- “High availability”
- “Datacenter failure”
- “Business-critical”
➡️ Choose zone-redundant VPN Gateway SKU
5️⃣ Cost Considerations
Higher SKUs = higher cost.
Exam principle:
Select the lowest SKU that meets the requirements
If a scenario mentions:
- “Cost-effective”
- “Minimize cost”
➡️ Do not over-size the gateway.
7. SKU Selection Based on Common Exam Scenarios
Scenario 1: Small environment, few VPN connections
- Low traffic
- Few S2S tunnels
- Cost sensitive
✅ VpnGw1
Scenario 2: Medium workload, multiple branch sites
- Moderate traffic
- Multiple S2S tunnels
- Needs reliability
✅ VpnGw2 or VpnGw3
Scenario 3: High throughput, enterprise environment
- Large data transfers
- Many S2S tunnels
- High availability required
✅ VpnGw4 or VpnGw5
Scenario 4: Business-critical system with uptime requirement
- Mentions availability zones
- Zero tolerance for downtime
✅ Zone-redundant VpnGw2+
8. Exam Traps to Avoid
❌ Choosing Basic SKU for production
❌ Ignoring throughput requirements
❌ Selecting higher SKU when cost optimization is mentioned
❌ Forgetting zone redundancy when high availability is required
9. Key Exam Takeaways (Memorize This)
- Always use VPN Gateway for S2S VPN
- Prefer Generation 2 SKUs
- Select SKU based on throughput, tunnels, and availability
- Higher SKU = more performance and scale
- Choose the lowest SKU that meets requirements
- Zone-redundant SKUs for mission-critical workloads
10. One-Line Exam Summary
Selecting an appropriate VNet gateway SKU means choosing the correct VPN Gateway performance tier based on required throughput, number of Site-to-Site VPN tunnels, availability needs, and cost constraints.
