Select an appropriate VNet gateway SKU

2.2 Point-to-Site (P2S) VPN Connectivity

📘Microsoft Azure Networking Solutions (AZ-700)

A Point-to-Site VPN allows individual devices (like laptops or desktops) to securely connect to an Azure Virtual Network (VNet) over the internet. Unlike Site-to-Site VPNs (which connect entire networks), P2S is client-to-Azure, meaning one device at a time.

Key features of P2S VPN:

Securely connects remote users to Azure VNets.
Uses encryption to keep traffic safe.
Supports multiple authentication methods:
- Azure certificate-based authentication
- Azure Active Directory (AAD) authentication
- RADIUS authentication

VNet Gateway and SKUs

A VNet gateway is a special Azure resource that allows VPN connections (both P2S and Site-to-Site). It acts like a gate between your Azure network and the remote device or network.

When you create a VNet gateway, you must choose a SKU (Stock Keeping Unit). This SKU defines:

Maximum number of connections
Maximum throughput (data speed)
Supported VPN protocols
Features like BGP support or high availability

P2S VPN Requirements for Gateway SKU

For Point-to-Site VPN, the main considerations are:

Number of concurrent users: How many devices will connect at the same time?
Protocol support: Which VPN protocols are needed? (IKEv2, OpenVPN, SSTP, or ExpressRoute-based)
Throughput needs: How much data do your users typically transfer?

Available VNet Gateway SKUs

Azure VNet gateway SKUs are divided into Basic, VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5.

Here’s a simplified breakdown:

SKU	Max P2S Connections	Max Throughput	Protocols Supported	Notes
Basic	128	~100 Mbps	SSTP, IKEv2	Only supports SSTP and IKEv2. No OpenVPN. Cheapest option, small-scale use.
VpnGw1	250	~650 Mbps	SSTP, IKEv2, OpenVPN	Supports OpenVPN. Good for small to medium teams.
VpnGw2	500	~1 Gbps	SSTP, IKEv2, OpenVPN	Higher throughput and connections. Medium teams.
VpnGw3	1000	~1.25 Gbps	SSTP, IKEv2, OpenVPN	Large teams or high-throughput requirements.
VpnGw4 / VpnGw5	2000+	1.25–10 Gbps	SSTP, IKEv2, OpenVPN	Enterprise-grade, very high connections and speed.

Important notes for exams:

Basic SKU cannot support OpenVPN, only SSTP/IKEv2.
Higher SKUs allow more concurrent P2S connections and higher throughput.
SKUs scale up but not automatically; you choose the SKU when creating the gateway.
Some SKUs also support Active-Active configurations for high availability.

Step-by-Step Guide to Select a P2S Gateway SKU

Identify the number of users who will connect at the same time.
- If <128 users → Basic SKU may work.
- If 200+ users → VpnGw1 or higher.
Check protocol requirements.
- If your users require OpenVPN, do not use Basic SKU.
Estimate bandwidth/throughput needs.
- Heavy data transfers require higher SKUs (VpnGw2+).
Check for additional features.
- Need BGP or Active-Active VPN? Choose VpnGw2+.
Choose the SKU in the Azure portal or via PowerShell/CLI.

Example (exam-style scenario):

You have 300 remote users connecting to Azure via P2S VPN. Users must use OpenVPN. Which gateway SKU should you choose?

Basic → ❌ Too few connections & no OpenVPN
VpnGw1 → ✅ Supports 250–500 connections and OpenVPN
VpnGw2 → ✅ Higher throughput if needed

Answer: VpnGw2 (because it handles 500 concurrent users and OpenVPN protocol).

Key Exam Tips

Remember the Basic SKU limits: 128 users, SSTP/IKEv2 only, no OpenVPN.
Higher SKUs = more connections + higher throughput + OpenVPN support.
Always match SKU to user numbers, protocol, and bandwidth.
P2S VPN is always client-to-Azure. This differentiates it from Site-to-Site VPN.

✅ Summary Table for Students

Step	Question to Ask	SKU Hint
Step 1	How many concurrent users?	Basic, VpnGw1–5
Step 2	Which VPN protocols needed?	OpenVPN requires VpnGw1+
Step 3	How much data will users transfer?	Choose higher SKU for more throughput
Step 4	Any special features?	Active-Active or BGP → VpnGw2+

This covers everything you need for exam preparation about selecting a VNet gateway SKU for Point-to-Site VPNs. It’s simple, precise, and IT-focused.