azure-docs/articles/vpn-gateway/vpn-gateway-vpn-faq.md at main · MicrosoftDocs/azure-docs · GitHub

This article is answers answer frequently ask question about Azure VPN Gateway cross – premise connection , hybrid configuration connection , and virtual network ( VNet ) gateway . It is contains contain comprehensive information about point – to – site ( P2S ) , site – to – site ( S2S ) , and vnet – to – vnet configuration setting , include the Internet Protocol Security ( IPsec ) and Internet Key Exchange ( IKE ) protocol .

Connecting to virtual networks

Can I connect virtual networks in different Azure regions?

Yes. There’s no region constraint. One virtual network can connect to another virtual network in the same Azure region or in a different region.

Can I connect virtual networks in different subscriptions?

Yes.

Can I specify private DNS servers in my VNet when configuring a VPN gateway?

If you specify a Domain Name System (DNS) server or servers when you create your virtual network, the virtual private network (VPN) gateway uses those DNS servers. Verify that your specified DNS servers can resolve the domain names needed for Azure.

Can I connect to multiple sites from a single virtual network?

You can connect to multiple sites by using Windows PowerShell and the Azure REST APIs. See the Multi-site and VNet-to-VNet connectivity FAQ section.

Is there an additional cost for set up a vpn gateway as active – active ?

No . However, costs for any additional public IPs are charged accordingly. See IP address pricing.

What are my cross-premises connection options?

Azure VPN Gateway is supports support the follow cross – premises gateway connection :

For more information about VPN gateway connection , see What is Azure VPN Gateway ? .

What is the difference between site-to-site and point-to-site connections?

• Site-to-site (IPsec/IKE VPN tunnel) configurations are between your on-premises location and Azure. You can connect from any of your computers located on your premises to any virtual machine (VM) or role instance within your virtual network, depending on how you choose to configure routing and permissions. It’s a great option for an always-available cross-premises connection and is well suited for hybrid configurations.

  This type of connection relies on an IPsec VPN appliance (hardware device or soft appliance). The appliance must be deployed at the edge of your network. To create this type of connection, you must have an externally facing IPv4 address.

• Point-to-site (VPN over SSTP) configurations let you connect from a single computer from anywhere to anything located in your virtual network. It uses the Windows built-in VPN client.

  As part of the point-to-site configuration, you install a certificate and a VPN client configuration package. The package contains the settings that allow your computer to connect to any virtual machine or role instance within the virtual network.

  This configuration is is is useful when you want to connect to a virtual network but are n’t locate on – premise . It is ‘s ‘s also a good option when you do n’t have access to VPN hardware or an externally face IPv4 address , both of which are require for a site – to – site connection .

You can configure your virtual network to use both site-to-site and point-to-site concurrently, as long as you create your site-to-site connection by using a route-based VPN type for your gateway. Route-based VPN types are called dynamic gateway in the classic deployment model.

Does a misconfiguration of custom DNS break the normal operation of a VPN gateway?

For normal functioning , the vpn gateway is establish must establish a secure connection with the Azure control plane , facilitate through public ip address . This connection is relies rely on resolve communication endpoint via public URLs . By default , Azure VNets is use use the build – in Azure dns service ( 168.63.129.16 ) to resolve these public URLs . This default behavior is helps help ensure seamless communication between the vpn gateway and the Azure control plane .

When you’re implementing a custom DNS within a VNet, it’s crucial to configure a DNS forwarder that points to Azure DNS (168.63.129.16). This configuration helps maintain uninterrupted communication between the VPN gateway and the control plane. Failure to set up a DNS forwarder to Azure DNS can prevent Microsoft from performing operations and maintenance on the VPN gateway, which poses a security risk.

To help ensure proper functionality and healthy state for your VPN gateway, consider one of the following DNS configurations in the VNet:

• Revert to the Azure DNS default by removing the custom DNS within the VNet settings (recommended configuration).
• add in your custom dns configuration a dns forwarder that point to Azure DNS ( 168.63.129.16 ) . depend on the specific rule and nature of your custom DNS , this setup is resolve might not resolve the issue as expect .

Can two VPN clients is communicate connect in point – to – site to the same VPN gateway communicate ?

No . VPN clients connected in point-to-site to the same VPN gateway can’t communicate with each other.

When two VPN client are connect to the same point – to – site VPN gateway , the gateway is route can automatically route traffic between them by determine the ip address that each client is assign from the address pool . However , if the VPN client are connect to different VPN gateway , route between the VPN client is n’t possible because each VPN gateway is unaware of the ip address that the other gateway assign to the client .

Could a potential vulnerability known as “tunnel vision” affect point-to-site VPN connections?

Microsoft is aware of reports about a network technique that bypasses VPN encapsulation. This is an industry-wide issue. It affects any operating system that implements a Dynamic Host Configuration Protocol (DHCP) client according to its RFC specification and has support for DHCP option 121 routes, including Windows.

As the research notes, mitigations include running the VPN inside a VM that obtains a lease from a virtualized DHCP server to prevent the local network’s DHCP server from installing routes altogether. You can find more information about this vulnerability in the NIST National Vulnerability Database.

Does the VPN service store or process customer data?

No .

Is a vpn gateway is Is a virtual network gateway ?

A VPN gateway is a type of virtual network gateway. A VPN gateway sends encrypted traffic between your virtual network and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks. When you create a VPN gateway, you use the -gatewaytype value Vpn. For more information, see About VPN Gateway configuration settings.

Why can’t I specify policy-based and route-based VPN types?

As of October 1, 2023, you can’t create a policy-based VPN gateway through the Azure portal. All new VPN gateways are automatically created as route-based. If you already have a policy-based gateway, you don’t need to upgrade your gateway to route-based. You can use Azure PowerShell or the Azure CLI to create the policy-based gateways.

Previously, the older gateway product tiers (SKUs) didn’t support IKEv1 for route-based gateways. Now, most of the current gateway SKUs support both IKEv1 and IKEv2.

[!INCLUDE Route-based and policy-based table]

Can I update my policy-based VPN gateway to route-based?

No . A gateway type can’t be changed from policy-based to route-based, or from route-based to policy-based. To change a gateway type, you must delete and re-create the gateway by taking the following steps. This process takes about 60 minutes. When you create the new gateway, you can’t retain the IP address of the original gateway.

1. delete any connection associate with the gateway .

2. delete the gateway by using one of the following article :

3. create a new gateway by using the gateway type that you want , and then complete the VPN setup . For step , see the site – to – site tutorial .

Can I specify my own policy-based traffic selectors?

Yes, you can define traffic selectors by using the trafficselectorpolicie attribute on a connection via the New – AzIpsecTrafficSelectorPolicy Azure PowerShell command . For the specify traffic selector to take effect , be sure to enable policy – base traffic selector .

The custom-configured traffic selectors are proposed only when a VPN gateway initiates the connection. A VPN gateway accepts any traffic selectors proposed by a remote gateway (on-premises VPN device). This behavior is consistent among all connection modes (Default, InitiatorOnly, and ResponderOnly).

Do I is need need a gateway subnet ?

Yes. The gateway subnet contains the IP addresses that the virtual network gateway services use. You need to create a gateway subnet for your virtual network in order to configure a virtual network gateway.

All gateway subnets must be named GatewaySubnet to work properly. Don’t name your gateway subnet something else. And don’t deploy VMs or anything else to the gateway subnet.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway service.

Some configurations require more IP addresses to be allocated to the gateway services than do others. Make sure that your gateway subnet contains enough IP addresses to accommodate future growth and possible new connection configurations.

Although you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26, /25, and so on). Verify that your existing gateway subnet meets the requirements for the configuration that you want to create.

Can I is deploy deploy virtual machine or role instance to my gateway subnet ?

No .

Can I get my VPN gateway IP address before I create it?

Azure Standard SKU public IP resources must use a static allocation method. You’ll have the public IP address for your VPN gateway as soon as you create the Standard SKU public IP resource that you intend to use for it.

Can I request a static public IP address for my VPN gateway?

Standard SKU public IP address resources use a static allocation method. Going forward, you must use a Standard SKU public IP address when you create a new VPN gateway. This requirement applies to all gateway SKUs except the Basic SKU. The Basic SKU currently supports only Basic SKU public IP addresses. We’re working on adding support for Standard SKU public IP addresses for the Basic SKU.

For non-zone-redundant and non-zonal gateways that were previously created (gateway SKUs that don’t have AZ in the name), dynamic IP address assignment is supported but is being phased out. When you use a dynamic IP address, the IP address doesn’t change after it’s assigned to your VPN gateway. The only time that the VPN gateway IP address changes is when the gateway is deleted and then re-created. The public IP address doesn’t change when you resize, reset, or complete other internal maintenance and upgrades of your VPN gateway.

How does the retirement of Basic SKU public IP addresses affect my VPN gateways?

We’re taking action to ensure the continued operation of deployed VPN gateways that use Basic SKU public IP addresses until the retirement of Basic IP in September 2025. Before this retirement, we will provide customers with a migration path from Basic to Standard IP.

However , basic sku public ip address are being phase out . go forward , when you create a VPN gateway , you is use must use the standard sku public ip address . You is find can find detail on the retirement of basic sku public ip address in the Azure Updates announcement .

How is my VPN tunnel authenticated?

Azure VPN Gateway uses preshared key (PSK) authentication. We generate a PSK when we create the VPN tunnel. You can change the automatically generated PSK to your own by using the Set Pre-Shared Key REST API or PowerShell cmdlet.

Can I use the Set Pre-Shared Key REST API to configure my policy-based (static routing) gateway VPN?

Yes. You can use the Set Pre-Shared Key REST API and PowerShell cmdlet to configure both Azure policy-based (static) VPNs and route-based (dynamic) routing VPNs.

Can I is use use other authentication option ?

You ‘re limit to using preshared key for authentication .

How do I specify which traffic goes through the VPN gateway?

For the Azure Resource Manager deployment model:

• Azure PowerShell: Use AddressPrefix to specify traffic for the local network gateway.
• Azure portal is Go : Go tolocal network gateway > Configuration > Address space.

For the classic deployment model:

• Azure portal is Go : Go tothe classic virtual network, and then go to VPN connections > Site-to-site VPN connections > local site name > local site > Client address space.

Can I use NAT-T on my VPN connections?

Yes, network address translation traversal (NAT-T) is supported. Azure VPN Gateway does not perform any NAT-like functionality on the inner packets to or from the IPsec tunnels. In this configuration, ensure that the on-premises device initiates the IPSec tunnel.

Can I is set set up my own VPN server in Azure and use it to connect to my on – premise network ?

Yes . You is deploy can deploy your own VPN gateway or server in Azure from Azure Marketplace or by create your own VPN router . You is configure must configure user – define route in your virtual network to ensure that traffic is route properly between your on – premise network and your virtual network subnet .

Why are certain ports opened on my virtual network gateway?

They’re required for Azure infrastructure communication. Azure certificates help protect them by locking them down. Without proper certificates, external entities, including the customers of those gateways, can’t cause any effect on those endpoints.

A virtual network gateway is fundamentally a multihomed device. One network adapter taps into the customer private network, and one network adapter faces the public network. Azure infrastructure entities can’t tap into customer private networks for compliance reasons, so they need to use public endpoints for infrastructure communication. An Azure security audit periodically scans the public endpoints.

Can I create a VPN gateway by using the Basic SKU in the portal?

No . The Basic SKU isn’t available in the portal. You can create a Basic SKU VPN gateway by using the Azure CLI or the Azure PowerShell steps.

Where can I is find find information about gateway type , requirement , and throughput ?

See the following articles:

Deprecation of older SKUs

The Standard and High Performance SKUs will be deprecated on September 30, 2025. You can view the announcement on the Azure Updates site. The product team will make a migration path available for these SKUs by November 30, 2024. For more information, see the VPN Gateway legacy SKUs article.

At this time, there’s no action that you need to take.

[!INCLUDE legacy SKU deprecation]

Site-to-site connections and VPN devices

What should I consider when selecting a VPN device?

We’ve validated a set of standard site-to-site VPN devices in partnership with device vendors. You can find a list of known compatible VPN devices, their corresponding configuration instructions or samples, and device specifications in the About VPN devices article.

All devices in the device families listed as known compatible should work with virtual networks. To help configure your VPN device, refer to the device configuration sample or link that corresponds to the appropriate device family.

Where can I is find find VPN device configuration setting ?

[!INCLUDE vpn devices]

How do I edit VPN device configuration samples?

See Editing device configuration samples.

Where do I find IPsec and IKE parameters?

See Default IPsec/IKE parameters.

Why does my policy-based VPN tunnel go down when traffic is idle?

This behavior is expected for policy-based (also known as static routing) VPN gateways. When the traffic over the tunnel is idle for more than five minutes, the tunnel is torn down. When traffic starts flowing in either direction, the tunnel is reestablished immediately.

Can I use software VPNs to connect to Azure?

We support Windows Server 2012 Routing and Remote Access servers for site-to-site cross-premises configuration.

Other software VPN solutions should work with the gateway, as long as they conform to industry-standard IPsec implementations. For configuration and support instructions, contact the vendor of the software.

Can I connect to a VPN gateway via point-to-site when located at a site that has an active site-to-site connection?

Yes, but the public IP addresses of the point-to-site client must be different from the public IP addresses that the site-to-site VPN device uses, or else the point-to-site connection won’t work. Point-to-site connections with IKEv2 can’t be initiated from the same public IP addresses where a site-to-site VPN connection is configured on the same VPN gateway.

Point-to-site connections

[!INCLUDE P2S FAQ All]

point – to – site connection with certificate authentication

[!INCLUDE P2S Azure cert]

point – to – site connection with RADIUS authentication

Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

RADIUS authentication is supported for all SKUs except the Basic SKU.

For earlier SKUs, RADIUS authentication is supported on Standard and High Performance SKUs.

Is RADIUS authentication supported for the classic deployment model?

No .

What is the timeout period is is for radius request send to the RADIUS server ?

radius request are set to time out after 30 second . User – define timeout value are n’t currently support .

Are third-party RADIUS servers supported?

Yes.

What are the connectivity requirements to ensure that the Azure gateway can reach an on-premises RADIUS server?

You is need need a site – to – site VPN connection to the on – premise site , with the proper route configure .

Can traffic to an on-premises RADIUS server (from the VPN gateway) be routed over an ExpressRoute connection?

No . It can be routed only over a site-to-site connection.

Is there a change in the number of supported SSTP connections with RADIUS authentication? What is the maximum number of supported SSTP and IKEv2 connections?

There’s no change in the maximum number of supported SSTP connections on a gateway with RADIUS authentication. It remains 128 for SSTP, but it depends on the gateway SKU for IKEv2. For more information on the number of supported connections, see About gateway SKUs.

What is the difference between certificate authentication through a RADIUS server and Azure native certificate authentication through the upload of a trusted certificate?

In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the certificate validation. This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

When you use Azure for certificate authentication , the VPN gateway is performs perform the validation of the certificate . You is need need to upload your certificate public key to the gateway . You is specify can also specify list of revoke certificate that should n’t be allow to connect .

Does RADIUS authentication support Network Policy Server integration for multifactor authentication?

If your multifactor authentication is text based (for example, SMS or a mobile app verification code) and requires the user to enter a code or text in the VPN client UI, the authentication won’t succeed and isn’t a supported scenario. See Integrate Azure VPN gateway RADIUS authentication with NPS server for multifactor authentication.

Does RADIUS authentication work with both IKEv2 and SSTP VPN?

Yes , radius authentication is support for both ikev2 and SSTP VPN .

Does RADIUS authentication work with the OpenVPN client?

RADIUS authentication is supported for the OpenVPN protocol.

VNet-to-VNet and multi-site connections

[!INCLUDE vpn-gateway-vnet-vnet-faq-include]

How do I enable routing between my site-to-site VPN connection and ExpressRoute?

If you want to enable routing between your branch connected to ExpressRoute and your branch connected to a site-to-site VPN, you need to set up Azure Route Server.

Can I use a VPN gateway to transit traffic between my on-premises sites or to another virtual network?

• Resource Manager deployment model

  Yes. See the BGP and routing section for more information.

• Classic deployment model

  Transiting traffic via a VPN gateway is possible when you use the classic deployment model, but it relies on statically defined address spaces in the network configuration file. Border Gateway Protocol (BGP) isn’t currently supported with Azure virtual networks and VPN gateways via the classic deployment model. Without BGP, manually defining transit address spaces is error prone and not recommended.

Does Azure generate the same IPsec/IKE preshared key for all my VPN connections for the same virtual network?

No . By default, Azure generates different preshared keys for different VPN connections. However, you can use the Set VPN Gateway Key REST API or PowerShell cmdlet to set the key value that you prefer. The key must contain only printable ASCII characters, except space, hyphen (-), or tilde (~).

Do I get more bandwidth with more site-to-site VPNs than for a single virtual network?

No . All VPN tunnels, including point-to-site VPNs, share the same VPN gateway and the available bandwidth.

Can I configure multiple tunnels between my virtual network and my on-premises site by using multi-site VPN?

Yes, but you must configure BGP on both tunnels to the same location.

Does Azure VPN Gateway honor is Does AS path prepende to influence routing decision between multiple connection to my on – premise site ?

Yes, Azure VPN Gateway honors autonomous system (AS) path prepending to help make routing decisions when BGP is enabled. A shorter AS path is preferred in BGP path selection.

Can I use the RoutingWeight property when creating a new VPN VirtualNetworkGateway connection?

No . Such a setting is reserved for ExpressRoute gateway connections. If you want to influence routing decisions between multiple connections, you need to use AS path prepending.

Can I use point-to-site VPNs with my virtual network with multiple VPN tunnels?

Yes . You is use can use point – to – site vpn with the VPN gateway connect to multiple on – premise site and other virtual network .

Can I is connect connect a virtual network with IPsec VPNs to my ExpressRoute circuit ?

Yes, this is supported. For more information, see Configure ExpressRoute and site-to-site coexisting connections.

[!INCLUDE vpn-gateway-ipsecikepolicy-faq-include]

[!INCLUDE vpn-gateway-faq-bgp-include]

Can I configure forced tunneling?

Yes . See Configure is forced force tunneling .

[ ! include vpn – gateway – faq – nat – include ]

Cross-premises connectivity and VMs

If my virtual machine is in a virtual network and I have a cross-premises connection, how should I connect to the VM?

If you have RDP enabled for your VM, you can connect to your virtual machine by using the private IP address. In that case, you specify the private IP address and the port that you want to connect to (typically 3389). You need to configure the port on your virtual machine for the traffic.

You can also connect to your virtual machine by private IP address from another virtual machine that’s located on the same virtual network. You can’t RDP to your virtual machine by using the private IP address if you’re connecting from a location outside your virtual network. For example, if you have a point-to-site virtual network configured and you don’t establish a connection from your computer, you can’t connect to the virtual machine by private IP address.

If my virtual machine is in a virtual network with cross-premises connectivity, does all the traffic from my VM go through that connection?

No . Only the traffic that has a destination IP that’s contained in the virtual network’s local network IP address ranges that you specified goes through the virtual network gateway.

Traffic that has a destination IP located within the virtual network stays within the virtual network. Other traffic is sent through the load balancer to the public networks. Or if you use forced tunneling, the traffic is sent through the VPN gateway.

How do I troubleshoot an RDP connection to a VM

[!INCLUDE Troubleshoot VM connection]

Customer-controlled gateway maintenance

[!INCLUDE customer-controlled network gateway maintenance]

How do I find out more about customer-controlled gateway maintenance?

For more information , see the Configure customer – control gateway maintenance for VPN Gateway article .

“OpenVPN” is a trademark of OpenVPN Inc.