
Azure Virtual Private Network (VPN)

Microsoft Azure’s Virtual Private Network (VPN) offers a hybrid work environment, enabling seamless integration of on-premises servers and equipment with cloud services. To achieve this, our proposal is to use a virtual private network (Azure Virtual Private Network, or VPN) that works as a gateway.

Azure VPN Architecture

Local Area Network (LAN)

The foundation of this architecture is your company’s private local area network (LAN), which forms the internal backbone of your network infrastructure.

Virtual Private Network (VPN) device

A crucial component, the VPN device, offers external connectivity to the LAN. This can be a hardware-based solution or a software service like the Routing and Remote Access Service (RRAS) in Windows Server 2012.

Virtual network

In Azure, the cloud application and Azure VPN Gateway components reside within the same virtual network, ensuring streamlined connectivity and security.

Azure VPN Gateway

The VPN Gateway service allows you to connect the virtual network to the local area network using a VPN device. This service includes the following elements:

  • Virtual Network Gateway: Acts as a virtual VPN device for the virtual network, routing traffic from the LAN to the virtual network.
  • Local Network Gateway: Represents the on-premises VPN device abstraction, routing cloud application traffic to the LAN.
  • Connection: Holds properties specifying the connection type (e.g., IPSec) and the shared key for encrypting traffic.
  • Gateway Subnet: A dedicated subnet for maintaining the virtual network gateway.
  • Internal Load Balancer: Routes VPN Gateway network traffic to the cloud application through an internal load balancer located in the application’s front-end subnet.
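A pre-deployment check of the components listed above, as an added example that is not from the original page or from Microsoft. The sample design, all prefixes, the key and the 32-character minimum are constructed assumptions; the `GatewaySubnet` name is the one Azure requires for the gateway's dedicated subnet.

```python
import ipaddress

# Constructed sample design; every name, prefix and key here is an assumption.
DESIGN = {
    "vnet_prefixes": ["10.1.0.0/16"],
    "gateway_subnet": {"name": "GatewaySubnet", "prefix": "10.1.255.0/27"},
    "local_network_gateway": {"lan_prefixes": ["192.168.0.0/24"]},
    "connection": {"type": "IPsec",
                   "shared_key": "constructed-sample-key-0123456789"},
}


def check_s2s_design(d, min_key_len=32):
    """Return a list of findings; an empty list means the design passed."""
    findings = []
    vnet = [ipaddress.ip_network(p) for p in d["vnet_prefixes"]]
    lan = [ipaddress.ip_network(p)
           for p in d["local_network_gateway"]["lan_prefixes"]]
    gw = d["gateway_subnet"]
    gw_net = ipaddress.ip_network(gw["prefix"])

    # The virtual network gateway only deploys into a subnet with this name.
    if gw["name"] != "GatewaySubnet":
        findings.append("gateway subnet must be named GatewaySubnet")
    if not any(gw_net.subnet_of(v) for v in vnet):
        findings.append("gateway subnet lies outside the virtual network")

    # Overlapping ranges make routing between LAN and virtual network ambiguous.
    for l_net in lan:
        for v_net in vnet:
            if l_net.overlaps(v_net):
                findings.append(
                    f"LAN prefix {l_net} overlaps virtual network prefix {v_net}")

    conn = d["connection"]
    if conn["type"] != "IPsec":
        findings.append("site-to-site connection type must be IPsec")
    # The length and variety thresholds are assumptions, not Azure limits.
    key = conn["shared_key"]
    if len(key) < min_key_len or len(set(key)) < 10:
        findings.append("shared key is too short or too repetitive")
    return findings


if __name__ == "__main__":
    for finding in check_s2s_design(DESIGN) or ["design passed all checks"]:
        print(finding)
```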

Types of Azure VPN Connections

Conceptually, there are two types of connection between environments that use virtual networks and the Azure gateway.

Site to Site (S2S)

This connection uses IPsec (IKE v1 and IKE v2) to establish a secure link between a virtual network and a local site. Once established, resources behind the local gateway can securely communicate with Azure resources. This option is ideal for allowing entire local networks to access Azure resources without individual device connections.

In contrast to the next option (Point-to-Site), the individual computers on the local network do not each need to make their own connection to the Azure virtual network to access its resources.

Point-to-Site (P2S)

Leveraging SSTP (Secure Socket Tunneling Protocol), P2S allows individual client devices to connect to the Azure network. It requires a VPN client on each device, making it suitable for scenarios where only specific devices need access to Azure resources.

Point-to-Site connections do not need a VPN device; they work with a VPN client installed on the device. However, only devices with that client can connect to Azure resources. If several devices need access to these resources, each of them must establish its own Point-to-Site VPN connection.


Multi-Site

A variation of the S2S type, Multi-Site VPN enables linking multiple external locations to the same Azure virtual network. It’s particularly useful for organizations with several branches or remote sites needing access to shared Azure resources.

Azure VPN offers a versatile and secure way to extend your on-premises networks into the cloud. Whether it’s a single remote user needing access to Azure resources (P2S), an entire local network (S2S), or multiple external sites (Multi-Site), Azure VPN provides tailored solutions for various business requirements. By harnessing these capabilities, businesses can achieve greater operational agility, enhanced security, and seamless integration between their on-premises and cloud environments.
