Day 19: Azure Az-900: Azure Virtual Networking


In today’s interconnected business world, the ability to securely access and share information across locations is essential. Microsoft Azure, a leading cloud computing platform, offers a robust solution known as Azure Virtual Private Network (VPN) to help organisations achieve this. Let’s delve into the details of Azure VPNs: how they function, their benefits, and how they can be leveraged to enhance your network infrastructure.

What is an Azure Virtual Private Network (VPN)?

At its core, a virtual private network (VPN) creates a secure, encrypted tunnel over a public network, such as the internet. This tunnel enables the safe transmission of data between two or more private networks, effectively extending your on-premises network into the Azure cloud or connecting multiple Azure virtual networks together.


In the context of Azure, a VPN gateway is the core of this secure connection. It is a virtual network appliance responsible for encrypting and decrypting traffic as it flows between your on-premises network and Azure, or between different Azure virtual networks.

How Azure VPNs Work

Azure VPNs operate based on well-established networking protocols:

  • IPsec/IKE (Internet Protocol Security/Internet Key Exchange): These protocols form the foundation of the secure tunnel. IPsec encrypts and integrity-protects the data packets, ensuring confidentiality, while IKE authenticates the two ends and negotiates the secure exchange of the keys used for encryption and authentication.
  • BGP (Border Gateway Protocol): This routing protocol is commonly used in site-to-site configurations to exchange routing information between networks, so that traffic is routed efficiently between your on-premises and Azure networks.

Azure VPN Gateways

An Azure VPN gateway is a specialised type of virtual network gateway that is deployed within a dedicated subnet of your Azure virtual network. It serves as the central point for establishing and managing VPN connections. A single VPN gateway can facilitate multiple types of connections:

  • Site-to-Site (S2S): Connects your on-premises datacentres to your Azure virtual networks.
  • Point-to-Site (P2S): Connects individual devices, such as laptops or smartphones, to your Azure virtual network.
  • Network-to-Network (VNet-to-VNet): Connects different Azure virtual networks together.

While you can only deploy one VPN gateway per virtual network, each gateway can handle multiple connections to different locations, making it a versatile solution for diverse networking needs.

Policy-Based vs. Route-Based VPN Gateways

When setting up a VPN gateway in Azure, you must choose between two types: policy-based and route-based. Both use pre-shared keys for authentication, but they differ in how they determine which traffic to encrypt:

  • Policy-Based: These gateways explicitly define the IP addresses of the traffic that needs to be encrypted for each tunnel. They evaluate every data packet against these statically defined IP addresses to determine the appropriate tunnel.

Policy-Based VPN: Like a crossing guard in a small town, telling cars which road to take from a set list.

  • Route-Based: These gateways treat IPsec tunnels as virtual tunnel interfaces. The decision of which tunnel interface to use is made dynamically from the IP routing table (either statically configured or learned through dynamic routing protocols such as BGP). Route-based VPNs are generally preferred for their adaptability and are recommended for most scenarios, including connections between virtual networks, point-to-site connections, multi-site connections, and use alongside Azure ExpressRoute gateways.

Route-Based VPN: Like a smart GPS in a big city, always finding the best route.

Why Use Azure VPNs?

Azure VPNs offer several key advantages:

  • Security: VPNs encrypt data in transit, protecting it from unauthorised access and interception as it travels across public networks. This is crucial for safeguarding sensitive information such as financial data or customer records.
  • Extensibility: VPNs allow you to seamlessly extend your on-premises network into the Azure cloud. This is invaluable for organisations with hybrid environments, enabling them to access and manage resources in both locations as if they were part of a single network.
  • Flexibility: Azure VPNs offer multiple deployment options, catering to different needs and scenarios. You can establish site-to-site connections between on-premises networks and Azure, point-to-site connections for individual users to connect securely from remote locations, and even multi-site configurations for complex network topologies.
  • Cost-Effectiveness: VPNs can be a cost-effective alternative to dedicated private lines, especially for organisations with limited budgets or those looking for more flexible connectivity options.

Ensuring High Availability for Your Azure VPN Gateways

In networking, security and reliability matter most. When you’re relying on a Virtual Private Network (VPN) to protect your data, you need to be confident that it’s not only secure but also highly available. In the Azure cloud environment, there are several strategies you can implement to maximise the resiliency and fault tolerance of your VPN gateways. Let’s explore these high-availability scenarios in detail.

Understanding the Importance of High Availability

High availability (HA) is the ability of a system to continue operating even when one or more of its components fail. In the context of VPN gateways, HA ensures that your secure connection remains intact, even during planned maintenance or unexpected disruptions. This is critical for organisations that rely on continuous access to their resources in the cloud.

Active/Standby Configuration

By default, Azure VPN gateways are deployed in an active/standby configuration. This means that even though you only see one VPN gateway resource in the Azure portal, there are actually two instances running behind the scenes. When planned maintenance or an unplanned issue affects the active instance, the standby instance automatically takes over, ensuring minimal disruption to your connections. While there might be a brief interruption during the failover process, connections are typically restored within seconds for planned maintenance and within 90 seconds for unplanned issues.

Active/Standby Configuration: Shows Robo A playing with a child, while Robo B is ready in the background.

Active/Active Configuration

For even greater resilience, you can configure your Azure VPN gateways in an active/active configuration. This requires support for the Border Gateway Protocol (BGP), a routing protocol used to exchange routing information between networks. In this configuration, each gateway instance is assigned a unique public IP address, and you create separate tunnels from your on-premises device to each IP address. By distributing traffic across both instances, you not only increase the overall throughput but also ensure that if one instance fails, the other can continue to handle connections.

Active/Active Configuration: Shows both Robo A and Robo B playing with a child at the same time.

ExpressRoute Failover

An ExpressRoute circuit is a dedicated, private connection to Azure, offering higher reliability than internet-based connections. However, even ExpressRoute isn’t completely immune to physical cable problems or outages affecting an entire ExpressRoute location. To mitigate this risk, you can configure a VPN gateway as a secure failover path for your ExpressRoute connection. If the ExpressRoute circuit experiences an issue, the VPN gateway automatically takes over, ensuring uninterrupted connectivity to your virtual networks.

ExpressRoute Failover: Shows a super slide to a playground with a backup tunnel next to it.

Zone-Redundant Gateways

For regions that support Azure Availability Zones, you can deploy VPN gateways (and ExpressRoute gateways) in a zone-redundant configuration. Availability Zones are physically and logically separate locations within an Azure region. By deploying gateways across multiple zones, you protect your on-premises network connectivity from zone-level failures. This configuration offers enhanced resiliency, scalability, and higher availability. However, it requires different gateway SKUs (Stock Keeping Units) and the use of Standard public IP addresses instead of Basic ones.

Zone-Redundant Gateways: Shows three toy houses in different parts of a room, each with a toy robot.
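To make the last two sections concrete, here is an added example (not from the article or from Microsoft’s documentation) in Bicep that declares a route-based, active/active, zone-redundant VPN gateway with BGP enabled and one Standard public IP per instance. It assumes an existing virtual network that already contains a subnet named GatewaySubnet; the resource names, the ASN and the API version are assumptions.

```bicep
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'          // assumed: existing VNet that already has a 'GatewaySubnet'
param gatewayName string = 'hub-vpngw'      // assumed name
param localAsn int = 65515                  // assumed ASN for the Azure side of the BGP session

// The gateway must be placed in the dedicated subnet literally named 'GatewaySubnet'.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = {
  parent: vnet
  name: 'GatewaySubnet'
}

// Active/active needs one public IP per gateway instance, and the zone-redundant
// SKUs require Standard (not Basic) public IPs, here spread across zones 1-3.
resource publicIps 'Microsoft.Network/publicIPAddresses@2023-04-01' = [for i in range(0, 2): {
  name: '${gatewayName}-pip${i + 1}'
  location: location
  sku: { name: 'Standard' }
  zones: [ '1', '2', '3' ]
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}]

resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = {
  name: gatewayName
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'                         // tunnel chosen from the routing table, as recommended
    sku: { name: 'VpnGw1AZ', tier: 'VpnGw1AZ' }  // the 'AZ' SKUs are the zone-redundant ones
    activeActive: true                            // both instances carry traffic; two IP configurations
    enableBgp: true                               // routes exchanged dynamically with the on-premises device
    bgpSettings: { asn: localAsn }
    ipConfigurations: [for i in range(0, 2): {
      name: 'ipconfig${i + 1}'
      properties: {
        privateIPAllocationMethod: 'Dynamic'
        subnet: { id: gatewaySubnet.id }
        publicIPAddress: { id: publicIps[i].id }
      }
    }]
  }
}

// Both addresses are needed on-premises: one tunnel is built to each gateway instance.
output gatewayPublicIps array = [for i in range(0, 2): publicIps[i].properties.ipAddress]
```

Deploy it with `az deployment group create` against the resource group that holds the virtual network; the two output addresses are the tunnel endpoints to configure on the on-premises device.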

The optimal HA strategy for your Azure VPN gateways will depend on your specific requirements and budget. If cost is a major concern and brief interruptions are acceptable, the default active/standby configuration may be sufficient. For higher levels of availability and continuous connectivity, active/active configurations or ExpressRoute failover with a VPN gateway backup might be more suitable. If your Azure region supports it, zone-redundant gateways offer the highest level of protection against zone-level failures within a region.
