Internet, such as for a web service.
Once your virtual networks are created in Microsoft Azure, it’s easy to enable the site-to-site VPN feature to bring cross-premises connectivity. A subnet is added to the virtual network for the gateway VMs, which are automatically created and managed for you; then the actual gateway is created and your local network space is defined, which tells Azure which IP address space is used on premises so that it can correctly route the traffic that should be sent via the site-to-site VPN connection. Once the Azure side of the gateway is created, there is an option to generate a script containing information such as the gateway’s IP address and the key used for the IPsec-based encryption of the traffic; this script is used to configure the VPN gateway device on your network to complete the connection. Microsoft has a full walk-through of the process at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-site-to-site-resource-manager-portal/.
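The steps just described (gateway subnet, local network definition, Azure gateway, IPsec connection) as an added example using the Azure Resource Manager PowerShell cmdlets; this is not code from the book or from Microsoft, and the resource group, names, address ranges and the on-premises public IP are placeholders.

```powershell
# Added example (not from the book): building the Azure side of a site-to-site
# VPN with the AzureRM cmdlets. Names, address ranges and the on-premises
# public IP (203.0.113.10, a documentation address) are placeholders.
$rg       = "RG-Prod"
$location = "East US"
$vnetName = "VNet-Prod"

# 1. Add the gateway subnet to the existing virtual network. The name
#    "GatewaySubnet" is mandatory; Azure places the managed gateway VMs here.
$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" `
    -AddressPrefix "10.1.255.0/27" -VirtualNetwork $vnet
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$vnet     = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. Define the local network: the on-premises prefixes Azure should route into
#    the tunnel, and the public IP of your VPN device.
$localGw = New-AzureRmLocalNetworkGateway -Name "LNG-HQ" -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress "203.0.113.10" `
    -AddressPrefix @("192.168.0.0/16")

# 3. Create the Azure gateway (provisioning can take up to 45 minutes).
#    Standard is the ~100 Mbps tier; use -GatewaySku HighPerformance for 200 Mbps.
$pip = New-AzureRmPublicIpAddress -Name "PIP-VNetGw" -ResourceGroupName $rg `
    -Location $location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwipconfig" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vnetGw = New-AzureRmVirtualNetworkGateway -Name "VNetGw-Prod" -ResourceGroupName $rg `
    -Location $location -IpConfigurations $ipconf -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku Standard

# 4. Create the IPsec connection. The pre-shared key must match the one set on
#    the on-premises device; prompt for it rather than storing it in the script.
$psk = Read-Host -Prompt "Pre-shared key for the IPsec tunnel"
New-AzureRmVirtualNetworkGatewayConnection -Name "Conn-HQ" -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $vnetGw -LocalNetworkGateway2 $localGw `
    -ConnectionType IPsec -SharedKey $psk

# The Azure gateway's public IP, which the on-premises device needs as its peer.
(Get-AzureRmPublicIpAddress -Name "PIP-VNetGw" -ResourceGroupName $rg).IpAddress
```

After the connection is created, Get-AzureRmVirtualNetworkGatewayConnection shows the ConnectionStatus, which should move to Connected once the on-premises device is configured.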
The standard VPN gateway has a theoretical maximum speed of 100Mbps, but I’ve never seen an implementation reach higher than 80Mbps. This is not a connectivity limitation; rather, on the Azure side, a pair of VMs is used in an active-passive configuration. These VMs are single-core VMs, and IPsec is computationally expensive, so the CPU maxes out, and this is where the bandwidth maximum originates. There is also a High-Performance gateway option, which increases the throughput to 200Mbps by leveraging bigger VMs. It is possible to connect a gateway to multiple on-premises locations and/or multiple other virtual networks, but there is only one gateway per virtual network, which means that when multiple partners are added, they share the throughput. If 10 site-to-site partnerships are created for a single gateway, each VPN would have only 8Mbps of bandwidth if all were running at maximum capacity. This may change in the future, but at the time of this writing, one gateway per virtual network is a hard limit. For a basic gateway, 10 is the maximum number of IPsec tunnels, and for a high-performance gateway, 30 is the maximum.
The site-to-site VPN is a good first step to establish connectivity between on-premises and the Azure virtual network, and it makes Azure an extension of your datacenter. Nevertheless, there are challenges with the site-to-site VPN, including the following:
• The maximum available bandwidths may not be fast enough.
• The latency can be high and unpredictable, because the connection is over the Internet, the actual route the packets take changes, and the equipment between your location and the Azure datacenter is unknown.
• The connection is over the Internet, which, although secure through the use of IPsec, is still a challenge for some organizations due to compliance requirements.
• Only services in a virtual network can be accessed over the connection, and not other services such as Azure Storage.
To address these challenges, Microsoft also offers an ExpressRoute connectivity
option. ExpressRoute offers a private layer 3 connection between an organization’s