virtual network gateway- VPN type?

Donald Muncy

I started creating a route-based VPN today. After building the virtual gateway, someone tells me that a policy-based VPN connection is better.
When creating a virtual network gateway, is it best to use a route-based or policy-based VPN?

When I select policy-based VPN, I see a pop-up stating that the policy-based VPN is only compatible with IKEv1, and the only SKU choice I have is basic. The public IP address automatically switches to dynamic and is grayed out.

Looking at the gateway SKU table, I see that the basic SKU is limited to 100 Mbps. I do not appear to have the option to select a static IP when I create a VPN gateway using policy-based routing. Do I need to create a static public IP before creating the policy-based VPN so I can choose to use the existing public IP?

Could a route-based VPN gateway with a custom IPsec/IKE policy perform similarly to a policy-based VPN gateway?

I have read:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-download-vpndevicescript
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

Adam Gordon

@Donald-Muncy , I hope all is well. Lets start with some basics about both Route based & Policy based VPNs...

ROUTE-based VPN (Sometimes called Dynamic Routing):

Allows for multiple VPNs via a single vNet Gateway. This is critical if you want to set up a VPN-based mesh topology in Azure or to/from multiple on-premise sites.

Requires supported edge device.

Built-in Active-Active redundant VPN possible. This is critical for redundancy.

Can perform VPN Diagnostics in Azure.

POLICY-based VPN (Sometimes called Static Routing):

Only allows a single S2S VPN connection, either with an on-premise firewall or with another vNet in Azure. No S2S mesh-type topologies possible. (Although vNet peering is an option, but only within Azure. Your vNet Gateway can still only connect to a single on-premise endpoint.)

Just about every firewall supports policy-based VPNs.

Active-Active VPN not possible. No redundancy.

Cannot perform VPN Diagnostics in Azure.

In terms of which one is better, it depends on what the need(s) that you are addressing is/are, and what the architecture calls for as a result, taking into account the potential for growth across the solution over time, and therefore flexibility from the beginning if at all possible.

Take a look at the following, as it provides a good overview of both soloutions:

Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

This will also provide some context and good basic information fr you:

About cryptographic requirements and Azure VPN gateways:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto

There are defrinately limitations depending on which direction you choose to go, but traditionally, while route based VPNs are a bit harder to setup, they are a better choice if you are able to use them and you have edge devices that will support them.

Good Luck !!!

Cheers,

Adam