Azure supports different types of VPNs. Site-to-Site, Point-to-Site, and VNet-to-VNet are the three types of VPNs that can be configured in Azure.
Introduction
Azure supports the following VPN types:
Point-to-Site (P2S): A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. P2S connections are used when you need to connect to your VNet from a remote location, such as from home, a hotel, or an airport.
A P2S connection requires the following:
* A dynamic or static public IP address for the client computer.
* A client certificate that authenticates the client to the VPN gateway. Client certificates are generated and installed locally on each client computer. For more information, see Configure certificates for point-to-site connections.
* If you use Azure AD Authentication, you also need to configure Azure AD in order to connect to the VNet using P2S connections with SSTP or IKEv2/IPSec protocols. The following authentication types can be configured for Azure AD authentication:
o Certificate authentication
o Radius authentication
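The certificate requirement above (a client certificate issued from a root the gateway trusts, installed on each client) is the part most often done by hand. The following is an added example, not code from the original post, showing the full lifecycle with Windows PowerShell's New-SelfSignedCertificate and the Az.Network module: create a root, issue a per-client certificate from it, upload only the root's public data to the gateway, and revoke a single client by thumbprint. The resource group, gateway and certificate names are placeholders.

```powershell
# Added example (not from the original post): certificate-based P2S authentication.
# Requires the Az module and an existing VPN gateway; names below are placeholders.

# 1. Self-signed root. Only its PUBLIC data goes to Azure; the private key can
#    mint client certificates, so keep it on an offline/admin-only workstation.
$rootParams = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SRootCert'          # placeholder name
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyUsage          = 'CertSign'
    KeyUsageProperty  = 'Sign'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$root = New-SelfSignedCertificate @rootParams

# 2. One client certificate per user or device, signed by the root, so a single
#    client can later be revoked without touching anyone else. The TextExtension
#    sets Extended Key Usage = Client Authentication (OID 1.3.6.1.5.5.7.3.2).
$clientParams = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SChildCert'         # placeholder name
    DnsName           = 'P2SChildCert'
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(12)  # shorter life than the root
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Signer            = $root
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}
$client = New-SelfSignedCertificate @clientParams

# 3. Upload the root's public data (base64 DER, no private key) to the gateway.
$rootPublic = [System.Convert]::ToBase64String($root.RawData)
Add-AzVpnClientRootCertificate -ResourceGroupName 'TestRG1' `
    -VirtualNetworkGatewayName 'VNet1GW' `
    -VpnClientRootCertificateName 'P2SRootCert' `
    -PublicCertData $rootPublic

# 4. Revocation when a client certificate is lost or its user leaves: block that
#    one thumbprint on the gateway instead of re-issuing the root to everyone.
Add-AzVpnClientRevokedCertificate -ResourceGroupName 'TestRG1' `
    -VirtualNetworkGatewayName 'VNet1GW' `
    -VpnClientRevokedCertificateName 'P2SChildCert-revoked' `
    -Thumbprint $client.Thumbprint

# 5. Check what the gateway now trusts and blocks.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName 'TestRG1' -Name 'VNet1GW'
$gw.VpnClientConfiguration.VpnClientRootCertificates    | Select-Object Name
$gw.VpnClientConfiguration.VpnClientRevokedCertificates | Select-Object Name, Thumbprint
```

The client certificate (with its private key) is then exported as a .pfx and installed on that user's machine; the root's private key never leaves the issuing workstation, and the gateway only ever holds the root's public half plus the revocation list.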
Point-to-Site VPN
Point-to-Site VPN is a remote access VPN connection that lets you connect to your VNet from anywhere in the world, using Secure Socket Tunneling Protocol (SSTP) encapsulated in an SSL/TLS session. You can use Point-to-Site VPNs to establish secure connections with your on-premises network or VNet without having to use a public-facing IPv4 address for each VPN client.
There are three types of Point-to-Site VPNs:
1. SSTP VPN: Uses SSL/TLS protocols and Internet Key Exchange version 2 (IKEv2) for key management to provide an encrypted and secure connection between an on-premises network and an Azure VNet. Requires installation of a VPN client on individual client machines. Supported on Windows 10, 8.1, 7, and Windows Server 2012 R2 or later versions. The SSTP-based Point-to-Site VPN gateway uses common Public Key Infrastructure (PKI) certificates to authenticate the connecting clients through the IKEv2 (Internet Key Exchange version 2) protocol for a mutually authenticated, symmetrically encrypted connection using Transport Layer Security (TLS) encryption with Perfect Forward Secrecy (PFS). For additional security hardening, require strong cryptographic algorithms, such as SHA256 or greater for authentication and key exchange, AES256 or greater for data encryption, and DH group 14 or greater for the PFS key exchange. These settings are the current defaults used by the Azure Point-to-Site gateway and cannot be changed by customers. For more information about how to use these settings in Azure Policy, see Require strong cryptography algorithms for SSTP-based Point-to-Site connections.
2. IKEv2 VPN: Uses Internet Protocol Security (IPsec) protocols and Internet Key Exchange version 2 (IKEv2) for key management to provide encrypted traffic between an on-premises network and an Azure VNet. Requires installation of a VPN client on individual client machines. Supported on Windows 10 Enterprise and Education SKUs, Windows Server 2016 and 2019, and version 1709 of Windows Server 2016 Datacenter; can be enabled using PowerShell. The IKEv2-based Point-to-Site VPN gateway uses common Public Key Infrastructure (PKI) certificates to authenticate the connecting clients through the IKEv2 protocol for a mutually authenticated, symmetrically encrypted connection using Transport Layer Security (TLS) encryption with Perfect Forward Secrecy (PFS). For additional security hardening, require strong cryptographic algorithms, such as SHA256 or greater for authentication and key exchange, AES256 or greater for data encryption, and DH group 24 or greater for the PFS key exchange. These settings are not currently supported by Azure Policy but may be in future releases.
3. RADIUS Authentication: Uses a Remote Authentication Dial-In User Service (RADIUS) server configured with industry-standard protocols (Packet Origination Authorization Protocol (POAP), EAPoL (Extensible Authentication Protocol over LAN), MS-CHAP v2) for user authentication before accessing Azure VNet resources through an SSTP tunneled connection. Requires installation of the Network Policy Server role service on Windows Server 2012 R2 Datacenter edition or later versions, followed by creation of network policies that define the conditions under which users are allowed or denied access to the network. Supported only on NPS servers deployed in HA pairs using failover clustering or NLB. The RADIUS authentication-based Point-to-Site connection uses the industry-standard 802.1X supplicant/authenticator model, where a user or machine is authenticated against an Identity Provider (IdP), such as Active Directory Domain Services (AD DS), using credentials like username/password before accessing Azure VNet resources through an SSTP tunneled connection. For more information about configuring a RADIUS authentication-based Point-to-Site gateway, see Configure RADIUS Authentication.
Site-to-Site VPN
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located at each site, with two VPN devices necessary for each cloud-based virtual network you want to connect to. Site-to-Site connections can be used to connect Azure Virtual Networks over the Internet, eliminating the need for expensive, private cross-premises connectivity.
ExpressRoute
ExpressRoute is a private connection that you can use to connect your on-premises network to Azure. With ExpressRoute, you can create high-bandwidth, low-latency, private connections between your network and Azure. You can use ExpressRoute to connect your datacenter to Azure, or connect your office network to Azure.
Conclusion
When you deploy a VPN gateway, you must first decide which VPN type you want to deploy. Azure supports the following VPN types:
– Point-to-Site (P2S): A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. P2S is deployed when you need to connect individual clients, such as employees or contractors, to a VNet. This type of connection does not require a VPN device or a public-facing IP address.
– S2S: Site-to-Site (S2S) connections are the classic connectivity model for bridging remote locations and your main site. S2S connections can be used for cross-premises and hybrid configurations. When using S2S connections, IT Pros configure each on-premises VPN device with the settings required for the Azure Virtual Network Gateway. These settings include a shared key (IKE phase 1 policy), authentication method (IKE phase 2 policy), and other options like encryption, hashing algorithms, and Diffie-Hellman group settings.
If you have more than one on-premises location, you can connect them using multiple S2S VPN tunnels. You do not need to deploy separate gateways for each on-premises location unless there is a business or technical reason to do so. We recommend that you allow Azure to automatically generate new IP addresses for the gateways at each location to avoid address conflicts that might occur if you manually configure static IP addresses.
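The two paragraphs above describe the S2S settings an on-premises device and the Azure gateway must agree on (shared key, IKE proposals, encryption, hashing, DH group) and the one-gateway, many-tunnels layout for several locations. The following is an added example, not code from the original post, that does both with the Az.Network module: one existing Azure VPN gateway, one local network gateway and one connection per site, all pinned to a custom IPsec/IKE policy that meets the hardening floor stated earlier on this page (SHA256, AES256, DH group 14 with PFS) rather than the gateway's default proposal set. Resource names, the Key Vault secret names, device IPs and address prefixes are all placeholders.

```powershell
# Added example (not from the original post): S2S tunnels with a custom IPsec/IKE
# policy. Requires the Az module and an existing RouteBased VPN gateway.
$rg       = 'TestRG1'    # placeholder resource group
$gwName   = 'VNet1GW'    # placeholder Azure VPN gateway
$location = 'eastus'

# On-premises sites: public IP of each VPN device and the prefixes behind it.
# 203.0.113.0/24 is an RFC 5737 documentation range, used here as a placeholder.
$sites = @(
    @{ Name = 'Site1'; DeviceIp = '203.0.113.10'; Prefixes = @('10.10.0.0/16') }
    @{ Name = 'Site2'; DeviceIp = '203.0.113.20'; Prefixes = @('10.20.0.0/16') }
)

# IKE phase 1 (IkeEncryption/IkeIntegrity/DhGroup) and phase 2
# (IpsecEncryption/IpsecIntegrity/PfsGroup) proposals. PFS2048 is DH group 14.
# The identical proposal must be configured on every on-premises device.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$vnetGw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName

foreach ($site in $sites) {
    # A local network gateway is Azure's description of the remote device/site.
    $lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Name $site.Name `
        -Location $location -GatewayIpAddress $site.DeviceIp `
        -AddressPrefix $site.Prefixes

    # Per-site pre-shared key read from Key Vault (placeholder vault/secret names)
    # so no key is hard-coded in the script or left in shell history.
    $psk = Get-AzKeyVaultSecret -VaultName 'kv-vpn-placeholder' `
        -Name "psk-$($site.Name)" -AsPlainText

    New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg `
        -Name "$gwName-to-$($site.Name)" -Location $location `
        -VirtualNetworkGateway1 $vnetGw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $psk -IpsecPolicies $ipsecPolicy | Out-Null
}

# Verification: every connection on this gateway should report the custom policy
# (an empty IpsecPolicies list means the default proposal set is in use) and a
# ConnectionStatus of Connected once the on-premises device side is configured.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object { $_.VirtualNetworkGateway1.Id -eq $vnetGw.Id } |
    ForEach-Object {
        [pscustomobject]@{
            Connection = $_.Name
            Status     = $_.ConnectionStatus
            Ike        = ($_.IpsecPolicies | ForEach-Object {
                             "$($_.IkeEncryption)/$($_.IkeIntegrity)/$($_.DhGroup)" })
            Ipsec      = ($_.IpsecPolicies | ForEach-Object {
                             "$($_.IpsecEncryption)/$($_.IpsecIntegrity)/$($_.PfsGroup)" })
        }
    } | Format-Table -AutoSize
```

Pinning the policy on the Azure side matters because, without -IpsecPolicies, the gateway negotiates from its default proposal list and the weakest proposal the on-premises device offers can win; the final table is the check that each tunnel is actually running the intended algorithms.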
Azure also offers these additional types of VPN gateway connections:
VNet peering: You can connect VNets without deploying gateways by using VNet peering. For more information about VNet peering, see What is VNet peering?
ExpressRoute circuits: You can establish private connectivity from your on-premises network to your Microsoft Cloud resources without going over the public Internet by using ExpressRoute circuits. For more information about ExpressRoute circuits and how they differ from site-to-site VPNs, see ExpressRoute overview and FAQs.