Virtual network gateway - VPN type?
I started creating a route-based VPN today. After building the virtual gateway, someone tells me that a policy-based VPN connection is better.
When creating a virtual network gateway, is it best to use a route-based or policy-based VPN?

When I select policy-based VPN, I see a pop-up stating that the policy-based VPN is only compatible with IKEv1, and the only SKU choice I have is Basic. The public IP address automatically switches to dynamic and is grayed out.
Looking at the gateway SKU table, I see that the basic SKU is limited to 100 Mbps. I do not appear to have the option to select a static IP when I create a VPN gateway using policy-based routing. Do I need to create a static public IP before creating the policy-based VPN so I can choose to use the existing public IP?
Could a route-based VPN gateway with a custom IPsec/IKE policy perform similarly to a policy-based VPN gateway?
I have read:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-download-vpndevicescript
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
@Donald-Muncy , I hope all is well. Let's start with some basics about both route-based & policy-based VPNs...
ROUTE-based VPN (Sometimes called Dynamic Routing):
Allows for multiple VPNs via a single vNet Gateway. This is critical if you want to set up a VPN-based mesh topology in Azure or to/from multiple on-premises sites.
Requires supported edge device.
Built-in Active-Active redundant VPN possible. This is critical for redundancy.
Can perform VPN Diagnostics in Azure.
POLICY-based VPN (Sometimes called Static Routing):
Only allows a single S2S VPN connection, either with an on-premises firewall or with another vNet in Azure. No S2S mesh-type topologies possible. (vNet peering is an option, but only within Azure. Your vNet Gateway can still only connect to a single on-premises endpoint.)
Just about every firewall supports policy-based VPNs.
Active-Active VPN not possible. No redundancy.
Cannot perform VPN Diagnostics in Azure.
In terms of which one is better, it depends on the need(s) you are addressing and what the architecture calls for as a result, taking into account the potential for growth across the solution over time, and therefore the flexibility you build in from the beginning, if at all possible.
Take a look at the following, as it provides a good overview of both solutions:
Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
This will also provide some context and good basic information for you:
About cryptographic requirements and Azure VPN gateways:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto
There are definitely limitations depending on which direction you choose to go, but traditionally, while route-based VPNs are a bit harder to set up, they are a better choice if you are able to use them and you have edge devices that will support them.
Good Luck !!!
Cheers,
Adam
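The question above asks two things the answer only points at by link: whether a static public IP has to exist before the gateway is built, and whether a route-based gateway with a custom IPsec/IKE policy can stand in for a policy-based one. The following Az PowerShell script is an added example, not code from the original thread or from Microsoft's documentation. It builds a route-based gateway on a pre-created Standard-SKU static public IP (the Basic SKU, the only SKU offered for a policy-based gateway, takes dynamic IPs only), then connects an on-premises policy-based device through a custom IPsec/IKE policy with policy-based traffic selectors. Resource names, address prefixes, the peer IP and the VpnGw1 SKU are all assumptions; any non-Basic SKU works.

```powershell
# Added example (not from the original post or from Microsoft docs): build a
# ROUTE-based VPN gateway with a static public IP, then attach an on-premises
# policy-based device using a custom IPsec/IKE policy with policy-based traffic
# selectors. All names, prefixes and the peer IP below are assumptions.
# Requires the Az module and an authenticated session (Connect-AzAccount).

$rg  = "rg-vpn-example"
$loc = "eastus"
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# 1. VNet with the mandatory GatewaySubnet (/27 or larger leaves room for growth).
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-app" -AddressPrefix "10.10.1.0/24"
$vnet = New-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg -Location $loc `
    -AddressPrefix "10.10.0.0/16" -Subnet $gwSubnet, $appSubnet

# 2. Static public IP, created before the gateway. A Basic-SKU gateway only
#    accepts a dynamic IP; VpnGw1 and above take a Standard-SKU static IP.
$pip = New-AzPublicIpAddress -Name "pip-vpngw-hub" -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard

# 3. Route-based gateway. VpnGw1 is an assumption; any non-Basic SKU works here.
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name "gw-ipconf" -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 4. Local network gateway = the on-premises policy-based firewall. Peer IP and
#    prefixes are placeholders (RFC 5737 / RFC 1918 ranges).
$lng = New-AzLocalNetworkGateway -Name "lng-branch1" -ResourceGroupName $rg -Location $loc `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix @("192.168.10.0/24", "192.168.20.0/24")

# 5. Custom IPsec/IKE policy. Choose the proposal explicitly instead of relying on
#    the default set; GCM encryption must be paired with the same GCM integrity value.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 6. The connection. -UsePolicyBasedTrafficSelectors makes the route-based gateway
#    negotiate prefix-to-prefix traffic selectors (one SA per VNet/on-prem prefix pair)
#    instead of 0.0.0.0/0 <-> 0.0.0.0/0, which is what a policy-based device expects.
#    The tunnel is still IKEv2, so the peer must speak IKEv2 and list matching prefixes.
$psk = Read-Host -Prompt "Pre-shared key for branch1"   # never hard-code the PSK in a script
New-AzVirtualNetworkGatewayConnection -Name "conn-branch1" -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -IpsecPolicies $ipsecPolicy -UsePolicyBasedTrafficSelectors $true -SharedKey $psk | Out-Null

# 7. Verify what was actually applied; repeat steps 4 and 6 for each additional site,
#    which a Basic policy-based gateway could not do.
$check = Get-AzVirtualNetworkGatewayConnection -Name "conn-branch1" -ResourceGroupName $rg
$check.UsePolicyBasedTrafficSelectors
$check.IpsecPolicies | Format-List
$check.ConnectionStatus
```

Two practical caveats when using this pattern: the traffic selectors are derived from the VNet address space and the local network gateway's AddressPrefix list, so every prefix pair you expect to carry traffic must also be configured as a matching policy on the on-premises device, and the cipher suite in step 5 has to be accepted by that device or IKE negotiation fails before any selector is exchanged.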