What is VPN?
The abbreviation VPN stands for Virtual Private Network, which provides an encrypted tunnel between two devices. On one side there is always a VPN server, in this case Azure VPN.
means that the other side is a client computer (e.g. laptop, tablet, smartphone). This is called a point-to-site VPN or P2S in short. In this case, the VPN software is installed on each client.
is used when it comes to connecting corporate sites, it is easier to connect corporate router with Azure VPN. All devices that connect to the Internet through this router are also connected to the VPN network.
Both sides of a VPN usually contain networks, so it is also called site-to-site VPN or S2S for short.
If for the client is set VPN server as a gateway, then internet browsing will also take place with this 'foreign' IP. This is a popular method to surf 'allegedly anonymously' (more so in private). For companies, the VPN is usually configured so that Internet surfing is local (faster) and only the target network is routed via VPN.
Azure VPN Properties
Azure VPN can use one of the following protocols:
- OpenVPN is an SSL/TLS based VPN protocol. It can use TCP port 443 and thus pass firewalls, as firewalls are opened for this port. OpenVPN is widely used and available for Windows, Linux, Mac-OS, iOS, Android.
- SSTP (Secure Socket Tunneling Protocol) uses TCP port 443 like OpenVPN, but SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).
- IKEv2 is a standards-based IPsec VPN solution. IKEv2-VPN can be used to connect Windows and macOS devices, and for many other firewalls for S2S VPN.
Azure-AD or (on-prem) Windows-AD can be used for authentication. As seen in the image above, a Radius server is required for the on-prem network.
In case a network exists on the Azure VPN side, like VNET1 with 10.10.0.0/16 in the picture on the left, the VPN connection automatically exists to this Azure network as well. You can find more information about VPN under Microsoft Docs
OpenVPN and MFA
If you want users to be prompted for a second factor authentication before access is granted, you can configure Azure AD Multi-Factor Authentication (MFA).
You can configure MFA on a per-user basis or for all users, preferably through Azure Conditional Access. Conditional Access can also be configured individually so that MFA is required for a Specific User Group while exempting another group.
Azure VPN Cost
If your company can deal with up to 128 Windows 10 computers, up to 10 company locations and with a total throughput of 100 Mbps, then Azure VPN Basic at 22 EUR per month is all you need.
Be aware that Azure VPN Basic has further protocol restrictions, SSTP is only usable for Windows 10 and IKEv2 only for S2S VPN.
The next bigger Azure VPN is VpnGw1 and costs EUR 117 per month with a throughput of 650 Mbps. VpnGw1 offers 256 P2S tunnels for OpenVPN or IKEv2, another 128 P2S tunnels for SSTP and 30 S2S tunnels for IKEv2.
For more information about other VPN versions (SKUs) and pricing, see. Azure VPN calculator
Support for Azure VPN
We support if you don't have a VPN or your existing VPN is unreliable, costly, user-unfriendly or offers too low throughput. We can also temporarily set up a VPN environment so you can test usability and throughput.
We have been delivering P2S and S2S VPN solutions with Linux RouterOS, Ubiquiti EdgeRouter, pfSense and OPNsense for more than 10 years. Cost effective and high performance hardware that we often use as a gateway to Azure VPN.
An S2S VPN to Azure VPN can also be implemented with other firewall hardware, see the Microsoft compatibility list
There are also other individual options that can be considered for your company. If you need support to plan, implement or troubleshoot an Azure VPN, please write to us, you can use the contact form below.