Implementing Azure: Putting Modern DevOps to Use

Azure VPN gateways

Azure VPN gateways are, put simply, the core routers and firewalls within your Azure environment.

An Azure gateway can serve different purposes:

  • Internet gateway
  • Site-to-site VPN gateway
  • Point-to-site VPN gateway
  • ExpressRoute gateway
  • VNet-to-VNet gateway
We won't be able to cover the deployments of point-to-site VPN gateways in this book but you can find a detailed guide in the Microsoft documentation at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-point-to-site-rm-ps/.

The following screenshot shows the Azure service you need to look for when you want to implement an Azure VPN gateway:

Every VNet can have at least one VPN gateway. VPN gateways are available in different service offerings with different features and available services.

The following table shows a short summary:

Since Ignite 2018, Microsoft has extended its offering around network gateways. To address customer needs for better SLAs on gateways, it started to offer zone-redundant virtual network gateways for ExpressRoute and VPN. Those gateways are placed into different Azure data centers with separate power supply, cooling, and data center environments, which protects them from the outage or failure of a single data center. Those gateways are marked with AZ in the SKU friendly name.

The following diagram shows how the basic VPN gateway is connected to your Azure network:

With the standard or performance gateway it would look like the following diagram:

When you start the setup of a gateway, you need to decide what kind of gateway you want to deploy. The basic offering can be deployed via Azure GUI; for the other offerings, you need to do some PowerShell. The following screenshot shows the GUI version:

Depending on your WAN solution, you choose either VPN or ExpressRoute. For ExpressRoute, you need an MPLS solution in place. I will explain that later. For the VPN solution, you need to decide between a route-based or policy-based VPN, which means deciding whether you want dynamic routing with IPsec IKEv2 or static routing with IPsec IKEv1.

The decision as to which VPN type you need must be made based on your on-premises VPN device. Not every device can speak route-based VPN. Microsoft has published a list of supported devices; you can find it at https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/.
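The following is an added example, not code from the book: it deploys a route-based (IKEv2) VPN gateway with a zone-redundant AZ SKU using the Az PowerShell module and then verifies the result. The resource group, region, VNet name, address spaces and gateway name are assumptions.

```powershell
# Added example (not from the book): zone-redundant, route-based VPN gateway via Az PowerShell.
# Names, region and address prefixes below are assumed placeholders; adjust them to your landing zone.
$rg       = 'rg-hub-demo'          # assumed resource group
$location = 'westeurope'           # assumed region that offers availability zones
$vnetName = 'vnet-hub'             # assumed hub VNet name
$gwName   = 'vgw-hub'              # assumed gateway name

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# The gateway subnet must be named exactly 'GatewaySubnet'; /27 leaves room for later SKU changes.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.0.0.0/16' -Subnet $gwSubnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# AZ SKUs require a Standard-SKU, statically allocated public IP (zone-redundant when no zone is pinned).
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg -Location $location `
            -Sku Standard -AllocationMethod Static

$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
              -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# RouteBased = dynamic routing over IPsec IKEv2; PolicyBased (IKEv1) is kept only for legacy devices.
New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ | Out-Null

# Verify the deployed gateway matches the intended design before any site is connected to it.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.VpnType -ne 'RouteBased' -or $gw.Sku.Name -notlike '*AZ') {
    throw "Gateway $gwName is $($gw.VpnType) / $($gw.Sku.Name); expected RouteBased with an AZ SKU."
}
"Gateway $gwName deployed: VpnType=$($gw.VpnType) SKU=$($gw.Sku.Name)"
```

Gateway creation typically takes 30 to 45 minutes, so run this from a session that can wait for New-AzVirtualNetworkGateway to return.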

There are also some more additional requirements you need to think of when choosing your VPN gateway in Azure. The following table shows you those provided by Microsoft:

In summary, you can basically have the following gateway configurations:

  • The policy-based basic VPN gateway with site-to-site VPN is shown in the following diagram:
Looking at current WAN developments and most customer infrastructures, a policy-based VPN gateway should only be used if there is absolutely no other option. Most enterprise-grade firewalls are able to work with route-based VPN. Otherwise, you can switch to a virtual network device in Azure. The following link leads to a list of devices with information about their available VPN options: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices.
  • Route-based standard VPN gateway with ExpressRoute is shown in the following diagram:
  • Route-based basic VPN gateway with a site-to-site VPN and point-to-site VPN, or a route-based standard or performance VPN gateway with a site-to-site VPN and point-to-site VPN, is shown in the following diagram:
  • Route-based standard or performance VPN gateway with site-to-site VPN or ExpressRoute is shown in the following diagram:
  • Route-based standard or performance VPN gateway with a site-to-site VPN and ExpressRoute:

Later in the chapter, you will learn how to configure a VPN gateway with ExpressRoute and a basic VPN with a site-to-site VPN and how to upgrade that VPN to standard or performance. You will also learn what you need to do to implement a point-to-site VPN.