Ends in

Get up to $10 DISCOUNT on our AWS Solutions Architect Associate Reviewers!

Azure VPN Gateway

  • A secured hybrid cloud architecture.
  • It is composed of gateway subnet, tunnel, and on-premises gateway.
  • Protocols: Internet Protocol Security (IPsec) and Internet Key Exchange (IKE)
  • VPN gateway connections: VNet-to-VNet, Site-to-Site, and Point-to-Site
    • Create a secure connection from your on-premises network to an Azure virtual network with a site-to-site VPN.
    • VNet-to-VNet connection automatically routes to the updated address space, if you updated the address space on the other VNet.
    • If you need to establish a connection to your virtual network from a remote location, you can use a point-to-site (P2S) VPN.
  • You can also have one VPN gateway with more than one on-premises network using a Multi-Site connection.


  • Policy-based gateway
    • Implements a policy-based VPN.
    • Policy-based VPNs are used to encrypt and direct packets to IPsec tunnels. 
    • The policy or traffic selector is defined as an access list in the VPN configuration.
    • You cannot change a policy-based VPN to a route-based VPN, and vice versa. 
  • Tutorials dojo strip
  • Route-based gateway
    • Implements a route-based VPN.
    • Route-based VPNs use routes in the routing table to direct packets to tunnel interfaces.
    • Tunnel interfaces can encrypt and decrypt packets.
    • The policy or traffic selector are configured as wild cards (any-to-any).

Connection Resiliency

  • In an active-active configuration, each Azure VPN gateway instance will establish S2S VPN tunnels and the traffic will be routed to multiple tunnels.
  • For active-passive configuration, the standby instance would only take over if a disruption happens on the active instance.




Supported Services

Cloud Services and Virtual Machines

Cloud Services and Virtual Machines


Typically < 1 Gbps aggregate

Based on the gateway SKU



Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec


We support PolicyBased (static routing) and RouteBased (dynamic routing VPN)

RouteBased (dynamic)

Connection resiliency

active-passive or active-active


Use case

Dev / test / lab scenarios and small scale production workloads for cloud services and virtual machines

Prototyping, dev / test / lab scenarios for cloud services and virtual machines


  • You are billed hourly for the compute costs of the VNet gateway.
  • You are charged for the egress data transfer from the virtual network gateway.
  • You are only charged by the VPN Gateway when you transfer data between two different regions, except with Point-to-Site VPN.

Want to learn more about Azure? Watch the official Microsoft Azure YouTube channel’s video series called Azure Tips and Tricks.

Validate Your Knowledge

Question 1

Question Type: Single-choice

Your company is planning to migrate some of its servers to Azure. You need to recommend a solution wherein users can work remotely by having a secure connection to your Azure virtual machines.

What should you include in the recommendation?

  1. ExpressRoute
  2. Point-to-Site VPN Connection
  3. Site-to-Site VPN Connection
  4. Traffic Manager

Correct Answer: 2

Point-to-Site (P2S) VPN connection allows you to create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client’s computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

As part of the Point-to-Site configuration, you install a certificate and a VPN client configuration package, which contains the settings that allow your computer to connect to any virtual machine or role instance within the virtual network.

Hence, the correct answer is: Point-to-Site VPN connection.

ExpressRoute is incorrect because this service simply lets you create private connections between Azure datacenters and infrastructure that’s on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet and offer better reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet. You cannot use this to provide a secure connection to your virtual machines from a user working remotely.

Site-to-Site VPN Connection is incorrect because this is simply used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

Traffic Manager is incorrect because this is primarily a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness.



Note: This question was extracted from our AZ-900 Microsoft Azure Fundamentals Practice Exams.

Question 2

Question Type: Multiple-choice

Your company is currently hosting a mission-critical application in an Azure virtual machine that resides in a virtual network named TDVnet1. You plan to use Azure ExpressRoute to allow the web applications to connect to the on-premises network.

Due to compliance requirements, you need to ensure that in the event your ExpressRoute fails, the connectivity between TDVnet1 and your on-premises network will remain available.

The solution must utilize a site-to-site VPN between TDVnet1 and the on-premises network. The solution should also be cost-effective.

Which three actions should you implement? Each correct answer presents part of the solution.

  1. Configure a gateway subnet.
  2. Configure a VPN gateway with VpnGw1 as its SKU.
  3. Configure a VPN gateway with Basic as its SKU.
  4. Configure a local network gateway.
  5. Configure a connection.

Correct Answer: 2, 4, 5

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

AWS Exam Readiness Courses

A site-to-site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:

– You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute.

– Alternatively, you can use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute.

To create a site-to-site connection, you need to do the following:

– Provision a virtual network

– Provision a VPN gateway

– Provision a local network gateway

– Provision a VPN connection

– Verify the connection

– Connect to a virtual machine

Take note that since you have already deployed an ExpressRoute, you do not need to create a virtual network and gateway subnet as these are prerequisites in creating an ExpressRoute.

Hence, the correct answers are:

– Configure a VPN gateway with a VpnGw1 SKU.

– Configure a local network gateway.

– Configure a connection.

The option that says: Configure a gateway subnet is incorrect. As you already have an ExpressRoute connecting to your on-premises network, this means that a gateway subnet is already provisioned.

The option that says: Configure a VPN gateway with Basic as its SKU is incorrect. Although one of the requirements is to minimize costs, the coexisting connection for ExpressRoute and site-to-site VPN connection does not support a Basic SKU. The bare minimum for a coexisting connection is VpnGw1.


Note: This question was extracted from our AZ-104 Microsoft Azure Administrator Practice Exams.

For more Azure practice exam questions with detailed explanations, check out the Tutorials Dojo Portal:

Microsoft Azure Practice Exams Tutorials Dojo


Tutorials Dojo portal

FREE AWS Exam Readiness Digital Courses

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?