VPN and ExpressRoute

Virtual Private Networks (VPNs) provide a secure connection for an endpoint or a site. An endpoint is a single device with the VPN client installed. A site is a location connected by a VPN device. Azure VPN Gateways support both Point-to-Site and Site-to-Site VPNs for supported devices.

Point-to-Site VPN

  • A Dynamic Routing (aka Route-based) VPN gateway is required
  • A Standard or High Performance VPN gateway may be provisioned
    • Standard = 80Mbps, 10 S2S Tunnels
    • High Performance = 200Mbps, 30 S2S Tunnels
  • A client certificate must be created and installed on VPN clients
  • A configuration package can be downloaded from Azure for client setup
  • VPN clients are assigned an IP address from the user configured range
  • Utilises the Secure Socket Tunneling Protocol (SSTP)

Site-to-Site VPN

  • A Static Routing (aka Policy-based) or Dynamic Routing VPN gateway is required
    • Some VPN devices only support Static Routing; however, this limits you to a single connection
  • Supported VPN devices are listed here
  • Provided Dynamic Routing is used, Site-to-Site and Point-to-Site VPNs can coexist
  • Multiple sites can be connected to a single VPN Gateway; this is known as a Multi-site VPN


ExpressRoute

  • ExpressRoute provides a reliable, resilient and private connection of up to 10 Gbps into the customer network
  • There are 2 ways to connect
    • Exchange Service Provider – up to 10 Gbps
    • Network Service Provider – up to 1 Gbps
  • Connections into Office 365 are also possible using ExpressRoute
  • ExpressRoute Fridays archived webinars and

vNet-to-vNet VPN

  • Connect 2 Azure Virtual Networks
  • Supports georedundancy and geopresence

Virtual Network Services

Virtual Networks on Azure are broken down into Address Spaces and Subnets:

  • Virtual Networks (VNets) provide network connectivity for Azure resources both internally and externally via a VPN Gateway.
  • Address spaces define the IP ranges in CIDR format which will be used within the VNet.
  • Subnets are defined within Address spaces, from which resources are assigned IP addresses.
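
An added example (not from the original notes) that checks a planned VNet layout before it is deployed: every subnet must fall inside the address space and subnets must not overlap. It also assumes, beyond what the notes state, that the Point-to-Site client range and any vNet-to-vNet peer must not overlap the address space; the plan names and ranges are constructed.

```python
import ipaddress

def check_vnet_plan(address_spaces, subnets, p2s_pool=None, peer_spaces=()):
    """Return a list of findings for a planned VNet; an empty list means clean."""
    spaces = [ipaddress.ip_network(s) for s in address_spaces]
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    findings = []

    # Each subnet must sit wholly inside one of the VNet's address spaces.
    for name, net in sorted(nets.items()):
        if not any(net.version == s.version and net.subnet_of(s) for s in spaces):
            findings.append(f"subnet {name} ({net}) is outside the address space")

    # Subnets must not overlap each other.
    names = sorted(nets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if nets[first].overlaps(nets[second]):
                findings.append(f"subnets {first} and {second} overlap")

    # Assumption (not stated in the notes): the Point-to-Site client range and
    # the address space of a VNet joined by vNet-to-vNet VPN must not overlap
    # this VNet, otherwise routing between them is ambiguous.
    others = [("P2S client range", p2s_pool)] if p2s_pool else []
    others += [("peer VNet", p) for p in peer_spaces]
    for label, cidr in others:
        other = ipaddress.ip_network(cidr)
        for s in spaces:
            if other.overlaps(s):
                findings.append(f"{label} {other} overlaps address space {s}")
    return findings

# Constructed sample plans (hypothetical names and ranges).
BAD_PLAN = dict(
    address_spaces=["10.1.0.0/16"],
    subnets={"FrontEnd": "10.1.0.0/24", "BackEnd": "10.1.0.128/25",
             "Gateway": "10.2.255.0/27"},
    p2s_pool="10.1.200.0/24",
    peer_spaces=["10.1.128.0/17"],
)
GOOD_PLAN = dict(
    address_spaces=["10.1.0.0/16"],
    subnets={"FrontEnd": "10.1.0.0/24", "BackEnd": "10.1.1.0/24",
             "Gateway": "10.1.255.0/27"},
    p2s_pool="172.16.201.0/24",
    peer_spaces=["10.2.0.0/16"],
)

if __name__ == "__main__":
    for finding in check_vnet_plan(**BAD_PLAN):
        print(finding)
```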

Virtual Machines have at least 2 IP addresses:

  • Virtual IP (VIP) is a public-facing IP address, dynamically assigned by default, though up to 20 (default subscription limit) can be reserved
  • Dynamic IP (DIP) is a private IP address, dynamically or statically assigned within a subnet

A third type of IP address also exists:

  • Instance-Level Public IP (IL-PIP) is assigned directly to a VM rather than the Cloud Service in which it resides; up to 5 (default subscription limit) can be assigned

Name resolution and DNS:

  • VMs on the same network can resolve each other using the DIP address
  • A DNS service is required for name resolution beyond this
  • Role instances within a Cloud Service are set as the name of the VM appended with a 2-digit role number, e.g. MyServer01, MyServer02, etc.
  • The DNS name of a Cloud Service will be cloudservicename.cloudapp.net
  • A custom domain can be associated with the Cloud Service using CNAME or A records

Access Control Lists (ACLs) and Network Security Groups (NSGs) control traffic.

  • VM Endpoints map a Public Port to a Private Port
  • RDP (TCP 3389) and SSH (TCP 22) are automatically set as endpoints for VMs
  • The Public Port is associated with the VIP assigned to the Azure Load Balancer
  • The Private Port is associated with the DIP assigned to the VM
  • ACLs are applied to Endpoints to control traffic
  • NSGs allow more granular rules to be defined to control traffic and can be associated with a VM or Subnet, whereas ACLs are associated with an Endpoint

The following resource is available as an aid when designing a network architecture on Azure:

Microsoft Cloud Networking for Enterprise Architects is available in PDF and Visio format on Microsoft TechNet.