Recently Microsoft introduced a new generation of VPN gateways that offer a 6-times better performance, reliability, and scalability at the same price. These features are highly beneficial for mission-critical workloads as well as for cross-premises and cross-region VPN performance. Re-engineered VPN gateway service is ultimately backed by an even stricter SLA.
Furthermore, in order to ensure control over the VPN policies to meet compliance regulations, custom IPsec/IKE policy selection is now available. That gives the required flexibility to choose the encryption policy. The new gateways also allow accommodating both route-based and policy-based VPNs. Even though it is easier to manage route-based VPNs with BGP, more and more customers switch to policy-based VPNs which allow for multiple sites to be connected to the same VPN gateway.
As the new VPN gateways, called VpnGw1, VpnGw2, and VpnGw3 are now released, it is strongly recommended to select or migrate to the new VPN Gateways that have a 99.95% SLA for production services. The existing basic VPN gateway is unchanged with the same 80-100 Mbps performance and a 99.9% SLA and should be used for development/testing only.
The new Azure VPN Gateways provide single tunnel performance of up to 1 Gbps and aggregate up to 1.25 Gbps with multiple tunnels. Enabling the active-active VPN gateway allows for even better performance with multiple flows. See the table below for comparison:
It has become a common practice to deploy an S2S VPN to connect branch offices to the same Azure VNet while the main corporate WAN is accessed via ExpressRoute.
New VPN Capabilities
Among the new features are improvements to VPN manageability:
Custom IPsec/IKE policy allows to set the exact cryptographic algorithms and key strengths on S2S or VNet-to-VNet connections:
Also, it is now possible to connect multiple on-premises policy-based VPN devices to an Azure VPN gateway utilizing the custom policy:
See the below articles to get started with the new VPN gateways: