Netreo is now BMC. Read theBlog

Improved performance in Azure VPN Gateways

By: Netreo
June 11, 2018

Recently Microsoft introduced a new generation of VPN gateways that offer a 6-times better performance, reliability, and scalability at the same price. These features are highly beneficial for mission-critical workloads as well as for cross-premises and cross-region VPN performance. Re-engineered VPN gateway service is ultimately backed by an even stricter SLA.

Furthermore, in order to ensure control over the VPN policies to meet compliance regulations, custom IPsec/IKE policy selection is now available. That gives the required flexibility to choose the encryption policy. The new gateways also allow accommodating both route-based and policy-based VPNs. Even though it is easier to manage route-based VPNs with BGP, more and more customers switch to policy-based VPNs which allow for multiple sites to be connected to the same VPN gateway.

As the new VPN gateways, called VpnGw1, VpnGw2, and VpnGw3 are now released, it is strongly recommended to select or migrate to the new VPN Gateways that have a 99.95% SLA for production services. The existing basic VPN gateway is unchanged with the same 80-100 Mbps performance and a 99.9% SLA and should be used for development/testing only.

Improved Performance

The new Azure VPN Gateways provide single tunnel performance of up to 1 Gbps and aggregate up to 1.25 Gbps with multiple tunnels. Enabling the active-active VPN gateway allows for even better performance with multiple flows. See the table below for comparison:

Improved performance in Azure VPN Gateways Table

It has become a common practice to deploy an S2S VPN to connect branch offices to the same Azure VNet while the main corporate WAN is accessed via ExpressRoute.

Express Route - Improved performance in Azure VPN Gateways

New VPN Capabilities

Among the new features are improvements to VPN manageability:

  • support for custom IPsec/IKE connection policies;
  • ability to connect multiple on-premises networks using policy-based firewall devices

Custom IPsec/IKE policy allows to set the exact cryptographic algorithms and key strengths on S2S or VNet-to-VNet connections:

Also, it is now possible to connect multiple on-premises policy-based VPN devices to an Azure VPN gateway utilizing the custom policy:

See the below articles to get started with the new VPN gateways:

About new VPN gateway SKUs & migration

Connect multiple policy-based VPN devices to Azure VPN gateway

About cryptographic requirements and Azure VPN gateways

Find out how Netreo can help with all Azure monitoring needs. Request a Demo Today

Ready to get started?

Get in touch or schedule a demo

Get Started Learn More