At TechEd Europe 2014, we announced several improvements to the Azure Virtual Network Gateway:
- High Performance gateway SKU
- Operation logs for Azure Virtual Network Gateways
- Support for PFS (Perfect Forward Secrecy)
- Support for No Encryption option for S2S tunnels
We will provide an overview of each new capability, and also the instructions for using these features.
Azure Virtual Network Gateway serves as the cross premises gateway connecting your workloads in Azure Virtual Network to your on premises sites. It is required to connect to on premises sites through IPsec S2S VPN tunnels, or through ExpressRoute circuits. For IPsec/IKE VPN tunnels, the gateways perform IKE handshakes, and establish the IPsec S2S VPN tunnels between the Virtual Networks and on premises sites. For ExpressRoute, the gateways advertise the prefixes in your virtual networks via the peering circuits, and also forward packets from your ExpressRoute circuits to your VMs inside your virtual networks.
High Performance Gateway
To offer higher throughput and more S2S VPN tunnels for cross premises connectivity, we released a new Azure Virtual Network gateway SKU, High Performance gateway. The following table shows the preliminary measurements of aggregate throughput and the specifications of S2S VPN tunnels for the current gateway and the High Performance gateway:
||S2S VPN Throughput*
||Max. number of S2S Tunnels
* Note that the actual throughput will vary based on the traffic conditions and application behavior
The pricing for High Performance gateway:
- $0.49 per gateway-hour
- Data transfer and inter-VNet traffic rates remains unchanged
High Performance gateway is available for both the Azure Dynamic Routing gateway and Azure ExpressRoute. Static Routing gateway is not supported. The following cmdlets can be used to create a new High Performance gateway, or upgrade an existing gateway to the new SKU:
Create a High Performance Gateway
A new option is added to the Azure PowerShell cmdlet, New-AzureVNetGateway, to specify the SKU. The following example will create a High Performance gateway for the virtual network, “MyAzureVNet”:
PS D:\> New-AzureVNetGateway –VNetName MyAzureVNet –GatewayType DynamicRouting –GatewaySKU HighPerformance
Note that DynamicRouting is the GatewayType for both the DynamicRouting gateway and the dedicated (ExpressRoute) gateway. Therefore the cmdlet example can also be used to create the Virtual Network gateway to connect to an ExpressRoute circuit.
Update the Gateway SKU
The following cmdlet, Resize-AzureVNetGateway, can update the SKU of an Azure Virtual Network Gateway:
PS D:\> Resize-AzureVNetGateway –VNetName MyAzureVNet –GatewaySKU HighPerformance
This cmdlet example changes the gateway for MyAzureVNet from Default to High Performance. You also change the gateway SKU from High Performance back to Default:
PS D:\> Resize-AzureVNetGateway –VNetName MyAzureVNet –GatewaySKU Default
Gateway Operation Logs
Azure Portal provides a “Management Services” tab to allow Azure services and components to report operation logs. We have added Azure Virtual Network Gateway logs into the framework. Now you will be able to get the following set of events on both Azure VPN Gateways and Azure ExpressRoute:
- Gateway creation and deletion
- ExpressRoute circuit creation and deletion
- ExpressRoute circuit link authorization, creation, and deletion
- ExpressRoute BGP session creation, deletion, and update
The following screenshots show a simple example:
Please note that the initial set of events listed above is just a start. We will continue to add other gateway events into the logs.
More Custom Options for IPsec/IKE VPNs
We added two more custom options for configuring your IPsec/IKE S2S VPN tunnels – PFS (Perfect Forward Secrecy) and No Encryption.
With this feature, now you can specify PFS with IKE on a per tunnel basis. No Encryption is a new option for the S2S VPN tunnel. This is targeted at the VNet-to-VNet communication within Azure. The traffic between Azure Virtual Network gateways will stay within the Microsoft operated networks, including cross-region communication. This traffic today is encrypted by default. For customers that would like better throughput, we offer the No Encryption option that removes the encryption and decryption overhead. Please note that for traffic that is going through the Internet, this option is not recommended as it will cause the packets to be sent without encryption. It is only recommended for Azure VNet-to-VNet communication.
We are working on the PowerShell cmdlet support to enable these two features. Please stay tuned.