What Does VPN Gateway Design Mean?
Also known as: VPN Gateway Design, Azure VPN gateway design, AZ-305 networking, site-to-site VPN Azure, policy-based vs route-based VPN
Quick Definition
VPN Gateway Design means deciding how to build a secure tunnel between your office or data center and the cloud. It involves choosing the right gateway size, connection type, and routing method so your data travels safely and efficiently. Think of it as planning a secure, private highway from your building to a remote facility. A proper design keeps your data private and your connection reliable.
Must Know for Exams
The AZ-305 exam, Designing Microsoft Azure Infrastructure Solutions, includes VPN Gateway Design as a key part of the design for network infrastructure objective. The exam expects you to be able to recommend a VPN gateway solution based on requirements for connectivity, performance, security, and high availability. You might be asked to choose between different gateway SKUs, VPN types, or connection types for a given scenario.
The exam objectives explicitly cover designing and implementing a site-to-site VPN connection, a point-to-site VPN, and VNet-to-VNet connectivity. You need to understand when to use a route-based versus policy-based VPN, and how BGP can be used for dynamic routing with route-based gateways. The exam also tests your knowledge of active-active gateways, zone-redundant gateways, and forced tunneling.
Questions on VPN Gateway Design often appear in the context of larger case studies. For example, you might be given a company with multiple branch offices and a primary data center, and asked how to connect each branch to Azure most cost-effectively while maintaining redundancy. Or you might be asked which gateway SKU supports the required number of tunnels and throughput. The exam also tests your understanding of the relationship between VPN Gateway, Local Network Gateway, and Connection resources.
Because the AZ-305 is an architect-level exam, you are not expected to memorize command-line syntax, but you must know the design trade-offs. For instance, you should know that policy-based VPNs only support one tunnel and have lower throughput, while route-based VPNs are more flexible and support BGP. You should also know that VPN gateways can take up to 45 minutes to provision, which is a realistic design constraint.
Other related exams that cover VPN gateway concepts include AZ-700 (Designing and Implementing Microsoft Azure Networking Solutions) and AZ-104 (Microsoft Azure Administrator), though those are more operational. The AZ-305 is the top-level design exam, so the questions are more about strategy and architecture than configuration steps. Mastering VPN Gateway Design will help you answer scenario-based questions with confidence.
Simple Meaning
Imagine you have a private office building with many rooms and computers, and you also have a branch office across town that needs to share files and databases with the main office. You could send data over the public internet, but that would be like mailing private documents on postcards—anyone could read them. What you really need is a secure, armored tunnel between the two buildings that nobody else can enter.
VPN Gateway Design is the planning work you do before building that tunnel. You need to decide where the tunnel starts and ends, how wide it should be (bandwidth), what kind of encryption lock to use, and how to route traffic once it enters the tunnel. In Microsoft Azure, the tunnel starts and ends at a special piece of software called a VPN gateway. This gateway sits at the edge of your Azure virtual network, like a secure gatekeeper at a castle wall.
When you design a VPN gateway, you first choose the gateway SKU, which determines how fast and how many tunnels it can handle. You also choose between a policy-based or route-based VPN. Policy-based is like a strict post office that only sends certain types of mail through the tunnel. Route-based is more flexible—it uses routing tables to decide where each packet should go, just like a smart traffic system. You also plan for high availability: what happens if the gateway fails? You might add a second gateway in an active-passive or active-active setup, much like having a backup generator.
A good VPN Gateway Design also considers security protocols like IPsec and IKE, which lock and unlock the tunnel. And you must plan for the on-premises side—your local router or firewall needs to support the same settings. If you get the design wrong, the tunnel might not connect, or your data could be slow or insecure. So, careful planning before building is what VPN Gateway Design is all about: designing a secure, fast, and reliable bridge between your world and the cloud.
Full Technical Definition
VPN Gateway Design in Microsoft Azure refers to the architectural planning, sizing, and configuration of Azure VPN Gateway resources to enable secure site-to-site, point-to-site, or VNet-to-VNet connectivity over the public internet using the IPsec and IKE protocols. The VPN gateway is a specific type of virtual network gateway that is deployed in a dedicated subnet (GatewaySubnet) within an Azure virtual network. It is the Azure-side counterpart of the local network gateway resource, which represents the physical VPN device at the customer site.
The design process involves selecting the appropriate gateway SKU, which determines aggregate throughput (from 100 Mbps to 10 Gbps), the maximum number of S2S tunnels (from 10 to 100), and support for features like BGP or active-active mode. Azure has two virtual network gateway types: VPN (encrypted traffic over the public internet) and ExpressRoute (dedicated private connections); the VPN gateway is the one used for IPsec tunnels. Within VPN gateways there are two VPN types: policy-based (static routing) and route-based (dynamic routing). Policy-based gateways use traffic selectors to match packets on source/destination address and protocol, while route-based gateways rely on routing tables and can use BGP for dynamic route propagation.
From a protocol perspective, VPN Gateway Design must specify the IKE version (IKEv2 is preferred for modern deployments), the IPsec parameters (encryption algorithm such as AES256, integrity algorithm such as SHA256, DH group for key exchange), and the SA lifetime settings. For high availability, designers often configure active-active gateways, where two instances share the load, or active-passive with a standby instance. Zone-redundant gateways, in regions that support availability zones, spread the gateway instances across zones so the gateway survives the loss of a single zone.
Implementation involves creating a virtual network, adding a GatewaySubnet with a /27 or larger address range, deploying the VPN gateway (which can take 45 minutes or more), and then configuring the local network gateway and connection resource. For site-to-site VPNs, the on-premises VPN device must have a public IP and support compatible IPsec settings. Connection types include IPsec (S2S), IKEv2 (P2S), and VNet-to-VNet (which is essentially a site-to-site between two Azure gateways). Designers must also plan for split tunneling policies, where some traffic goes through the VPN and some directly to the internet, and for forced tunneling, where all internet-bound traffic is routed through the VPN to on-premises for inspection.
Real-Life Example
Think of a large office building with multiple floors, each floor belonging to a different department. The building has a main entrance with a security guard who checks badges. Now imagine that the company also has a secure vault in a different building downtown where it keeps important records. To allow employees to access that vault without walking there, the company builds a special, secure elevator that connects the two buildings underground. This elevator is private, fast, and only opens for authorized employees with the right keycard.
VPN Gateway Design is like planning that underground elevator. First, you decide where the elevator doors will be in each building. In Azure, that is the GatewaySubnet. Next, you choose the size of the elevator car: a small one for a few employees (lower throughput) or a large one for heavy traffic (higher SKU). You also choose the locking mechanism—the type of encryption and key exchange protocol (IPsec and IKE).
Then you decide who can ride. Policy-based is like only allowing employees from the accounting department to use the elevator, and only between 9 AM and 5 PM. Route-based is like allowing anyone with a valid badge to use it, but the elevator automatically stops at the right floor based on where the employee needs to go. You also plan for backup: if the elevator breaks down, a second elevator (active-passive) takes over. For really busy buildings, both elevators run at the same time (active-active).
Finally, you must ensure the vault building also has a compatible door. That is the on-premises VPN device configuration. If the locks don't match, the elevator won't open. Proper VPN Gateway Design ensures everyone can share files securely, just like that underground elevator keeps the records safe while making them accessible to authorized people.
Why This Term Matters
VPN Gateway Design matters because hybrid cloud architectures—where some resources stay on-premises and some move to the cloud—are very common in real IT environments. Many organizations run critical applications on their own servers but want to use Azure for backup, disaster recovery, or extra compute capacity. Without a secure and well-designed VPN connection, those hybrid setups would be impossible or dangerously insecure.
In real IT work, a poorly designed VPN gateway can cause slow performance, dropped connections, or security vulnerabilities. For example, if you choose a gateway SKU that is too small for the amount of traffic, users will experience latency and timeouts. If you use policy-based VPN when dynamic routing is required, you might not be able to connect multiple sites or failover properly. If you forget to configure high availability, a single gateway failure could cut off all connectivity between the office and the cloud, halting business operations.
For network engineers and cloud architects, VPN Gateway Design is a fundamental skill. It is also important for security: the encryption settings must be strong enough to meet compliance standards like HIPAA or PCI DSS. Many organizations also use VPN gateways as part of a layered defense, routing traffic through firewalls on-premises before reaching Azure.
Additionally, understanding VPN Gateway Design helps with cost management. Different SKUs have different hourly costs, and designing for the right capacity without over-provisioning saves money. It also affects other services: Azure Site Recovery, Azure File Sync, and Azure AD Application Proxy often rely on VPN connectivity. So a solid design supports many other workloads. For anyone studying for the AZ-305 exam, which focuses on designing Microsoft Azure infrastructure solutions, VPN Gateway Design is a core topic that appears in case studies and architectural questions.
How It Appears in Exam Questions
In the AZ-305 exam, VPN Gateway Design appears primarily in scenario-based multiple-choice and case study questions. You will rarely be asked to recall a specific bitrate number. Instead, you must apply your understanding to select the appropriate gateway SKU, VPN type, or high-availability configuration.
One common question pattern gives you a company with a single on-premises site and a requirement for a site-to-site VPN with 200 Mbps throughput and support for BGP routing. The correct answer would be a route-based VPN gateway with a VpnGw2 SKU (which supports up to 1 Gbps and BGP). The distractors might be a policy-based gateway (no BGP) or a lower SKU that cannot handle the throughput.
Another question type involves high availability. You might be told that a company needs to ensure the VPN connection remains available even if one gateway instance fails. The correct design would be an active-active configuration, where two gateway instances are deployed. A common trap is suggesting an active-passive setup, which provides some redundancy but not full load balancing.
You might also see questions about forced tunneling, where all internet-bound traffic from Azure VMs must be routed through the on-premises network for inspection. The correct approach is to configure a user-defined route (UDR) with a default route pointing to the VPN gateway, and to set the gateway's default site to the on-premises network. Exam questions will test whether you understand that forced tunneling requires a route-based VPN gateway.
Another pattern involves VNet-to-VNet connectivity. The question might describe two virtual networks in different regions that need to communicate securely. The correct answer is to create VPN gateways in each VNet and then configure a VNet-to-VNet connection, which is essentially a site-to-site VPN between two Azure gateways. A distractor might be to use VNet peering, which does not use VPN gateways and has different cost and latency characteristics.
Finally, exam questions may test your knowledge of gateway SKU limitations. For example, the Basic SKU does not support BGP or active-active mode. A question might ask which SKU is suitable for a production environment requiring BGP, and the answer would be VpnGw1 or any higher SKU. Understanding these nuances is critical for passing the exam.
Example Scenario
Contoso Ltd. is a retail company with a headquarters in Chicago and 50 branch stores across the Midwest. They are migrating their inventory management system to Azure and need a secure connection from each store to the Azure virtual network. The IT team wants to use a single VPN gateway at headquarters that all branches can connect to, but they are worried about bandwidth and reliability.
Here is where VPN Gateway Design comes into play. The team first evaluates the total traffic: each store sends about 5 Mbps of inventory data, and the headquarters itself needs 100 Mbps. They multiply 50 stores by 5 Mbps for 250 Mbps, plus 100 Mbps from HQ, for a total of 350 Mbps. They choose a VpnGw2 SKU, which supports up to 1 Gbps throughput and 30 tunnels. But they need 51 connections (50 stores plus HQ). They realize that a single gateway cannot handle 51 tunnels, so they design a hub-and-spoke topology with two gateways: one at headquarters and one for branch stores. They use a route-based VPN to enable dynamic routing, which simplifies adding new stores. For high availability, they deploy each gateway in active-active mode. They also configure forced tunneling so all store traffic goes through HQ for security inspection. This design ensures secure, reliable, and scalable connectivity for Contoso.
Common Mistakes
Choosing a policy-based VPN for a scenario that requires multiple tunnels or BGP support.
Policy-based VPNs are limited to a single tunnel and do not support BGP or dynamic routing. They are only suitable for very simple, static connections with low throughput.
Always select a route-based VPN unless you have a very simple, single-site connection and do not need BGP or multiple tunnels. Route-based is the default recommendation for enterprise scenarios.
Selecting the Basic VPN gateway SKU for production workloads that need BGP or high availability.
The Basic SKU does not support BGP, active-active mode, or zone-redundancy. It also has a lower throughput (100 Mbps) and fewer features. It is intended for dev/test only.
For any production environment, choose a standard SKU like VpnGw1 or higher. Check the feature matrix to ensure BGP and active-active are supported if needed.
Forgetting to create the GatewaySubnet before deploying the VPN gateway, or using a subnet smaller than /27.
The GatewaySubnet must exist with a minimum size of /27. A smaller subnet will cause the gateway deployment to fail. The subnet also needs to be named exactly 'GatewaySubnet'.
Always create a dedicated subnet named 'GatewaySubnet' with at least a /27 prefix (or larger for high-availability or zone-redundant gateways). Plan your address space accordingly.
Assuming that a site-to-site VPN connection works immediately after creating the gateway and local network gateway without configuring the on-premises VPN device.
The Azure gateway alone does not establish the connection. The on-premises VPN device must be configured with matching IPsec/IKE settings, the correct shared key, and the remote endpoint (Azure gateway public IP). Without this, the tunnel will not come up.
Ensure you configure the on-premises VPN device with the same encryption parameters, shared key, and Azure gateway public IP. Use a known compatible device list from Microsoft documentation.
Exam Trap — Don't Get Fooled
In an exam scenario, you are asked to design a VPN connection between two Azure virtual networks in different regions. One option suggests using VNet peering without a VPN gateway. Another option suggests deploying VPN gateways in both VNets and connecting them with a VNet-to-VNet connection.
Many learners pick VNet peering because it is simpler and cheaper. Read the question for specific requirements. If the scenario requires encrypted traffic, site-to-site VPN, or connectivity to on-premises through the same gateway, VNet peering will not work because it does not provide encryption (though traffic is private within the Azure backbone).
If the question specifies that the traffic must be encrypted or that the connection must go through a VPN gateway for policy enforcement, choose the VNet-to-VNet VPN. Always check for words like 'encrypted', 'IPsec', or 'tunnel'.
Commonly Confused With
VNet peering connects two virtual networks directly over the Microsoft backbone without a VPN gateway or encryption. VPN Gateway Design uses IPsec tunnels for encrypted connections, and it can also connect to on-premises networks. Peering is for Azure-only connectivity and does not provide encryption by default.
Connecting two Azure VNets in the same region to share resources: use VNet peering. Connecting an on-premises data center to an Azure VNet: use a VPN gateway.
ExpressRoute provides a private, dedicated connection to Azure through a service provider, bypassing the public internet entirely. It offers higher reliability, lower latency, and higher bandwidth than a VPN. VPN Gateway Design uses the public internet with encryption. ExpressRoute is preferred for critical workloads with strict performance requirements.
A bank needs ultra-reliable, low-latency connectivity to Azure for transaction processing: use ExpressRoute. A small office connecting to Azure for file backups: use a VPN gateway.
A point-to-site VPN allows individual client computers to connect to an Azure VNet from anywhere, using a VPN client. VPN Gateway Design for site-to-site is different: it connects entire networks (on-premises to Azure). The design considerations for point-to-site involve client certificate management and address pools, while site-to-site design focuses on tunnel counts and routing.
A remote worker connecting their laptop to Azure from a coffee shop: point-to-site. A branch office with 100 computers connecting to Azure: site-to-site.
Step-by-Step Breakdown
Identify Requirements
First, determine the type of connection needed: site-to-site (network to network), point-to-site (individual clients), or VNet-to-VNet. Also gather throughput requirements, number of tunnels, and whether BGP is needed for dynamic routing.
Select Gateway SKU
Choose the appropriate VPN gateway SKU (Basic, VpnGw1, VpnGw2, etc.) based on aggregate throughput, number of tunnels, and required features (BGP, active-active, zone-redundancy). The SKU determines performance and cost.
Choose VPN Type
Select either policy-based (static routing) or route-based (dynamic routing). Route-based is recommended for most scenarios because it supports multiple tunnels, BGP, and features like forced tunneling. Policy-based is limited to one tunnel and lower throughput.
Plan IP Address Space
Design the virtual network address space and create a dedicated GatewaySubnet with a /27 or larger prefix. Ensure the address range does not overlap with on-premises networks to avoid routing conflicts.
Define Encryption and Authentication
Configure IPsec/IKE parameters including IKE version (IKEv2 is preferred), encryption algorithm (AES256), integrity algorithm (SHA256), DH group, and shared key (pre-shared key or certificate). Ensure these match the settings on the on-premises VPN device.
Configure High Availability
Decide on active-passive (one gateway with a standby) or active-active (two gateways load balancing). Consider zone-redundant gateways for resilience across availability zones. This step ensures the connection remains up during failures.
Deploy and Test
Create the virtual network, GatewaySubnet, VPN gateway, local network gateway (for on-premises), and connection resource. After deployment (which can take 45 minutes), configure the on-premises VPN device and test the tunnel for connectivity and performance.
Practical Mini-Lesson
VPN Gateway Design in Azure is not just about clicking a button to create a gateway. It is about making deliberate architectural choices that balance performance, security, cost, and reliability. Let us walk through a practical design for a mid-sized company.
Your company, Fabrikam, has a main office in New York with 500 employees and a data center with critical applications. They also have two branch offices in Chicago and Los Angeles, each with 50 employees. They want to move their backup and disaster recovery to Azure. The requirements are: a site-to-site VPN from each office to Azure, total aggregate throughput of 300 Mbps, support for dynamic routing so that if the New York office goes down, the branches can still reach Azure, and the ability to add more branches in the future.
First, you identify that you need multiple tunnels: three site-to-site connections (NY, Chicago, LA). You need BGP for dynamic routing so that if the NY office fails, traffic from branches can still reach Azure through an alternative path if you later add a VPN gateway in another region. You also want active-active mode to avoid a single point of failure.
You select a route-based VPN type because it supports multiple tunnels and BGP. For the gateway SKU, you calculate that 300 Mbps total is needed. VpnGw2 supports up to 1 Gbps and 30 tunnels, which is more than enough. You could also use VpnGw1 (650 Mbps) to save cost, but you choose VpnGw2 to leave room for growth.
Next, you plan the IP address space. You need a virtual network in the East US region with a range of 10.1.0.0/16. You create a GatewaySubnet with 10.1.0.0/27. You ensure that none of your on-premises ranges (10.0.0.0/16 for NY, 10.2.0.0/16 for Chicago, 10.3.0.0/16 for LA) overlap with the Azure VNet or GatewaySubnet.
You choose IKEv2 and AES256 encryption for strong security. You generate a complex pre-shared key for each connection. For high availability, you deploy the gateway in active-active mode. This creates two instances, each with its own public IP. You then configure three local network gateways, one for each office, and three connection resources.
On the on-premises side, you configure each office's firewall to match the IPsec settings and point to the Azure gateway public IPs. You also enable BGP on the gateways and on the on-premises routers, advertising the on-premises prefixes.
Once everything is deployed, you test the connections. You verify that traffic from Chicago can reach Azure, and that Azure can reach Chicago. You also simulate a failure of the New York office by shutting down its router—the BGP routes withdraw, and the remaining branches continue to work.
This practical design demonstrates the real-world decisions involved in VPN Gateway Design. Professionals need to think about redundancy, routing, scalability, and compatibility. A common mistake is to skip BGP and use static routes, then discover that failover does not work. Another mistake is to use the Basic SKU and then find out BGP is not supported. By following a structured design process, you avoid these pitfalls.
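The checks from the step-by-step breakdown above, applied to the Fabrikam plan from this mini-lesson, as an added Python example that is not part of the original page: it validates the GatewaySubnet, address-space overlap, VPN type and SKU limits, and picks the smallest SKU for a set of requirements. The SKU table contains only the limits quoted on this page (Basic, VpnGw1, VpnGw2), and the names VpnDesign, validate_design and choose_sku are assumed here.

```python
# Design-time lint for an Azure VPN gateway plan (added example, not the page's code).
# Rules are the ones this page states: a subnet named exactly 'GatewaySubnet' of /27 or
# larger inside the VNet, no overlap with on-premises ranges, policy-based VPNs limited
# to one tunnel with no BGP or forced tunneling, and per-SKU limits.
import ipaddress
from dataclasses import dataclass

# SKU limits as quoted on this page (Basic 100 Mbps, no BGP/active-active, 10 tunnels;
# VpnGw1 650 Mbps and VpnGw2 1 Gbps, 30 tunnels). Extend from the Azure feature matrix.
SKUS = {
    "Basic":  {"mbps": 100,  "tunnels": 10, "bgp": False, "active_active": False},
    "VpnGw1": {"mbps": 650,  "tunnels": 30, "bgp": True,  "active_active": True},
    "VpnGw2": {"mbps": 1000, "tunnels": 30, "bgp": True,  "active_active": True},
}

@dataclass
class VpnDesign:
    vnet_cidr: str
    gateway_subnet_name: str
    gateway_subnet_cidr: str
    onprem_prefixes: list   # one CIDR per site-to-site tunnel
    vpn_type: str           # "RouteBased" or "PolicyBased"
    sku: str
    throughput_mbps: int    # aggregate requirement
    needs_bgp: bool = False
    active_active: bool = False
    forced_tunneling: bool = False

def choose_sku(throughput_mbps, tunnels, needs_bgp=False, active_active=False):
    """Return the smallest SKU (by throughput) meeting every requirement, or None."""
    for name, lim in sorted(SKUS.items(), key=lambda kv: kv[1]["mbps"]):
        if (lim["mbps"] >= throughput_mbps and lim["tunnels"] >= tunnels
                and (lim["bgp"] or not needs_bgp)
                and (lim["active_active"] or not active_active)):
            return name
    return None

def validate_design(d):
    """Return a list of design problems; an empty list means the plan passes."""
    issues = []
    vnet = ipaddress.ip_network(d.vnet_cidr)
    gw = ipaddress.ip_network(d.gateway_subnet_cidr)
    tunnels = len(d.onprem_prefixes)
    if d.gateway_subnet_name != "GatewaySubnet":
        issues.append("gateway subnet must be named exactly 'GatewaySubnet'")
    if gw.prefixlen > 27:
        issues.append(f"GatewaySubnet {gw} is smaller than /27")
    if not gw.subnet_of(vnet):
        issues.append(f"GatewaySubnet {gw} is not inside VNet {vnet}")
    for prefix in d.onprem_prefixes:
        site = ipaddress.ip_network(prefix)
        if site.overlaps(vnet):
            issues.append(f"on-premises range {site} overlaps VNet {vnet}")
    if d.vpn_type == "PolicyBased":
        if tunnels > 1:
            issues.append("policy-based VPN supports only one tunnel")
        if d.needs_bgp:
            issues.append("policy-based VPN does not support BGP")
        if d.forced_tunneling:
            issues.append("forced tunneling requires a route-based gateway")
    lim = SKUS.get(d.sku)
    if lim is None:
        issues.append(f"unknown SKU {d.sku}")
        return issues
    if d.needs_bgp and not lim["bgp"]:
        issues.append(f"{d.sku} does not support BGP")
    if d.active_active and not lim["active_active"]:
        issues.append(f"{d.sku} does not support active-active")
    if d.throughput_mbps > lim["mbps"]:
        issues.append(f"{d.sku} tops out at {lim['mbps']} Mbps, design needs {d.throughput_mbps}")
    if tunnels > lim["tunnels"]:
        issues.append(f"{d.sku} allows {lim['tunnels']} S2S tunnels, design needs {tunnels}")
    return issues

# The Fabrikam plan from the mini-lesson (constructed from the figures in the text).
FABRIKAM = VpnDesign("10.1.0.0/16", "GatewaySubnet", "10.1.0.0/27",
                     ["10.0.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],
                     "RouteBased", "VpnGw2", 300, needs_bgp=True, active_active=True)

if __name__ == "__main__":
    print("Fabrikam issues:", validate_design(FABRIKAM))
    print("Smallest SKU for Fabrikam:", choose_sku(300, 3, True, True))
    print("Single gateway for Contoso's 51 tunnels:", choose_sku(350, 51, True, True))
```

The last call returns None, which is the Contoso finding from the example scenario: no single gateway in the table carries 51 S2S tunnels, so the design needs more than one gateway.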
Memory Tip
Remember 'SRTA-P': SKU, Route-based, Tunnel count, Active-active, Pre-shared key. Check each element in your design.
Covered in These Exams
AZ-305 (Designing Microsoft Azure Infrastructure Solutions)
Frequently Asked Questions
What is the difference between a policy-based and route-based VPN gateway?
A policy-based VPN uses static traffic selectors (like source/destination IP and port) to determine which traffic goes through the tunnel. It only supports one tunnel and no BGP. A route-based VPN uses routing tables to direct traffic, supports multiple tunnels, BGP, and is the recommended choice for modern deployments.
How long does it take to deploy a VPN gateway in Azure?
Deploying a VPN gateway typically takes 45 minutes or more. This is because Azure provisions infrastructure and configures the gateway. Plan your deployment window accordingly, especially for production environments.
Can I change the SKU of a VPN gateway after it is deployed?
Yes, you can resize the gateway SKU (for example, from VpnGw1 to VpnGw2) without deleting the gateway, as long as the new SKU is in the same generation. However, you cannot resize to or from the Basic SKU. Changing SKUs may cause a brief interruption.
What is forced tunneling and how does it relate to VPN gateway design?
Forced tunneling routes all internet-bound traffic from Azure VMs through the VPN gateway to an on-premises network for inspection. To implement it, you need a route-based VPN gateway and a user-defined route with a default route pointing to the gateway. The gateway must also have a default site configured.
Do I need BGP for a simple site-to-site VPN?
No, you can use static routes without BGP for simple single-tunnel connections. However, BGP is recommended if you need automatic failover, multiple tunnels, or complex routing. BGP also supports route propagation, simplifying network management.
What is the GatewaySubnet and why is it required?
The GatewaySubnet is a dedicated subnet inside your virtual network that must be named exactly 'GatewaySubnet' and have a minimum size of /27. It is where Azure deploys the VPN gateway instances. Without it, you cannot create a virtual network gateway.
Summary
VPN Gateway Design is the architectural blueprint for creating secure, encrypted connections between on-premises networks and Azure, or between Azure virtual networks. It involves selecting the right gateway SKU, choosing between policy-based and route-based VPN types, planning IP address spaces to avoid overlap, configuring IPsec/IKE encryption settings, and designing for high availability through active-active or zone-redundant gateways. A well-designed VPN gateway ensures that data remains private and secure while traveling over the public internet, and that the connection remains reliable even during failures.
For IT professionals, mastering VPN Gateway Design is essential for building hybrid cloud solutions that meet performance, security, and compliance requirements. In the AZ-305 exam, you will be tested on your ability to recommend appropriate designs for given scenarios, including multi-site connectivity, BGP routing, and forced tunneling. The common mistakes to avoid are selecting the Basic SKU for production, using policy-based VPN when multiple tunnels are needed, and forgetting to configure the on-premises side.
Remember the memory tip 'SRTA-P' to check your design: SKU, Route-based, Tunnel count, Active-active, Pre-shared key. With a solid understanding of VPN Gateway Design, you will be prepared to both pass the exam and build robust cloud networks in practice.