Azure VPN Connections: P2S, S2S, Multi-Site, and ExpressRoute Explained

Modern enterprises frequently require secure connectivity between on-premises infrastructure, branch offices, remote users, and Azure virtual networks. Azure provides several connectivity options that allow organizations to build hybrid cloud environments securely and reliably. The most common connectivity methods include Point-to-Site VPN, Site-to-Site VPN, Multi-Site VPN, and ExpressRoute. Each option is designed for specific use cases and network architectures.

Understanding the differences between these connection types is essential when designing hybrid cloud environments in Azure.

Overview of Azure Connectivity Options

Azure connectivity solutions allow organizations to extend their on-premises networks into Azure virtual networks. This enables applications running in Azure to communicate securely with internal corporate resources.

The four primary connectivity models are:

Point-to-Site VPN
Site-to-Site VPN
Multi-Site VPN
ExpressRoute

These options differ in how connectivity is established, the scale of the deployment, performance characteristics, and cost.

Point-to-Site VPN (P2S)

Point-to-Site VPN allows individual devices to securely connect to an Azure virtual network using a VPN client. This connection type is commonly used by remote users such as developers, administrators, and employees working outside the corporate network.

Users connect directly to the Azure VPN Gateway using VPN protocols such as OpenVPN, IKEv2, or SSTP.

Common use cases include:

Remote administrators managing Azure resources
Developers accessing development environments in Azure
Temporary secure connectivity for contractors
Small organizations without a physical VPN appliance

P2S VPN does not require a dedicated on-premises VPN device, making it easy to deploy.

Site-to-Site VPN (S2S)

Site-to-Site VPN connects an entire on-premises network to an Azure virtual network using a VPN gateway device. Instead of individual users connecting manually, the connection is established between two networks.

This configuration requires a VPN device or firewall at the on-premises location that supports IPsec/IKE VPN tunnels.

Typical use cases include:

Hybrid cloud deployments
Enterprise datacenter connectivity
Migration of applications to Azure
Disaster recovery scenarios

Once configured, all systems in the on-premises network can communicate with Azure resources.

Multi-Site VPN

Multi-Site VPN is an extension of Site-to-Site VPN that allows multiple on-premises locations to connect to the same Azure virtual network through a single Azure VPN gateway.

This configuration is commonly used by organizations that operate multiple branch offices.

Typical architecture includes:

Headquarters datacenter connected to Azure
Multiple branch offices connected through VPN tunnels
Azure acting as a central hub network

Multi-Site VPN enables centralized connectivity and simplifies hybrid network architectures.

ExpressRoute

ExpressRoute provides private dedicated connectivity between an organization's datacenter and Azure. Unlike VPN connections that operate over the public internet, ExpressRoute uses a private connection through a connectivity provider.

This option offers the highest level of performance, reliability, and security.

Common scenarios include:

Mission-critical enterprise workloads
Large-scale hybrid cloud environments
Financial institutions requiring private connectivity
Organizations transferring massive datasets

ExpressRoute connections can provide bandwidth options ranging from hundreds of Mbps to tens of Gbps.

Azure Connectivity Comparison

Feature           | P2S VPN                      | S2S VPN                   | Multi-Site VPN             | ExpressRoute
------------------|------------------------------|---------------------------|----------------------------|-------------------------------------
Connection Type   | Individual device connection | Network-to-network tunnel | Multiple networks to Azure | Private dedicated circuit
Internet Required | Yes                          | Yes                       | Yes                        | No public internet
Typical Users     | Remote users                 | Corporate datacenter      | Multiple branch offices    | Enterprise datacenters
Setup Complexity  | Low                          | Medium                    | Medium                     | High
Performance       | Moderate                     | Moderate                  | Moderate                   | Very high
Security Level    | Strong encryption            | Strong encryption         | Strong encryption          | Private network isolation
Bandwidth         | Limited by VPN gateway       | Limited by VPN gateway    | Limited by VPN gateway     | Up to 100 Gbps depending on provider
Cost              | Low                          | Low to medium             | Medium                     | Higher cost

Azure VPN Gateway SKUs by Generation, Algorithm, Throughput, and Packet Rate

Generation   | SKU      | Algorithms Used | Throughput Observed per Tunnel | Packets per Second per Tunnel Observed
-------------|----------|-----------------|--------------------------------|---------------------------------------
Generation 1 | VpnGw1   | GCMAES256       | 650 Mbps                       | 62,000
Generation 1 | VpnGw1   | AES256 & SHA256 | 500 Mbps                       | 47,000
Generation 1 | VpnGw1   | DES3 & SHA256   | 130 Mbps                       | 12,000
Generation 1 | VpnGw2   | GCMAES256       | 1.2 Gbps                       | 100,000
Generation 1 | VpnGw2   | AES256 & SHA256 | 650 Mbps                       | 61,000
Generation 1 | VpnGw2   | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 1 | VpnGw3   | GCMAES256       | 1.25 Gbps                      | 120,000
Generation 1 | VpnGw3   | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 1 | VpnGw3   | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 1 | VpnGw1AZ | GCMAES256       | 650 Mbps                       | 62,000
Generation 1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps                       | 47,000
Generation 1 | VpnGw1AZ | DES3 & SHA256   | 130 Mbps                       | 12,000
Generation 1 | VpnGw2AZ | GCMAES256       | 1.2 Gbps                       | 110,000
Generation 1 | VpnGw2AZ | AES256 & SHA256 | 650 Mbps                       | 61,000
Generation 1 | VpnGw2AZ | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 1 | VpnGw3AZ | GCMAES256       | 1.25 Gbps                      | 120,000
Generation 1 | VpnGw3AZ | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 1 | VpnGw3AZ | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 2 | VpnGw2   | GCMAES256       | 1.25 Gbps                      | 120,000
Generation 2 | VpnGw2   | AES256 & SHA256 | 550 Mbps                       | 52,000
Generation 2 | VpnGw2   | DES3 & SHA256   | 130 Mbps                       | 12,000
Generation 2 | VpnGw3   | GCMAES256       | 1.5 Gbps                       | 140,000
Generation 2 | VpnGw3   | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 2 | VpnGw3   | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 2 | VpnGw4   | GCMAES256       | 2.3 Gbps                       | 220,000
Generation 2 | VpnGw4   | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 2 | VpnGw4   | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 2 | VpnGw5   | GCMAES256       | 2.3 Gbps                       | 220,000
Generation 2 | VpnGw5   | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 2 | VpnGw5   | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 2 | VpnGw2AZ | GCMAES256       | 1.25 Gbps                      | 120,000
Generation 2 | VpnGw2AZ | AES256 & SHA256 | 550 Mbps                       | 52,000
Generation 2 | VpnGw2AZ | DES3 & SHA256   | 130 Mbps                       | 12,000
Generation 2 | VpnGw3AZ | GCMAES256       | 1.5 Gbps                       | 140,000
Generation 2 | VpnGw3AZ | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 2 | VpnGw3AZ | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 2 | VpnGw4AZ | GCMAES256       | 2.3 Gbps                       | 220,000
Generation 2 | VpnGw4AZ | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 2 | VpnGw4AZ | DES3 & SHA256   | 140 Mbps                       | 13,000
Generation 2 | VpnGw5AZ | GCMAES256       | 2.3 Gbps                       | 220,000
Generation 2 | VpnGw5AZ | AES256 & SHA256 | 700 Mbps                       | 66,000
Generation 2 | VpnGw5AZ | DES3 & SHA256   | 140 Mbps                       | 13,000

Azure VPN Gateway SKUs by Tunnel and Connection Limits

SKU      | Max S2S VPN Tunnels | Max P2S VPN Connections | Max VNet-to-VNet Tunnels | Aggregate Throughput
---------|---------------------|-------------------------|--------------------------|---------------------
Basic    | 10                  | 128                     | 10                       | ~100 Mbps
VpnGw1   | 30                  | 250                     | 30                       | ~650 Mbps
VpnGw2   | 30                  | 500                     | 30                       | ~1 Gbps
VpnGw3   | 30                  | 1000                    | 30                       | ~1.25 Gbps
VpnGw4   | 100                 | 5000                    | 50                       | ~5 Gbps
VpnGw5   | 100                 | 10000                   | 50                       | ~10 Gbps
VpnGw1AZ | 30                  | 250                     | 30                       | ~650 Mbps
VpnGw2AZ | 30                  | 500                     | 30                       | ~1 Gbps
VpnGw3AZ | 30                  | 1000                    | 30                       | ~1.25 Gbps
VpnGw4AZ | 100                 | 5000                    | 50                       | ~5 Gbps
VpnGw5AZ | 100                 | 10000                   | 50                       | ~10 Gbps

Azure VPN Gateway SKUs by Feature Set

Feature                   | Basic | VpnGw1 | VpnGw2 | VpnGw3 | VpnGw4 | VpnGw5 | AZ SKUs
--------------------------|-------|--------|--------|--------|--------|--------|--------
BGP Support               | No    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
Active-Active Mode        | No    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
ExpressRoute Coexistence  | No    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
Zone Redundancy           | No    | No     | No     | No     | No     | No     | Yes
Custom IPsec/IKE Policies | No    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
Policy-Based VPN          | Yes   | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
Route-Based VPN           | Yes   | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
NAT Support               | No    | Yes    | Yes    | Yes    | Yes    | Yes    |

What to Choose and When

Choosing the correct Azure connectivity method depends on several factors including scale, security requirements, and network architecture.

Choose Point-to-Site VPN when remote users need occasional secure access to Azure resources.

Choose Site-to-Site VPN when connecting a single datacenter or office network to Azure.

Choose Multi-Site VPN when multiple branch offices require connectivity to Azure through a centralized architecture.

Choose ExpressRoute when organizations require private, high-performance connectivity with guaranteed bandwidth and lower latency.

Many enterprises combine these options. For example, a company might use ExpressRoute for datacenter connectivity and P2S VPN for remote employees.
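Once the connection model is chosen, the gateway SKU still has to be sized against the limits in the three SKU tables above. The script below is an added example, not code from this article or from Microsoft: it picks the smallest SKU that can carry a constructed multi-site design. The throughput, tunnel, connection and feature figures are transcribed from the tables (Generation 2 per-tunnel figures for VpnGw2 to VpnGw5, Generation 1 for VpnGw1, which has no Generation 2 entry); the Site and Requirements classes, the feature names, and the sample sites are assumptions made for the example.

```python
"""Choose the smallest Azure VPN Gateway SKU for a hybrid design.

Added example (not the article's or Microsoft's code). The figures below are
transcribed from the article's three SKU tables; the sites, feature names and
helper functions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Per-tunnel observed throughput in Mbps by IPsec algorithm (Generation 2 for
# VpnGw2-5, Generation 1 for VpnGw1, which has no Generation 2 entry).
PER_TUNNEL_MBPS = {
    "VpnGw1": {"GCMAES256": 650, "AES256&SHA256": 500, "DES3&SHA256": 130},
    "VpnGw2": {"GCMAES256": 1250, "AES256&SHA256": 550, "DES3&SHA256": 130},
    "VpnGw3": {"GCMAES256": 1500, "AES256&SHA256": 700, "DES3&SHA256": 140},
    "VpnGw4": {"GCMAES256": 2300, "AES256&SHA256": 700, "DES3&SHA256": 140},
    "VpnGw5": {"GCMAES256": 2300, "AES256&SHA256": 700, "DES3&SHA256": 140},
}

# (max S2S tunnels, max P2S connections, aggregate throughput in Mbps).
LIMITS = {
    "Basic": (10, 128, 100),
    "VpnGw1": (30, 250, 650),
    "VpnGw2": (30, 500, 1000),
    "VpnGw3": (30, 1000, 1250),
    "VpnGw4": (100, 5000, 5000),
    "VpnGw5": (100, 10000, 10000),
}

# Features the Basic SKU lacks according to the feature table; zone redundancy
# is only available on the AZ SKUs, so Basic cannot provide it either.
BASIC_LACKS = {"bgp", "active_active", "custom_ipsec_policy", "nat", "zone_redundant"}
SKU_ORDER = ["Basic", "VpnGw1", "VpnGw2", "VpnGw3", "VpnGw4", "VpnGw5"]


@dataclass
class Site:
    name: str
    mbps: int                      # sustained throughput the S2S tunnel must carry
    algorithm: str = "GCMAES256"   # IPsec algorithm negotiated with the on-premises device


@dataclass
class Requirements:
    sites: List[Site]
    p2s_connections: int = 0
    features: Set[str] = field(default_factory=set)


def blocking_reasons(sku: str, req: Requirements) -> List[str]:
    """Return every reason the SKU cannot carry the design; empty means it fits."""
    reasons = []
    max_tunnels, max_p2s, aggregate = LIMITS[sku]
    total = sum(s.mbps for s in req.sites)
    if len(req.sites) > max_tunnels:
        reasons.append(f"{len(req.sites)} S2S tunnels exceed the limit of {max_tunnels}")
    if req.p2s_connections > max_p2s:
        reasons.append(f"{req.p2s_connections} P2S connections exceed the limit of {max_p2s}")
    if total > aggregate:
        reasons.append(f"aggregate {total} Mbps exceeds {aggregate} Mbps")
    if sku == "Basic":
        missing = req.features & BASIC_LACKS
        if missing:
            reasons.append("Basic lacks " + ", ".join(sorted(missing)))
        return reasons   # the article gives no per-tunnel figures for Basic
    # Per-tunnel capacity depends on the algorithm: a DES3 tunnel tops out far
    # below a GCMAES256 tunnel on the same SKU.
    for s in req.sites:
        cap = PER_TUNNEL_MBPS[sku][s.algorithm]
        if s.mbps > cap:
            reasons.append(f"{s.name}: {s.mbps} Mbps exceeds {cap} Mbps per tunnel with {s.algorithm}")
    return reasons


def choose_sku(req: Requirements) -> Optional[str]:
    """Smallest SKU with no blocking reason, with the AZ suffix when zone redundancy is required."""
    for sku in SKU_ORDER:
        if not blocking_reasons(sku, req):
            return sku + "AZ" if "zone_redundant" in req.features else sku
    return None   # even VpnGw5 cannot carry this design


# Constructed multi-site design: headquarters plus two branches and 300 P2S users.
EXAMPLE = Requirements(
    sites=[Site("hq", 600), Site("branch-a", 100, "AES256&SHA256"), Site("branch-b", 100, "AES256&SHA256")],
    p2s_connections=300,
    features={"bgp", "zone_redundant"},
)

if __name__ == "__main__":
    for sku in SKU_ORDER:
        print(sku, blocking_reasons(sku, EXAMPLE) or "fits")
    print("chosen:", choose_sku(EXAMPLE))
```

For the constructed design the answer is VpnGw2AZ: Basic and VpnGw1 are eliminated by the P2S connection count, and VpnGw2 is the first SKU whose per-tunnel and aggregate figures cover 600 Mbps to headquarters. The same headquarters tunnel negotiated with DES3 fits no SKU at all, which is the practical reading of the per-tunnel table.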

Azure VPN Gateway SKUs

Azure VPN connectivity requires a VPN Gateway deployed inside a virtual network. The gateway provides encryption, routing, and secure tunnel management.

Common VPN Gateway SKUs include:

VpnGw1
VpnGw2
VpnGw3
VpnGw4
VpnGw5

Each SKU provides increasing levels of performance, tunnel capacity, and throughput.

Example characteristics:

VpnGw1
Up to approximately 650 Mbps throughput

VpnGw2
Up to approximately 1 Gbps throughput

VpnGw3
Up to approximately 1.25 Gbps throughput

VpnGw4 and VpnGw5
Designed for high-performance enterprise connectivity

Generation 2 gateways provide improved performance and scalability compared to older gateway models.

Basic Configuration Steps

Deploying Azure VPN connectivity typically involves the following steps.

Create a virtual network in Azure.

Define address spaces and subnets.

Create a dedicated GatewaySubnet inside the virtual network.

Deploy an Azure VPN Gateway resource.

Configure the connection type, such as P2S or S2S.

Configure the on-premises VPN device (for S2S) or the VPN client configuration (for P2S).

Validate connectivity and routing.

For ExpressRoute, the process includes provisioning a circuit with a connectivity provider and configuring routing through BGP.

Performance Considerations

VPN connections operate over encrypted tunnels using the public internet, which can introduce latency and bandwidth limitations.

ExpressRoute provides significantly higher performance because it uses private circuits and avoids public internet routing.

Performance factors include:

Gateway SKU performance limits
Encryption overhead
Internet latency
Number of concurrent connections

Organizations handling large workloads or high data transfer volumes should consider ExpressRoute.

Security Considerations

Azure VPN connections use strong encryption protocols including IPsec and IKEv2.

Best practices include:

Using strong encryption algorithms
Implementing network segmentation with Azure Network Security Groups
Using Azure Firewall for advanced traffic inspection
Monitoring connections using Azure Monitor

Organizations should also integrate VPN access with Microsoft Entra ID authentication when possible.
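The "strong encryption algorithms" item is concrete once a custom IPsec/IKE policy (available on the non-Basic SKUs in the feature table) is written down. The checker below is an added example, not code from this article or from Microsoft. The field names and values follow the parameters of the gateway's custom IPsec/IKE policy (ikeEncryption, ikeIntegrity, dhGroup, ipsecEncryption, ipsecIntegrity, pfsGroup); which values count as legacy, and the two sample policies, are this example's own assumptions.

```python
"""Flag weak settings in an Azure VPN custom IPsec/IKE policy.

Added example, not the article's code. Field names and values follow the
gateway's custom policy parameters; the legacy classification below is this
example's own assessment.
"""
from typing import Dict, List

# Values to reject: DES/3DES and MD5/SHA1 are legacy algorithms, DH groups 1
# and 2 are 768/1024-bit, and "None" disables the DH exchange, PFS or
# encryption outright.
LEGACY = {
    "ikeEncryption": {"DES", "DES3"},
    "ikeIntegrity": {"MD5", "SHA1"},
    "dhGroup": {"DHGroup1", "DHGroup2", "None"},
    "ipsecEncryption": {"DES", "DES3", "None"},
    "ipsecIntegrity": {"MD5", "SHA1"},
    "pfsGroup": {"None", "PFS1", "PFS2"},
}


def assess_policy(policy: Dict[str, str]) -> List[str]:
    """Return findings for a policy dict; an empty list means no issue was found."""
    findings = []
    for name, bad_values in LEGACY.items():
        value = policy.get(name)
        if value is None:
            findings.append(f"{name}: not set")
        elif value in bad_values:
            findings.append(f"{name}: {value} is a legacy or disabled setting")
    enc = policy.get("ipsecEncryption", "")
    integ = policy.get("ipsecIntegrity", "")
    # Azure requires the same GCMAES algorithm for IPsec encryption and integrity.
    if enc.startswith("GCMAES") and integ != enc:
        findings.append(f"ipsecIntegrity must be {enc} when ipsecEncryption is {enc}")
    if enc == "DES3":
        # Besides being legacy, DES3 has the lowest per-tunnel throughput in the SKU table.
        findings.append("ipsecEncryption: DES3 also caps the tunnel at the lowest throughput tier")
    return findings


# Constructed sample policies: one hardened, one with several legacy choices.
HARDENED = {
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "PFS2048",
}
WEAK = {
    "ikeEncryption": "DES3", "ikeIntegrity": "SHA1", "dhGroup": "DHGroup2",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "SHA256", "pfsGroup": "None",
}

if __name__ == "__main__":
    for label, policy in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, assess_policy(policy) or ["ok"])
```

Run against the weak sample it reports five findings: the three legacy IKE choices, the disabled PFS group, and the GCMAES integrity mismatch that the gateway would reject anyway. The hardened sample, which pairs GCMAES256 for both IPsec encryption and integrity with DH group 14, produces none.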

Best Practices for Azure Connectivity

When designing Azure hybrid connectivity architectures, organizations should follow several best practices.

Use hub-and-spoke network architectures for scalable network design.

Deploy redundant VPN gateways for high availability.

Use ExpressRoute for mission-critical workloads that require consistent network performance.

Implement monitoring and logging to track connection health.

Plan IP addressing carefully to avoid overlapping address spaces between on-premises networks and Azure.

Test failover scenarios to ensure connectivity during outages.
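The configuration steps above (address spaces, a dedicated GatewaySubnet, the on-premises side of each connection) and the advice to avoid overlapping address spaces can all be checked before anything is deployed. The script below is an added example, not code from this article or from Microsoft: it validates a planned VNet, its GatewaySubnet and the prefixes of each on-premises site, including the Multi-Site case where every site shares one gateway. The /27 floor is Microsoft's documented GatewaySubnet sizing recommendation; the plan dictionaries, site names and function names are constructed for the example.

```python
"""Validate a hybrid addressing plan before deploying an Azure VPN gateway.

Added example, not the article's code. It checks the prerequisites of the
configuration steps: a correctly named and sized GatewaySubnet inside the
VNet, non-overlapping subnets, and on-premises prefixes that overlap neither
the VNet nor each other. The plans at the bottom are constructed samples.
"""
import ipaddress
from typing import Dict, List

GATEWAY_SUBNET_NAME = "GatewaySubnet"   # the gateway resource looks the subnet up by this exact name
MIN_GATEWAY_PREFIX = 27                 # /27 or larger is the documented sizing recommendation


def validate_plan(vnet_prefixes: List[str], subnets: Dict[str, str],
                  sites: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.10.0.5/24
        vnet = [ipaddress.ip_network(p, strict=True) for p in vnet_prefixes]
        subnet_nets = {n: ipaddress.ip_network(p, strict=True) for n, p in subnets.items()}
        site_nets = {s: [ipaddress.ip_network(p, strict=True) for p in ps] for s, ps in sites.items()}
    except ValueError as exc:
        return [f"invalid prefix: {exc}"]

    findings = []
    gw = subnet_nets.get(GATEWAY_SUBNET_NAME)
    if gw is None:
        findings.append(f"no subnet named exactly {GATEWAY_SUBNET_NAME!r}")
    else:
        if not any(v.version == gw.version and gw.subnet_of(v) for v in vnet):
            findings.append(f"{GATEWAY_SUBNET_NAME} {gw} lies outside the VNet address space")
        if gw.prefixlen > MIN_GATEWAY_PREFIX:
            findings.append(f"{GATEWAY_SUBNET_NAME} {gw} is smaller than /{MIN_GATEWAY_PREFIX}")

    # Subnets inside the VNet must be disjoint.
    names = list(subnet_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnet_nets[a].overlaps(subnet_nets[b]):
                findings.append(f"subnets {a} and {b} overlap")

    # A site prefix that overlaps the VNet is routed locally on both sides and never crosses the tunnel.
    for site, nets in site_nets.items():
        for n in nets:
            for v in vnet:
                if n.overlaps(v):
                    findings.append(f"site {site}: {n} overlaps VNet space {v}")

    # Multi-Site: every site shares the one gateway, so site prefixes must be disjoint as well.
    site_names = list(site_nets)
    for i, a in enumerate(site_names):
        for b in site_names[i + 1:]:
            for na in site_nets[a]:
                for nb in site_nets[b]:
                    if na.overlaps(nb):
                        findings.append(f"sites {a} and {b}: {na} overlaps {nb}")
    return findings


# Constructed plans: a consistent one and one with three typical mistakes.
GOOD_PLAN = dict(
    vnet_prefixes=["10.10.0.0/16"],
    subnets={"GatewaySubnet": "10.10.255.0/27", "app": "10.10.1.0/24"},
    sites={"hq": ["192.168.0.0/16"], "branch-a": ["172.16.10.0/24"]},
)
BAD_PLAN = dict(
    vnet_prefixes=["10.10.0.0/16"],
    subnets={"GatewaySubnet": "10.10.255.0/28", "app": "10.10.1.0/24"},
    sites={"hq": ["192.168.0.0/16"], "branch-a": ["10.10.5.0/24"], "dr": ["192.168.10.0/24"]},
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(**plan) or ["ok"])
```

The bad plan yields three findings: an undersized GatewaySubnet, a branch whose prefix sits inside the VNet, and two sites whose prefixes overlap each other. The last case matters specifically for Multi-Site VPN, where the gateway must route to both sites; overlapping sites need NAT on the gateway, which the feature table shows Basic does not support.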

Conclusion

Azure provides flexible connectivity options that allow organizations to securely connect on-premises networks, branch offices, and remote users to Azure virtual networks. Point-to-Site VPN supports individual remote users, while Site-to-Site and Multi-Site VPN enable hybrid network architectures connecting entire corporate networks.

For organizations requiring the highest levels of performance and reliability, ExpressRoute provides dedicated private connectivity to Azure.

Selecting the right connectivity model depends on organizational size, performance requirements, security needs, and network architecture. By understanding the differences between these connectivity options, organizations can design resilient hybrid cloud environments that support modern enterprise workloads.

If you would like to explore this topic in greater depth, see my book Microsoft Entra ID Azure Compute and Networking Best Practices, where the subject is covered in much greater detail. The guide expands on the concepts discussed in this article with deeper architectural explanations, service capabilities, and step-by-step implementation using Azure Portal, Azure CLI, Terraform, and Bicep. It also includes real-world deployment, configuration, and troubleshooting scenarios designed for IT professionals, administrators, and cloud architects. All of my books include detailed architectural diagrams and practical deployment examples using PowerShell, Azure CLI, Terraform, and Bicep.