Networking: VPN Gateway and Application Gateway Flashcards
VPN Gateway
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet.
You also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.
The Gateway Subnet
Before creating a virtual network gateway for your virtual network, you first need to create the gateway subnet. The gateway subnet contains the IP addresses that are used by the virtual network gateway.
The gateway subnet must be named GatewaySubnet (exactly that name, or the gateway will not deploy). Microsoft recommends a /27 or larger so there is room for the gateway instances and later feature additions.
VPN Gateway Creation: Gateway Type
VPN or ExpressRoute.
VPN Gateway: Route-based VPNs
use routes in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces.
The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels.
The policy (or traffic selector) for Route-based VPNs is configured as any-to-any (or wild cards).
Policy-based VPNs.
encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises network and the Azure VNet.
The policy (or traffic selector) is defined as an access list in the VPN device configuration. When using a Policy-based VPN, keep in mind the following limitations:
VPN Gateway: SKU and Generation
Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.
Be sure to always consult the documentation for the latest information.
Local Network Gateway
Typically refers to the on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address or FQDN of the on-premises VPN device for the connection.
You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device.
The address prefixes you specify are the prefixes located in the on-premises network.
VPN Gateway : Availability Scenarios (Active/Standby)
Every Azure VPN gateway consists of two instances in an active-standby configuration.
For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections.
The switchover causes a brief interruption:
10 to 15 seconds - planned maintenance
1 minute to 1.5 minutes - unplanned issues
For P2S VPN client connections to the gateway, the P2S connections are dropped during the switchover and users need to reconnect from their client machines.
VPN Gateway: Availability Scheme Active/Active
You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device.
In this configuration, each Azure gateway instance has its own public IP address and establishes its own IPsec/IKE S2S VPN tunnel to the on-premises VPN device, so the device must be configured to accept two tunnels.
When in active-active configuration, traffic from your Azure virtual network to your on-premises network is routed through both tunnels simultaneously.
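The cards above describe the pieces (gateway subnet, gateway type and VPN type, SKU, local network gateway, active-active instances) without showing them assembled. The script below is an added example, not from the flashcards or from Microsoft's documentation, that builds a route-based, active-active S2S gateway with the Azure CLI. All names and addresses in it are assumptions: resource group rg-vpn-demo, VNet vnet-hub (10.1.0.0/16), an on-premises device at 203.0.113.10 advertising 192.168.0.0/16, and a Key Vault kv-vpn-demo holding the pre-shared key as secret s2s-psk. The only part that runs without a subscription is the gateway-subnet check; nothing is deployed unless DEPLOY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not the flashcards' or Microsoft's code): route-based,
# active-active S2S VPN gateway via Azure CLI. Resource names, address ranges,
# the on-prem device IP and the Key Vault are assumed values for illustration.
set -euo pipefail

RG=rg-vpn-demo
LOC=westeurope
VNET=vnet-hub
GW=vgw-hub
LNG=lng-onprem
ONPREM_DEVICE_IP=203.0.113.10      # assumed public IP of the on-prem VPN device
ONPREM_PREFIXES="192.168.0.0/16"   # assumed prefixes that live on-premises (space separated)
KV=kv-vpn-demo                     # assumed Key Vault holding secret "s2s-psk"

# The gateway subnet MUST be named GatewaySubnet; /27 or larger is recommended.
# Purely local check (no Azure call) so a typo fails before anything is deployed.
gateway_subnet_ok() {
  local name=$1 cidr=$2
  local bits=${cidr##*/}
  [ "$name" = "GatewaySubnet" ] || return 1
  case $bits in ''|*[!0-9]*) return 1 ;; esac   # missing "/N" or non-numeric length
  [ "$bits" -le 27 ]                             # /27, /26, ... pass; /28 and smaller fail
}

deploy_vpn_gateway() {
  local subnet_name=GatewaySubnet subnet_cidr=10.1.255.0/27
  gateway_subnet_ok "$subnet_name" "$subnet_cidr" || { echo "bad gateway subnet" >&2; return 1; }

  az group create -n "$RG" -l "$LOC" -o none
  az network vnet create -g "$RG" -n "$VNET" --address-prefix 10.1.0.0/16 \
    --subnet-name workload --subnet-prefix 10.1.0.0/24 -o none
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
    -n "$subnet_name" --address-prefix "$subnet_cidr" -o none

  # Two Standard static public IPs: one per gateway instance (active-active).
  for i in 1 2; do
    az network public-ip create -g "$RG" -n "pip-$GW-$i" \
      --sku Standard --allocation-method Static -o none
  done

  # Gateway type Vpn, route-based (any-to-any traffic selectors), VpnGw2 Gen2.
  # Passing two public IPs makes the gateway active-active. This call blocks
  # for the 30-45 minutes gateway creation takes.
  az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 \
    --vpn-gateway-generation Generation2 \
    --public-ip-addresses "pip-$GW-1" "pip-$GW-2" -o none

  # Local network gateway = the on-prem site: device address plus on-prem prefixes.
  # shellcheck disable=SC2086  (ONPREM_PREFIXES is deliberately word-split)
  az network local-gateway create -g "$RG" -n "$LNG" \
    --gateway-ip-address "$ONPREM_DEVICE_IP" --local-address-prefixes $ONPREM_PREFIXES -o none

  # Pre-shared key pulled from Key Vault instead of being typed into the script.
  local psk
  psk=$(az keyvault secret show --vault-name "$KV" -n s2s-psk --query value -o tsv)
  az network vpn-connection create -g "$RG" -n "conn-$LNG" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$psk" -o none

  # Pin the IKE/IPsec proposal rather than accepting whatever the peer negotiates.
  az network vpn-connection ipsec-policy add -g "$RG" --connection-name "conn-$LNG" \
    --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 \
    --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-max-size 102400000 -o none

  az network vpn-connection show -g "$RG" -n "conn-$LNG" --query connectionStatus -o tsv
}

# Nothing touches Azure unless DEPLOY=1; by default only the local check is defined.
if [ "${DEPLOY:-0}" = 1 ]; then deploy_vpn_gateway; fi
```

Run with `DEPLOY=1 ./s2s.sh` after `az login`. The on-premises device must be configured with two tunnels, one to each gateway public IP, and with the same pinned IKE/IPsec proposal, otherwise the connection stays in a Connecting state. The shared key still appears in the process arguments of the `az` call for its lifetime; if that matters in your environment, create the connection from a pipeline agent rather than an interactive shell.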
Application Gateway: Path-based routing
Path-based routing sends requests with different URL paths to different pools of back-end servers.
For example
direct requests with the path /video/* to a back-end pool containing servers that are optimized to handle video streaming
direct /images/* requests to a pool of servers that handle image retrieval.
Application Gateway: Multiple Site Routing
Multiple site routing configures more than one web application on the same application gateway instance.
In a multi-site configuration, you point each site's DNS name at the Application Gateway (for example with CNAME records to the gateway's own DNS name) and configure a listener with the host name of each site.
Application Gateway uses separate listeners to wait for requests for each site.
Each listener passes the request to a different rule, which can route the requests to servers in a different back-end pool.
For example,
direct all requests for http://contoso.com to servers in one back-end pool
requests for http://fabrikam.com to another back-end pool.
Application Gateway Components: Front-end IP Address
Client requests are received through a front-end IP address.
You can configure Application Gateway to have a public IP address, a private IP address, or both.
Application Gateway can’t have more than one public and one private IP address.
Application Gateway: Listeners
Application Gateway uses one or more listeners to receive incoming requests.
A listener accepts traffic arriving on a specified combination of protocol, port, host, and IP address.
Each listener routes requests to a back-end pool of servers following routing rules that you specify.
Listeners also handle TLS/SSL certificates for securing your application between the user and Application Gateway.
Application Gateway: Routing rules
A routing rule binds a listener to the back-end pools.
A rule specifies how to interpret the hostname and path elements in the URL of a request, and then direct the request to the appropriate back-end pool.
A routing rule also has an associated set of HTTP settings.
These HTTP settings indicate whether (and how) traffic is encrypted between Application Gateway and the back-end servers.
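The Application Gateway cards list the components (front-end IP, listeners, rules, HTTP settings) and the two routing styles (path-based, multi-site) separately. The script below is an added example, not from the flashcards or from Microsoft's documentation, that wires them together with the Azure CLI: two multi-site HTTPS listeners (contoso.com and fabrikam.com), a path-based rule that splits /video/* and /images/* to their own pools, HTTP settings that re-encrypt to the back ends, and a pinned TLS policy. Resource names, the 10.2.x.x addresses, the host names and the Key Vault certificate secrets are assumptions. The `route_request` function is a local model of how the deployed listeners, rules and path map would classify a request; it makes no Azure call, and the deployment only runs when DEPLOY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not the flashcards' or Microsoft's code): Application Gateway v2
# with multi-site listeners, path-based routing and end-to-end TLS via Azure CLI.
# Names, addresses, host names and Key Vault secret URIs are assumed values.
set -euo pipefail

RG=rg-agw-demo; LOC=westeurope; VNET=vnet-web; AGW=agw-web
KV=kv-agw-demo                 # assumed Key Vault; certs stored as secrets contoso-tls / fabrikam-tls
AGW_IDENTITY=id-agw-web        # assumed user-assigned identity with "get" on those secrets

# Local model of the routing decision: listener (host) -> rule -> path map -> pool.
# Mirrors the configuration deployed below. Simplified assumptions: path rules are
# tried in listed order with first prefix match winning, unmatched paths go to the
# map's default pool, and a host with no listener gets no pool at all.
route_request() {
  local host=$1 path=$2
  case $host in
    contoso.com)
      case $path in
        /video/*)  echo pool-contoso-video ;;
        /images/*) echo pool-contoso-images ;;
        *)         echo pool-contoso-web ;;
      esac ;;
    fabrikam.com) echo pool-fabrikam-web ;;
    *)            echo none ;;
  esac
}

deploy_app_gateway() {
  az group create -n "$RG" -l "$LOC" -o none
  az network vnet create -g "$RG" -n "$VNET" --address-prefix 10.2.0.0/16 \
    --subnet-name snet-agw --subnet-prefix 10.2.0.0/24 -o none
  az network public-ip create -g "$RG" -n "pip-$AGW" --sku Standard --allocation-method Static -o none

  # Front-end: one public IP. The create call also makes a default port-80 listener/rule.
  az network application-gateway create -g "$RG" -n "$AGW" -l "$LOC" --sku Standard_v2 --capacity 2 \
    --vnet-name "$VNET" --subnet snet-agw --public-ip-address "pip-$AGW" --priority 1000 -o none
  az network application-gateway identity assign -g "$RG" --gateway-name "$AGW" --identity "$AGW_IDENTITY" -o none

  # Minimum TLS 1.2 with a strict predefined cipher set for the client-facing side.
  az network application-gateway ssl-policy set -g "$RG" --gateway-name "$AGW" \
    --policy-type Predefined --policy-name AppGwSslPolicy20220101S -o none

  # One shared 443 front-end port; one listener per site, each with its own cert
  # referenced by versionless Key Vault secret ID so rotation needs no redeploy.
  az network application-gateway frontend-port create -g "$RG" --gateway-name "$AGW" -n port-443 --port 443 -o none
  for site in contoso fabrikam; do
    az network application-gateway ssl-cert create -g "$RG" --gateway-name "$AGW" -n "cert-$site" \
      --key-vault-secret-id "https://$KV.vault.azure.net/secrets/$site-tls" -o none
    az network application-gateway http-listener create -g "$RG" --gateway-name "$AGW" -n "lsn-$site" \
      --frontend-port port-443 --host-name "$site.com" --ssl-cert "cert-$site" -o none
  done

  # Back-end pools (assumed private IPs).
  az network application-gateway address-pool create -g "$RG" --gateway-name "$AGW" -n pool-contoso-web    --servers 10.2.1.4 10.2.1.5 -o none
  az network application-gateway address-pool create -g "$RG" --gateway-name "$AGW" -n pool-contoso-video  --servers 10.2.1.10 10.2.1.11 -o none
  az network application-gateway address-pool create -g "$RG" --gateway-name "$AGW" -n pool-contoso-images --servers 10.2.1.20 -o none
  az network application-gateway address-pool create -g "$RG" --gateway-name "$AGW" -n pool-fabrikam-web   --servers 10.2.2.4 -o none

  # HTTP settings: re-encrypt to the back ends (end-to-end TLS), SNI taken from the
  # pool member name. Back-end certs assumed public-CA issued; a private CA would
  # need a trusted root cert attached here.
  az network application-gateway http-settings create -g "$RG" --gateway-name "$AGW" -n hs-https \
    --port 443 --protocol Https --host-name-from-backend-pool true --timeout 30 -o none

  # Path map for contoso.com: /video/* and /images/* split out, everything else to the web pool.
  az network application-gateway url-path-map create -g "$RG" --gateway-name "$AGW" -n map-contoso \
    --rule-name video --paths '/video/*' --address-pool pool-contoso-video --http-settings hs-https \
    --default-address-pool pool-contoso-web --default-http-settings hs-https -o none
  az network application-gateway url-path-map rule create -g "$RG" --gateway-name "$AGW" --path-map-name map-contoso \
    -n images --paths '/images/*' --address-pool pool-contoso-images --http-settings hs-https -o none

  # Rules bind each listener to its routing: path-based for contoso, basic for fabrikam.
  az network application-gateway rule create -g "$RG" --gateway-name "$AGW" -n rule-contoso --priority 100 \
    --http-listener lsn-contoso --rule-type PathBasedRouting --url-path-map map-contoso -o none
  az network application-gateway rule create -g "$RG" --gateway-name "$AGW" -n rule-fabrikam --priority 200 \
    --http-listener lsn-fabrikam --rule-type Basic --address-pool pool-fabrikam-web --http-settings hs-https -o none
}

if [ "${DEPLOY:-0}" = 1 ]; then deploy_app_gateway; fi
```

Run with `DEPLOY=1 ./agw.sh` after `az login`. The default port-80 listener and rule that `application-gateway create` adds are left in place here; in production replace them with a redirect to the HTTPS listeners or delete them, and add health probes per pool. A request for a host that has no listener (the `none` case in `route_request`) falls through to the basic port-80 listener only on port 80; on 443 there is nothing to serve it, which is the intended behaviour for unrecognised hosts.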