AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation
  • IP Addressing: Public, Private & Prefixes
  • Name Resolution: Azure DNS
  • Routing: UDRs, Route Server & NAT Gateway
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

Domain 2: Connectivity Services (⏱ ~14 min read)

Site-to-Site VPN: Connecting On-Premises

Build secure IPsec tunnels between Azure and on-premises with VPN Gateway: SKU selection, policy vs route-based, custom IKE policies, and high-availability designs.

A Site-to-Site (S2S) VPN creates an encrypted tunnel between your Azure VNet and on-premises network over the public internet. It’s the most common hybrid connectivity starting point.

☕ Simple explanation

A site-to-site VPN is a secure tunnel between your office and Azure, like an underground passage connecting two buildings. Your on-premises network has a VPN device. Azure has a VPN Gateway. The two authenticate each other with a pre-shared key, agree on encryption algorithms, derive fresh session keys, and then carry your traffic inside an encrypted tunnel over the public internet.

Azure Site-to-Site VPN creates an IPsec/IKE encrypted tunnel between an on-premises VPN device and an Azure Virtual Network Gateway. Components: Virtual Network Gateway (in GatewaySubnet), Local Network Gateway (represents on-prem), and Connection (links them with shared key and IPsec/IKE parameters).

Three Components of S2S VPN

πŸͺ Sam’s scenario: Harbour Retail’s head office in Auckland needs to connect to Azure for accessing VMs and databases. He needs three things:

On-Premises       ←── IPsec Tunnel ──→         Azure
[VPN Device]                               [VPN Gateway]
                                           in GatewaySubnet
        ↑                                       ↑
  Local Network                          Virtual Network
  Gateway (LNG)                            Gateway (VNG)
  (tells Azure your                     (deployed by Azure
   on-prem IP + ranges)                  in your VNet)
  1. Virtual Network Gateway (VNG): Azure-managed gateway deployed in a subnet that must be named exactly GatewaySubnet (/27 or larger is recommended). Provisioning can take up to 45 minutes.
  2. Local Network Gateway (LNG): A logical resource representing your on-premises VPN device. It holds the device’s public IP (or FQDN) and the on-prem address ranges; when BGP is used, only the device’s BGP peer address is needed because the rest of the routes arrive over BGP.
  3. Connection: Links the VNG to the LNG with a shared key (pre-shared key for IKEv2; certificate-based authentication for S2S is a newer option). Custom IPsec/IKE parameters, BGP and traffic-selector settings are configured on the connection, not on the gateway.
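The three resources above as an added Azure PowerShell example (this is not code from the study guide). Resource names, address spaces, the region and the on-premises public IP are assumptions, the Key Vault name is hypothetical, and the cmdlets are the ones the Az module ships.

```powershell
# Added example, not from the study guide. Requires the Az module and an authenticated
# session (Connect-AzAccount). All names and addresses below are assumptions.
$rg             = 'rg-harbour-hybrid'
$location       = 'australiaeast'
$onPremPublicIp = '203.0.113.10'      # RFC 5737 documentation address standing in for the office firewall
$onPremPrefixes = @('10.10.0.0/16')   # address ranges reachable behind the on-prem VPN device

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# VNet with the dedicated GatewaySubnet (/27 leaves room for ExpressRoute coexistence later).
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.20.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.20.0.0/16' -Subnet $gwSubnet

# Standard-SKU static public IP, required by the AZ gateway SKUs. Without -Zone it is
# zone-redundant in regions that have availability zones.
$pip = New-AzPublicIpAddress -Name 'pip-vng-hub' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'vng-ipconfig' `
    -SubnetId (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id `
    -PublicIpAddressId $pip.Id

# 1. Virtual Network Gateway: route-based, zone-redundant. Can take up to 45 minutes.
$vng = New-AzVirtualNetworkGateway -Name 'vng-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ

# 2. Local Network Gateway: the on-prem device's public IP and the prefixes behind it.
$lng = New-AzLocalNetworkGateway -Name 'lng-auckland-office' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefixes

# 3. Connection. Generate the pre-shared key from a CSPRNG instead of typing one, keep it in
# Key Vault (vault name is hypothetical) and hand it to the on-prem admin out of band.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })   # 64 printable ASCII hex characters
Set-AzKeyVaultSecret -VaultName 'kv-harbour-net' -Name 'psk-auckland-s2s' `
    -SecretValue (ConvertTo-SecureString $psk -AsPlainText -Force) | Out-Null

$conn = New-AzVirtualNetworkGatewayConnection -Name 'cn-auckland-s2s' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# The tunnel only comes up once the on-prem device is configured with matching parameters.
# Poll until the status is 'Connected' (other values: Unknown, Connecting, NotConnected).
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-auckland-s2s' -ResourceGroupName $rg).ConnectionStatus
```

The only secret in the whole deployment is the PSK, so it is the one value that should never appear in a script or ticket; generating it in the session and writing it straight to Key Vault keeps it out of shell history and source control.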

VPN Gateway SKUs

VPN Gateway SKU Comparison

SKU         Throughput   S2S Tunnels   P2S Connections   BGP   Zone-Redundant
VpnGw1      650 Mbps     30            250               Yes   No
VpnGw1AZ    650 Mbps     30            250               Yes   Yes
VpnGw2      1 Gbps       30            500               Yes   No
VpnGw2AZ    1 Gbps       30            500               Yes   Yes
VpnGw3      1.25 Gbps    30            1000              Yes   No
VpnGw3AZ    1.25 Gbps    30            1000              Yes   Yes
VpnGw4      5 Gbps       100           5000              Yes   No
VpnGw4AZ    5 Gbps       100           5000              Yes   Yes
VpnGw5      10 Gbps      100           10000             Yes   No
VpnGw5AZ    10 Gbps      100           10000             Yes   Yes

Throughput is the aggregate across all tunnels on the gateway, not a per-tunnel figure. The P2S counts are for IKEv2/OpenVPN clients; SSTP is capped at 128 connections on every SKU.

Exam Tip (choosing the SKU): The exam often presents a throughput requirement and asks which SKU to choose. Remember: VpnGw1/2/3 support 30 S2S tunnels, while VpnGw4/5 support 100. AZ variants are zone-redundant and are the right choice for production. The Basic SKU (legacy) is not shown above: it doesn’t support BGP, active-active, or custom IPsec/IKE policies, it is the only SKU that can be policy-based, and it cannot be resized in place to a VpnGw SKU (you delete and recreate the gateway), so it should never be used for new deployments.

Policy-Based vs Route-Based

Policy-Based vs Route-Based VPN

Feature                         Policy-Based                       Route-Based
IKE version                     IKEv1 only                         IKEv2 (IKEv1 also accepted for legacy devices)
Tunnel count                    1 tunnel only                      Up to 30 or 100 (SKU dependent)
P2S support                     No                                 Yes
BGP support                     No                                 Yes
Active-active                   No                                 Yes
Coexistence with ExpressRoute   No                                 Yes
Custom IPsec/IKE policy         No                                 Yes
Traffic selectors               Defined by policy (ACLs)           Any-to-any (virtual tunnel interface)
Gateway SKU                     Basic only                         VpnGw1-5 and AZ variants
Use case                        Legacy devices that require it     Everything else; this is the default

Exam Tip: Route-based VPN is the correct choice for almost every deployment. The only reason to deploy a policy-based gateway is an on-premises device that cannot do route-based IPsec (very rare with modern equipment), and even then a route-based gateway with a custom IPsec/IKE policy and policy-based traffic selectors enabled on the connection can usually talk to that device. If the exam doesn’t specifically mention a legacy device requirement, choose route-based.

Custom IPsec/IKE Policies

🔒 Aisha’s scenario: Sentinel Banking’s compliance team requires specific encryption algorithms. Azure’s default proposal set still allows negotiation to fall back to weaker options such as DHGroup2 and SHA1, so she pins a single proposal with a custom IPsec/IKE policy on the connection:

Phase 1 (IKE SA) parameters:

Parameter     Options
Encryption    AES256, AES192, AES128, DES3
Integrity     SHA384, SHA256, SHA1, MD5
DH Group      DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2
SA Lifetime   Fixed at 28,800 seconds (8 hours) on Azure VPN Gateway; not configurable

Phase 2 (IPsec SA) parameters:

Parameter     Options
Encryption    GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128
Integrity     GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1
PFS Group     PFS24, ECP384, ECP256, PFS2048, PFS14, PFS2, None
SA Lifetime   Minimum 300 seconds, default 27,000 seconds (7.5 hours); a data lifetime also applies (minimum 1,024 KB, default 102,400,000 KB)

Aisha configures AES256 encryption, SHA256 integrity, DHGroup14 and PFS2048 to meet her banking compliance requirements (PFS2048 is the same 2048-bit MODP group as DHGroup14, so both phases use Group 14). A custom policy replaces Azure’s default list with that single proposal, so both sides (Azure and the on-prem VPN device) must use identical algorithms, groups and lifetimes or IKE negotiation simply fails. Two further caveats: if a GCM algorithm is chosen for Phase 2, the same GCMAES value must be set for both encryption and integrity; and policy-based traffic selectors, needed to talk to a policy-based on-prem device from a route-based gateway, can only be enabled together with a custom policy.
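An added Azure PowerShell example (not code from the study guide) that puts the policy Aisha describes next to a legacy proposal a compliance check should refuse, then applies the compliant one to an existing connection. The baseline, the resource group and the connection name are assumptions; the algorithm names are the Azure values from the tables above.

```powershell
# Added example, not from the study guide. Requires the Az module and Connect-AzAccount.
# Assumed names: resource group 'rg-sentinel-hybrid' and an existing connection 'cn-sentinel-s2s'.

# Values Azure still accepts for compatibility but a current baseline should refuse (assumed baseline).
$belowBaseline = @{
    IkeEncryption   = @('DES3')
    IkeIntegrity    = @('MD5', 'SHA1')
    DhGroup         = @('DHGroup1', 'DHGroup2')   # 768-bit and 1024-bit MODP
    IpsecEncryption = @('DES3')
    IpsecIntegrity  = @('MD5', 'SHA1')
    PfsGroup        = @('None', 'PFS1', 'PFS2')   # None disables perfect forward secrecy
}

function Test-IpsecBaseline {
    # Returns one finding per violated rule; no output means the policy passes.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    foreach ($name in $belowBaseline.Keys) {
        if ($belowBaseline[$name] -contains $Policy.$name) {
            $findings += "$name = $($Policy.$name) is below baseline"
        }
    }
    # Azure requires the same GCMAES value for Phase 2 encryption and integrity when GCM is used.
    $usesGcm = ($Policy.IpsecEncryption -like 'GCMAES*') -or ($Policy.IpsecIntegrity -like 'GCMAES*')
    if ($usesGcm -and $Policy.IpsecEncryption -ne $Policy.IpsecIntegrity) {
        $findings += 'GCMAES must be the same value for IpsecEncryption and IpsecIntegrity'
    }
    return $findings
}

# The kind of proposal an old device still asks for: SHA-1 in both phases, 1024-bit DH, no PFS.
$legacy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000
Test-IpsecBaseline -Policy $legacy   # four findings: IkeIntegrity, DhGroup, IpsecIntegrity, PfsGroup

# Aisha's policy: AES-256, SHA-256 and Group 14 in both phases (PFS2048 == DHGroup14, 2048-bit MODP).
# The lifetimes are optional; 3600 s forces a Phase 2 rekey every hour.
$compliant = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

$findings = Test-IpsecBaseline -Policy $compliant
if ($findings) { $findings | Write-Warning; throw 'Policy rejected by baseline' }

# Apply to the existing connection. Azure now offers only this proposal, so the on-prem device
# must be configured with exactly these values or IKE negotiation fails.
$conn = Get-AzVirtualNetworkGatewayConnection -Name 'cn-sentinel-s2s' -ResourceGroupName 'rg-sentinel-hybrid'
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $compliant | Out-Null

# Read back what is actually stored on the connection before sending parameters to the on-prem team.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-sentinel-s2s' -ResourceGroupName 'rg-sentinel-hybrid').IpsecPolicies
```

Running the check before `Set-AzVirtualNetworkGatewayConnection` matters because Azure will happily accept DES3, MD5 or PFS None in a custom policy; the platform enforces only that the values are valid, not that they are strong.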

High-Availability Designs

Active-Standby (default): Every VPN Gateway deploys as two instances. One is active, one is standby. Failover happens automatically; connectivity is restored within 10-15 seconds for planned maintenance and within about 1-3 minutes in the worst case for unplanned failures. The on-prem device sees its tunnel drop and re-establish, so IPsec SAs and any BGP session are renegotiated during that window.

Active-Active: Both gateway instances are active simultaneously, each with its own public IP. You create tunnels from your on-premises device to both IPs. Benefits:

  • Load balancing across both tunnels
  • Faster failover (seconds instead of a minute, because the surviving tunnel is already up)
  • Better aggregate throughput (both tunnels carry traffic)

Caveat: to actually use both tunnels, the on-prem side needs BGP (or a device that can load-share across two IPsec tunnels to the same peer); without it traffic flows over one tunnel and the second only acts as a standby.

Dual-Redundancy (4 tunnels): For maximum availability, combine active-active Azure gateway with two on-premises VPN devices:

On-Prem Device 1 ──→ Azure GW Instance 1
On-Prem Device 1 ──→ Azure GW Instance 2
On-Prem Device 2 ──→ Azure GW Instance 1
On-Prem Device 2 ──→ Azure GW Instance 2

This gives you 4 IPsec tunnels with no single point of failure on either side. On the Azure side the design is modelled as one active-active gateway, two Local Network Gateways (one per on-prem device) and two Connections; each of Azure’s two instances brings up a tunnel to each on-prem device, which is where the four tunnels come from. Run BGP on every tunnel so both sides reconverge automatically when one tunnel drops.
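The dual-redundancy topology as an added Azure PowerShell example (not code from the study guide), with BGP on every tunnel. It assumes a VNet named vnet-hub with a GatewaySubnet already exists in the resource group rg-harbour-hybrid; the on-premises public IPs, ASN and BGP peer addresses are invented for illustration.

```powershell
# Added example, not from the study guide. Requires the Az module and Connect-AzAccount.
# Assumed: VNet 'vnet-hub' with a GatewaySubnet already exists in the resource group below.
$rg       = 'rg-harbour-hybrid'
$location = 'australiaeast'
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id

# Active-active needs one Standard public IP per gateway instance, hence two IP configurations.
$ipConfigs = foreach ($i in 1, 2) {
    $pip = New-AzPublicIpAddress -Name "pip-vng-hub-aa-$i" -ResourceGroupName $rg -Location $location `
        -AllocationMethod Static -Sku Standard
    New-AzVirtualNetworkGatewayIpConfig -Name "vng-ipconfig-$i" -SubnetId $subnetId -PublicIpAddressId $pip.Id
}

# Route-based, zone-redundant, active-active, with Azure's BGP ASN (65515 is Azure's default private ASN).
$vng = New-AzVirtualNetworkGateway -Name 'vng-hub-aa' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfigs -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2AZ `
    -EnableActiveActiveFeature -Asn 65515

# One Local Network Gateway per on-prem device (RFC 5737 addresses stand in for real ones).
# With BGP the LNG only needs the device's BGP peer address as a /32; the routes arrive over BGP.
$devices = @(
    @{ Name = 'lng-akl-fw1'; PublicIp = '203.0.113.10'; Asn = 65010; BgpPeer = '10.10.255.1' },
    @{ Name = 'lng-akl-fw2'; PublicIp = '203.0.113.11'; Asn = 65010; BgpPeer = '10.10.255.2' }
)
$lngs = foreach ($d in $devices) {
    New-AzLocalNetworkGateway -Name $d.Name -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $d.PublicIp -AddressPrefix "$($d.BgpPeer)/32" `
        -Asn $d.Asn -BgpPeeringAddress $d.BgpPeer
}

# Two Connection resources, one per on-prem device; each Azure instance then builds a tunnel to
# each device, giving four tunnels. A separate random PSK per device, to be stored in a secret
# store (omitted here) and passed to the on-prem team out of band.
$conns = foreach ($lng in $lngs) {
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })
    New-AzVirtualNetworkGatewayConnection -Name "cn-$($lng.Name)" -ResourceGroupName $rg -Location $location `
        -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec `
        -SharedKey $psk -EnableBgp $true
}
"Connections created: $($conns.Name -join ', ')"

# What the on-prem team needs: both Azure public IPs and both Azure BGP peer addresses.
$azureIps = foreach ($i in 1, 2) { (Get-AzPublicIpAddress -Name "pip-vng-hub-aa-$i" -ResourceGroupName $rg).IpAddress }
"Azure tunnel endpoints: $($azureIps -join ', ')"
"Azure BGP peers (ASN $($vng.BgpSettings.Asn)): $($vng.BgpSettings.BgpPeeringAddress)"

# Once the devices are configured, four BGP sessions in state 'Connected' means all four tunnels are up.
Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName 'vng-hub-aa' -ResourceGroupName $rg |
    Format-Table LocalAddress, Neighbor, Asn, State, RoutesReceived
```

The BGP peer status output is the quickest health check for this design: two local addresses (one per Azure instance) times two neighbours should give four rows, and a single row in any state other than Connected tells you exactly which instance-to-device tunnel is down.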

ℹ️ Azure Extended Network

Azure Extended Network is a niche feature that lets you stretch a Layer 2 subnet from on-premises into Azure. VMs keep their on-premises IP addresses after migration.

When it’s used: During migration, when you can’t change VM IPs (applications with hard-coded IPs, licensing tied to IPs, complex interdependencies).

Requirements:

  • VPN or ExpressRoute connection between the two sites
  • Two virtual appliance VMs running Windows Server 2019 or later, one on-premises and one in Azure, which carry the stretched subnet inside a VXLAN tunnel over that connection
  • Azure Extended Network extension for Windows Admin Center

Limitations: Not for permanent use; it’s a migration bridge. There is performance overhead from the L2 encapsulation, and the two appliances become a bandwidth and availability bottleneck for everything on the stretched subnet. Rarely tested on the exam but good to know it exists.

Key Takeaways

  • S2S VPN needs three components: VNG, LNG, and Connection
  • Route-based VPN is the default: supports BGP, P2S, active-active, multiple tunnels
  • Choose SKU based on throughput needs; AZ variants for zone redundancy
  • Custom IPsec/IKE policies must match on both sides
  • Active-active with dual on-prem devices gives maximum availability (4 tunnels)

Test Your Knowledge

Question

What are the three components needed for a Site-to-Site VPN?

Answer

1. Virtual Network Gateway (VNG): Azure-side gateway in GatewaySubnet. 2. Local Network Gateway (LNG): represents on-premises (public IP + address ranges). 3. Connection: links VNG to LNG with shared key.

Question

When should you use policy-based instead of route-based VPN?

Answer

Only when your on-premises VPN device requires it (very rare with modern equipment). Route-based is the default and supports BGP, P2S, active-active, multiple tunnels, and ExpressRoute coexistence.

Question

How many S2S tunnels do VpnGw1-3 SKUs support vs VpnGw4-5?

Answer

VpnGw1, 2, 3: up to 30 S2S tunnels. VpnGw4, 5: up to 100 S2S tunnels. AZ variants add zone redundancy but have the same tunnel limits.

Question

What is dual-redundancy in VPN design?

Answer

Combining an active-active Azure VPN Gateway (2 instances) with 2 on-premises VPN devices, creating 4 tunnels total. No single point of failure on either side.


Knowledge Check

Sam needs a VPN Gateway that supports BGP, zone redundancy, and at least 1.25 Gbps throughput. Which SKU should he choose?

Knowledge Check

Aisha configures custom IPsec/IKE policies on her Azure VPN connection. What must be true about the on-premises VPN device?


Next up: Point-to-Site VPN: Remote Access. Connect individual devices to Azure with P2S VPN using certificates, RADIUS, or Entra ID authentication.

Guided

I learn, I simplify, I share.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.