1
00:00:02,140 --> 00:00:05,920
So the Azure VPN gateway can be used for Always On VPN,

2
00:00:05,920 --> 00:00:09,960
but it's not without its kind of drawbacks and limitations.

3
00:00:09,960 --> 00:00:13,990
So first of all, when we're talking about deploying an Azure VPN gateway,

4
00:00:13,990 --> 00:00:16,700
the advantage to using something like that would be,

5
00:00:16,700 --> 00:00:19,380
of course, that it's a fully managed VPN infrastructure.

6
00:00:19,380 --> 00:00:24,740
There's no software to install and configure, no hardware to maintain or manage.

7
00:00:24,740 --> 00:00:27,140
You know, you just basically use it.

8
00:00:27,140 --> 00:00:28,790
It's fantastic in that regard.

9
00:00:28,790 --> 00:00:32,470
It does have some disadvantages in that its support for

10
00:00:32,470 --> 00:00:35,470
Always On VPN specifically is quite limited.

11
00:00:35,470 --> 00:00:37,950
To begin,

12
00:00:37,950 --> 00:00:43,840
the Azure VPN Gateway will support only the device tunnel or the user tunnel.

13
00:00:43,840 --> 00:00:47,000
It will not support both concurrently.

14
00:00:47,000 --> 00:00:49,710
So if you're deploying the Azure VPN Gateway and you're

15
00:00:49,710 --> 00:00:53,100
expecting to use both the device tunnel and the user tunnel,

16
00:00:53,100 --> 00:00:58,040
the VPN Gateway can only be configured for one authentication mode at a time.

17
00:00:58,040 --> 00:01:03,090
And so you can use either device authentication or user authentication, but

18
00:01:03,090 --> 00:01:07,400
you cannot do both, so that means you have to choose whether you're going

19
00:01:07,400 --> 00:01:10,840
to use the device tunnel or the user tunnel.

20
00:01:10,840 --> 00:01:15,800
In addition, the Azure VPN Gateway has limited support for SSTP.

21
00:01:15,800 --> 00:01:20,520
It only supports 128 concurrent connections if you're using the standard

22
00:01:20,520 --> 00:01:23,500
gateway, or if you're using the active-active gateway,

23
00:01:23,500 --> 00:01:25,990
you can double that to 256.

24
00:01:25,990 --> 00:01:28,770
So for a smaller deployment that might work well,

25
00:01:28,770 --> 00:01:33,520
but for most enterprise deployments, that simply isn't enough connections.

26
00:01:33,520 --> 00:01:34,280
And again,

27
00:01:34,280 --> 00:01:38,540
as you've heard me mention throughout this course, SSTP really is

28
00:01:38,540 --> 00:01:42,250
the protocol of choice for user-based connections because of its

29
00:01:42,250 --> 00:01:44,090
obvious firewall friendliness.

30
00:01:44,090 --> 00:01:48,340
So in that case, if you're planning to support the user tunnel,

31
00:01:48,340 --> 00:01:52,290
just know that your upper limit for the number of concurrent connections is going

32
00:01:52,290 --> 00:01:56,420
to be quite limited, and that's regardless of SKU. Also,

33
00:01:56,420 --> 00:02:01,020
there can only be one VPN Gateway per VNet. So some folks have asked,

34
00:02:01,020 --> 00:02:01,520
well, you know,

35
00:02:01,520 --> 00:02:04,820
can I get around this limitation of single-mode

36
00:02:04,820 --> 00:02:07,230
authentication by just deploying two gateways?

37
00:02:07,230 --> 00:02:08,340
You certainly could,

38
00:02:08,340 --> 00:02:10,710
but they would have to be in separate VNets, and then

39
00:02:10,710 --> 00:02:12,240
you would have to peer those VNets.

40
00:02:12,240 --> 00:02:14,920
So maybe technically possible,

41
00:02:14,920 --> 00:02:19,420
but certainly complex and rather challenging. I would

42
00:02:19,420 --> 00:02:21,620
probably avoid that type of scenario.

43
00:02:21,620 --> 00:02:22,570
Also,

44
00:02:22,570 --> 00:02:25,630
the Azure VPN Gateway does not provide support for

45
00:02:25,630 --> 00:02:28,390
force tunneling for VPN clients,

46
00:02:28,390 --> 00:02:31,340
so there is no internet egress allowed for force

47
00:02:31,340 --> 00:02:33,840
tunneling when you're using Always On VPN.

48
00:02:33,840 --> 00:02:36,240
There's no support for geographic redundancy,

49
00:02:36,240 --> 00:02:40,430
so you couldn't have multiple gateways in multiple VNets and

50
00:02:40,430 --> 00:02:43,330
then load balance between them geographically.

51
00:02:43,330 --> 00:02:44,980
That's not supported.

52
00:02:44,980 --> 00:02:47,740
And the reason for that is because we don't have control

53
00:02:47,740 --> 00:02:49,710
over the subject name of the gateway,

54
00:02:49,710 --> 00:02:52,800
so each gateway would have its own subject name, and there would

55
00:02:52,800 --> 00:02:56,620
be no way to use a common name and just use Azure

56
00:02:56,620 --> 00:02:59,820
Traffic Manager to route between them.

57
00:02:59,820 --> 00:03:02,020
So unfortunately, that's not supported either.

58
00:03:02,020 --> 00:03:06,480
And then finally, you must use a route-based gateway. Just keep that in

59
00:03:06,480 --> 00:03:09,480
mind. It doesn't support using a policy-based gateway.

60
00:03:09,480 --> 00:03:11,610
So for all of those reasons,

61
00:03:11,610 --> 00:03:22,000
you'll find that the Azure VPN Gateway is of limited usefulness for an Always On VPN deployment.