About Virtual Network Secure Cross-Premises Connectivity
Updated: March 16, 2015
You can create three types of secure cross-premises connections:
A site-to-site VPN allows you to create a secure connection between your on-premises site and your virtual network. To create a site-to-site connection, a VPN device that is located on your on-premises network is configured to create a secure connection with the Azure Virtual Network Gateway. Once the connection is created, resources on your local network and resources located in your virtual network can communicate directly and securely. Site-to-site connections do not require you to establish a separate connection for each client computer on your local network to access resources in the virtual network.
Use a site-to-site connection when:
You want to create a branch office solution.
You want a connection between your on-premises location and your virtual network that’s available without requiring additional client-side configurations.
Note: You must have an externally facing IPv4 IP address and a VPN device or RRAS to configure a site-to-site VPN connection.
For more information about configuring a site-to-site connection, see Configure a Cross-Premises Site-to-Site connection to an Azure Virtual Network. If you want to create a site-to-site VPN and will be using RRAS, see Configure a Site-to-Site VPN using Windows Server 2012 Routing and Remote Access Service (RRAS). This topic includes additional information that you may find helpful when using the PowerShell configuration script. For more information about VPN device requirements and configurations, see About VPN Devices for Virtual Network Connectivity.
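As an added illustration (not the topic's own configuration script), the following PowerShell sketch shows the two halves of an RRAS-based site-to-site setup described above: the Azure Virtual Network Gateway is given a pre-shared key, and the on-premises RRAS server dials the gateway's public address with the same key. It assumes the classic (Service Management) Azure PowerShell module with a subscription already selected, the RemoteAccess module on the Windows Server 2012 RRAS box, a gateway already created for the virtual network, and the placeholder names ContosoVNet, ContosoHQ and 10.1.0.0/16 for the VNet, local network site and VNet address space.

```powershell
# Added example; placeholder names below must match your own network configuration.
Import-Module Azure          # classic Azure Service Management cmdlets
Import-Module RemoteAccess   # RRAS cmdlets on Windows Server 2012

$vnet = 'ContosoVNet'        # placeholder: virtual network name
$site = 'ContosoHQ'          # placeholder: local network site (your on-premises address space)

# Generate a 256-bit random pre-shared key rather than a hand-typed one.
# Hex keeps it alphanumeric, which both ends accept without escaping.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# Azure side: install the shared key on the gateway for this local network site.
Set-AzureVNetGatewayKey -VNetName $vnet -LocalNetworkSiteName $site -SharedKey $psk

# Public address of the Azure gateway; this is what the on-premises device connects to.
$gatewayIp = (Get-AzureVNetGateway -VNetName $vnet).VIPAddress

# On-premises RRAS side: IKEv2 site-to-site interface with the same key,
# routing the VNet address space (placeholder 10.1.0.0/16, metric 100) over the tunnel.
Add-VpnS2SInterface -Name 'AzureVNet' -Destination $gatewayIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $psk -IPv4Subnet '10.1.0.0/16:100'

Connect-VpnS2SInterface -Name 'AzureVNet'

# Verify that both ends report the tunnel as connected before relying on it.
Get-VpnS2SInterface -Name 'AzureVNet' | Select-Object Name, ConnectionState
Get-AzureVNetConnection -VNetName $vnet | Select-Object LocalNetworkSiteName, ConnectivityState
```

The key is only ever held in the session variable; if you script this for real, pass it between the two machines through a secrets store rather than pasting it into a second console.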
A point-to-site VPN also allows you to create a secure connection to your virtual network. In a point-to-site configuration, the connection is configured individually on each client computer that you want to connect to the virtual network. Point-to-site connections do not require a VPN device. They work by using a VPN client that you install on each client computer. The VPN is established by manually starting the connection from the on-premises client computer. You can also configure the VPN client to automatically restart.
Point-to-site and site-to-site configurations can exist concurrently.
Use a point-to-site configuration when:
You only want to configure a few clients to connect to a virtual network site.
You want to connect to your virtual network from a remote location, for example from a coffee shop.
You have a site-to-site connection, but have some clients that need to connect from a remote location.
You do not have access to a VPN device that meets the minimum requirements for a site-to-site connection.
You do not have an externally facing IPv4 IP address for your VPN device.
For more information about configuring a point-to-site connection, see Configure a Point-to-Site VPN connection to an Azure Virtual Network.
Azure ExpressRoute lets you create private connections between Azure datacenters and infrastructure that's on your premises or in a co-location environment. ExpressRoute connections do not go over the public Internet, and offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet. In some cases, using ExpressRoute connections to transfer data between on-premises and Azure can also yield significant cost benefits. With ExpressRoute, you can establish connections to Azure at an ExpressRoute location (Exchange Provider facility) or directly connect to Azure from your existing WAN network (such as an MPLS VPN) provided by a network service provider.
For more information about ExpressRoute, see ExpressRoute Technical Overview.
For a breakdown table of bandwidths, pricing, and connection types, see ExpressRoute or Virtual Network VPN - What's right for me?