Microsoft announced a number of new features for Azure VPN Gateway resource. A couple of them, at least to me, are very important and will make our life easier in the trenches. So, what further ado here’s the list ordered based on my likeness 🙂
Custom IPsec/IKE policy with DPD timeout
Setting IKE DPD (Dead Peer Detection) timeout allows customers to adjust the IKE session timeout value based on their connection latency and traffic conditions to minimize unnecessary tunnel disconnect, improving both reliability and experience. This feature brings the entire custom IPsec/IKE policy configuration experience to Azure Portal.
You can read more here Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections: Azure portal
FQDN support for site-to-site VPN
This feature supports customer branches or locations without static public IP addresses to connect to Azure VPN gateways. Customers can now leverage dynamic DNS services and use their FQDNs instead of IP addresses. Azure VPN gateways will automatically resolve and update the VPN target to establish IPsec/IKE connections.
You can read more here Create the local network gateway (Azure Portal)
Session management & revocation for point-to-site VPN users
Administrators can now list and revoke individual user connections to their VPN gateways from Azure Portal in real-time, addressing a key management task.
You can read more here Point-to-site VPN session management
VPN over ExpressRoute private peering
Financial and health industries, more than often, require double encryption over both their private WANs and Azure WAN for compliance reasons. VPN over ExpressRoute private peering allows customers to use IPsec tunnels over their ExpressRoute private peering to satisfy this need.
Note: this feature is only supported on zone-redundant deployed gateways, to make it simple, any SKU that ends with “AZ” at the end i.e. VpnGw1AZ.
You can read more here Configure a Site-to-Site VPN connection over ExpressRoute private peering (Preview)
High availability for RADIUS servers in point-to-site VPN
This feature enables highly available configuration for customers using RADIUS/AD authentication for their point-to-site VPN.
You can find more information in the FAQ for RADIUS authentication
APIPA support for BGP speaker
This feature supports customers with legacy VPN routers and Amazon Web Service (AWS) VGW, Google Cloud Platform (GCP) VPN which use APIPA addresses (the one we get when DHCP is not assigning an IP to our device, it is like 169.254.xxx.xxx, read more here if you are interested) as their BGP speaker IP addresses. Now they can establish BGP sessions with Azure VPN gateways using APIPA addresses.
You can find more details here Part 1: Configure BGP on the virtual network gateway
Good stuff keep coming on Azure platform! Kudos to all teams.
Hope you enjoyed the brief, and if you did, leave a comment/rate and make sure you don’t forget to subscribe (below) and get the info in your inbox.