I’ve been looking at Azure VPN Gateway, and it seems like this is something a small VM could do at much lower cost. Am I missing something? Has anyone created a guide or how-to for setting this up?
Yes you can, look into network virtual appliances and route tables.
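To make the "network virtual appliances and route tables" hint concrete, here is an added example (written for this thread, not taken from any post or from Microsoft documentation) in Bicep. It shows the two pieces a self-managed VPN appliance needs that a VPN Gateway handles for you: IP forwarding enabled on the appliance NIC, and a user-defined route on the workload subnet that sends on-premises-bound traffic to the appliance's private IP. All names, address ranges and the API version are placeholders chosen for the example; the appliance VM itself and its tunnel configuration are not included.

```bicep
// Added example for this thread (not code from any poster or from Microsoft).
// Minimal hub VNet with a self-managed VPN appliance (NVA) and a route table
// that steers traffic for an on-premises range through it.
// Names, prefixes and the API version are assumed placeholders.

param location string = resourceGroup().location

// Assumed values: static private IP of the NVA and the on-prem range it tunnels to.
param nvaPrivateIp string = '10.0.1.4'
param onPremPrefix string = '192.168.0.0/16'

// Route table attached to the workload subnet. Without this, Azure's system
// routes never send packets to the NVA, whatever the NVA itself is configured to do.
resource rtViaNva 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-onprem-via-nva'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'onprem-via-nva'
        properties: {
          addressPrefix: onPremPrefix
          nextHopType: 'VirtualAppliance'   // next hop is a VM, not a gateway
          nextHopIpAddress: nvaPrivateIp    // single next hop: no built-in HA
        }
      }
    ]
  }
}

// Hub VNet: one subnet for the appliance, one for workloads.
// Only the workload subnet gets the route table; applying it to the NVA subnet
// as well would loop the NVA's own egress back to itself.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'hub-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'nva-subnet'
        properties: { addressPrefix: '10.0.1.0/24' }
      }
      {
        name: 'app-subnet'
        properties: {
          addressPrefix: '10.0.2.0/24'
          routeTable: { id: rtViaNva.id }
        }
      }
    ]
  }
}

// NIC for the appliance. enableIPForwarding is the platform-side switch that
// lets the fabric deliver packets whose destination is not this NIC's own IP;
// the guest OS still needs forwarding turned on separately.
resource nvaNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nva-nic'
  location: location
  properties: {
    enableIPForwarding: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Static'
          privateIPAddress: nvaPrivateIp
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'nva-subnet')
          }
        }
      }
    ]
  }
}
```

The `nextHopIpAddress` pointing at one VM is exactly the redundancy gap the other replies raise: if that VM is down or being patched, traffic to the on-prem range is blackholed until someone changes the route or fails over to a second appliance (for example by fronting two NVAs with an internal load balancer and using its frontend IP as the next hop). That operational work, plus keeping the appliance patched and its NSG tight, is the cost that the "small VM is cheaper" comparison tends to leave out.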
You are probably missing the redundancy element of the built-in VPN gateway offering in your cost considerations.
I’d caution on building your own in this case. Something goes wrong, who will know enough to fix it? VPN gateway will work and be supported by MS, so how much is your personal stress and time worth to save x amount for your company? IMO, go with the stress-free option. We have enough to deal with already.
For Azure VPN gateway:
- You don’t have to worry about patching, upgrades, or lifecycle.
- You don’t have to worry about licensing.
- Can scale to reasonably high aggregate bandwidths (tens of gigabits).
- Single point of support (Microsoft).
- Native logging and metrics (if limited)
Against Azure VPN gateway:
- Limited features.
- Some operations cause impact.
For your own NVA:
- Commercial firewall NVA has way more features.
- Commercial firewall NVA has much better debugging options.
Against your own NVA:
- Support cases may have to involve Microsoft and vendor.
- You need to sort out licensing.
- You need to sort out HA, which isn’t easy.
- You need to sort out scaling if you need more bandwidth than one box can handle, and this is not trivial at all.
- You need to be on top of updates and patches and maintenance.
- Needs more in-house expertise.
- Probably more expensive.
For building it completely from open source or such:
- Cheap
- All the other benefits of your own NVA.
Against your own build:
- All the scaling and HA challenges of the NVA.
- No support.
- Are you sure you know what you’re doing and aren’t opening major security holes?
You can absolutely do the “same thing” with B-series pfSense VMs and some study.
You just shouldn’t.
What is your need? If it’s just a couple of P2S users and you don’t need to worry about HA, etc. and want to manage it… you can easily deploy a cheap VPN appliance/VM. If it’s for anything bigger, just go with the gateway.
Use an OpenVPN solution in the Azure Marketplace; it is free for 2 simultaneous connections. It runs on a single VM (I think there are some requirements for the VM but can’t remember off the top of my head), perfect for a home lab.
Trust me, I learnt the hard way with an Azure VPN that I left running whilst studying for the AZ-500.
Why not roll your own cloud?
The young and hungry.
You could deploy a VM and run pfSense. I have seen customers install Sophos gateways and use VPN, but it wasn’t the main reason for having it.
You can follow this approach and extend it from WireGuard to IKEv2 and L2TP if you like:
But in the end the savings won’t be much more than Azure VNet Gateway and you will have to perform hands-on maintenance of these VMs which has a cost associated with it too.
and it seems like this is something a small VM could do at much lower cost.
Not really, because by default the Azure VPN gateway is HA, whereas yes, you can technically do this with a marketplace appliance or some shitty VM you make, but it’s not going to be HA or true IaaS, and to make it work in HA you would need async routes, which is old school shit. Why did you even go cloud at that point? Replacing Azure networking components with Fortigate, Palo, etc. is not really 1 to 1 and you’re losing a lot of cloud benefits. I tend to nitpick at this stuff because I was a physical data center network engineer before I moved into cloud. I hate lift and shifting networking gear into cloud.
OPNsense + WireGuard or Tailscale and be done with it.
We use the Meraki appliance, great for doing LDAPS to local offices as well.
Once you click on OpenVPN in the Azure Marketplace it will let you select which VM type and size, then it provisions it all for you.
We have this argument at work all the time for any PaaS service and we end up in the same situation:
Pick the solution provided by Microsoft = more money less stress
Build our own = more stress, more engineering hours, more downtime
Not to say we haven’t had successful solutions we have put together ourselves, but for the cost difference we’d rather have an easier life so we can focus on bigger things.
I would not call dealing with MS Support the ‘stress free option’. IMO the last few months in particular things have plummeted…
- Agents constantly nagging for calls/screen share sessions instead of asking for more info via email (especially when email is the PREFERRED contact method), then getting on a call a few days later with you and not even knowing what to ask = multiple days wasted because they are literally obsessed with the call having to happen.
- Agents not understanding the product or issue at all and reading from Google while telling you that you are wrong. Even more fun during a Sev A.
- Agents sounding like they WFH with dogs barking/loud noises in the background constantly.
- Weeks between responses when you do manage to get some traction and escalation to devs/product groups (getting longer and longer).
- I’ve had an M365 ticket open for 8 weeks now for a very simple thing which is still going around in circles. Our reseller has escalated this countless times via their contacts, who just keep saying the internal team is restructuring, hence the delays (why do I care?).
- Hell, we raised a Sev B (4 hour response) nearly 4 days ago and I don’t think we have even had an initial response.
Whoever is heading up MS Support, particularly their outsourced teams, is really shitting the bed.
I agree. Unless you require some feature VPN GW does not support, use VPN GW.
Was going to say, but it seems people here already said everything: right now you are better off fixing stuff or figuring stuff out yourself than relying on MS support. We’ve only been in Azure a year now and support is awful; they have never fixed anything, all they do is gather logs. In the end the majority of issues we had to sort out ourselves through a lot of troubleshooting. They don’t even know when there is an issue with capacity in an availability zone, or they just ignore it.
Thanks, this is a very useful response