Azure VPN Gateways are used to send traffic between an Azure virtual network and another network. VPN Gateways support multiple configurations that control the amount of throughput, number of connections, and type of connections allowed through the gateway. Blue Matador monitors VPN Gateways and ExpressRoute Gateways to see if usage is approaching the limits of the gateway.
Throughput is the rate at which data is sent through the VPN Gateway. VPN Gateways have different throughput benchmarks depending on the gateway type and SKU. Both Site-to-Site (S2S) and Point-to-Site (P2S) connections share the same bandwidth on a VPN gateway, so increased usage from one type of connection can impact the performance of the other type. Hitting the maximum throughput on a VPN Gateway can be an indication that you should look at your network to either decrease throughput requirements or increase the capacity of the gateway. Blue Matador will detect when you are nearing the throughput benchmarks on your gateways via the AverageBandwidth and P2SBandwidth metrics so that you can take steps to remediate the issue before performance degrades.
VPN Gateway Throughput Benchmarks

| SKU | Throughput |
|---|---|
| Basic | 100 Mbps |
| VpnGw1 | 650 Mbps |
| VpnGw1AZ | 650 Mbps |
| VpnGw2 | 1 Gbps |
| VpnGw2AZ | 1 Gbps |
| VpnGw3 | 1.25 Gbps |
| VpnGw3AZ | 1.25 Gbps |

Legacy VPN Gateway Throughput Benchmarks

| SKU | Throughput |
|---|---|
| Basic | 100 Mbps |
| Standard | 100 Mbps |
| High Performance | 200 Mbps |

ExpressRoute Gateway Throughput Benchmarks

| SKU | Throughput |
|---|---|
| Basic | 1 Gbps |
| HighPerformance | 2 Gbps |
| UltraPerformance | 10 Gbps |

To validate the performance of your gateway, you can follow the instructions provided by Microsoft here.
Azure VPN Gateways limit the number of Point-to-Site (P2S) connections allowed to a single gateway. Blue Matador monitors the P2SConnectionCount metric to get the current connection count. Depending on their SKU, VPN Gateways can be configured to allow connections using these protocols:
SSTP connections are limited to 128 concurrent connections for all VPN Gateway SKUs. There is no way to increase this limit, but most VPN clients support one of the other protocols, so connecting over a different protocol may help avoid the limit. You can follow this tutorial to configure your VPN Gateway for OpenVPN.
OpenVPN and IKEv2 connections are limited together and together have a higher limit than SSTP connections. The connection limits for the various VPN Gateway SKUs are as follows:

| SKU | Limit |
|---|---|
| Basic | Not Supported |
| VpnGw1 | 250 |
| VpnGw1AZ | 250 |
| VpnGw2 | 500 |
| VpnGw2AZ | 500 |
| VpnGw3 | 1000 |
| VpnGw3AZ | 1000 |

Hitting the limit on the number of connections will prevent additional connections from succeeding. This can impact your employees by denying them access to the network when it is needed. If you are hitting P2S connection limits frequently, you may consider implementing a policy such that your employees only connect when they need access to the virtual network, or you can upgrade your gateway to allow for more connections or set up multiple gateways.
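
The checks described above can be reproduced against your own metric exports. The following Python example is added here for illustration and is not Blue Matador's code: it evaluates constructed samples against the VPN Gateway throughput benchmarks and P2S limits from the tables on this page. It assumes the bandwidth metrics are in bytes per second, that P2SConnectionCount is available split by protocol, and an 80% warning ratio; the function, field and constant names are hypothetical.

```python
# Benchmarks and limits copied from the tables on this page.
THROUGHPUT_MBPS = {
    "Basic": 100, "VpnGw1": 650, "VpnGw1AZ": 650,
    "VpnGw2": 1000, "VpnGw2AZ": 1000, "VpnGw3": 1250, "VpnGw3AZ": 1250,
}
# Combined OpenVPN + IKEv2 limit; None means "Not Supported".
P2S_LIMIT = {
    "Basic": None, "VpnGw1": 250, "VpnGw1AZ": 250,
    "VpnGw2": 500, "VpnGw2AZ": 500, "VpnGw3": 1000, "VpnGw3AZ": 1000,
}
SSTP_LIMIT = 128   # same for every SKU
WARN_RATIO = 0.8   # assumption: warn at 80% of a benchmark or limit

def check_gateway(sku, samples):
    """Return (time, check, value) findings for samples near a limit."""
    findings = []
    cap_bps = THROUGHPUT_MBPS[sku] * 1_000_000
    for s in samples:
        # S2S and P2S share the gateway's bandwidth, so evaluate the sum.
        # Assumption: both metrics are bytes per second, hence the * 8.
        total_bps = (s["AverageBandwidth"] + s["P2SBandwidth"]) * 8
        if total_bps >= WARN_RATIO * cap_bps:
            findings.append((s["time"], "throughput", round(total_bps / cap_bps, 2)))
        conns = s["P2SConnectionCount"]  # assumed split: {protocol: count}
        sstp = conns.get("SSTP", 0)
        if sstp >= WARN_RATIO * SSTP_LIMIT:
            findings.append((s["time"], "sstp_connections", round(sstp / SSTP_LIMIT, 2)))
        # OpenVPN and IKEv2 are counted together against one limit.
        other = conns.get("OpenVPN", 0) + conns.get("IKEv2", 0)
        limit = P2S_LIMIT[sku]
        if limit is None:
            if other:
                findings.append((s["time"], "p2s_unsupported", other))
        elif other >= WARN_RATIO * limit:
            findings.append((s["time"], "p2s_connections", round(other / limit, 2)))
    return findings

# Constructed sample data, not real telemetry.
SAMPLES = [
    {"time": "T1", "AverageBandwidth": 30_000_000, "P2SBandwidth": 10_000_000,
     "P2SConnectionCount": {"SSTP": 40, "OpenVPN": 50, "IKEv2": 100}},
    # Neither bandwidth metric alone reaches 80% of 650 Mbps; the sum does.
    {"time": "T2", "AverageBandwidth": 50_000_000, "P2SBandwidth": 20_000_000,
     "P2SConnectionCount": {"SSTP": 110, "OpenVPN": 120, "IKEv2": 90}},
]

if __name__ == "__main__":
    for finding in check_gateway("VpnGw1", SAMPLES):
        print(finding)
```

Each finding's value is the fraction of the benchmark or limit in use, except for `p2s_unsupported`, which carries the raw connection count.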