19 Oct 2019

Pimp your Azure VPN Gateway Performance

A lot of customers are using Azure VPN Gateways to create a hybrid connectivity with Azure and their on-premises data center. Beside Azure Express Route, it’s a widely adopted and robust solution. Azure VPN Gateways are highly available by default and depending on the SKU even zone redundant and active/active. Whereas active/active configurations require BGP, active passive configurations can use static routes.

The performance of the VPN Gateways hardly depends on two factors (beside the ISP connectivity of course), the SKU (size) and the IPSec policy settings.

SKU (Size)

Depending on the SKU size your Azure VPN gateway can handle more or less connections and overall bandwidth.

SKU S2S Connections Aggregated Throughput
Basic 10 100 Mbps
VpnGw1 30 650 Mbps
VpnGw2 30 1 Gbps
VpnGw3 30 1.25 Gbps

Note, that the max throughput is cumulative for all connections, not for each connection.

IPSec Configuration

When configuring S2S-VPN to Azure using 3rd party firewall or routers, you have to pay attention to the IPsec parameters. The profile has to match on both ends, otherwise the tunnel won’t come up or you loose 100% of the packets. On the Azure VPN gateway, you can create a custom IPSec connection profile at creation time of the connection or afterwards. Each connection can have a single IPSec profile attached. IKE/IPSec encryption-, and hashing-algorhythms are crucial from a performance perspective. According to the Microsoft docs, GCMAES256 is the best choice. I can confirm that according to my own tests. The following results where produced using a S2S-VPN Configuration between “westeurope” and “eastus2” regions. For the performance tests I used the ntttcp utility. I was not able to exactly reach the max values as stated in the docs, but as mentioned, the gateways where spread over continents, so a fair amount of latency (~180ms) kicked in.

Max. Throughput
average after 5 measures
VpnGw1 DES3 SHA256 125
VpnGw1 AES256 SHA256 220
VpnGw1 GCMAES256 GCMAES256 300*
VpnGw2 DES3 SHA256 125
VpnGw2 AES256 SHA256 480
VpnGw2 GCMAES256 GCMAES256 650*
VpnGw3 DES3 SHA256 130
VpnGw3 AES256 SHA256 550
VpnGw3 GCMAES256 GCMAES256 880*

*according to the default performance observed if no IPSec policy was attached, I assume GCMAES256 is the default mode

How to configure IPSec policies for your Azure VPN gateways?

IPSec policies are mapped on connection level. Each connection can have a dedicated IPSec policy. In the following example I’m showing how to configure and map the policies using Azure CLI, whereas PowerShell is another option of course.

Create and attach IPSec Policy

az network vpn-connection ipsec-policy add --connection-name myconn1 --resource-group myRG --ipsec-encryption AES256 --ipsec-integrity SHA256 --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 --pfs-group PFS2048 --sa-lifetime 600 --sa-max-size 102400000

Remove IPSec Policy (back to defaults)

az network vpn-connection ipsec-policy clear --connection-name myconn1 --resource-group myRG

What now?

Now it’s time to check out the options on your firewall / vpn device and check the available option for IPSec Tunnel encryption and hashing mechanisms so you get the max out of your VPN gateway.