Pimp your Azure VPN Gateway Performance
A lot of customers are using Azure VPN Gateways to create a hybrid connectivity with Azure and their on-premises data center. Beside Azure Express Route, it’s a widely adopted and robust solution. Azure VPN Gateways are highly available by default and depending on the SKU even zone redundant and active/active. Whereas active/active configurations require BGP, active passive configurations can use static routes.
The performance of the VPN Gateways hardly depends on two factors (beside the ISP connectivity of course), the SKU (size) and the IPSec policy settings.
SKU (Size)
Depending on the SKU size your Azure VPN gateway can handle more or less connections and overall bandwidth.
SKU | S2S Connections | Aggregated Throughput |
Basic | 10 | 100 Mbps |
VpnGw1 | 30 | 650 Mbps |
VpnGw2 | 30 | 1 Gbps |
VpnGw3 | 30 | 1.25 Gbps |
Note, that the max throughput is cumulative for all connections, not for each connection.
IPSec Configuration
When configuring S2S-VPN to Azure using 3rd party firewall or routers, you have to pay attention to the IPsec parameters. The profile has to match on both ends, otherwise the tunnel won’t come up or you loose 100% of the packets. On the Azure VPN gateway, you can create a custom IPSec connection profile at creation time of the connection or afterwards. Each connection can have a single IPSec profile attached. IKE/IPSec encryption-, and hashing-algorhythms are crucial from a performance perspective. According to the Microsoft docs, GCMAES256 is the best choice. I can confirm that according to my own tests. The following results where produced using a S2S-VPN Configuration between “westeurope” and “eastus2” regions. For the performance tests I used the ntttcp utility. I was not able to exactly reach the max values as stated in the docs, but as mentioned, the gateways where spread over continents, so a fair amount of latency (~180ms) kicked in.
VPN GW Sku |
IKE/IPSec Encryption |
IKE/IPSec Hashing |
Max. Throughput (Mbps) average after 5 measures |
VpnGw1 | DES3 | SHA256 | 125 |
VpnGw1 | AES256 | SHA256 | 220 |
VpnGw1 | GCMAES256 | GCMAES256 | 300* |
VpnGw2 | DES3 | SHA256 | 125 |
VpnGw2 | AES256 | SHA256 | 480 |
VpnGw2 | GCMAES256 | GCMAES256 | 650* |
VpnGw3 | DES3 | SHA256 | 130 |
VpnGw3 | AES256 | SHA256 | 550 |
VpnGw3 | GCMAES256 | GCMAES256 | 880* |
*according to the default performance observed if no IPSec policy was attached, I assume GCMAES256 is the default mode
How to configure IPSec policies for your Azure VPN gateways?
IPSec policies are mapped on connection level. Each connection can have a dedicated IPSec policy. In the following example I’m showing how to configure and map the policies using Azure CLI, whereas PowerShell is another option of course.
Create and attach IPSec Policy
az network vpn-connection ipsec-policy add --connection-name myconn1 --resource-group myRG --ipsec-encryption AES256 --ipsec-integrity SHA256 --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 --pfs-group PFS2048 --sa-lifetime 600 --sa-max-size 102400000
Remove IPSec Policy (back to defaults)
az network vpn-connection ipsec-policy clear --connection-name myconn1 --resource-group myRG
What now?
Now it’s time to check out the options on your firewall / vpn device and check the available option for IPSec Tunnel encryption and hashing mechanisms so you get the max out of your VPN gateway.