
    Azure VPN Gateways are used to send traffic between an Azure virtual network and another network. VPN Gateways support multiple configurations that control the amount of throughput, number of connections, and type of connections allowed through the gateway. Blue Matador monitors VPN Gateways and ExpressRoute Gateways to see if usage is approaching the limits of the gateway.

     

    Throughput


    Throughput is the rate at which data is sent through the VPN Gateway. VPN Gateways have different throughput benchmarks depending on the gateway type and SKU. Site-to-Site (S2S) and Point-to-Site (P2S) connections share the same bandwidth on a VPN gateway, so increased usage from one type of connection can degrade the performance of the other. Hitting the maximum throughput on a VPN Gateway can indicate that you should either reduce the throughput your network requires or increase the capacity of the gateway. Blue Matador detects when you are nearing the throughput benchmarks on your gateways via the AverageBandwidth and P2SBandwidth metrics, so that you can remediate the issue before performance degrades.

    VPN Gateway Throughput Benchmarks

    | SKU      | Throughput |
    |----------|------------|
    | Basic    | 100 Mbps   |
    | VpnGw1   | 650 Mbps   |
    | VpnGw1AZ | 650 Mbps   |
    | VpnGw2   | 1 Gbps     |
    | VpnGw2AZ | 1 Gbps     |
    | VpnGw3   | 1.25 Gbps  |
    | VpnGw3AZ | 1.25 Gbps  |

    Legacy VPN Gateway Throughput Benchmarks

    | SKU              | Throughput |
    |------------------|------------|
    | Basic            | 100 Mbps   |
    | Standard         | 100 Mbps   |
    | High Performance | 200 Mbps   |

    ExpressRoute Gateway Throughput Benchmarks

    | SKU              | Throughput |
    |------------------|------------|
    | Basic            | 1 Gbps     |
    | HighPerformance  | 2 Gbps     |
    | UltraPerformance | 10 Gbps    |

    To validate the performance of your gateway, you can follow the instructions provided by Microsoft here.

     

    P2S Connections


    Azure VPN Gateways limit the number of Point-to-Site (P2S) connections allowed to a single gateway. Blue Matador monitors the P2SConnectionCount metric to get the current connection count. Depending on their SKU, VPN Gateways can be configured to allow connections using these protocols:

    • Secure Socket Tunneling Protocol (SSTP)
    • OpenVPN
    • IKEv2 VPN

    SSTP connections are limited to 128 concurrent connections for all VPN Gateway SKUs. This limit cannot be increased, but most VPN clients support one of the other protocols, so connecting over a different protocol may help avoid the limit. You can follow this tutorial to configure your VPN Gateway for OpenVPN.

    OpenVPN and IKEv2 connections count toward a single shared limit, which is higher than the SSTP limit. The connection limits for the various VPN Gateway SKUs are as follows:

    | SKU      | Limit         |
    |----------|---------------|
    | Basic    | Not Supported |
    | VpnGw1   | 250           |
    | VpnGw1AZ | 250           |
    | VpnGw2   | 500           |
    | VpnGw2AZ | 500           |
    | VpnGw3   | 1000          |
    | VpnGw3AZ | 1000          |

    Hitting the limit on the number of connections will prevent additional connections from succeeding. This can impact your employees by denying them access to the network when they need it. If you hit P2S connection limits frequently, consider a policy under which employees connect only when they need access to the virtual network, or upgrade your gateway to allow more connections, or set up multiple gateways.
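
    The throughput and P2S connection checks described above can be combined into one capacity check per gateway. The following is an added example, not Blue Matador's own code. Assumptions: AverageBandwidth and P2SBandwidth samples are in bytes per second, P2S connection counts are available per protocol under the keys shown, and the 80% warning threshold is hypothetical.

```python
# Added example: limits are copied from the tables on this page.
THROUGHPUT_MBPS = {"Basic": 100, "VpnGw1": 650, "VpnGw1AZ": 650,
                   "VpnGw2": 1000, "VpnGw2AZ": 1000,
                   "VpnGw3": 1250, "VpnGw3AZ": 1250}
P2S_LIMIT = {"Basic": None, "VpnGw1": 250, "VpnGw1AZ": 250,  # None = not supported
             "VpnGw2": 500, "VpnGw2AZ": 500,
             "VpnGw3": 1000, "VpnGw3AZ": 1000}
SSTP_LIMIT = 128   # same for every VPN Gateway SKU
WARN_RATIO = 0.8   # assumption: the page does not state an alert threshold


def peak_mbps(s2s_bytes_per_s, p2s_bytes_per_s):
    """Peak combined rate in Mbps. S2S and P2S share the gateway's bandwidth,
    so time-aligned samples are summed before comparing to the benchmark.
    Assumption: both metrics are reported in bytes per second."""
    return max(((s + p) * 8 / 1_000_000
                for s, p in zip(s2s_bytes_per_s, p2s_bytes_per_s)), default=0.0)


def check_gateway(sku, s2s_bytes_per_s, p2s_bytes_per_s, p2s_by_protocol):
    """Return (check, observed, limit) tuples for every limit being approached."""
    if sku not in THROUGHPUT_MBPS:
        raise ValueError(f"unknown SKU: {sku}")
    findings = []
    peak, cap = peak_mbps(s2s_bytes_per_s, p2s_bytes_per_s), THROUGHPUT_MBPS[sku]
    if peak >= WARN_RATIO * cap:
        findings.append(("throughput_mbps", peak, cap))
    # SSTP has its own fixed cap, independent of SKU.
    sstp = p2s_by_protocol.get("SSTP", 0)
    if sstp >= WARN_RATIO * SSTP_LIMIT:
        findings.append(("sstp_connections", sstp, SSTP_LIMIT))
    # OpenVPN and IKEv2 count toward one shared, SKU-dependent cap.
    shared = p2s_by_protocol.get("OpenVPN", 0) + p2s_by_protocol.get("IKEv2", 0)
    limit = P2S_LIMIT[sku]
    if limit is None:
        if shared:
            findings.append(("openvpn_ikev2_unsupported", shared, 0))
    elif shared >= WARN_RATIO * limit:
        findings.append(("openvpn_ikev2_connections", shared, limit))
    return findings


if __name__ == "__main__":
    # Constructed samples, not real telemetry.
    print(check_gateway("VpnGw1", [40_000_000, 60_000_000],
                        [5_000_000, 10_000_000],
                        {"SSTP": 110, "OpenVPN": 120, "IKEv2": 60}))
```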

     

    Resources