Feature | Basic + Policy | Basic + Route | VpnGw1 + Route |
---|---|---|---|
Bandwidth | 100 Mbps | 100 Mbps | 650 Mbps |
Tunnels | Only one tunnel | max. 10 tunnels | max. 30 tunnels |
IKE for S2S | Only IKEv1 | Only IKEv2(*) | IKEv1 and IKEv2 |
P2S | No | Only SSTP | IKEv2 IPSEC, OpenVPN or SSTP |
P2S auth | - | Certificate | Certificate, RADIUS, AAD |
IPSEC conf | N/A | N/A | Possible to change ciphers |

Only one P2S connection / pool can be configured per Virtual Network Gateway.

(*) The documentation and the portal tooltips conflict. The documentation states the following:

"IKEv1 connections can be created on all RouteBased VPN type SKUs, except the Basic SKU, Standard SKU, and other legacy SKUs."

The tooltip for the route-based Basic SKU mentions no limit, and both selections are available:

"IKE protocol used by this connection."

Real-life test result: `Invalid ConnectionProtocol IKEv1 specified for gateway /subscriptions/x/resourceGroups/y/providers/Microsoft.Network/virtualNetworkGateways/z1`

Meanwhile, the policy-based Basic SKU has the following tooltip:

"Only IKEv1 protocol is supported with policy based gateway connections."

Real-life test result: `Invalid ConnectionProtocol IKEv2 specified for gateway /subscriptions/x/resourceGroups/y/providers/Microsoft.Network/virtualNetworkGateways/z2`

- A policy-based Virtual Network Gateway is supported on the Basic SKU only
- All Virtual Network Gateways support S2S, VNet-to-VNet and/or ExpressRoute tunnels. Only the maximum number is limited
- IKE/IPsec policy can be defined per-connection on all Azure SKUs except the Basic SKU
- All parameters must be provided

If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any.
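
The following is an added example, not taken from the original page or from Azure tooling: it checks the selectors configured on the on-premises VPN device against the full set of combinations that UsePolicyBasedTrafficSelectors requires. The prefixes, the `local -> remote` line format and the function names are assumptions made for illustration.

```python
import ipaddress
from itertools import product

ANY = ipaddress.ip_network("0.0.0.0/0")

def required_selectors(onprem_prefixes, azure_prefixes):
    """Every on-premises prefix paired with every Azure VNet prefix."""
    onprem = [ipaddress.ip_network(p, strict=False) for p in onprem_prefixes]
    azure = [ipaddress.ip_network(p, strict=False) for p in azure_prefixes]
    return set(product(onprem, azure))

def parse_device_selectors(text):
    """Parse 'local -> remote' lines (constructed format); '#' starts a comment."""
    selectors = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        local, remote = (part.strip() for part in line.split("->"))
        selectors.add((ipaddress.ip_network(local, strict=False),
                       ipaddress.ip_network(remote, strict=False)))
    return selectors

def audit(onprem_prefixes, azure_prefixes, device_text):
    """Report missing combinations and any-to-any selectors on the device."""
    required = required_selectors(onprem_prefixes, azure_prefixes)
    configured = parse_device_selectors(device_text)
    fmt = lambda pair: f"{pair[0]} -> {pair[1]}"
    return {
        "missing": [fmt(p) for p in sorted(required - configured)],
        "any_to_any": [fmt(p) for p in sorted(configured) if p == (ANY, ANY)],
    }

# Constructed sample values, not from the page.
ONPREM = ["10.1.0.0/16", "10.2.0.0/16"]       # local network gateway prefixes
AZURE = ["192.168.0.0/24", "172.16.0.0/24"]   # virtual network prefixes
DEVICE_CONFIG = """
10.1.0.0/16 -> 192.168.0.0/24
10.1.0.0/16 -> 172.16.0.0/24
10.2.0.0/16 -> 192.168.0.0/24
0.0.0.0/0   -> 0.0.0.0/0      # leftover any-to-any entry
"""

if __name__ == "__main__":
    for kind, entries in audit(ONPREM, AZURE, DEVICE_CONFIG).items():
        print(kind, entries)
```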