Secure remote access has become a non-negotiable requirement for UK businesses. Whether your team is working from home, travelling between client sites, or operating from co-working spaces across the country, they need secure, reliable access to your business applications, files, and systems. Azure VPN — Microsoft’s cloud-based virtual private network service — provides exactly this, offering enterprise-grade security without the complexity and cost of traditional on-premise VPN infrastructure.
For businesses already using Microsoft Azure for cloud services, Azure VPN is a natural extension of their existing infrastructure. For those who are new to Azure, it offers a compelling alternative to hardware-based VPN solutions that require expensive appliances, complex configuration, and ongoing maintenance. This guide explains what Azure VPN is, how it works, what it costs, and how to plan and implement a deployment that meets your business needs.
Whether you are a professional services firm in London with twenty consultants who need access to internal systems whilst visiting clients, a manufacturing company in the Midlands with remote engineers who need to connect to design servers, or a growing business with hybrid workers spread across the United Kingdom, Azure VPN can provide the secure connectivity you need.
Understanding Azure VPN: Two Types of Connection
Azure VPN Gateway supports two fundamentally different types of VPN connection, each serving different use cases. Understanding the distinction is essential for planning your deployment.
Point-to-Site (P2S) VPN
A Point-to-Site VPN creates an encrypted connection from an individual device — a laptop, tablet, or desktop PC — directly to your Azure virtual network. This is the type of VPN most people are familiar with. A user launches a VPN client on their device, authenticates, and establishes a secure tunnel to Azure. Once connected, they can access resources in Azure (virtual machines, databases, applications) and, if configured, resources in your on-premise network as well.
P2S VPN is ideal for remote workers and hybrid workers who need to access internal systems from home or whilst travelling. It supports up to 10,000 concurrent connections on the highest-tier gateway, making it suitable for organisations of any size. Authentication can use certificates, Azure Active Directory (Entra ID), or RADIUS, with Entra ID being the recommended option for Microsoft 365 businesses because it integrates with your existing identity management and supports multi-factor authentication.
Site-to-Site (S2S) VPN
A Site-to-Site VPN creates a permanent, encrypted connection between your on-premise network and your Azure virtual network. This is used when you need continuous connectivity between your office and Azure — for example, if you have servers running in Azure that need to communicate with systems in your office, or if you want your office network to extend seamlessly into the cloud.
S2S VPN requires a compatible VPN device or software gateway at your office end. This can be a hardware firewall (such as Fortinet, Cisco, or SonicWall) that supports IPsec VPN, or a software-based solution running on a server. The connection is always on, meaning that your office and Azure networks behave as a single, extended network.
Point-to-Site (P2S) VPN
- Individual device to Azure connection
- Ideal for remote and mobile workers
- User-initiated connection
- Supports Windows, macOS, Linux, iOS, Android
- Authenticates via Entra ID with MFA
- No hardware required at user end
- Scales to 10,000 concurrent users
Site-to-Site (S2S) VPN
- Office network to Azure connection
- Ideal for hybrid cloud architectures
- Always-on persistent connection
- Requires compatible VPN device at office
- Pre-shared key or certificate authentication
- Hardware firewall or gateway needed
- Connects entire office network to Azure
Planning Your Azure VPN Deployment
A successful Azure VPN deployment starts with careful planning. There are several decisions to make before you begin any configuration, and getting these right at the outset avoids costly rework later.
Choose the Right Gateway SKU
Azure VPN Gateway comes in several SKUs (pricing tiers) that differ in throughput, number of supported tunnels, and features. For most UK SMEs, the VpnGw1 or VpnGw2 SKUs provide the right balance of performance and cost. The Basic SKU is tempting due to its low price but lacks important features including support for Entra ID authentication and IKEv2 protocol.
| Gateway SKU | Max Throughput | Max P2S Connections | Max S2S Tunnels | Approx. Monthly Cost (UK South) |
|---|---|---|---|---|
| Basic | 100 Mbps | 128 | 10 | £25–£30 |
| VpnGw1 | 650 Mbps | 250 | 30 | £120–£140 |
| VpnGw2 | 1 Gbps | 500 | 30 | £240–£280 |
| VpnGw3 | 1.25 Gbps | 1,000 | 30 | £500–£560 |
| VpnGw5 | 10 Gbps | 10,000 | 100 | £1,200–£1,400 |
Design Your Network Architecture
Before creating the VPN Gateway, you need to have your Azure virtual network (VNet) properly configured. This includes defining the address space (IP range) for your Azure network, creating subnets for different workloads, creating a dedicated Gateway Subnet (this is mandatory for VPN Gateway), and ensuring your Azure address space does not overlap with your on-premise network.
A common mistake is to use address ranges in Azure that conflict with your office network. For example, if your office uses the 192.168.1.0/24 range and your Azure VNet also uses 192.168.1.0/24, routing will fail. Plan your address spaces carefully and document them to avoid conflicts.
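As an added illustration (not code from the original article), the Python check below validates an address plan before the gateway is created: it catches the 192.168.1.0/24 conflict described above, checks the P2S client pool against both networks, and confirms a correctly named GatewaySubnet of the /27 size Microsoft recommends. All ranges are constructed examples.

```python
import ipaddress

# Constructed example plan (assumed ranges, not from any real deployment).
ON_PREM = ["192.168.1.0/24", "10.50.0.0/16"]
VNET_ADDRESS_SPACE = ["10.20.0.0/16"]
VNET_SUBNETS = {"workloads": "10.20.1.0/24", "GatewaySubnet": "10.20.255.0/27"}
P2S_CLIENT_POOL = "172.16.201.0/24"


def find_overlaps(a, b):
    """Return (x, y) pairs where a prefix in `a` overlaps a prefix in `b`."""
    nets_a = [ipaddress.ip_network(p) for p in a]
    nets_b = [ipaddress.ip_network(p) for p in b]
    return [(x, y) for x in nets_a for y in nets_b if x.overlaps(y)]


def validate_plan(on_prem, vnet_space, subnets, client_pool):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnet = [ipaddress.ip_network(p) for p in vnet_space]
    # 1. The Azure VNet must not overlap the office ranges, or routing fails.
    for x, y in find_overlaps(vnet_space, on_prem):
        problems.append(f"VNet {x} overlaps on-premise {y}")
    # 2. The P2S client pool must be distinct from both sides as well.
    for x, y in find_overlaps([client_pool], on_prem + vnet_space):
        problems.append(f"P2S client pool {x} overlaps {y}")
    # 3. Every subnet must sit inside the VNet and not overlap another subnet.
    nets = {name: ipaddress.ip_network(p) for name, p in subnets.items()}
    for name, net in nets.items():
        if not any(net.subnet_of(v) for v in vnet):
            problems.append(f"subnet {name} {net} is outside the VNet")
    names = list(nets)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            if nets[n1].overlaps(nets[n2]):
                problems.append(f"subnets {n1} and {n2} overlap")
    # 4. The mandatory gateway subnet must use the exact name "GatewaySubnet";
    #    /27 or larger is the size Microsoft recommends.
    gw = nets.get("GatewaySubnet")
    if gw is None:
        problems.append("GatewaySubnet is missing (mandatory for VPN Gateway)")
    elif gw.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw} is smaller than the recommended /27")
    return problems


if __name__ == "__main__":
    for p in validate_plan(ON_PREM, VNET_ADDRESS_SPACE, VNET_SUBNETS, P2S_CLIENT_POOL):
        print("PROBLEM:", p)
    # Reproduce the conflict the article warns about: the same /24 on both sides.
    print(validate_plan(["192.168.1.0/24"], ["192.168.1.0/24"],
                        {"GatewaySubnet": "192.168.1.224/27"}, P2S_CLIENT_POOL))
```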
One important consideration is that Azure VPN Gateway takes approximately 30 to 45 minutes to provision. This is not a resource you can spin up instantly when needed. Plan your deployment timeline accordingly, and test the gateway thoroughly before relying on it for production access. If you need to make changes to the gateway SKU later, the gateway must be deleted and recreated, which causes downtime.
Step-by-Step: Setting Up Point-to-Site VPN
Here is the high-level process for setting up a P2S VPN with Azure AD (Entra ID) authentication, which is the recommended approach for businesses using Microsoft 365.
First, create a Virtual Network in the Azure portal with an appropriate address space, and create a Gateway Subnet within it. Second, deploy a VPN Gateway using the VpnGw1 SKU or higher, selecting the appropriate region (UK South or UK West for UK businesses). Third, configure the Point-to-Site settings, specifying the address pool for VPN clients, the tunnel type (OpenVPN recommended), and Azure Active Directory authentication. Fourth, register the Azure VPN Client application in your Azure AD tenant. Fifth, download and distribute the VPN client configuration to your users. Sixth, test the connection from multiple devices and locations before rolling out to all users.
The entire process typically takes two to four hours for an experienced engineer, plus the 30-to-45-minute gateway provisioning time. For businesses without Azure experience, engaging an IT provider to handle the deployment is recommended to ensure the configuration is secure and optimised.
Security Best Practices for Azure VPN
Simply deploying a VPN is not sufficient — you must also configure it securely. Here are the essential security practices for Azure VPN deployments.
Multi-factor authentication is essential. Every VPN connection should require MFA, regardless of where the user is connecting from. With Entra ID authentication, this integrates seamlessly with your existing Conditional Access policies. If a user’s credentials are compromised, MFA prevents the attacker from establishing a VPN connection.
Network Security Groups (NSGs) should be applied to every subnet in your Azure virtual network. NSGs act as virtual firewalls, controlling which traffic is allowed in and out of each subnet. Even though users are authenticated via VPN, you should still restrict their access to only the resources they need — this is the principle of least privilege applied at the network level.
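An added example, not part of the original article, of why explicit NSG rules matter for VPN clients: Azure's default AllowVnetInBound rule matches the VirtualNetwork service tag, which also covers address spaces connected through the gateway such as the P2S client pool, so with no custom rules an authenticated VPN user can reach every port on every VM in the subnet. The evaluator below mimics NSG first-match-by-priority processing over constructed rules (all addresses and rule names are assumptions).

```python
import ipaddress

# Constructed sample values (assumed, not from any real deployment).
P2S_CLIENT_POOL = ipaddress.ip_network("172.16.201.0/24")
VNET = ipaddress.ip_network("10.20.0.0/16")
# The VirtualNetwork tag covers the VNet plus address spaces connected
# through the gateway, so P2S clients match it as well.
SERVICE_TAGS = {"VirtualNetwork": [VNET, P2S_CLIENT_POOL]}

# Azure's platform default inbound rules, evaluated after any custom rules.
# Rule tuple: (priority, name, action, source, destination, protocol, dest_port)
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "VirtualNetwork", "*", "*"),
    (65500, "DenyAllInBound", "Deny", "*", "*", "*", "*"),
]


def _match_addr(spec, addr):
    if spec == "*":
        return True
    nets = SERVICE_TAGS.get(spec) or [ipaddress.ip_network(spec)]
    return any(addr in n for n in nets)


def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")  # single port or "lo-hi" range
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src, dst, protocol, port):
    """First matching rule in ascending priority decides, as an NSG does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, name, action, s, d, proto, dport in sorted(rules + DEFAULT_INBOUND):
        if (proto in ("*", protocol) and _match_addr(s, src)
                and _match_addr(d, dst) and _match_port(dport, port)):
            return action, name
    return "Deny", "implicit"


# Weak: no custom rules, so AllowVnetInBound lets VPN clients reach everything.
WEAK_RULES = []
# Hardened: VPN clients may reach the app server on 443 only; anything else
# from the client pool is denied before the default rule is reached.
HARDENED_RULES = [
    (100, "AllowVpnToAppHttps", "Allow", "172.16.201.0/24", "10.20.1.10/32", "Tcp", "443"),
    (200, "DenyVpnToSubnet", "Deny", "172.16.201.0/24", "*", "*", "*"),
]

if __name__ == "__main__":
    print("weak, RDP from VPN client:", evaluate(WEAK_RULES, "172.16.201.5", "10.20.1.10", "Tcp", 3389))
    print("hardened, RDP from VPN client:", evaluate(HARDENED_RULES, "172.16.201.5", "10.20.1.10", "Tcp", 3389))
```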
Diagnostic logging should be enabled on the VPN Gateway and all associated resources. Azure Monitor can collect connection logs, tunnel logs, and route table logs, giving you visibility into who is connecting, when, from where, and what they are accessing. These logs are also essential for GDPR compliance and for investigating any security incidents.
Cost Optimisation
Azure VPN costs are based on two components: the hourly cost of the gateway (charged regardless of usage) and the data egress charges (data flowing out of Azure). For most SMEs, the gateway cost is the significant element, with data egress adding only a small additional amount.
To optimise costs, select the smallest gateway SKU that meets your performance and connection requirements. Monitor utilisation and scale up only when needed. Consider using Reserved Instances for the gateway if you are committed to a 12-month or 36-month term — this can reduce costs by up to 30%. And ensure that your VPN is not the only way users access cloud resources — applications like Microsoft 365 should be accessed directly from the internet with Conditional Access policies, not routed through the VPN.
For a typical UK SME with 20 to 50 remote users, a VpnGw1 gateway provides more than adequate capacity. At approximately £130 per month plus minimal data egress charges, it is significantly cheaper than purchasing, maintaining, and managing an on-premise VPN appliance, and it integrates seamlessly with the rest of your Azure and Microsoft 365 environment.
Need Help Setting Up Azure VPN?
Cloudswitched designs and deploys Azure VPN solutions for UK businesses. Whether you need Point-to-Site access for remote workers or Site-to-Site connectivity for hybrid cloud infrastructure, our Azure-certified engineers ensure your VPN is secure, reliable, and optimised. Contact us for a free consultation.