Technical Lab: Virtual Network Gateway SKU Selection for Point-to-Site VPN
Questions
Question 1 - Multiple Choice
A security team requires all remote clients to authenticate via Microsoft Entra ID certificate when connecting through Point-to-Site VPN. The gateway needs to support up to 500 simultaneous connections and the OpenVPN protocol.
Which SKU meets these requirements at the lowest cost?
A) Basic
B) VpnGw1
C) VpnGw2
D) VpnGw1AZ
Question 2 - Technical Scenario
An architect is planning a remote connectivity solution and needs to choose among available SKUs for the VPN gateway. He establishes the following premises:
- Authentication via Azure native certificate (not Entra ID, not RADIUS)
- Maximum of 128 simultaneous P2S connections
- No zone redundancy requirement
- Lowest possible operational cost
After reviewing the documentation, he considers the Basic SKU. Which statement correctly describes a critical limitation of the Basic SKU that may force a revision of this choice?
A) The Basic SKU does not support the IKEv2 protocol, preventing native Windows clients from connecting via P2S
B) The Basic SKU cannot be migrated to a higher SKU without recreating the gateway
C) The Basic SKU limits aggregate throughput to 10 Mbps, making any corporate workload unfeasible
D) The Basic SKU requires the VNet to use an address prefix of /24 or larger
Question 3 - True or False
Statement: The VpnGw1 to VpnGw5 family SKUs support all three P2S authentication types (Azure native certificate, RADIUS, and Microsoft Entra ID) simultaneously on a single gateway, without requiring separate gateways.
True or False?
Question 4 - Technical Scenario
A financial company requires high availability with availability zone redundancy for their P2S VPN. The team chose the VpnGw2 SKU and configured the gateway with a regional (non-zone-redundant) Standard public IP.
After deployment, the team realizes that the zonal resilience requirement was not met. What is the root cause of the problem?
A) The VpnGw2 SKU does not support P2S with zonal redundancy; only VpnGw4AZ and higher support it
B) The zonal redundancy SKU requires the AZ suffix (e.g. VpnGw2AZ), and the public IP must be of Zone-redundant type
C) Zonal redundancy in VPN gateways requires the P2S protocol to be exclusively OpenVPN
D) The public IP needs to be of Static type instead of Dynamic, regardless of the chosen SKU
Question 5 - Multiple Choice
When comparing VpnGw1 and VpnGw1AZ SKUs for a P2S deployment, which difference is technically accurate?
A) VpnGw1AZ supports more simultaneous P2S connections than VpnGw1
B) VpnGw1AZ offers availability zone redundancy, while VpnGw1 is deployed in a single zone
C) VpnGw1AZ supports authentication via Microsoft Entra ID, while VpnGw1 only supports certificates
D) VpnGw1AZ requires the SSTP protocol, while VpnGw1 is protocol agnostic
Answer Key and Explanations
Answer Key - Question 1
Answer: B
The VpnGw1 SKU is the smallest SKU in the Generation1 family that supports the OpenVPN protocol and authentication via Microsoft Entra ID. These two requirements immediately eliminate the Basic SKU, which does not natively support OpenVPN or Entra ID authentication. VpnGw1 supports up to 650 simultaneous P2S connections, easily covering the requirement of 500.
The VpnGw2 and VpnGw1AZ SKUs also meet the functional requirements, but at higher cost without technical justification: VpnGw2 offers higher throughput and more connections, and VpnGw1AZ adds zonal redundancy, neither of which was required in the scenario.
The main misconception that the distractors exploit is assuming that more connections or zonal resilience are necessary when the statement doesn't require them.
Answer Key - Question 2
Answer: B
The critical limitation of the Basic SKU often overlooked is that it cannot be resized to a higher SKU. Unlike VpnGw1 to VpnGw5 SKUs, which allow upgrades without recreation, migrating from Basic requires deleting the gateway and redeploying it, causing unavailability and loss of existing configuration.
Alternative A is false: the Basic SKU supports IKEv2, so Windows clients can connect via P2S. Alternative C distorts the real value: Basic offers aggregate throughput of up to 100 Mbps, not 10 Mbps. Alternative D is completely fictitious; there's no VNet prefix restriction associated with the gateway SKU.
This migration limitation is especially relevant in environments that start small but have growth projections.
Answer Key - Question 3
Answer: True
The VpnGw1 to VpnGw5 family SKUs (and their AZ variants) allow configuring all three P2S authentication methods simultaneously on the same gateway: Azure native certificate, RADIUS, and Microsoft Entra ID. This means different client groups can use distinct methods without requiring separate gateways.
This characteristic is relevant in hybrid scenarios where some clients use devices not compatible with Entra ID or where RADIUS integration already exists. The Basic SKU, by contrast, does not offer this flexibility of multiple simultaneous methods, being another reason to avoid it in complex corporate environments.
Answer Key - Question 4
Answer: B
Availability zone redundancy in Azure VPN gateways requires two factors at the same time: the SKU must belong to the AZ family (e.g. VpnGw2AZ) and the associated public IP must be of Zone-redundant type (Standard SKU with a zone-redundant configuration). Using the VpnGw2 SKU without the AZ suffix deploys the gateway in a single logical zone, with no protection against a zonal failure.
Alternative A is false: zonal redundancy is available starting from VpnGw1AZ, not just in higher SKUs. Alternative C is false: the P2S protocol has no relation to the gateway's availability topology. Alternative D confuses public IP properties with gateway SKU; the Static/Dynamic type is relevant for other scenarios, but is not the determining factor here.
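The two factors from this answer key, written as an added Bicep example that is not part of the lab: the misconfiguration from the scenario is shown commented out beside the corrected resources. Resource names, the VNet name and the API version are placeholders chosen here, not taken from the lab.

```bicep
// Added example (not from the lab). Names and API version are placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-placeholder'

// WRONG (the scenario): regional Standard IP with no zones + VpnGw2 SKU.
// The gateway lands in a single logical zone, so the zonal requirement fails.
// resource pipRegional 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
//   name: 'pip-vpngw-regional'
//   location: location
//   sku: { name: 'Standard' }
//   properties: { publicIPAllocationMethod: 'Static' }
// }
// ... gateway with sku: { name: 'VpnGw2', tier: 'VpnGw2' }

// CORRECT: zone-redundant Standard public IP (all zones listed) ...
resource pipZoneRedundant 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-vpngw-zr'
  location: location
  sku: { name: 'Standard' }
  zones: ['1', '2', '3']   // zone-redundant, not pinned to one zone
  properties: { publicIPAllocationMethod: 'Static' }
}

// ... together with an AZ-family gateway SKU.
resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-04-01' = {
  name: 'vpngw-p2s-zr'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw2AZ', tier: 'VpnGw2AZ' }   // AZ suffix is required
    ipConfigurations: [
      {
        name: 'gwipconfig'
        properties: {
          publicIPAddress: { id: pipZoneRedundant.id }
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'GatewaySubnet')
          }
        }
      }
    ]
  }
}
```

Changing only one of the two factors (AZ SKU with a regional IP, or a zone-redundant IP with a non-AZ SKU) does not satisfy the requirement; both must be present.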
Answer Key - Question 5
Answer: B
The only real technical difference between VpnGw1 and VpnGw1AZ is the deployment topology: VpnGw1AZ is distributed across availability zones, offering resilience against zone failure, while VpnGw1 resides in a single logical zone.
Alternatives A, C, and D represent common misconceptions. Both SKUs support the same number of simultaneous P2S connections (650 in Generation1). Both support the same authentication methods, including Microsoft Entra ID. And both are protocol agnostic, supporting SSTP, IKEv2, and OpenVPN. The AZ variant doesn't add functional capacity, only architectural resilience, which is an important distinction when justifying the additional cost.