What is the CIDR range when building a VPN Gateway?

2025-11-27T06:37:49.5133333+00:00

We are planning to use a VPN Gateway to connect Azure and AWS (not only for access to the AWS management console and AWS services, but also for using Azure AI from GenU or Bedrock).

Connections to GCP (management console, Google AI, etc.) may also be considered in the future.
The VPN Gateway itself has /27 as the minimum recommended size, but under the conditions above, how much should we reserve? Thank you in advance for your answer.

We are considering using a VPN Gateway to connect between Azure and AWS (using the management console screen, Azure AI from AWS GenU, etc.).
We are also considering connecting with GCP in the future (using the management console screen, Google AI, etc.). The minimum recommended size for a VPN Gateway is /27, but given the above conditions, how much bandwidth should we allocate?
Furthermore, please tell us the range that should be allocated when using a redundant configuration.
Azure VPN Gateway

1 answer

  1. Jose Premnath 80 Reputation points Microsoft External Staff Moderator
    2025-11-27T09:46:14.3433333+00:00

    Hi 田 暁子/技術統括/JRI morita akiko

    Welcome to Microsoft Q&A and thank you for your questions!

    To establish a reliable and scalable VPN Gateway connection between Azure, AWS, and potentially GCP, you're right to consider allocating a /27 subnet for the VPN Gateway itself, as that’s the minimum recommended size. However, given that you'll be using the gateway not only for console access but also for AI services (like Azure GenU and AWS Bedrock

    Key Sizing Factors

    Connections & Tunnels: Each site-to-site VPN (e.g., AWS now, GCP later) uses gateway IPs for tunnels. Active-active HA adds more (2 instances). /27 works for 1-2 basic connections, but 3+ or HA pushes toward /26 (64 IPs).

    AI/Traffic Load: Bedrock/GenU access means potential high throughput—focus on VpnGw2+ SKUs for bandwidth, but subnet needs room for gateway services.

    Future-Proofing: MS recommends /26+ for complex setups (e.g., ExpressRoute coexist needs even larger). No NSGs/UDRs on GatewaySubnet.

    Steps to Implement

    Create VNet > Add GatewaySubnet (/26, e.g., 10.1.255.0/26)—name must be exact.

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gateway-subnet

    Deploy VPN Gateway (VpnGw2AZ+ for zones/HA) on it—takes ~45 mins.

    https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#create-a-vpn-gateway

    Add connections: Local Network Gateway for AWS/GCP public IPs/ranges, then Site-to-Site (IPsec). Match shared keys.

    Test: Portal > Gateway > Connections (aim for "Connected"). Monitor limits. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-limits


    We hope the above answers will be of great help to you in resolving the issue. If not, please contact us for any explanation.

    If the provided information answers your query, do click "Upvote" and "Accept Answer", as it will help others who might be facing similar challenges.

    Thanks

    Jose Premnath

