Organizations everywhere are rapidly adopting Microsoft Azure public cloud infrastructure to extend or replace their existing datacenter. As traditional on-premises workloads are migrated to the cloud, customers are looking for options to host VPN services there as well.
Windows Server
Windows Server with the Routing and Remote Access Service (RRAS) installed is a popular choice for on-premises Always On VPN deployments. Intuitively it would make sense to deploy Windows Server and RRAS in Azure as well. However, at the time of this writing, RRAS is not a supported workload on Windows Server in Azure.
Although explicitly unsupported, it is possible to deploy Windows Server and RRAS in Azure for Always On VPN. In my experience it works well and can be an option for organizations willing to forgo formal support by Microsoft.
Azure Gateway
Options for supporting Always On VPN connections using native Azure VPN infrastructure depend on the type of VPN gateway chosen.
VPN Gateway
The Azure VPN Gateway can be configured to support client-based (point-to-site) VPN. With some additional configuration it can be used to support Windows 10 Always On VPN deployments. Azure VPN gateway supports either IKEv2 or SSTP VPN protocols for client connections. The Azure VPN gateway has some limitations though. Consider the following:
- A route-based VPN gateway is required
- A maximum of 1000 concurrent IKEv2 connections are supported when using the VpnGw3 or VpnGw3AZ SKUs (2000 supported in active/active mode)
- A maximum of 128 concurrent SSTP connections are supported on all gateway SKUs (256 supported in active/active mode)
- The gateway can be configured to support either device or user connections, not both.
Virtual WAN
Azure Virtual WAN is the future of remote connectivity for Azure. It includes support for client-based VPN (currently in public preview at the time of this writing), but only supports IKEv2 and OpenVPN VPN protocols for client connections. SSTP is not supported at all. Further, OpenVPN is not supported for Windows 10 Always On VPN, leaving IKEv2 as the only option, which poses some potential operational challenges. Virtual WAN offer much better scalability though, supporting up to 10,000 concurrent client-based VPN connections. Like the Azure VPN gateway, Azure Virtual WAN can be configured to support either device or user connections, not both.
Virtual Appliance
The most supportable option for hosting VPN services in Azure for Windows 10 Always On VPN is to deploy a third-party Network Virtual Appliance (NVA). They are available from a variety of vendors including Cisco, Check Point, Palo Alto Networks, Fortinet, and many others. To support Windows 10 Always On VPN, the NVA vendor must either support IKEv2 for client-based VPN connections or have a Universal Windows Platform (UWP) VPN plug-in client available from the Microsoft store. Click here to learn more about Always On VPN and third-party VPN devices.
Note: Be careful when choosing an NVA as some vendors support IKEv2 only for site-to-site VPN, but not client-based VPN!
Hybrid Deployments
For organizations with hybrid cloud deployments (infrastructure hosted on-premises and in Azure), there are several options for choosing the best location to deploy VPN services. In general, it is recommended that client VPN connections be established nearest the resources accessed by remote clients. However, having VPN servers hosted both on-premises and in Azure is fully supported. In this scenario Azure Traffic Manager can be configured to intelligently route VPN connections for remote clients.
NetMotion Mobility
The NetMotion Mobility purpose-built enterprise VPN is a popular replacement for Microsoft DirectAccess. It is also an excellent alternative for enterprise organizations considering a migration to Always On VPN. It is a software-based solution that can be deployed on Windows Server and is fully supported running in Microsoft Azure. It offers many advanced features and capabilities not included in other remote access solutions.
Summary
Administrators have many options for deploying VPN servers in Azure to support Windows 10 Always On VPN. Windows Server and RRAS is the simplest and most cost-effective option, but it is not formally supported by Microsoft. Azure VPN gateway is an interesting alternative but lacks enough capacity for larger deployments. Azure Virtual WAN is another option but has limited protocol support. Deploying an NVA is a good choice, and NetMotion Mobility is an excellent alternative to both DirectAccess and Always On VPN that is software-based and fully supported in Azure.
Additional Information
Windows 10 Always On VPN with Azure Gateway
Windows 10 Always On VPN and Third-Party VPN Devices
Windows 10 Always On VPN and Windows Server Routing and Remote Access Service (RRAS)
Windows 10 Always On VPN IKEv2 Features and Limitations
Windows 10 Always On VPN Multisite with Azure Traffic Manager
One of the most important advantages Windows 10 Always On VPN has over DirectAccess is infrastructure independence. That is, Always On VPN does not rely exclusively on a Windows Server infrastructure to support Always On VPN connections. Always On VPN will work with many third-party firewalls and VPN devices, as long as they meet some basic requirements.
Windows 10 Always On VPN hands-on training classes now forming. Details 
Windows servers are required to implement DirectAccess. Always On VPN can be implemented using Windows servers as well, but it isn’t a hard requirement. Always On VPN is implemented entirely on the Windows 10 client, which means any third-party VPN device can be used on the back end, including Cisco, Checkpoint, Juniper, Palo Alto, Fortinet, SonicWALL, F5, strongSwan, and others! This provides tremendous deployment flexibility, making it possible to mix and match backend infrastructure if required. For example, a Windows RRAS VPN server with Palo Alto and SonicWALL firewalls could all be implemented at the same time (using the Windows built-in VPN client). Importantly, making changes to VPN infrastructure is much less impactful and disruptive to clients in the field. VPN devices can be upgraded, replaced, and moved internally without requiring corresponding policy changes on the client.
