Azure Static vs. Dynamic Routing Gateways – What’s the Difference & Which One Should I Chose?

When configuring resources in Microsoft Azure, one of the first decisions you have to make as an organization is how to connect the on-premises environment to Azure. For some organizations ExpressRoute (Azure’s dedicated circuit solution) is the answer, but for many the best choice is to create a site-to-site tunnel using an Azure gateway. In this situation, most people get their networks configured and are ready to create the gateway, when and then you notice that it asks if you want a Static Routing or Dynamic Routing gateway. There is no obvious choice between the two, and in fact the answer to the question can be somewhat complicated. To make it easier, let’s look at the differences between the two gateways:

Static Routing Gateway

The Static Routing Gateway is the “default” option in that almost any firewall device that can create an IPSec tunnel can connect to a Static Routing Gateway. This is because the following configuration is used for this gateway type:

  • A Static Routing Gateway uses IKEv1 for its tunnel connections. This type of tunnel is available on all devices and is the most globally compatible. IKEv2 is also available on many devices but if your firewall does not support it you will need to use a Static Routing Gateway.
  • As the name suggests, a Static Routing gateway uses static routing for its connections. What does that mean? It means that both sides of the tunnel have hard coded rules sending specific subnets across the tunnel. This ensures that the traffic for the subnets you specify in your Azure network configuration is transmitted across the tunnel, but if you want to reconfigure your network in the future you have to modify the configuration both in Azure and your firewall. Just as with a firewall you can have static routes or you can use routing protocols (OSPF, RIP, EIGRP, etc.) the Azure Static Routing gateway is the Azure solution for static routes.

So what’s the downside of a Static Routing Gateway? The main consideration is that the static gateway is a single site-to-site connection. For example, if your organization has multiple locations and you would like to create a tunnel from all of your offices back to the same Azure gateway you can’t with a static gateway. Only one tunnel is allowed and all of the other locations will need to route through that primary office first. Static gateways also limit your ability to use point-to-site VPNs and Azure-to-Azure connections which may be of use if you are trying to connect multiple regions or services together.

Dynamic Routing Gateway

The Dynamic Routing Gateway is the “better” option in that it does not have the limitations of the static routing gateway. In particular, you can have multiple tunnels between on-premises locations and Azure. Dynamic Routing Gateways also support point-to-site VPNs, Azure-to-Azure connections and combinations of the above. However, for a Dynamic Routing Gateway the following configuration is required:

  • A Dynamic Routing Gateway uses the IKEv2 protocol for its tunnel connections. As discussed above, not all firewall devices support this tunneling method. If your firewall does not support IKEv2 you will need to contact the vendor to see if it is on their roadmap before you can set up a Dynamic Routing Gateway.
  • And so what does dynamic routing mean? In dynamic routing Microsoft is expecting that you will use a routing protocol to communicate subnets across the Azure tunnel instead of sending static routes. This gives greater flexibility in your subnets and makes managing them easier because the routing protocol automatically updates the subnets transmitting across the tunnel, however – again your firewall device needs to support routing protocols across a tunnel.

So which gateway type do you pick? The answer really comes down to which firewall device you have. Whenever possible, you want to use a Dynamic Routing Gateway, however your firewall must support it. Unfortunately, at the time this blog is being written, many of the most common firewall types – Cisco ASAs, Palo Altos, Sonicwalls and Watchguards to name a few – either do not support IKEv2 or do not support dynamic routing across tunnels and therefore are not compatible with Dynamic Routing gateways. Microsoft maintains a useful list of which devices are and aren’t compatible with which gateway types.

Do you need help setting up your Azure gateway or selecting the right gateway type? BDO Digital has experience in many environments configuring the gateway that suits your organization’s your needs, contact BDO Digital for more information.