Veeam PN allows you to configure two types of VPN connections: site-to-site and point-to-site.
A site-to-site VPN allows you to establish a secure connection between remote networks over a public network. You can implement the site-to-site VPN scenario if you need to join on-premises networks and private cloud networks in Microsoft Azure. For example, if some of your VMs are restored to Microsoft Azure, you can join a Microsoft Azure network to which these VMs are connected with company on-premises networks.
Veeam PN also lets you set up a VPN exclusively for on-premises networks. This scenario lets you extend the company network and make resources in one remote site available to machines and users in another remote site. For example, you can join several company networks into a single private network or allow machines and users from company branch offices to connect to the company datacenter.
In the VPN, all traffic between remote networks is routed over a secure communication channel, the VPN tunnel. To establish a VPN tunnel, Veeam PN uses its appliances: the network hub and site gateways.
The Veeam PN VPN is organized around the network hub. The network hub is the core of the VPN infrastructure. The hub is responsible for all background work: traffic routing, encryption, user management, authentication and so on.
The network hub is accessible from all remote networks added to the VPN. Veeam PN supports two deployment scenarios for the network hub: you can deploy the network hub in Microsoft Azure or in an on-premises network.
The network hub acts as one point of the VPN tunnel. To create the other point of the VPN tunnel, you must deploy a site gateway in a remote network that you plan to add to the VPN. The site gateway is a virtual appliance that establishes a secure connection with the network hub.
In the site-to-site scenario, all traffic in the VPN is handled by the network hub and site gateways. You do not need to additionally configure VPN settings on standalone machines in remote sites.
The VPN organized with Veeam PN has a star network topology. All traffic in the VPN is always routed through the network hub. For example, you add three remote networks to the VPN: 2 on-premises networks and a cloud network in Microsoft Azure. With such a configuration, you must deploy the network hub in Microsoft Azure, and a site gateway in each on-premises network. All traffic will be routed through the network hub in Microsoft Azure, even if machines from one on-premises network need to communicate with machines in the other on-premises network.
A point-to-site VPN allows you to establish a secure connection from a standalone computer to a remote network. You can implement the point-to-site scenario, for example, if you want to allow remote users to communicate with machines restored to Microsoft Azure. You may also implement this scenario if you want to provide remote users with access to resources in an on-premises company network.
As in the site-to-site scenario, in the point-to-site scenario the VPN is organized around the network hub. The network hub is placed in the network to which remote users must gain access. You can deploy the network hub in Microsoft Azure or in an on-premises network, depending on the usage scenario.
To let a remote user access the VPN organized with Veeam PN, you must set up OpenVPN on the user's computer and configure it properly. The user side does not require a site gateway, a public-facing IP address or a DNS name. Whenever a remote user needs to communicate with a machine in the VPN, the user's computer establishes a connection to the network hub. The network hub then routes traffic to the necessary resources in the VPN.
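The hop sequence that the star topology produces in both the site-to-site and point-to-site scenarios can be modeled in a few lines of Python. This is an added example, not Veeam code; the network names, address ranges and hop labels are constructed assumptions.

```python
import ipaddress

# Constructed sample topology; names and address ranges are assumptions.
HUB_NETWORK = ipaddress.ip_network("10.10.0.0/16")      # network hosting the network hub
SITES = {                                               # remote networks, one site gateway each
    "office-a": ipaddress.ip_network("192.168.1.0/24"),
    "office-b": ipaddress.ip_network("192.168.2.0/24"),
}
CLIENTS = {"laptop-1": ipaddress.ip_address("172.16.0.10")}  # standalone OpenVPN clients


def locate(ip):
    """Return (kind, name) for the part of the VPN that owns this address."""
    addr = ipaddress.ip_address(ip)
    if addr in HUB_NETWORK:
        return ("hub-network", "hub")
    for name, net in SITES.items():
        if addr in net:
            return ("site", name)
    for name, client_addr in CLIENTS.items():
        if addr == client_addr:
            return ("client", name)
    raise ValueError(f"{ip} does not belong to any network in the VPN")


def vpn_path(src, dst):
    """List the hops a packet takes from src to dst in the star topology."""
    src_loc, dst_loc = locate(src), locate(dst)
    if src_loc == dst_loc:
        return [src, dst]                      # local traffic never enters the tunnel
    hops = [src]
    if src_loc[0] == "site":
        hops.append(f"gateway:{src_loc[1]}")   # the site gateway is one end of the tunnel
    hops.append("hub")                         # every inter-network flow crosses the hub
    if dst_loc[0] == "site":
        hops.append(f"gateway:{dst_loc[1]}")
    hops.append(dst)
    return hops


if __name__ == "__main__":
    print(vpn_path("192.168.1.20", "192.168.2.30"))  # on-premises to on-premises
    print(vpn_path("172.16.0.10", "10.10.5.4"))      # remote user to the hub's network
```

Because every path between different networks contains the hub, the hub is both the single place to apply access policy and the single point whose loss disconnects all sites and remote users.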