
I have to connect an on-premises network to an Azure VNET. I understand that Azure Virtual Network Gateway can be used to create a site-to-site VPN. However, my customer is concerned about the security and is looking for more secure options.

I have read articles about using Cisco ASAv and similar virtual firewalls. My question is: if I plan to use one of these virtual appliances, can I avoid creating the Azure Virtual Network Gateway in the VNET?

Do I need both a virtual appliance (created in the external-facing "DMZ" subnet) and an Azure Virtual Network Gateway?

If both are not required at the same time, what is the advantage of using a virtual appliance over the Azure Virtual Network Gateway?

Mark Henderson
Thomas
    I would be interested to hear what your client's security concerns are. IPsec is a very well understood protocol that is flexible with the encryption and authentication mechanisms used. Most of these appliances just end up deploying an IPsec tunnel underneath anyway, but they provide management and authentication within some other ecosystem. – Mark Henderson Jan 10 '19 at 03:52
  • An (IPsec + pre-shared key) combination will make it more secure, in most of the endpoints used in site-to-site VPN. – Aravinda Jan 10 '19 at 09:21

1 Answer


As some of the comments say, your customer (and/or you) should have a list of security demands the VPN provider should support, and not focus on whether the box says "Azure Gateway" or "Cisco ASAv". Regarding Azure Virtual Network Gateway, you can configure it to support a wide range of algorithms and encryption: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto

For communications that require specific cryptographic algorithms or parameters, typically due to compliance or security requirements, customers can now configure their Azure VPN gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.

Or you can choose a third-party appliance that does the same. If you choose a third-party appliance, you don't need to deploy an Azure Network Gateway.

Jarnstrom
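To make the "list of security demands" concrete for the Azure Virtual Network Gateway route, here is an added example (not part of the answer or of any Azure tooling) that checks a proposed custom IPsec/IKE policy against the algorithm values Azure accepts, flags the weak choices a security-conscious customer should reject, and builds the `az network vpn-connection ipsec-policy add` call that applies it. The accepted-value sets and the lifetime bounds are taken from the Azure documentation linked in the answer at the time of writing; the resource group, connection name and policy values are constructed sample input.

```python
"""Check a custom Azure IPsec/IKE policy for validity and strength, then emit the az CLI call."""

# Values accepted by Azure custom IPsec/IKE policy (per the linked Azure docs; re-check for changes).
IKE_ENC = {"AES256", "AES192", "AES128", "GCMAES256", "GCMAES128", "DES3", "DES"}
IKE_INT = {"SHA384", "SHA256", "GCMAES256", "GCMAES128", "SHA1", "MD5"}
DH_GROUPS = {"DHGroup24", "ECP384", "ECP256", "DHGroup14", "DHGroup2048", "DHGroup2", "DHGroup1"}
IPSEC_ENC = {"GCMAES256", "GCMAES192", "GCMAES128", "AES256", "AES192", "AES128", "DES3", "DES", "None"}
IPSEC_INT = {"GCMAES256", "GCMAES192", "GCMAES128", "SHA256", "SHA1", "MD5"}
PFS_GROUPS = {"PFS24", "ECP384", "ECP256", "PFS2048", "PFS14", "PFS2", "PFS1", "PFSMM", "None"}
# Accepted by Azure but not what a customer asking for "more secure" should settle for.
WEAK = {"DES", "DES3", "MD5", "SHA1", "DHGroup1", "DHGroup2", "PFS1", "PFS2", "PFSMM", "None"}

FIELDS = (("ike_encryption", IKE_ENC), ("ike_integrity", IKE_INT), ("dh_group", DH_GROUPS),
          ("ipsec_encryption", IPSEC_ENC), ("ipsec_integrity", IPSEC_INT), ("pfs_group", PFS_GROUPS))


def check_policy(p):
    """Return a list of problems; an empty list means the policy is accepted by Azure and not weak."""
    problems = []
    for key, allowed in FIELDS:
        if p[key] not in allowed:
            problems.append(f"{key}={p[key]} is not an accepted Azure value")
        elif p[key] in WEAK:
            problems.append(f"{key}={p[key]} is weak")
    # Azure rule: a GCMAES IPsec cipher must be paired with the same GCMAES value for integrity.
    if p["ipsec_encryption"].startswith("GCMAES") and p["ipsec_integrity"] != p["ipsec_encryption"]:
        problems.append("GCMAES ipsec_encryption requires the identical GCMAES ipsec_integrity")
    if not 300 <= p["sa_lifetime"] <= 172799:  # seconds
        problems.append("sa_lifetime must be between 300 and 172799 seconds")
    if not 1024 <= p["sa_max_size"] <= 2147483647:  # kilobytes
        problems.append("sa_max_size must be between 1024 and 2147483647 KB")
    return problems


def az_command(p, resource_group, connection_name):
    """Build the az CLI argument list that applies the policy to an existing site-to-site connection."""
    return ["az", "network", "vpn-connection", "ipsec-policy", "add",
            "--resource-group", resource_group, "--connection-name", connection_name,
            "--ike-encryption", p["ike_encryption"], "--ike-integrity", p["ike_integrity"],
            "--dh-group", p["dh_group"], "--ipsec-encryption", p["ipsec_encryption"],
            "--ipsec-integrity", p["ipsec_integrity"], "--pfs-group", p["pfs_group"],
            "--sa-lifetime", str(p["sa_lifetime"]), "--sa-max-size", str(p["sa_max_size"])]


# Constructed sample policy: AES-256/SHA-384 for IKE, AES-256-GCM with ECP384 PFS for IPsec.
STRONG_POLICY = {"ike_encryption": "AES256", "ike_integrity": "SHA384", "dh_group": "DHGroup24",
                 "ipsec_encryption": "GCMAES256", "ipsec_integrity": "GCMAES256", "pfs_group": "ECP384",
                 "sa_lifetime": 27000, "sa_max_size": 102400000}

if __name__ == "__main__":
    print(check_policy(STRONG_POLICY) or "policy OK")
    print(" ".join(az_command(STRONG_POLICY, "rg-hybrid-example", "s2s-to-onprem-example")))
```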