Just some frustrating learning from the last few days.
VPNs fall into two broad classes :

  • Route Based
  • Policy Based

When you create a new VPN Gateway in Azure you get to choose which one you want – but be careful !
If you choose Policy Based VPN at this point you will get a very simple ( and relatively cheap ) policy based VPN but it has very limited configurability. As an example you can only use IKEV1 and have one connection configured per VPN, and it is tricky to have more than one VPN per network. You also have no control over ciphers etc. This can be a non starter in some corporate situations.

However, if you choose a “Route-Based” VPN you can then use a feature called “Policy based traffic selectors” to have policy based VPN connections within a “Route based” VPN.
This is covered by this MS article. It is also referenced in the MS FAQs here and in this Cisco document.
Although the MS article is about using PowerShell it can be configured via the UI.
Also note that this article is out of date in that the PowerShell commands specify obsolete SKUs ( I have raised a change request ).
Microsoft are not very clear about which SKUs support this feature but it seems to be VpnGw1 and higher.

I hope that this helps someone else 🙂