Overview
An Azure Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network. Data is transferred over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. Azure VPN gateways provide cross-premises connectivity between customer premises and Azure.
This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. This article shows the steps for using the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet.
Prerequisites for Site-to-Site VPN
- Virtual Network
- Virtual Network Gateway
- Local Network Gateway
- Compatible VPN device on-premises with a public IP
Brief steps to create an Azure Site-to-Site VPN
Deploying a site-to-site VPN from the Azure side involves the following steps:
- Creating/editing a virtual network
- Verifying or adding virtual subnets to the virtual network
- Creating the gateway subnet
- Creating the virtual network gateway
- Creating a local network gateway
- Integrating with your VPN device
- Creating the site-to-site VPN tunnel
- Verifying the connections in both directions
Although this might feel like a lot of different and complex steps, it shouldn't take more than 20 minutes, of which about 15 minutes is waiting for the VPN gateway to be deployed and the connections to be established.
Step-1: Create a Virtual Network
Go to the Azure Portal, click on Create a resource and search for Virtual Network. You will see Virtual Network in the Azure Marketplace as in the image below.
Click on the Create button and you will get the creation wizard. These values are self-explanatory; fill them in as per your requirement, as in the image below.
Next, we need to assign an IP range for our Virtual Network.
Then click on Review + create.
Now we have successfully created a Virtual Network in Azure.
Step-2: Create the Gateway Subnet
Let's create the gateway subnet for our Virtual Network Gateway. Go to the Virtual Network and click on Subnets.
Click on + Gateway subnet and you will see the option as shown above. Add your desired IP range and save it.
Step-3: Create the Virtual Network Gateway
Log in to the Portal and search for Virtual Network Gateway.
Click on Create to create the Virtual Network Gateway. On the next screen, you will have to provide the following information:
- Subscription: Select your organization's subscription (a subscription is a logical ID assigned under your tenant).
- Resource Group: Select the resource group where you want to deploy this service (a resource group is a logical grouping of your resources).
- Name: A name for your Virtual Network Gateway.
- Region: The geographical location where your datacenter is located. For testing purposes, you can choose the East US region as it is cheaper than others.
- Gateway Type: VPN, as we are using it for P2S.
- VPN Type: Choose Route-based VPN.
- SKU: For testing purposes select the Basic SKU (Stock Keeping Unit); otherwise choose the SKU as per requirement. Note: the Basic SKU only supports Windows machines for P2S.
- Generation: Select Generation 2, the latest.
- Virtual Network: The Azure network which you want to connect with the on-prem network.
- Public IP address name: A name for your public IP. With the Basic SKU we are using a Basic public IP address.
You can configure Active-Active mode as per your requirement, and you can go one step further and configure BGP.
Now review and click on the Create button.
Step-4: Create the Local Network Gateway and Connection
Now that we have successfully deployed the Azure network and the Virtual Network Gateway, we can go ahead and configure the Azure Site-to-Site VPN.
Let's configure Azure Connections to establish Site-to-Site VPN connectivity. Go to the Connections pane and click on the Add option.
Once you click on Add you will get the wizard below, where we must select a few options as shown in the image below:
- Name: The name of your connection, e.g. US-Office-Connection.
- Connection Type: It must be Site-to-Site (IPsec).
- Virtual Network Gateway: The Virtual Network Gateway created earlier; it will be picked up automatically.
- Local Network Gateway: It holds your on-premises VPN configuration details.
- Shared Key (PSK): Acts as a passphrase; you will need this to configure the on-premises device.
- IKE Protocol: First confirm whether the on-premises VPN device or firewall supports IKEv1 or IKEv2.
Now let's create the Local Network Gateway. This represents "the glue" between Azure and your on-premises network. If you don't have a Local Network Gateway, click on the Choose Local Network Gateway option.
You will get the option Create New. Click on it and you will get the wizard shown in the image below.
Here you configure the name of the Local Network Gateway. Give the IP address of your firewall or VPN device and the IP range(s) of the on-premises network which you want to communicate with the Azure network. After filling in all the necessary details click on OK and go back to the connection configuration page.
Azure will then create the Local Network Gateway and the connection in the back end.
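Before entering the ranges above, it is worth checking that they fit together: the GatewaySubnet must sit inside the VNet address space, and the on-premises prefixes entered in the Local Network Gateway must not overlap the VNet, otherwise that traffic is never routed through the tunnel. The following added Python script (written for this page, not part of the original tutorial or of Microsoft's tooling; all addresses are constructed sample values, and the /27 minimum for the gateway subnet is an assumption based on Azure's recommendation) performs this pre-flight check and also generates a random shared key for the connection.

```python
"""Pre-flight check for an Azure Site-to-Site VPN address plan (added example).

Run this before creating the VNet, GatewaySubnet and Local Network Gateway in
the portal. All addresses used below are constructed sample values.
"""
import ipaddress
import secrets


def check_address_plan(vnet_space, gateway_subnet, onprem_prefixes, min_gw_prefix=27):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    vnet = ipaddress.ip_network(vnet_space, strict=True)
    gw = ipaddress.ip_network(gateway_subnet, strict=True)
    onprem = [ipaddress.ip_network(p, strict=True) for p in onprem_prefixes]

    # The GatewaySubnet must be carved out of the VNet address space.
    if not gw.subnet_of(vnet):
        problems.append(f"GatewaySubnet {gw} is not inside VNet space {vnet}")
    # Assumed minimum size: Azure recommends /27 or larger for the gateway subnet.
    if gw.prefixlen > min_gw_prefix:
        problems.append(f"GatewaySubnet {gw} is smaller than /{min_gw_prefix}")
    # On-prem prefixes in the Local Network Gateway must not overlap the VNet;
    # overlapping addresses are treated as local and never sent over the tunnel.
    for p in onprem:
        if p.overlaps(vnet):
            problems.append(f"on-prem prefix {p} overlaps VNet space {vnet}")
    # Overlapping on-prem prefixes make the Local Network Gateway routes ambiguous.
    for i, a in enumerate(onprem):
        for b in onprem[i + 1:]:
            if a.overlaps(b):
                problems.append(f"on-prem prefixes {a} and {b} overlap")
    return problems


def generate_psk(nbytes=32):
    """Random shared key for the connection: 64 hex characters for 32 bytes,
    which is printable ASCII and fits in the portal's Shared Key field.
    Keep it secret; it also appears in the downloaded device configuration."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    issues = check_address_plan("10.10.0.0/16", "10.10.255.0/27",
                                ["192.168.0.0/24", "10.10.5.0/24"])
    for issue in issues:
        print("PROBLEM:", issue)
    print("PSK:", generate_psk())
```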
You may see the following in your VPN Connection pane.
Step-5: Access the Azure Site-to-Site VPN
Now go back to the Overview and download the configuration file for the on-prem device.
Here you can see multiple values, such as Data In and Data Out, which show how much data has been transferred between your on-premises network and the Azure network.
Now we need to share these details with our on-premises IT team to allow our Azure VPN to talk to the corporate office firewall/VPN device. You can select the device vendor; if your device is not listed, you can use the generic one.
Once you click on Download Configuration, you will get a text file that contains the IP address of the Azure VPN gateway and the shared key which we configured in the connection.
After opening that text file, you will see multiple entries. Don't get scared!
You just need three things to connect your on-prem firewall to the Azure VPN: the public IP of the Azure VPN gateway, the shared key, and the IP range that we allowed in the Local Network Gateway.
Once you see the status is Connected, you can check connectivity from your on-premises network to the Azure network.
Summary
In this tutorial we learned about VPN configuration on Azure to achieve hybrid network connectivity between your on-premises and cloud networks. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure connections between your on-premises networks and your virtual networks. A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway.
What's Next
Configure Azure Point To Site VPN Connection