You need to connect VNet1 to the on-premises network by using a site-to-site VPN

You have an Azure subscription named Subscription1 that contains an Azure virtual network named VNet1. VNet1 connects to your on-premises network by using Azure ExpressRoute.

You plan to prepare the environment for automatic failover in case of ExpressRoute failure.

You need to connect VNet1 to the on-premises network by using a site-to-site VPN. The solution must minimize cost.

In this tutorial, learn how to create a site-to-site VPN Gateway IPsec connection from your on-premises network to a VNet.

Azure VPN Gateway (vpn-gateway, tutorial)

Author: cherylmc

Date: 09/21/2022

Tutorial: Create a site-to-site VPN connection in the Azure portal

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial shows you how to use the Azure portal to create a site-to-site VPN gateway connection from your on-premises network to the VNet. You can also create this configuration using Azure PowerShell or Azure CLI.

[Diagram: Site-to-site VPN Gateway cross-premises connection diagram.]

In this tutorial, you learn how to:


  • Create a virtual network
  • Create a VPN gateway
  • Create a local network gateway
  • Create a VPN connection
  • Verify the connection
  • Connect to a virtual machine

Prerequisites

  • An Azure account with an active subscription. If you don't have one, create one for free.
  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Create a virtual network

In this section, you'll create a virtual network (VNet) using the following values:

  • Resource group: TestRG1
  • Name: VNet1
  • Region: (US) East US
  • IPv4 address space: 10.1.0.0/16
  • Subnet name: FrontEnd
  • Subnet address space: 10.1.0.0/24

[!INCLUDE About cross-premises addresses]

[!INCLUDE Create a virtual network]

Create a VPN gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

About the gateway subnet

[!INCLUDE About gateway subnets]

Create the gateway

Create a virtual network gateway (VPN gateway) using the following values:

  • Name: VNet1GW
  • Region: East US
  • Gateway type: VPN
  • VPN type: Route-based
  • SKU: VpnGw2
  • Generation: Generation 2
  • Virtual network: VNet1
  • Gateway subnet address range: 10.1.255.0/27
  • Public IP address: Create new
  • Public IP address name: VNet1GWpip
  • Enable active-active mode: Disabled
  • Configure BGP: Disabled

[!INCLUDE Create a vpn gateway]

[!INCLUDE Configure PIP settings]

You can see the deployment status on the Overview page for your gateway. A gateway can take up to 45 minutes to fully create and deploy. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

[!INCLUDE NSG warning]

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway.

[Screenshot: the gateway public IP address shown on the Overview page.]

To see additional information about the public IP address object, select the name/IP address link next to Public IP address.

Create a local network gateway

The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Create a local network gateway using the following values:

  • Name: Site1
  • Resource Group: TestRG1
  • Location: East US

[!INCLUDE Add a local network gateway]

Configure your VPN device

Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following values:

  • A shared key. This is the same shared key that you specify when creating your site-to-site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, go to Virtual network gateways, then select the name of your gateway.

[!INCLUDE Configure a VPN device]

Create VPN connections

Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.

Create a connection using the following values:

  • Local network gateway name: Site1
  • Connection name: VNet1toSite1
  • Shared key: For this example, we use abc123. But, you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.

[!INCLUDE Add a site-to-site connection]

To configure additional connection settings (optional)

You can configure additional settings for your connection, if necessary. Otherwise, skip this section and leave the defaults in place.

[!INCLUDE Configure additional connection settings with screenshot]

Verify the VPN connection

[!INCLUDE Verify the connection]

Connect to a virtual machine

[!INCLUDE Connect to a VM]

Optional steps

Resize a gateway SKU

There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we'll resize the SKU. For more information, see Gateway settings - resizing and changing SKUs.

[!INCLUDE resize a gateway]

Reset a gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more site-to-site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but aren't able to establish IPsec tunnels with the Azure VPN gateways.

[!INCLUDE reset a gateway]

Add another connection

You can create a connection to multiple on-premises sites from the same VPN gateway. If you want to configure multiple connections, the address spaces can’t overlap between any of the connections.

  1. To add an additional connection, go to the VPN gateway, then select Connections to open the Connections page.
  2. Select +Add to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to another VNet gateway), or Site-to-site.
  3. If you're connecting using Site-to-site and you haven't already created a local network gateway for the site you want to connect to, you can create a new one.
  4. Specify the shared key that you want to use, then select OK to create the connection.
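The address and key constraints this tutorial spells out (subnets inside the VNet space, a /27 GatewaySubnet, on-premises prefixes that overlap neither the VNet nor another site's prefixes when several connections share one gateway, a public IPv4 address on the VPN device, and a shared key stronger than abc123) can be checked before anything is created in the portal. This is an added Python example, not Microsoft's code; the two on-premises sites and their device addresses are constructed placeholders.

```python
import ipaddress
import math

# Values from the tutorial: VNet1 address space and its two subnets.
VNET_SPACE = "10.1.0.0/16"
SUBNETS = {"FrontEnd": "10.1.0.0/24", "GatewaySubnet": "10.1.255.0/27"}
# Constructed on-premises sites: device addresses from documentation ranges, prefixes made up.
SITES = {
    "Site1": {"device_ip": "203.0.113.10", "prefixes": ["192.168.10.0/24"]},
    "Site2": {"device_ip": "198.51.100.7", "prefixes": ["192.168.20.0/24"]},
}
# Ranges that can never be the externally facing address of an on-premises VPN device.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def check_subnets(vnet_space=VNET_SPACE, subnets=SUBNETS):
    """Subnets must lie inside the VNet space, not overlap, and GatewaySubnet must be /27 or larger."""
    vnet = ipaddress.ip_network(vnet_space)
    nets = {n: ipaddress.ip_network(p) for n, p in subnets.items()}
    problems = [f"{n} {net} is outside {vnet}" for n, net in nets.items() if not net.subnet_of(vnet)]
    if "GatewaySubnet" in nets and nets["GatewaySubnet"].prefixlen > 27:
        problems.append(f"GatewaySubnet {nets['GatewaySubnet']} is smaller than /27")
    names = list(nets)
    for i, a in enumerate(names):
        problems += [f"{a} overlaps {b}" for b in names[i + 1:] if nets[a].overlaps(nets[b])]
    return problems

def check_sites(vnet_space=VNET_SPACE, sites=SITES):
    """On-premises prefixes must not overlap the VNet or another site (several connections on one
    gateway); each VPN device address must be a public IPv4 address."""
    vnet = ipaddress.ip_network(vnet_space)
    problems, seen = [], []
    for name, site in sites.items():
        ip = ipaddress.ip_address(site["device_ip"])
        if ip.version != 4 or any(ip in n for n in NOT_PUBLIC):
            problems.append(f"{name}: device address {ip} is not a public IPv4 address")
        for net in map(ipaddress.ip_network, site["prefixes"]):
            if net.overlaps(vnet):
                problems.append(f"{name}: {net} overlaps VNet {vnet}")
            problems += [f"{name}: {net} overlaps {o} prefix {onet}" for o, onet in seen if net.overlaps(onet)]
            seen.append((name, net))
    return problems

def shared_key_bits(key):
    """Rough pre-shared-key strength: length times log2 of the character classes present."""
    classes = [any(c.islower() for c in key) * 26, any(c.isupper() for c in key) * 26,
               any(c.isdigit() for c in key) * 10, any(not c.isalnum() for c in key) * 32]
    return len(key) * math.log2(sum(classes)) if sum(classes) else 0.0
```

A replacement pre-shared key can be generated with Python's secrets.token_urlsafe(24) and must be entered identically on the Azure connection and on the on-premises device.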

Additional configuration considerations

S2S configurations can be customized in a variety of ways. For more information, see the following articles:

  • For information about BGP, see the BGP Overview and How to configure BGP.
  • For information about forced tunneling, see About forced tunneling.
  • For information about Highly Available Active-Active connections, see Highly Available cross-premises and VNet-to-VNet connectivity.
  • For information about how to limit network traffic to resources in a virtual network, see Network Security.
  • For information about how Azure routes traffic between Azure, on-premises, and Internet resources, see Virtual network traffic routing.

Clean up resources

If you're not going to continue to use this application or go to the next tutorial, delete these resources using the following steps:

Which of the following is required to set up Azure for site

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

Which option is used to set the communication between an on

VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

How does Azure Connect to premise network?

You can use the Routing and Remote Access Service (RRAS) in Windows Server 2016 or Windows Server 2012 to establish an IPsec site-to-site VPN connection between the on-premises network and the Azure virtual network. You can also use other options, such as Cisco or Juniper Networks VPN devices.

What methods are available in Azure to connect Azure virtual network to on premise environment?

Connectivity services: Connect Azure resources and on-premises resources using any or a combination of these networking services in Azure - Virtual Network (VNet), Virtual WAN, ExpressRoute, VPN Gateway, Virtual network NAT Gateway, Azure DNS, Peering service, and Azure Bastion.
