Create a Site-to-Site connection in the Azure portal
Azure VPN gateways allow customers to connect their on-premises networks to Azure. We’ll learn how to construct a Site-to-Site VPN gateway connection from your on-premises network to the VNet using the Azure interface. You may also use Azure PowerShell or Azure CLI to generate this setting.
Create a virtual network
Create a virtual network (VNet) using the following values:
Resource group: TestRG1
Name: VNet1
Region: (US) East US
IPv4 address space: 10.1.0.0/16
Subnet name: FrontEnd
Subnet address space: 10.1.0.0/24
- Firstly, sign in to the Azure portal.
- Secondly, in Search resources, service, and docs (G+/), type virtual network.
- Thirdly, select Virtual Network from the Marketplace results.
- Then, on the Virtual Network page, select Create.
- Once you select Create, the Create virtual network page opens.
- On the Basics tab, configure Project details and Instance details VNet settings.
- When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:
- Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
- Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
- Name: Enter the name for your virtual network.
- Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
- On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes. Adjust these values according to the settings that you require.
- Then, on the Security tab, at this time, leave the default values:
- DDos protection: Basic
- Firewall: Disabled
- Then, select Review + create to validate the virtual network settings.
- Lastly, after the settings have been validated, select Create.
Create the gateway
Create a VPN gateway using the following values:
Name: VNet1GW
Region: East US
Gateway type: VPN
VPN type: Route-based
SKU: VpnGw1
Generation: Generation1
Virtual network: VNet1
Gateway subnet address range: 10.1.255.0/27
Public IP address: Create new
Public IP address name: VNet1GWpip
Enable active-active mode: Disabled
Configure BGP: Disabled
- Firstly, from the Azure portal, in Search resources, services, and docs (G+/) type virtual network gateway. Locate Virtual network gateway in the search results and select it.
- Then, on the Virtual network gateway page, select + Add. This opens the Create virtual network gateway page.
- Thirdly, on the Basics tab, fill in the values for your virtual network gateway.
- Select Review + create to run validation.
- Lastly, once validation passes, select Create to deploy the VPN gateway.
Create a local network gateway
For routing reasons, a local network gateway is a distinct object that represents your on-premises location (the site). You give the site a name that Azure will recognise, and then you specify the IP address of the on-premises VPN device to which you will establish a connection. You may also define the IP address prefixes that will be delivered to the VPN device through the VPN gateway. The address prefixes you select are those that exist on your local network. You can simply alter the parameters if your on-premises network changes or you need to modify the public IP address for the VPN device.
Use the following settings to create a local network gateway:
Name: Site1
Resource Group: TestRG1
Location: East US
- Firstly, from the Azure portal, in Search resources, services, and docs (G+/) type local network gateway. Locate local network gateway under Marketplace in the search results and select it. This opens the Create local network gateway page.
- Secondly, on the Create local network gateway page, specify the values for your local network gateway.
Create a local network gateway with IP address
- Name: Specify a name for your local network gateway object.
- Endpoint: Select the endpoint type for the on-premises VPN device – IP address or FQDN (Fully Qualified Domain Name).
- Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here if you want to connect to your on-premises site, not the values shown in the example.
- Configure BGP settings: Use only when configuring BGP. Otherwise, don’t select this.
- Subscription: Verify that the correct subscription is showing.
- Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
- Location: The location is the same as Region in other settings. Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
- Lastly, when you have finished specifying the values, select the Create button at the bottom of the page to create the local network gateway.
Create a VPN connection
Creating the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.
Create a connection using the following values:
- Local network gateway name: Site1
- Connection name: VNet1toSite1
- Shared key: For this example, we use abc123. But, you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.
- Firstly, open the page for your virtual network gateway. You can navigate to the gateway by going to Name of your VNet -> Overview -> Connected devices -> Name of your gateway, although there are multiple other ways to navigate as well.
- Secondly, on the page for the gateway, select Connections. At the top of the Connections page, select +Add to open the Add connection page.
- Then, on the Add connection page, configure the values for your connection.
- Name: Name your connection.
- Connection type: Select Site-to-site (IPSec).
- Virtual network gateway: The value is fixed because you are connecting from this gateway.
- Local network gateway: Select Choose a local network gateway and select the local network gateway that you want to use.
- Shared Key: the value here must match the value that you are using for your local on-premises VPN device. The example uses ‘abc123’, but you can (and should) use something more complex.
- Leave Use Azure Private IP Address unchecked.
- Leave Enable BGP unchecked.
- Select IKEv2.
- The remaining values for Subscription, Resource Group, and Location are fixed.
- Then, select OK to create your connection. You’ll see Creating Connection flash on the screen.
- Lastly, you can view the connection in the Connections page of the virtual network gateway. The Status will go from Unknown to Connecting, and then to Succeeded.
Verify the VPN connection
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.
- Firstly, in the Azure portal menu, select All resources or search for and select All resources from any page.
- Secondly, select to your virtual network gateway.
- Then, on the blade for your virtual network gateway, click Connections. You can see the status of each connection.
- Lastly, click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is ‘Succeeded’ and ‘Connected’ when you have made a successful connection.
Reference: Microsoft Documentation