Create a site-to-site VPN Connection in Azure

In this post, you learn how to set up a site-to-site VPN connection in Azure. A site-to-site VPN connection securely joins your on-premises network to a virtual network in Azure over an IPsec/IKE tunnel, so you can extend your on-premises network into the cloud and reach resources in Azure as if they were on your local network.

The site-to-site VPN connection works by creating a secure tunnel between your on-premises VPN device and a virtual network gateway in Azure. All traffic between your on-premises network and the virtual network in Azure is encrypted and transmitted over this tunnel. The tunnel protects traffic in transit between the two gateways only; it does not change what is reachable inside either network, so network security groups and on-premises firewall rules still apply.

Setting up a site-to-site VPN connection requires a virtual network gateway in Azure and a VPN device on your on-premises network. Once the connection is established, you can use Azure resources as if they were connected directly to your on-premises network. Organizations commonly use site-to-site connections to join their on-premises network to Azure; remote access for individual employees is the job of a point-to-site connection, which is a different gateway configuration.

Configuring site-to-site VPN in Azure

To configure a site-to-site VPN connection on Azure, we need a virtual network (VNet), a virtual network gateway in that VNet, a local network gateway that represents the on-premises network, and a connection between the two gateways.

In this first step, I show you how to create these resources before creating the site-to-site VPN connection in Azure.

Prerequisites

To be able to create a site-to-site VPN connection in Azure you must meet the following prerequisites:

  1. An Azure account with an active subscription. If you do not already have one, create one for free.
  2. A compatible VPN device and someone who is able to configure it.
  3. An externally facing public IPv4 address for your VPN device.
  4. Knowledge of the IP address ranges in your on-premises network configuration. You must specify the address prefixes that Azure will route to your on-premises location, and none of your on-premises subnets may overlap with the virtual network subnets that you want to connect to.

Below are the steps to create a site-to-site VPN connection in Azure:

Step 1: Sign in to the Azure portal.

Step 2: Create a Virtual Network on Azure.

To create a VNet on Azure do the following:

Search for and click on Virtual Network to get started.

Creating Azure Virtual Network

In the Virtual Network dashboard click on Create and choose a resource group; if there is none, create one. Supply a name and pick your preferred region. Leave everything else at the default and click on the Review + create button.

Note: On the IP Addresses tab you can add additional address space and subnets depending on your requirements.

When the VNet is created successfully, click on Go to resource.

VNet Created Successfully

In the VNet dashboard, I add 10.1.1.0/24 to the address space. Whatever ranges you choose here must not overlap with the on-premises prefixes you will route over the tunnel.

Adding Additional Address Space

Azure Bastion, DDoS Network Protection and Azure Firewall, which the Security tab offers when you create the VNet, are not required for the VPN connection and add cost; leave them disabled for this walkthrough.

Create a virtual network gateway

To set up a site-to-site VPN connection, you must create a VPN gateway. A virtual network gateway provides a secure connection between an Azure virtual network and an on-premises network or another virtual network, acting as a bridge that carries traffic between them over an encrypted tunnel. It is deployed into a dedicated subnet named GatewaySubnet, and creating it can take 45 minutes or more depending on the selected gateway SKU.

To create the VPN gateway:

Step 1: In the Search resources bar, type virtual network gateway, open Virtual network gateways and click Create.

Creating a virtual network gateway

Step 2: Fill in the values for Project details and Instance details on the Basics tab.

Enter Project and Instance details

From the above screenshot, the name of my gateway is VNetGW-01, the Gateway type is VPN, the VPN type is Route-based, the SKU is VpnGw2 and the Generation is Generation2. In the Virtual network field I selected the VNet I created earlier.

Note: The Gateway subnet address range field appears only if your VNet doesn't already have a subnet named GatewaySubnet; the portal creates that subnet from the range you enter. Specify /27 or larger (/26, /25 and so on).

Step 3: Under Public IP address, create a new public IP and give it a name. Leave active-active mode and BGP disabled, click Review + create to validate, and then click Create to create the gateway.

Validating Gateway details

Wait for the deployment to complete. It can take 45 minutes or more depending on the selected SKU.

Gateway Deployment in Progress

Creating a Local Network Gateway

As part of the requirements for successfully setting up a site-to-site VPN connection, we need to create a local network gateway.

The local network gateway is an object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, specify the public IP address of the on-premises VPN device to which you'll create a connection, and list the on-premises address prefixes that Azure will route through the tunnel to that device.

To create a local network gateway, follow the steps below:

Step 1: From the Azure portal, search for Local network gateways, open it and click Create.

Searching for Local Network Gateways

Step 2: On the Create local network gateway page, on the Basics tab, specify the values for your local network gateway as shown in the screenshot below. You can use different configuration settings from what is shown here.

Details of Local Network Gateway

On the Advanced tab, you can choose to configure BGP settings if needed. When you have finished specifying the values, select Review + create at the bottom of the page to validate the page and then click on Create to create it.

Configuring your VPN Device

A VPN device is required for site-to-site connections to an on-premises network. You configure your VPN device at this stage. The following values are required while configuring your VPN device:

  1. A shared key: the same pre-shared key you specify when creating the site-to-site connection in Azure. The samples here use a basic key for illustration; use a long, randomly generated key and hand it to the device administrator out of band.
  2. Your virtual network gateway's public IP address. It can be viewed in the Azure portal, PowerShell or the CLI. To find it in the portal, navigate to Virtual network gateways, choose the name of your gateway and read the Public IP address field under Essentials. Here, the public IP resource is named cloud-pip-net.
Viewing Gateway Public IP

To complete the configuration of your VPN device, see the following official documents from Microsoft:

  1. For information about compatible VPN devices, see VPN Devices.
  2. Before configuring your VPN device, check for any Known device compatibility issues for the VPN device that you want to use.
  3. For links to device configuration settings, see Validated VPN Devices. The device configuration links are provided on a best-effort basis.

Creating VPN connections

Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.

Create a connection using the following values:

  • Local network gateway name: Site1
  • Connection name: VNet1toSite1
  • Shared key: For this example, we use vbc234. You can use whatever is compatible with your VPN hardware; in a real deployment use a long random key. It is important that the values match on both sides of the connection.
  1. Go to your virtual network. On your VNet page, select Connected devices on the left. Locate your VPN gateway and click to open it.
  2. On the page for the gateway, select Connections. At the top of the Connections page, select + Add.
Add Connection

This opens the Add connection page. Supply all the details accordingly and click OK to add the connection.

Add connection page

Verifying the VPN connection

To test the VPN connection, navigate to the connection in the Azure portal and view its status. The steps below explain how to navigate to and verify your connection.

  1. Choose All resources from the Azure portal’s menu, or search for and choose All resources from any page.
  2. Select your virtual network gateway.
  3. Click Connections on the blade for your virtual network gateway. Each connection’s state is shown.
  4. To open Essentials, click the name of the connection you want to verify. More information regarding your connection can be found under Essentials. When you make a successful connection, the Status changes to ‘Success’ or ‘Connected’.
VPN Connection Status
Note: The VPN status under Essentials shows 'Not connected' because this is a demonstration exercise with no real on-premises device behind the local network gateway. If you are implementing the VPN in a real environment and have configured the on-premises VPN device correctly, the status should show 'Success' or 'Connected'.
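The whole walkthrough above, from the VNet through the gateway, local network gateway and connection to the status check, as one Azure CLI script. This is an added example, not code from the original post or from Microsoft's documentation. The resource group, region, resource names, address ranges and the on-premises public IP (203.0.113.10, a documentation address) are placeholders chosen for the example; the Standard static public IP is an assumption for a VpnGw2 gateway. It also turns prerequisite 4 (no overlapping address spaces) into a check that runs before anything is created, replaces the sample key vbc234 with a random one, and goes one step beyond the portal walkthrough by pinning an explicit IPsec/IKE policy on the connection.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI version of the walkthrough.
# Every name, range and IP below is a placeholder for this example; replace them.
# Usage: sh s2s.sh deploy | sh s2s.sh status  (no argument: only defines functions)
set -eu

RG="rg-s2s-demo"; LOCATION="westeurope"            # assumed resource group / region
VNET="VNet1"; VNET_PREFIX="10.1.0.0/16"; SUBNET_PREFIX="10.1.0.0/24"
GW_SUBNET_PREFIX="10.1.255.0/27"                   # GatewaySubnet: /27 or larger
PIP="cloud-pip-net"; GW="VNetGW-01"; SITE="Site1"; CONN="VNet1toSite1"
ONPREM_IP="203.0.113.10"                           # public IPv4 of the on-premises device
ONPREM_PREFIXES="192.168.0.0/24 192.168.10.0/24"   # on-premises ranges routed over the tunnel

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when two IPv4 CIDR blocks overlap: they do exactly when their
# network addresses agree on the shorter of the two prefix lengths.
cidr_overlap() {
  net_a=$(ip2int "${1%/*}"); len_a=${1#*/}
  net_b=$(ip2int "${2%/*}"); len_b=${2#*/}
  len=$(( len_a < len_b ? len_a : len_b ))
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( net_a & mask )) -eq $(( net_b & mask )) ]
}

# Prerequisite 4: no on-premises prefix ($1, space separated) may overlap
# any VNet prefix ($2, space separated). Returns 1 on the first clash.
check_no_overlap() {
  for onprem in $1; do
    for vnet in $2; do
      if cidr_overlap "$onprem" "$vnet"; then
        echo "address overlap: on-premises $onprem vs VNet $vnet" >&2
        return 1
      fi
    done
  done
  return 0
}

# 40 random alphanumerics (about 238 bits of entropy) instead of a sample key.
gen_psk() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 40
}

deploy_s2s() {
  check_no_overlap "$ONPREM_PREFIXES" "$VNET_PREFIX" || return 1
  PSK=$(gen_psk)
  az group create -n "$RG" -l "$LOCATION" -o none
  az network vnet create -g "$RG" -n "$VNET" --address-prefix "$VNET_PREFIX" \
      --subnet-name default --subnet-prefix "$SUBNET_PREFIX" -o none
  # The gateway subnet must be named exactly GatewaySubnet.
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
      --address-prefix "$GW_SUBNET_PREFIX" -o none
  az network public-ip create -g "$RG" -n "$PIP" --sku Standard --allocation-method Static -o none
  # Route-based VpnGw2 Generation2; active-active and BGP left off, as in the post.
  az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" --public-ip-addresses "$PIP" \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 \
      --vpn-gateway-generation Generation2 --no-wait -o none
  # Local network gateway: Azure's record of the on-premises site and its prefixes.
  az network local-gateway create -g "$RG" -n "$SITE" --gateway-ip-address "$ONPREM_IP" \
      --local-address-prefixes $ONPREM_PREFIXES -o none
  echo "waiting for gateway $GW (this can take 45 minutes or more)"
  az network vnet-gateway wait -g "$RG" -n "$GW" --created
  az network vpn-connection create -g "$RG" -n "$CONN" --vnet-gateway1 "$GW" \
      --local-gateway2 "$SITE" --shared-key "$PSK" -o none
  # Pin an explicit IPsec/IKE policy so the tunnel cannot fall back to the weaker
  # proposals (3DES, SHA1, DH group 2) that Azure's default policy set can negotiate.
  az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
      --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 \
      --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 \
      --pfs-group PFS2048 --sa-lifetime 27000 --sa-max-size 102400000 -o none
  echo "configure the on-premises device with:"
  echo "  Azure gateway public IP: $(az network public-ip show -g "$RG" -n "$PIP" --query ipAddress -o tsv)"
  echo "  shared key: $PSK"   # hand over out of band; keep it out of logs and shell history
}

# Same value the portal shows under Connections > Essentials.
show_status() {
  az network vpn-connection show -g "$RG" -n "$CONN" --query connectionStatus -o tsv
}

case "${1:-}" in
  deploy) deploy_s2s ;;
  status) show_status ;;
esac
```

The overlap check runs first because Azure will happily create a local network gateway whose prefixes collide with the VNet; the mistake only surfaces later as traffic that never leaves the VNet. The on-premises device must be configured with the same policy values as the pinned IPsec/IKE policy, otherwise the connection stays in 'Not connected'.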

In summary, the VPN gateway in Azure is a key component of a secure hybrid cloud architecture, providing a reliable, encrypted connection between on-premises and cloud environments. Site-to-site connections join whole networks; for individual remote users, Azure offers point-to-site connections instead.

To avoid incurring charges, clean up by deleting the resource group that holds everything you created. This removes the VNet, the virtual network gateway, its public IP, the local network gateway and the connection in one step:

az group delete -n <Name-of-Your-Resource-Group>
