Configure Azure VPN Gateway
This document guides you through the process of configuring an Azure VPN Gateway to establish secure and reliable connections between your on-premises networks and Azure virtual networks.
Prerequisites
- An active Azure subscription.
- A virtual network (VNet) in Azure that you want to connect to.
- An on-premises network with a compatible VPN device.
- Necessary permissions to create and manage Azure resources.
Step 1: Create a Virtual Network Gateway
The first step is to create the VPN gateway resource itself. This can be done via the Azure portal, Azure CLI, or Azure PowerShell.
- Navigate to the Azure portal.
- Search for "Virtual network gateways" and select it.
- Click "Create".
- Fill in the required details:
  - Subscription
  - Resource group
  - Name for your VPN gateway
  - Region (must match your VNet region)
  - Gateway type (VPN)
  - VPN type (Route-based or Policy-based - Route-based is recommended for most scenarios)
  - SKU (e.g., VpnGw1, VpnGw2, Basic - choose based on performance and feature requirements)
  - Generation (Gen1 or Gen2 - Gen2 offers improved performance)
  - Virtual network (select the VNet you want to connect)
- Click "Review + create" and then "Create".
Gateway creation can take up to 45 minutes.
Step 2: Configure the Gateway Subnet
Ensure your virtual network has a dedicated subnet named GatewaySubnet. This subnet is specifically reserved for the VPN gateway and must be of type VirtualNetworkGatewaySubnet. The size of this subnet depends on the gateway SKU you select. A /27 or larger is generally recommended.
Step 3: Create a Local Network Gateway
A local network gateway represents your on-premises network. It contains information about your VPN device's public IP address and the address prefixes of your on-premises network.
- In the Azure portal, search for "Local network gateways" and select it.
- Click "Create".
- Provide the following information:
  - Subscription
  - Resource group
  - Name for your local network gateway
  - Region
  - IP address of your on-premises VPN device.
  - Address spaces for your on-premises network (e.g., 10.1.0.0/16).
- Click "Review + create" and then "Create".
Step 4: Create a Connection
This step links your Virtual Network Gateway to your Local Network Gateway, defining the VPN connection.
- Navigate to your Virtual Network Gateway resource.
- In the left-hand menu, under "Settings", select "Connections".
- Click "Add".
- Configure the connection settings:
  - Connection type (Site-to-site or Point-to-site)
  - Virtual network gateway (pre-selected)
  - Local network gateway (select the one you created)
  - Shared key (PSK): this must match the pre-shared key configured on your on-premises VPN device.
  - For S2S, you may also configure BGP and other advanced settings if required.
- Click "OK" to create the connection.
Step 5: Configure Your On-Premises VPN Device
On your on-premises VPN device, you need to configure a matching VPN connection profile. This typically involves:
- Setting the remote gateway IP address to the public IP address of your Azure Virtual Network Gateway.
- Configuring the tunnel interface with the correct IP address space for your Azure VNet.
- Using the same pre-shared key (PSK) as configured in Azure.
- Ensuring the encryption and hashing algorithms match the VPN gateway's configuration (defaults are usually sufficient).
Refer to your VPN device's documentation for specific configuration steps.
Step 6: Verify the Connection
Once both sides are configured, you can verify the connection status:
- In the Azure portal, navigate to your Virtual Network Gateway and then to "Connections".
- The "Status" for your connection should change to "Connected".
- You can also check the status and tunnel health on your on-premises VPN device.
Further Configuration & Monitoring
Azure VPN Gateway offers advanced features such as:
- BGP Routing: For dynamic route exchange between Azure and on-premises networks.
- Active-Active Gateways: For high availability.
- Multiple Site-to-Site Connections: Connecting to multiple on-premises locations.
- Coexistence with ExpressRoute: Integrating VPN Gateways with ExpressRoute circuits.
You can monitor the performance and health of your VPN gateway and connections through the Azure portal's monitoring tools, including metrics, logs, and connection diagnostics.
Troubleshooting Common Issues
- Connection drops: Check network stability, firewall rules, and ensure device configurations are consistent.
- Inability to reach resources: Verify IP address spaces, subnet configurations, network security groups (NSGs), and routing tables.
- Slow performance: Review gateway SKU, bandwidth limitations, and potential congestion on the network path.
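The address-plan mistakes behind the "inability to reach resources" item above (and the GatewaySubnet and address-space requirements from Steps 2 and 3) can be caught before anything is deployed. The following pre-flight checker is an added example, not part of this guide or of any Azure tooling; the function name and the sample prefixes are constructed for illustration.

```python
import ipaddress


def check_vpn_addressing(vnet_prefixes, gateway_subnet, onprem_prefixes):
    """Validate a site-to-site address plan before creating the gateways.

    Returns a list of problem descriptions; an empty list means the plan passes.
    Checks: GatewaySubnet lies inside the VNet, is /27 or larger, and the
    on-premises prefixes (local network gateway address spaces) overlap neither
    the VNet nor each other. Overlaps make routes ambiguous on both sides.
    """
    problems = []
    try:
        vnets = [ipaddress.ip_network(p, strict=True) for p in vnet_prefixes]
        gw = ipaddress.ip_network(gateway_subnet, strict=True)
        onprem = [ipaddress.ip_network(p, strict=True) for p in onprem_prefixes]
    except ValueError as exc:  # host bits set or unparsable prefix
        return [f"invalid prefix: {exc}"]

    # GatewaySubnet must be carved out of the VNet's own address space.
    if not any(gw.version == v.version and gw.subnet_of(v) for v in vnets):
        problems.append(f"GatewaySubnet {gw} is not inside the VNet address space")

    # A /27 or larger is recommended; a longer prefix means a smaller subnet.
    if gw.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw} is smaller than /27")

    # On-premises prefixes must not overlap the VNet address space.
    for o in onprem:
        for v in vnets:
            if o.version == v.version and o.overlaps(v):
                problems.append(f"on-premises prefix {o} overlaps VNet prefix {v}")

    # On-premises prefixes must not overlap one another either.
    for i, a in enumerate(onprem):
        for b in onprem[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"on-premises prefixes {a} and {b} overlap")

    return problems


if __name__ == "__main__":
    # Constructed sample plan: VNet 10.0.0.0/16 with a /27 GatewaySubnet,
    # on-premises 10.1.0.0/16 as in Step 3. Prints nothing when the plan passes.
    for issue in check_vpn_addressing(["10.0.0.0/16"], "10.0.255.0/27", ["10.1.0.0/16"]):
        print("PROBLEM:", issue)
```

Run the checker against the prefixes you intend to enter for the VNet, the GatewaySubnet and the local network gateway; any reported problem is something the portal will not warn you about but that will surface later as a "Connected" tunnel that cannot pass traffic.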