Configure a site-to-site VPN connection

This article guides you through the steps to configure a site-to-site (S2S) VPN connection between your on-premises network and your Azure virtual network using Azure VPN Gateway.

Note: This guide assumes you have a basic understanding of networking concepts and Azure Virtual Network.

Prerequisites

Steps to Configure S2S VPN

Step 1: Create an Azure VPN Gateway

If you don't already have a VPN Gateway, you'll need to create one. This involves choosing the gateway type (VPN), the VPN type (route-based is recommended), a SKU, a public IP address for the gateway, and the virtual network it will be associated with.


# Example using Azure CLI (replace placeholders)
# The gateway needs a public IP address that must exist before the gateway is created.
az network public-ip create \
    --name MyVPNGatewayPIP \
    --resource-group MyResourceGroup \
    --location eastus \
    --sku Standard \
    --allocation-method Static

# A VNet VPN gateway is created with "vnet-gateway" (not "vpn-gateway", which is the
# Virtual WAN variant). Creation typically takes 30-45 minutes; --no-wait returns at once.
az network vnet-gateway create \
    --name MyVPNGateway \
    --resource-group MyResourceGroup \
    --location eastus \
    --vnet MyVNet \
    --public-ip-addresses MyVPNGatewayPIP \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --sku VpnGw1 \
    --vpn-gateway-generation Generation1 \
    --no-wait

Refer to the Azure VPN Gateway pricing for SKU details.

Step 2: Create a Local Network Gateway

The Local Network Gateway represents your on-premises network. You need to provide the public IP address of your on-premises VPN device and the address space(s) of your on-premises network.


# Example using Azure CLI (replace placeholders)
az network local-gateway create \
    --name MyOnPremGateway \
    --resource-group MyResourceGroup \
    --location eastus \
    --gateway-ip-address 203.0.113.25 \
    --local-address-prefixes 10.1.0.0/16 10.2.0.0/16

Step 3: Create a Connection

This is where you link your Azure VPN Gateway to your Local Network Gateway. You'll specify the connection type (IPsec/IKE), shared key, and other relevant parameters.


# Example using Azure CLI (replace placeholders)
# The key is single-quoted so the shell does not expand "!" or other special characters.
az network vpn-connection create \
    --name MyS2SConnection \
    --resource-group MyResourceGroup \
    --vnet-gateway1 MyVPNGateway \
    --local-gateway2 MyOnPremGateway \
    --shared-key 'MyVeryStrongSharedKey123!'

# Optional: pin a custom IPsec/IKE policy on the connection. Every parameter is
# required; the values below are illustrative and must match the on-premises device.
az network vpn-connection ipsec-policy add \
    --connection-name MyS2SConnection \
    --resource-group MyResourceGroup \
    --dh-group DHGroup14 --pfs-group PFS2048 \
    --ike-encryption AES256 --ike-integrity SHA256 \
    --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 \
    --sa-lifetime 3600 --sa-max-size 102400000
Tip: Ensure the shared key matches on both your Azure VPN Gateway connection and your on-premises VPN device configuration.

Step 4: Configure Your On-Premises VPN Device

On your on-premises VPN device, you need to configure the VPN tunnel using the information obtained from Azure:

  • Azure VPN Gateway Public IP: The public IP address of your Azure VPN Gateway (the remote peer from the on-premises device's point of view).
  • On-Premises Device Public IP: The public IP address of your on-premises VPN device, exactly as you entered it in the Local Network Gateway.
  • Address Spaces: Your on-premises network address spaces and your Azure VNet address space; the two must not overlap.
  • IKE/IPsec Parameters: Encryption, integrity (hashing), DH group, PFS group and SA lifetimes must match the policy Azure uses for the connection (the defaults for your VPN type, or the custom policy you set on the connection).
  • Shared Key: The same pre-shared key configured on the Azure connection.

Warning: Incorrectly configuring your on-premises device is the most common cause of S2S VPN connection failures.
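The mismatches listed in Step 4 can be checked before the tunnel is brought up. The script below is an added example, not code from this article or from the Azure CLI: it compares a record of the Azure-side settings (Steps 1-3) with a record of the on-premises device settings and reports every inconsistency. The Azure gateway public IP, the VNet prefix and the IKE/IPsec values are constructed sample values.

```python
import ipaddress

# Constructed Azure-side values from Steps 1-3 (gateway IP and VNet prefix assumed).
AZURE_SIDE = {
    "gateway_public_ip": "198.51.100.10",
    "local_network_gateway_ip": "203.0.113.25",
    "vnet_prefixes": ["10.0.0.0/16"],
    "onprem_prefixes": ["10.1.0.0/16", "10.2.0.0/16"],
    "shared_key": "MyVeryStrongSharedKey123!",
    "ike": {"encryption": "AES256", "integrity": "SHA256", "dh_group": "DHGroup14"},
    "ipsec": {"encryption": "GCMAES256", "integrity": "GCMAES256",
              "pfs_group": "PFS2048", "sa_lifetime_seconds": 3600},
}

# Constructed on-premises device settings from Step 4, with one deliberate
# mismatch: its IPsec integrity algorithm differs from the Azure policy.
ONPREM_SIDE = {
    "public_ip": "203.0.113.25",
    "peer_ip": "198.51.100.10",
    "local_prefixes": ["10.1.0.0/16", "10.2.0.0/16"],
    "shared_key": "MyVeryStrongSharedKey123!",
    "ike": {"encryption": "AES256", "integrity": "SHA256", "dh_group": "DHGroup14"},
    "ipsec": {"encryption": "GCMAES256", "integrity": "SHA256",
              "pfs_group": "PFS2048", "sa_lifetime_seconds": 3600},
}


def check_s2s_consistency(azure, onprem):
    problems = []  # every entry is one reason the tunnel will not come up
    # Each side must point at the other's public IP.
    if onprem["peer_ip"] != azure["gateway_public_ip"]:
        problems.append("on-prem peer IP does not match the Azure gateway public IP")
    if onprem["public_ip"] != azure["local_network_gateway_ip"]:
        problems.append("Local Network Gateway IP does not match the on-prem device IP")
    # The pre-shared key must be identical on both sides.
    if onprem["shared_key"] != azure["shared_key"]:
        problems.append("shared key differs between Azure and the on-prem device")
    # IKE (phase 1) and IPsec (phase 2) proposals must agree on every parameter.
    for phase in ("ike", "ipsec"):
        for name, value in azure[phase].items():
            if onprem[phase].get(name) != value:
                problems.append(f"{phase} {name}: Azure={value} on-prem={onprem[phase].get(name)}")
    # Traffic selectors must mirror each other, and the address spaces must not overlap.
    if set(onprem["local_prefixes"]) != set(azure["onprem_prefixes"]):
        problems.append("on-prem address spaces differ from the Local Network Gateway")
    for vnet in azure["vnet_prefixes"]:
        for site in azure["onprem_prefixes"]:
            if ipaddress.ip_network(vnet).overlaps(ipaddress.ip_network(site)):
                problems.append(f"address spaces overlap: {vnet} and {site}")
    return problems
```

Run against the constructed records it reports only the deliberate phase 2 integrity mismatch; once that is corrected on the device side, the list is empty.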

Verifying the Connection

Once both sides are configured, you can verify the connection status in the Azure portal or using Azure CLI.


# Example using Azure CLI
az network vpn-connection show \
    --name MyS2SConnection \
    --resource-group MyResourceGroup \
    --query "connectionStatus"

The status should eventually show as Connected.

Troubleshooting

If the connection fails, review the following: