Configure a VNet-to-Site VPN Gateway

This document guides you through the process of configuring a Virtual Network (VNet)-to-Site VPN gateway in Azure. This allows on-premises devices to connect securely to your Azure virtual networks.

Note: VNet-to-Site VPNs are primarily used for connecting individual devices or smaller networks to Azure. For connecting entire on-premises networks, consider Site-to-Site VPN gateways.

Prerequisites

Before you begin, ensure you have the following:

  • An Azure subscription.
  • A Virtual Network (VNet) in Azure with at least one subnet.
  • An on-premises network with devices that need to connect to Azure.
  • An on-premises VPN device that is compatible with Azure VPN Gateway.
  • Public IP addresses for your on-premises VPN device.

Configuration Steps

Step 1: Create a VPN Gateway

Navigate to the Azure portal and create a new VPN Gateway resource.

In the Azure portal, search for "Virtual network gateways" and select it.

Click + Create.

Configure the following settings:

  • Subscription: Select your subscription.
  • Resource Group: Create a new one or select an existing one.
  • Name: Provide a name for your VPN gateway (e.g., MyVPNGateway).
  • Region: Select the same region as your VNet.
  • Gateway type: Select VPN.
  • VPN type: Select Route-based for VNet-to-Site.
  • SKU: Choose a SKU based on your performance needs (e.g., VpnGw1).
  • Generation: Select a generation (e.g., Generation1).
  • Virtual network: Select the VNet you want to connect to.
  • Gateway subnet address range: A dedicated subnet named GatewaySubnet is required. Azure will automatically suggest a range if one doesn't exist. Ensure it's large enough (e.g., /27 or larger).
  • Public IP address: Create a new public IP address or select an existing one.

Click Review + create, then Create.

Tip: The VPN gateway deployment can take 30-45 minutes or more.

Step 2: Create a Local Network Gateway

The Local Network Gateway represents your on-premises network.

In the Azure portal, search for "Local network gateways" and select it.

Click + Create.

Configure the following settings:

  • Resource Group: Select the same resource group as your VPN gateway.
  • Region: Select the same region.
  • Name: Provide a name for your local network (e.g., MyOnPremisesNetwork).
  • IP address: Enter the public IP address of your on-premises VPN device.
  • Address space: Enter the IP address ranges of your on-premises network that will communicate with Azure.
  • BGP settings (Optional): Configure if you are using BGP.

Click Review + create, then Create.

Step 3: Create the VPN Connection

This step links your VPN Gateway to your Local Network Gateway.

Navigate to your newly created VPN Gateway resource in the Azure portal.

In the left-hand menu, under Settings, select Connections.

Click + Add.

Configure the following settings:

  • Connection type: Select VNet-to-Site.
  • First virtual network gateway: This should be pre-selected.
  • Second key: Leave blank if not using BGP.
  • Second virtual network gateway: Select your Local Network Gateway.
  • Shared key (PSK): Enter a strong pre-shared key. This key must match the key configured on your on-premises VPN device.
  • IKE Protocol: Select IKEv2 if supported by your device, otherwise IKEv1.

Click OK.

Step 4: Configure Your On-Premises VPN Device

Configure your physical or virtual VPN device to establish a tunnel to the Azure VPN Gateway.

You will need to configure the following on your device:

  • Remote Gateway IP Address: The public IP address of your Azure VPN Gateway.
  • Local Network Address Space: Your on-premises IP address ranges.
  • Remote Network Address Space: The IP address ranges of your Azure VNet.
  • Pre-Shared Key (PSK): The same shared key used in Step 3.
  • Encryption and Hashing Algorithms: Ensure these match the policies configured for your Azure VPN Gateway. Refer to Azure VPN Gateway supported IPsec/IKE parameters.
  • Phase 1 and Phase 2 Tunnel Settings: Configure according to Azure best practices.

Warning: Incorrect configuration of your on-premises VPN device is a common cause of connection failures. Consult your device manufacturer's documentation for specific instructions.

Verification

Once your on-premises VPN device is configured, check the connection status in the Azure portal.

  1. Navigate to your VPN Gateway resource.
  2. Go to Connections.
  3. The status of the connection you created should show as Connected.

You can also test connectivity by pinging a virtual machine in your Azure VNet from an on-premises device (the VM's network security group must allow inbound ICMP for the ping to succeed).

Troubleshooting

If the connection does not establish or is unstable, consider the following:

  • Shared Key Mismatch: Ensure the pre-shared key is identical on both ends.
  • IP Address Mismatch: Verify that the public IP of the Azure VPN Gateway and the on-premises device are correctly configured. Also, confirm address spaces match.
  • Firewall Rules: Ensure no firewalls are blocking UDP ports 500 (IKE) and 4500 (NAT-T), or the ESP protocol (IP protocol 50).
  • IPsec/IKE Parameters: Check that encryption, hashing, DH group, and SA lifetime settings are compatible.
  • GatewaySubnet Size: Ensure the GatewaySubnet is adequately sized.

Error: If you encounter persistent issues, review Azure VPN Gateway logs and consider contacting Azure Support.
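As an added example (not part of the original guide) covering the "must match" requirements of Step 4 and the Troubleshooting checklist above, this Python pre-flight check compares a constructed Azure-side record with a constructed device-side record and lists every mismatch before you start debugging a tunnel that will not come up. The field names, addresses and key are assumptions made for illustration, not values from the page or from Azure.

```python
import ipaddress

def _nets(prefixes):
    """Normalise CIDR strings so equal ranges compare equal regardless of spelling."""
    return {ipaddress.ip_network(p, strict=False) for p in prefixes}

def check_vpn_config(azure, onprem):
    """Return the mismatches between the Azure side and the device side ([] = consistent)."""
    problems = []
    if azure["shared_key"] != onprem["shared_key"]:
        problems.append("Shared Key Mismatch: PSK differs between the Azure connection and the device")
    if azure["gateway_public_ip"] != onprem["remote_gateway_ip"]:
        problems.append("IP Address Mismatch: device remote gateway IP is not the Azure VPN Gateway IP")
    if azure["local_gateway_ip"] != onprem["device_public_ip"]:
        problems.append("IP Address Mismatch: Local Network Gateway IP is not the device public IP")
    if _nets(azure["local_address_space"]) != _nets(onprem["local_address_space"]):
        problems.append("Address space mismatch: Local Network Gateway vs device local networks")
    if _nets(azure["vnet_address_space"]) != _nets(onprem["remote_address_space"]):
        problems.append("Address space mismatch: Azure VNet vs device remote networks")
    for p in ("ike_version", "encryption", "integrity", "dh_group", "sa_lifetime_seconds"):
        if azure["ipsec"][p] != onprem["ipsec"][p]:
            problems.append(f"IPsec/IKE Parameters: {p} differs ({azure['ipsec'][p]} vs {onprem['ipsec'][p]})")
    gw = ipaddress.ip_network(azure["gateway_subnet"], strict=False)
    if gw.prefixlen > 27:  # /28 or smaller is too small; /27 or larger is required
        problems.append(f"GatewaySubnet Size: {gw} is smaller than /27")
    required = {("udp", 500), ("udp", 4500), ("esp", None)}  # IKE, NAT-T, ESP (IP proto 50)
    missing = required - set(onprem["firewall_allowed"])
    if missing:
        problems.append(f"Firewall Rules: not permitted on the device side: {sorted(missing, key=str)}")
    return problems

# Constructed sample configurations (documentation-range addresses, made-up key).
AZURE = {
    "gateway_public_ip": "203.0.113.10", "local_gateway_ip": "198.51.100.7",
    "vnet_address_space": ["10.1.0.0/16"], "local_address_space": ["192.168.10.0/24"],
    "gateway_subnet": "10.1.255.0/27", "shared_key": "constructed-psk-example",
    "ipsec": {"ike_version": "IKEv2", "encryption": "AES256", "integrity": "SHA256",
              "dh_group": "DHGroup14", "sa_lifetime_seconds": 27000},
}
ONPREM = {
    "device_public_ip": "198.51.100.7", "remote_gateway_ip": "203.0.113.10",
    "local_address_space": ["192.168.10.0/24"], "remote_address_space": ["10.1.0.0/16"],
    "shared_key": "constructed-psk-example", "ipsec": dict(AZURE["ipsec"]),
    "firewall_allowed": [("udp", 500), ("udp", 4500), ("esp", None)],
}
```

Run `check_vpn_config(AZURE, ONPREM)` after filling both records from your real portal settings and device configuration; an empty list means the items in the Troubleshooting checklist are consistent, and each returned string names the checklist item to fix.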