Configure Azure VPN Gateway

This document provides a comprehensive guide on configuring Azure VPN Gateway. Azure VPN Gateway enables you to create secure, encrypted connections between your on-premises networks and Azure virtual networks, or between two Azure virtual networks.

Prerequisites

Before you begin, ensure you have the following:

Steps to Configure a VPN Gateway

1. Create a VPN Gateway

You can create a VPN gateway through the Azure portal, Azure CLI, or Azure PowerShell.

Using Azure Portal:
  1. Navigate to the Azure portal.
  2. Search for "Virtual network gateways" and select it.
  3. Click "+ Create".
  4. Configure the following settings:
    • Subscription and Resource group
    • Name for your gateway
    • Region (must match your VNet's region)
    • Gateway type: Select "VPN"
    • VPN type: Choose "Route-based" for most scenarios. "Policy-based" is for specific legacy compatibility.
    • SKU: Select a SKU based on your performance and feature requirements (e.g., VpnGw1, VpnGw2, etc.).
    • Virtual network: Select the VNet where you want to deploy the gateway. The 'GatewaySubnet' must exist in this VNet.
    • Gateway public IP address: Create a new public IP address or use an existing one.
  5. Click "Review + create", then "Create".
Note: Provisioning a VPN gateway can take 30-45 minutes or longer.

2. Configure Local Network Gateways

A local network gateway represents your on-premises network or another network that your VPN gateway will connect to. It contains information about your on-premises IP address space and the IP address of your on-premises VPN device.

  1. In the Azure portal, search for "Local network gateways" and select it.
  2. Click "+ Create".
  3. Configure the following:
    • Resource group and Region
    • Name for your local network gateway
    • Endpoint: Select "IP address" and enter the public IP address of your on-premises VPN device.
    • Address space: Enter the IP address ranges of your on-premises network that you want to make accessible from Azure.
  4. Click "Review + create", then "Create".

3. Create a Connection

Now, create the connection between your Azure VPN Gateway and the Local Network Gateway.

  1. Navigate to your created Virtual Network Gateway resource in the Azure portal.
  2. Under "Settings", click "Connections".
  3. Click "+ Add".
  4. Configure the connection:
    • Connection type: Select "Site-to-site (IPsec)" for on-premises connections, or "VNet-to-VNet" for connections to another Azure VNet.
    • Virtual network gateway: Your current gateway.
    • Local network gateway: Select the Local Network Gateway you created in the previous step.
    • Shared key (PSK): Enter a strong shared secret key. This key must match on both your Azure VPN gateway and your on-premises VPN device.
    • IKE Protocol: Choose the appropriate IKE version (IKEv1 or IKEv2).
  5. Click "OK".
Important: Ensure the shared key configured here exactly matches the pre-shared key on your on-premises VPN device.

4. Configure Your On-Premises VPN Device

On your physical or virtual on-premises VPN device, configure the following:

Refer to your VPN device manufacturer's documentation for specific configuration instructions.

Verifying the Connection

Once configured, you can verify the connection status in the Azure portal under the "Connections" section of your Virtual Network Gateway. The status should show as "Connected". You can also test connectivity by pinging resources across the tunnel.
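Steps 1 to 3 and the verification check, expressed as Azure CLI calls in an added example written for this page (it is not code from the page or from Microsoft). It assumes the `az` CLI is installed and logged in, hypothetical resource names (MyResourceGroup, MyVnet, MyVpnGateway, MyVpnGatewayPip, OnPremGateway, Azure-to-OnPrem), a placeholder on-premises address 203.0.113.10 with address space 10.100.0.0/16, the eastus region and the VpnGw1 SKU; the key-length policy in validate_psk and the file name for the generated key are likewise assumptions.

```shell
#!/bin/sh
# Added example (not from the page, not Microsoft's code): the portal steps
# above as Azure CLI calls, with the input checks an operator wants before
# the connection is created. Every name, address and region below is a
# hypothetical placeholder; override any of them through the environment.
set -eu

AZ="${AZ:-az}"                          # AZ=echo prints the commands instead of running them
RG="${RG:-MyResourceGroup}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-MyVnet}"                  # must already contain a GatewaySubnet
GW="${GW:-MyVpnGateway}"
GW_PIP="${GW_PIP:-MyVpnGatewayPip}"
LNG="${LNG:-OnPremGateway}"
ONPREM_PUBLIC_IP="${ONPREM_PUBLIC_IP:-203.0.113.10}"        # RFC 5737 documentation address
ONPREM_ADDRESS_SPACE="${ONPREM_ADDRESS_SPACE:-10.100.0.0/16}"
CONNECTION="${CONNECTION:-Azure-to-OnPrem}"
PSK_FILE="${PSK_FILE:-./vpn-psk.txt}"

# Random pre-shared key from the OS CSPRNG. Assumed local policy: 40
# alphanumeric characters (Azure itself allows up to 128 printable ASCII).
generate_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 40
}

# Reject short keys and characters that tend to break device configs before
# the key reaches the API or the on-premises device.
validate_psk() {
    psk="$1"
    [ "${#psk}" -ge 20 ] && [ "${#psk}" -le 128 ] || return 1
    case "$psk" in *[!A-Za-z0-9_.-]*) return 1 ;; esac
    return 0
}

# Sanity-check an IPv4 CIDR (four octets <= 255, prefix length <= 32).
validate_cidr() {
    ip="${1%/*}"; prefix="${1##*/}"
    [ "$ip" != "$1" ] || return 1                     # no "/" present
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    echo "$ip" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Step 1: public IP plus a route-based VPN gateway. Provisioning takes
# 30-45 minutes, so --no-wait returns immediately.
create_vpn_gateway() {
    $AZ network public-ip create --resource-group "$RG" --name "$GW_PIP" \
        --location "$LOCATION" --sku Standard --allocation-method Static
    $AZ network vnet-gateway create --resource-group "$RG" --name "$GW" \
        --location "$LOCATION" --vnet "$VNET" --public-ip-addresses "$GW_PIP" \
        --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait
}

# Step 2: local network gateway describing the on-premises side.
create_local_network_gateway() {
    validate_cidr "$ONPREM_ADDRESS_SPACE" || { echo "bad address space: $ONPREM_ADDRESS_SPACE" >&2; return 1; }
    $AZ network local-gateway create --resource-group "$RG" --name "$LNG" \
        --location "$LOCATION" --gateway-ip-address "$ONPREM_PUBLIC_IP" \
        --local-address-prefixes "$ONPREM_ADDRESS_SPACE"
}

# Step 3: site-to-site IPsec connection. IKEv2 is selected explicitly; the
# key is passed as an argument, so it is visible in the process list on the
# admin host while the command runs.
create_connection() {
    validate_psk "$1" || { echo "rejected pre-shared key" >&2; return 1; }
    $AZ network vpn-connection create --resource-group "$RG" --name "$CONNECTION" \
        --location "$LOCATION" --vnet-gateway1 "$GW" --local-gateway2 "$LNG" \
        --connection-protocol IKEv2 --shared-key "$1"
}

# Verification: prints "Connected" once the on-premises device is configured.
connection_status() {
    $AZ network vpn-connection show --resource-group "$RG" --name "$CONNECTION" \
        --query connectionStatus -o tsv
}

main() {
    create_vpn_gateway
    create_local_network_gateway
    psk="${PSK:-$(generate_psk)}"
    create_connection "$psk"
    umask 077
    printf '%s\n' "$psk" > "$PSK_FILE"            # hand to the on-prem device admin out of band
    echo "connection created; key written to $PSK_FILE (mode 0600)"
}

case "${1:-}" in deploy) main ;; esac
```

Save it as, say, s2s-vpn.sh and run `sh s2s-vpn.sh deploy` to apply; `AZ=echo sh s2s-vpn.sh deploy` prints the exact az commands without contacting Azure, which is also the way to exercise the validation helpers before touching a subscription. After the on-premises device is configured with the key from the file, `connection_status` should return Connected, matching the portal check described above.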

Further Configuration Options

For detailed instructions on specific scenarios like VNet-to-Site or VNet-to-VNet connections, please refer to the respective documentation sections.

# Example Azure CLI command to create a VPN Gateway (simplified).
# The virtual network gateway command is "az network vnet-gateway create";
# "az network vpn-gateway create" targets Virtual WAN hubs and does not accept
# the --vpn-type, --public-ip-addresses or --vnet parameters used here.
az network vnet-gateway create \
    --name MyVpnGateway \
    --resource-group MyResourceGroup \
    --location eastus \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --sku VpnGw1 \
    --public-ip-addresses MyVpnGatewayPip \
    --vnet MyVnet \
    --no-wait