Introduction to Azure VPN Gateway
Azure VPN Gateway is a service that enables you to create, manage, and monitor site-to-site (S2S), point-to-site (P2S), and network-to-network connections. VPN Gateway offers a highly available, secure, and scalable solution for connecting your on-premises networks to your Azure virtual networks.
This document provides a step-by-step guide to deploying an Azure VPN Gateway. Follow these instructions to establish a secure connection for your hybrid cloud infrastructure.
Prerequisites
- An Azure subscription.
- A virtual network (VNet) in Azure. If you don't have one, you can create it during the deployment process.
- Permissions to create resources within your Azure subscription.
- On-premises network information, including public IP addresses and subnet ranges.
Deployment Steps
The deployment of an Azure VPN Gateway involves several key steps. We will guide you through each one.
Step 1: Create a Virtual Network
If you don't already have a virtual network, you'll need to create one first. This VNet will host your VPN Gateway.
You can create a VNet through the Azure portal, Azure CLI, or Azure PowerShell.
Azure Portal: Navigate to "Virtual networks" and click "Create". Fill in the required details like subscription, resource group, name, region, and address space.
Azure CLI Example:
az network vnet create \
--resource-group MyResourceGroup \
--name MyVNet \
--location westus \
--address-prefix 10.0.0.0/16
Step 2: Create a Gateway Subnet
A dedicated subnet named GatewaySubnet is required for your VPN Gateway. This subnet must be named exactly GatewaySubnet and cannot contain any other resources.
Azure Portal: Within your VNet's settings, go to "Subnets" and click "+ Gateway subnet". Azure will automatically suggest the correct name and an appropriate address range (e.g., 10.0.255.0/27).
Azure CLI Example:
az network vnet subnet create \
--resource-group MyResourceGroup \
--vnet-name MyVNet \
--name GatewaySubnet \
--address-prefix 10.0.255.0/27
Ensure the address prefix for GatewaySubnet does not overlap with other subnets in your VNet.
Step 3: Create a Virtual Network Gateway
This is the core resource for your VPN connection. You'll specify the gateway type, VPN type, SKU, and associate it with your VNet and public IP address.
Azure Portal: Search for "Virtual network gateways" and click "Create".
Configuration:
- Subscription: Select your Azure subscription.
- Resource Group: Choose or create a resource group.
- Name: Provide a name for your VPN Gateway (e.g., MyVpnGateway).
- Region: Select the same region as your virtual network.
- Gateway type: Choose VPN.
- VPN type: Select Route-based (most common for S2S and VNet-to-VNet). Policy-based is for specific legacy scenarios.
- SKU: Select an appropriate SKU based on your performance and connection requirements (e.g., VpnGw1, VpnGw2AZ for active-active).
- Virtual network: Select the VNet you created earlier. The GatewaySubnet will be automatically detected.
- Public IP address: Create a new Standard SKU, static public IP address or select an existing one.
Click "Review + create", then "Create" after validation passes. Deployment can take 30-45 minutes.
Step 4: Configure the VPN Gateway Connection
Once the gateway is deployed, you'll create a connection resource to link your on-premises network or another VNet to the VPN Gateway.
Azure Portal: Navigate to your newly created VPN Gateway, then select "Connections" and click "+ Add".
Configuration:
- Connection type: Choose Site-to-site (IPsec), VNet-to-VNet, or Point-to-site.
- Virtual network gateway: This will be pre-filled.
- For Site-to-site: You'll need the public IP address of your on-premises VPN device and a Shared key (PSK).
- For VNet-to-VNet: You'll select the other Azure VNet gateway.
A pre-shared key (PSK) is used for authentication in Site-to-Site VPNs. Ensure this key matches on both your Azure VPN Gateway and your on-premises VPN device.
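As an added example (not part of this guide), the following POSIX shell script checks the GatewaySubnet rules from Step 2 and the "no overlapping address spaces" requirement before running the Azure CLI equivalents of Steps 3 and 4. The on-premises address and prefix, the existing subnet 10.0.0.0/24, and the VPN_PSK environment variable are assumptions, not values from the guide.

```shell
#!/bin/sh
# Added example, not from the guide: a pre-flight check for the address-space rules
# of Steps 2-4 (subnet named GatewaySubnet, /27 or larger, no overlap with other
# subnets or on-premises ranges), then the Azure CLI calls for Steps 3-4.
# Resource names are the guide's; on-premises values and other subnets are assumed.
set -eu

# ip_to_int 10.0.255.0 -> 167837440
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A B: succeeds when the two prefixes share at least one address.
cidr_overlap() {
  l1=${1#*/}; l2=${2#*/}
  m1=$(( (0xFFFFFFFF << (32 - l1)) & 0xFFFFFFFF )); m2=$(( (0xFFFFFFFF << (32 - l2)) & 0xFFFFFFFF ))
  s1=$(( $(ip_to_int "${1%/*}") & m1 )); e1=$(( s1 | (m1 ^ 0xFFFFFFFF) ))
  s2=$(( $(ip_to_int "${2%/*}") & m2 )); e2=$(( s2 | (m2 ^ 0xFFFFFFFF) ))
  [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]
}

# check_gateway_subnet NAME CIDR OTHER...: fails on the misconfigurations the
# guide warns about (wrong name, too small, overlapping another range).
check_gateway_subnet() {
  name=$1; cidr=$2; shift 2
  [ "$name" = GatewaySubnet ] || { echo "subnet must be named GatewaySubnet" >&2; return 1; }
  [ "${cidr#*/}" -le 27 ] || { echo "$cidr is smaller than /27" >&2; return 1; }
  for other in "$@"; do
    if cidr_overlap "$cidr" "$other"; then echo "$cidr overlaps $other" >&2; return 1; fi
  done
}

RG=MyResourceGroup; VNET=MyVNet; GW=MyVpnGateway       # names used in the guide
ONPREM_IP=203.0.113.10; ONPREM_PREFIX=192.168.0.0/24   # constructed on-prem values
APP_SUBNET=10.0.0.0/24                                 # assumed existing VNet subnet

# deploy: Steps 3-4. The PSK comes from the environment so it is not hard-coded
# in the script; run the pre-flight check before spending 30-45 minutes on a gateway.
deploy() {
  : "${VPN_PSK:?set VPN_PSK to the shared key configured on the on-premises device}"
  check_gateway_subnet GatewaySubnet 10.0.255.0/27 "$APP_SUBNET" "$ONPREM_PREFIX"
  az network public-ip create -g "$RG" -n "${GW}-pip" --sku Standard --allocation-method Static
  az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" --public-ip-address "${GW}-pip" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
  az network local-gateway create -g "$RG" -n OnPremGateway \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_PREFIX"
  az network vpn-connection create -g "$RG" -n OnPremConnection \
    --vnet-gateway1 "$GW" --local-gateway2 OnPremGateway --shared-key "$VPN_PSK"
}
```

The check functions run without the Azure CLI installed; call deploy (with VPN_PSK exported) only once the check passes for your real address plan.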
Verification
After configuration, verify the status of your connection in the Azure portal under the VPN Gateway's "Connections" blade. It should show as "Connected".
Test connectivity by attempting to ping or access resources across the connected networks.
Best Practices
- Use a GatewaySubnet with an adequate address range (e.g., /27 or larger).
- Choose the appropriate VPN Gateway SKU for your workload.
- Implement strong shared keys for Site-to-Site connections.
- Consider zone-redundant gateways (e.g., VpnGw1AZ) for high availability.
- Regularly monitor your VPN Gateway performance and connectivity.
Troubleshooting
Common issues include:
- Incorrect shared key or configuration mismatch on on-premises devices.
- IP address conflicts or overlapping address spaces.
- Firewall rules blocking VPN traffic.
- Incorrect gateway subnet configuration.
Use Azure's Network Watcher and VPN troubleshooting tools for diagnostics.