About VPN Gateway site-to-site VPNs
This document provides an overview of site-to-site (S2S) VPNs with Azure VPN Gateway. Site-to-site VPNs connect your on-premises network to your Azure virtual network.
What is a Site-to-Site VPN?
A site-to-site VPN creates an encrypted tunnel between your on-premises network and Azure over the public internet. This allows your on-premises resources and Azure resources to communicate securely as if they were on the same network. This is commonly used for:
- Extending your datacenter to Azure.
- Providing secure access to Azure resources for on-premises users.
- Connecting multiple geographical locations.
How it Works
A site-to-site VPN requires the following components:
- Azure VPN Gateway: A managed service in Azure that handles VPN connections.
- On-premises VPN Device: A compatible hardware or software VPN device located in your on-premises datacenter.
- Public IP Address: Your on-premises VPN device must have a static, public IP address.
- Virtual Network Gateway Connection: A resource in Azure that establishes the connection between your VPN Gateway and your on-premises VPN device.
The VPN Gateway establishes an IPsec/IKE (IKEv1 or IKEv2) tunnel to your on-premises VPN device. Traffic flowing between your on-premises network and your Azure virtual network is encrypted and decrypted by the VPN Gateway and your on-premises VPN device.
Key Concepts
IPsec/IKE
Azure VPN Gateway supports IPsec/IKE protocols for establishing secure tunnels. The gateway negotiates the tunnel with IKE and protects the traffic with IPsec, using the encryption and authentication algorithms configured for the connection.
BGP (Border Gateway Protocol)
For more complex network topologies and dynamic routing, BGP can be used. It allows for route exchange between your on-premises network and Azure.
NAT (Network Address Translation) Traversal
NAT-T is supported, allowing the VPN tunnel to traverse NAT devices common in on-premises networks.
Supported Configurations
- Basic SKU: Provides basic VPN functionality for smaller deployments.
- VpnGw1 to VpnGw5 SKUs: Offer higher performance, throughput, and more concurrent connections.
- Active-Active: Deploy two VPN gateways for high availability.
- Active-Standby: Deploy two VPN gateways with one active and one standby.
Getting Started
To set up a site-to-site VPN:
- Create an Azure Virtual Network.
- Create a Virtual Network Gateway (VPN Gateway) and configure it with a public IP address.
- Configure your on-premises VPN device with the correct IPsec/IKE parameters.
- Create a Local Network Gateway representing your on-premises network.
- Create a Connection resource in Azure to link your Virtual Network Gateway and Local Network Gateway.
For detailed step-by-step instructions, refer to the Azure VPN Gateway tutorial.
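The steps above as an Azure CLI script, added here as an example and not taken from the Azure documentation; it also pins a custom IPsec/IKE policy to the connection so the "strong algorithms" best practice is enforced rather than left to the defaults. Resource names, address ranges and the on-premises public IP are assumed placeholders, and step 3 (configuring the on-premises device with the same parameters and pre-shared key) happens outside Azure.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs): the five Getting Started steps as an
# Azure CLI script, with a custom IPsec/IKE policy pinned to the connection.
# Names, address ranges and the on-premises IP below are assumed placeholders.
set -eu

RG=${RG:-s2s-demo-rg}
LOC=${LOC:-eastus}
VNET=demo-vnet
GW=demo-vpngw
LNG=onprem-lng
CONN=onprem-s2s
ONPREM_IP=${ONPREM_IP:-203.0.113.10}            # placeholder (TEST-NET-3), not a real device
ONPREM_PREFIX=${ONPREM_PREFIX:-192.168.0.0/16}   # assumed on-premises address space

# run: print the command line (redacting the pre-shared key), then execute it.
# With DRY_RUN=1 it only prints, so the plan can be reviewed before anything is created.
run() {
  local a prev='' out=''
  for a in "$@"; do
    if [ "$prev" = --shared-key ]; then a='<redacted>'; fi
    out="$out $a"; prev=$a
  done
  printf '%s\n' "${out# }"
  if [ "${DRY_RUN:-0}" != 1 ]; then "$@"; fi
}

deploy_s2s() {
  local psk=$1   # IKE pre-shared key; must match the on-premises device (step 3)
  run az group create -n "$RG" -l "$LOC"
  # Step 1: virtual network; the gateway needs a subnet literally named GatewaySubnet.
  run az network vnet create -g "$RG" -n "$VNET" --address-prefix 10.1.0.0/16 \
      --subnet-name GatewaySubnet --subnet-prefix 10.1.255.0/27
  # Step 2: static Standard public IP and a route-based VPN gateway (creation takes a while).
  run az network public-ip create -g "$RG" -n "$GW-pip" --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" --public-ip-address "$GW-pip" \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 --vpn-gateway-generation Generation2
  # Step 4: local network gateway = the on-premises device's public IP and its address prefixes.
  run az network local-gateway create -g "$RG" -n "$LNG" --gateway-ip-address "$ONPREM_IP" \
      --local-address-prefixes "$ONPREM_PREFIX"
  # Step 5: the connection, then replace the default proposal set with one strong policy.
  run az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOC" --vnet-gateway1 "$GW" \
      --local-gateway2 "$LNG" --shared-key "$psk"
  run az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
      --ike-encryption AES256 --ike-integrity SHA384 --dh-group DHGroup24 \
      --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS24 \
      --sa-lifetime 3600 --sa-max-size 102400000
}
```

Source the script, then preview with `DRY_RUN=1 deploy_s2s "$(openssl rand -base64 32)"` before running it for real against a logged-in `az` session.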
Best Practices
- Always use strong encryption and authentication algorithms.
- Ensure your on-premises VPN device is compatible with Azure VPN Gateway.
- Plan your IP address space carefully to avoid conflicts.
- Monitor your VPN connections for performance and availability.
For further information and troubleshooting, visit the VPN Gateway FAQ.