This document guides you through the process of creating a VPN gateway in Azure. A VPN gateway enables you to create a secure, encrypted connection between your Azure Virtual Network (VNet) and your on-premises network or another Azure VNet.
Prerequisites
Before you begin, ensure you have the following:
- An Azure subscription.
- A Virtual Network (VNet) already created in your subscription. This VNet will be the target for your VPN gateway.
- An on-premises VPN device that is compatible with Azure VPN gateways.
- The public IP address of your on-premises VPN device.
Steps to Create a VPN Gateway
1. Navigate to the VPN Gateway Service
Log in to the Azure portal. In the search bar at the top, type "Virtual network gateways" and select it from the results.
2. Create a New VPN Gateway
Click the + Create button to start the creation process.
3. Configure Basic Settings
On the Basics tab, configure the following:
- Subscription: Select your Azure subscription.
- Resource group: Choose an existing resource group or create a new one.
- Name: Provide a descriptive name for your VPN gateway (e.g., MyAzureVPNGateway).
- Region: Select the same region as your Virtual Network.
- Gateway type: Select VPN.
- VPN type: For connecting to an on-premises network, select Route-based. For connections between VNets (VNet-to-VNet), you can also use Route-based. Policy-based is typically used only for specific legacy scenarios.
- SKU: Choose a SKU that meets your performance and feature requirements. Higher SKUs offer more throughput and features. Common choices include VpnGw1, VpnGw2, etc.
- Generation: Select the generation of the gateway. Generation1 is older and may have limitations, while Generation2 offers improved performance.
- Virtual network: Select the Virtual Network to which you want to attach the VPN gateway. Ensure this VNet has a dedicated gateway subnet.
4. Configure Gateway IP Settings
On the Gateway IP settings tab:
- Public IP address: Select Create new. Provide a name for the public IP address (e.g., MyAzureVPNGW-PIP). This will be the public IP address that your on-premises VPN device connects to.
- Assignment: Dynamic is the default and recommended for most scenarios. Static is also an option.
- Enable active-active mode: Choose this if you require high availability with two gateway instances.
- Configure BGP: Enable if you plan to use BGP for dynamic routing.
5. Review and Create
Review all the settings you've configured. If everything looks correct, click the Review + create button. Azure will validate your configuration and then prompt you to create the VPN gateway.
6. Configure Your On-Premises VPN Device
Once the VPN gateway is deployed, you will need to configure your on-premises VPN device. This involves:
- Using the public IP address of your Azure VPN gateway.
- Setting up tunnels with shared keys or certificates.
- Configuring routing between your on-premises network and the Azure VNet.
Refer to the specific documentation for your VPN device vendor for detailed configuration steps.
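The gateway that steps 3 and 4 configure in the portal, expressed as a Bicep template. This is an added example, not part of the original guide: resource names match the guide, the Virtual Network is assumed to exist already, the gateway subnet prefix is a constructed placeholder, and the public IP uses the Standard SKU, which is always statically assigned.

```bicep
// Added example (not from the original guide): the portal steps above as a Bicep template.
param location string = resourceGroup().location
param vnetName string                               // existing VNet (assumed already deployed)
param gatewaySubnetPrefix string = '10.0.255.0/27'  // constructed placeholder; pick free VNet space

// Attach to the Virtual Network selected on the Basics tab.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// The dedicated gateway subnet must be named exactly "GatewaySubnet".
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'GatewaySubnet'
  properties: { addressPrefix: gatewaySubnetPrefix }
}

// Gateway IP settings tab: the public IP the on-premises device connects to.
// Standard-SKU public IPs are always statically assigned.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'MyAzureVPNGW-PIP'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Basics tab: gateway type, VPN type, SKU and generation.
resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'MyAzureVPNGateway'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'                      // route-based, as for on-premises connections
    vpnGatewayGeneration: 'Generation2'
    sku: { name: 'VpnGw2', tier: 'VpnGw2' }    // Generation2 requires VpnGw2 or higher
    enableBgp: false                           // "Configure BGP": off unless you use dynamic routing
    activeActive: false                        // "Enable active-active mode": off (single instance)
    ipConfigurations: [
      {
        name: 'vnetGatewayConfig'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: { id: gatewaySubnet.id }
          publicIPAddress: { id: pip.id }
        }
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file vpngw.bicep --parameters vnetName=<vnet>`; the gateway deployment itself can take a long time to complete.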
Common Configurations
Site-to-Site (S2S) VPN
This is the most common scenario, connecting your on-premises network to Azure.
VNet-to-VNet VPN
Connect two or more Azure VNets securely using VPN gateways.
Resource Table Example
Here's an example of the resources created for a VPN gateway:
| Resource Type | Name | Description |
|---|---|---|
| Virtual Network Gateway | MyAzureVPNGateway | The main VPN gateway resource. |
| Public IP Address | MyAzureVPNGW-PIP | The public IP address for the gateway. |
| Gateway Subnet | GatewaySubnet | A dedicated subnet within your VNet for the gateway. |
You can now proceed to configure your connections or explore advanced VPN gateway features such as BGP, active-active mode, or VPN types.