Set up an Azure VPN Gateway
This document outlines the steps and considerations for setting up a VPN gateway in Azure Virtual Network. A VPN gateway allows you to create encrypted connections between your on-premises networks and Azure, or between Azure virtual networks.
Prerequisites
Before you begin, ensure you have the following:
- An Azure subscription.
- A pre-existing Azure Virtual Network (VNet) where you want to deploy the VPN gateway.
- A dedicated subnet named 'GatewaySubnet' within your VNet. The name must be exactly 'GatewaySubnet', and it should use a /27 or larger prefix (/26, /25, ...). Azure accepts smaller gateway subnets (down to /29), but /27 is the recommended minimum and is required for some configurations, such as a VPN gateway coexisting with an ExpressRoute gateway. Do not attach a network security group to this subnet: NSGs on the gateway subnet are not supported and can break the gateway.
- A Standard SKU, static public IP address for the VPN gateway (it can also be created during gateway creation). An active-active gateway needs two.
- Permissions to create network resources in the target subscription or resource group (for example, the Network Contributor role).
Step 1: Create the VPN Gateway
You can create a VPN gateway using the Azure portal, Azure CLI, or PowerShell.
Using Azure Portal:
- Navigate to the Azure portal and search for "Virtual network gateways".
- Click "Create".
- Configure the following settings:
  - Subscription: Select your Azure subscription.
  - Resource Group: Choose an existing one or create a new one.
  - Name: Provide a unique name for your VPN gateway.
  - Region: Select the same region as your VNet.
  - Gateway type: Select 'VPN'.
  - VPN type: Choose 'Route-based' (recommended for most scenarios). 'Policy-based' is limited to the Basic SKU, IKEv1 and a single Site-to-Site tunnel, and the VPN type cannot be changed after the gateway is created.
  - SKU: Select a SKU that matches your throughput, tunnel-count and feature requirements (e.g., VpnGw1, VpnGw2). The Basic SKU has no BGP or active-active support and is not intended for production; the 'AZ' variants (e.g., VpnGw2AZ) are zone-redundant.
  - Virtual network: Select the VNet where you want to deploy the gateway. It must already contain the 'GatewaySubnet'.
  - Public IP address: Create a new or select an existing Standard SKU, static public IP address.
- Click "Review + create", then "Create".
Step 2: Configure Connection
Once the gateway is deployed, you need to configure the connection to your on-premises network or another VNet.
Site-to-Site (S2S) Connection:
- Navigate to your VPN gateway resource in the Azure portal.
- Under "Settings", click "Connections".
- Click "+ Add".
- Configure the connection:
  - Connection type: Select 'Site-to-site (IPsec)'.
  - Virtual network gateway: This will be pre-filled.
  - Local network gateway: Create a new local network gateway representing your on-premises network, or select an existing one. It holds the public IP address of your on-premises VPN device, the address prefixes reachable behind it, and BGP settings (ASN and peering address) if applicable.
  - Shared key (PSK): Enter a pre-shared key for authentication; it must match the one configured on your on-premises VPN device. Use a long, randomly generated key (Azure accepts up to 128 printable ASCII characters), use a different key for every connection, and keep it in a secrets store such as Azure Key Vault rather than in scripts or tickets.
  - Enable BGP: Enable if your on-premises network uses BGP for routing (not available on the Basic SKU).
- Click "OK".
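Steps 1 and 2 as one Azure CLI script, added here as an example; it is not from the original page. Resource names, the address ranges and the on-premises public IP are placeholders, and the gateway SKU and IPsec/IKE policy values are one reasonable choice, not the only one. With DRY_RUN=1 (the default) the script only prints the az commands it would run, with the shared key masked, so the plan can be reviewed without a subscription; DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example (not from the original page): Azure CLI version of Steps 1-2.
# All names, prefixes and IPs below are placeholders; override via environment.
RG=${RG:-rg-hub-vpn}
LOCATION=${LOCATION:-westeurope}
VNET=${VNET:-vnet-hub}
GW=${GW:-vpngw-hub}
PIP=${PIP:-pip-vpngw-hub}
LNG=${LNG:-lng-onprem-dc1}
CONN=${CONN:-cn-hub-to-dc1}
GW_SUBNET_PREFIX=${GW_SUBNET_PREFIX:-10.0.255.0/27}
ONPREM_PUBLIC_IP=${ONPREM_PUBLIC_IP:-203.0.113.10}   # RFC 5737 placeholder
ONPREM_PREFIXES=${ONPREM_PREFIXES:-192.168.0.0/16}    # space-separated list allowed
DRY_RUN=${DRY_RUN:-1}
PSK=${PSK:-}

# Run a command, or in dry-run mode print it with the PSK masked so the plan
# can be pasted into a change ticket without leaking the key.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        if [ -n "$PSK" ]; then printf '%s\n' "$*" | sed "s|$PSK|<psk>|g"
        else printf '%s\n' "$*"; fi
    else
        "$@"
    fi
}

# The gateway subnet must be /27 or larger, i.e. a prefix length of at most 27.
check_gateway_subnet() {
    case $1 in */*) ;; *) return 1 ;; esac
    bits=${1##*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 27 ]
}

# 40 random alphanumerics: printable ASCII, within Azure's 128-character limit,
# and far beyond offline-guessing range for IKEv2 PSK authentication.
gen_psk() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 40
}

create_gateway_subnet() {
    check_gateway_subnet "$GW_SUBNET_PREFIX" || {
        echo "GatewaySubnet must be /27 or larger, got $GW_SUBNET_PREFIX" >&2; return 1; }
    run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
        --address-prefixes "$GW_SUBNET_PREFIX"
}

create_public_ip() {
    # Standard SKU, static allocation is what the VpnGw SKUs require.
    run az network public-ip create -g "$RG" -n "$PIP" -l "$LOCATION" \
        --sku Standard --allocation-method Static
}

create_gateway() {
    # Route-based, Generation2; --no-wait because provisioning takes 30-45 minutes.
    # For active-active, pass two public IPs and add --enable-active-active... is
    # NOT assumed here; this creates an active-standby gateway.
    run az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" --vnet "$VNET" \
        --public-ip-address "$PIP" --gateway-type Vpn --vpn-type RouteBased \
        --sku VpnGw2 --vpn-gateway-generation Generation2 --no-wait
}

create_local_gateway() {
    # The on-premises side: device public IP and the prefixes reachable behind it.
    run az network local-gateway create -g "$RG" -n "$LNG" -l "$LOCATION" \
        --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes $ONPREM_PREFIXES
}

create_connection() {
    run az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
        --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$PSK"
    # Pin a modern IPsec/IKE policy instead of Azure's broad default proposal set
    # (which still offers DH group 2 and no PFS). Mirror these values on the device.
    run az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
        --dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 \
        --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS14 \
        --sa-lifetime 27000 --sa-max-size 102400000
}

main() {
    [ -n "$PSK" ] || PSK=$(gen_psk)
    create_gateway_subnet && create_public_ip && create_gateway \
        && create_local_gateway && create_connection
    echo "Shared key is in \$PSK; hand it to the device owner out of band and store it in Key Vault." >&2
}

main
```

Run it once with the default dry run to review the plan, then `DRY_RUN=0 PSK="$(az keyvault secret show ... --query value -o tsv)" ./s2s.sh` (the Key Vault lookup is an assumption about where you keep the key) to create the resources; wait for the gateway's provisioning state to reach Succeeded before expecting the connection to come up.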
Step 3: Configure On-Premises VPN Device
Configure your on-premises VPN device to establish a connection with the Azure VPN gateway. This typically involves:
- Configuring the tunnel interface with the public IP address of the Azure VPN gateway.
- Setting up IPsec/IKE parameters (encryption, integrity, DH group, PFS, SA lifetimes) to match the Azure VPN gateway. Azure's default proposal set is broad and still includes legacy options such as DH group 2 and no PFS; for production, pin a custom IPsec/IKE policy on the Azure connection (for example AES-256-GCM, SHA-256, DH group 14, PFS14) and configure the device with exactly the same values, so the tunnel cannot negotiate down to the weakest option both sides happen to accept.
- Specifying the Azure VNet address space as a remote network.
- Using the same pre-shared key (PSK) configured in Azure.
- Enabling BGP if configured in Azure.
Refer to your VPN device manufacturer's documentation for specific configuration steps.
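For Step 3, an on-premises configuration for strongSwan (swanctl.conf) is added here as an example; it is not from the original page and not a vendor guide. It assumes a route-based Azure gateway whose connection carries a custom IPsec/IKE policy of AES-256 / SHA-256 / DH group 14 for IKE and AES-256-GCM with PFS14 for IPsec; the IP addresses, prefixes and key are placeholders.

```conf
# Added example (not from the original page): strongSwan swanctl.conf for an
# Azure route-based S2S tunnel. Addresses, prefixes and the key are placeholders.
connections {
    azure-hub {
        version = 2                     # Azure route-based gateways use IKEv2
        local_addrs  = 203.0.113.10     # this device's public IP (placeholder)
        remote_addrs = 198.51.100.20    # Azure VPN gateway public IP (placeholder)
        # Azure identifies itself by its public IP and expects this side to do the
        # same; a device behind NAT must set local.id to its NATed public IP.
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        # IKE: AES-256-CBC, SHA-256, DH group 14, matching a custom Azure policy
        # of AES256 / SHA256 / DHGroup14. Offer nothing weaker.
        proposals = aes256-sha256-modp2048
        # Azure's IKE SA lifetime is fixed at 28800 s; rekey earlier from this side
        rekey_time = 25200s
        dpd_delay = 30s
        children {
            vnet-hub {
                local_ts  = 192.168.0.0/16    # on-premises prefixes (placeholder)
                remote_ts = 10.0.0.0/16       # Azure VNet address space (placeholder)
                # ESP: AES-256-GCM with PFS group 14 (Azure GCMAES256 / PFS14)
                esp_proposals = aes256gcm16-modp2048
                # Azure IPsec SA lifetime of 27000 s; rekey at roughly 90%
                rekey_time = 24300s
                life_time  = 27000s
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-azure {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.20
        # The same key as on the Azure connection; placeholder value
        secret = "REPLACE-WITH-THE-AZURE-SHARED-KEY"
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` should show the IKE SA with the proposal above and one CHILD_SA; if negotiation fails with NO_PROPOSAL_CHOSEN, the device and the Azure connection policy do not agree, which is the expected outcome when one side has been pinned and the other has not.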
Key Considerations
- Gateway SKUs: Different SKUs offer varying throughput, tunnel counts and features (BGP, active-active, zone redundancy). A gateway can be resized between VpnGw SKUs of the same generation, but not from Basic to a VpnGw SKU; that requires recreating the gateway.
- VPN Types: Route-based VPNs use any-to-any traffic selectors and support dynamic routing (BGP), multiple tunnels and Point-to-Site; policy-based VPNs are simpler but are limited to the Basic SKU, IKEv1 and a single Site-to-Site tunnel.
- High Availability: For production workloads, deploy the gateway in active-active mode (two gateway instances, each with its own public IP, and a tunnel from the on-premises device to each) and, where possible, use two on-premises devices, so that maintenance or failure of one instance does not drop the connection. Zone-redundant (AZ) SKUs additionally protect against the loss of an availability zone.
- Monitoring: Monitor gateway performance, tunnel status and traffic through the Azure portal or Azure Monitor metrics, and send the gateway's diagnostic logs (GatewayDiagnosticLog, TunnelDiagnosticLog, IKEDiagnosticLog, RouteDiagnosticLog) to a Log Analytics workspace so that tunnel disconnects and IKE negotiation failures are visible and can be alerted on.
For more advanced configurations, such as VNet-to-VNet VPNs or Point-to-Site VPNs, please refer to the relevant Azure documentation.