Azure VPN Gateway
Azure VPN Gateway is a managed service that enables you to create and manage secure cross-premises connectivity between your on-premises networks and your Azure Virtual Networks (VNets). It also enables secure cross-premises connectivity between your Azure VNets.
Key Concepts
- Site-to-Site (S2S) VPN: Connects your on-premises network to an Azure VNet.
- Point-to-Site (P2S) VPN: Connects an individual client device to an Azure VNet.
- VNet-to-VNet VPN: Connects two or more Azure VNets together.
- Gateway SKUs: Different performance tiers for VPN gateways, affecting throughput, number of tunnels, and features.
- Connection Types: Specifies the type of VPN connection (e.g., IPsec/IKE, SSTP, L2TP/IPsec).
- BGP (Border Gateway Protocol): Enables dynamic routing between on-premises VPN devices and Azure VPN Gateway.
Creating a VPN Gateway
You can create a VPN gateway using the Azure portal, Azure CLI, PowerShell, or Azure Resource Manager (ARM) templates.
Using the Azure Portal:
- Navigate to the Azure portal.
- Search for "Virtual network gateways" and select it.
- Click "Create".
- Configure the gateway settings:
  - Subscription
  - Resource Group
  - Name
  - Region
  - Gateway type: VPN
  - VPN type: Route-based or Policy-based
  - SKU: Choose an appropriate SKU (e.g., VpnGw1, VpnGw2).
  - Virtual network: Select the VNet where you want to deploy the gateway.
  - Gateway subnet address range: Ensure you have a dedicated subnet named 'GatewaySubnet' with an appropriate address range (e.g., /27 or larger).
  - Public IP address: Create a new or use an existing Standard SKU, Static Public IP address.
  - Active-active mode (optional)
  - BGP (optional)
- Review and create the gateway. Deployment can take 30-45 minutes.
Important: The gateway subnet MUST be named GatewaySubnet.
Configuring Connections
Once the VPN gateway is deployed, you need to create connections to establish the secure tunnels.
Site-to-Site Connection Example:
- Navigate to your VPN gateway resource in the Azure portal.
- Under "Connections", click "Add".
- Configure the connection:
  - Name
  - Connection type: Site-to-site (IPsec)
  - Virtual network gateway: (Pre-selected)
  - Local network gateway: Create a new local network gateway representing your on-premises network (IP address ranges, public IP of your on-premises VPN device).
  - Shared key (PSK): Enter a strong, pre-shared key that matches the one configured on your on-premises VPN device.
  - IKE Protocol: Auto/IKEv2 or IKEv1.
- Click "OK" to create the connection.
Tip: Ensure that the IPsec/IKE parameters (encryption, hashing, DH group, lifetimes) are identical on both Azure VPN Gateway and your on-premises VPN device for a successful connection.
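The gateway and site-to-site steps above, carried through end to end in Azure CLI. This is an added example, not code from the page or from Microsoft: it creates the GatewaySubnet, a Standard static public IP, a route-based VpnGw1 gateway, a local network gateway and the site-to-site connection, pins an explicit IKE/IPsec policy, and refuses a weak pre-shared key. Every resource name, address prefix and on-premises address below is an assumed placeholder.

```bash
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the portal walk-through above.
# Every name, prefix and address here is a placeholder (assumption), not a
# value taken from any real deployment.
set -eu

RG="MyResourceGroup"
LOC="eastus"
VNET="MyVnet"
GW="MyVpnGateway"
PIP="MyVpnGatewayPip"
LNG="OnPremLocalGateway"            # assumed local network gateway name
CONN="OnPremS2S"                    # assumed connection name
GW_SUBNET_PREFIX="10.0.255.0/27"    # dedicated /27 for the gateway (assumed)
ONPREM_VPN_IP="203.0.113.10"        # documentation address standing in for the on-prem device
ONPREM_PREFIXES="192.168.0.0/16"    # assumed on-premises address space

# Azure only recognises a gateway subnet that is named exactly GatewaySubnet.
check_gateway_subnet_name() {
    [ "$1" = "GatewaySubnet" ]
}

# PSK policy used by this script: at least 32 characters, restricted to
# characters that common VPN devices accept without escaping. Azure itself
# allows 1-128 printable ASCII characters; a short key is guessable.
check_psk() {
    key="$1"
    [ "${#key}" -ge 32 ] || return 1
    case "$key" in
        *[!A-Za-z0-9._~-]*) return 1 ;;
    esac
    return 0
}

# 40 hex characters (160 bits) from the kernel RNG. Generate once, keep it in
# your secret store, and configure the same value on the on-premises device.
new_psk() {
    head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-40
}

deploy_gateway() {
    az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
        -n GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX"
    # Standard SKU and static allocation, as the portal steps require.
    az network public-ip create -g "$RG" -n "$PIP" -l "$LOC" \
        --sku Standard --allocation-method Static
    # Route-based gateway; this call blocks for the 30-45 minute deployment.
    az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOC" \
        --vnet "$VNET" --public-ip-addresses "$PIP" \
        --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}

create_s2s_connection() {
    psk="$1"
    check_psk "$psk" || { echo "refusing weak pre-shared key" >&2; return 1; }
    # Local network gateway = the on-premises side: its public VPN address and prefixes.
    az network local-gateway create -g "$RG" -n "$LNG" -l "$LOC" \
        --gateway-ip-address "$ONPREM_VPN_IP" --local-address-prefixes $ONPREM_PREFIXES
    az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOC" \
        --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$psk"
    # Pin the IKE/IPsec proposal instead of relying on defaults, then mirror
    # exactly these values on the on-premises device (with GCM, IPsec
    # encryption and integrity must name the same algorithm).
    az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
        --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
        --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS2048 \
        --sa-lifetime 27000 --sa-max-size 102400000
}

case "${1:-}" in
    new-psk) new_psk ;;
    deploy)
        check_gateway_subnet_name GatewaySubnet
        deploy_gateway
        # The key is read from the environment rather than typed on the command line.
        create_s2s_connection "${VPN_PSK:?export VPN_PSK with the key configured on the on-prem device}"
        ;;
esac
```

Usage: `./vpngw.sh new-psk` prints a fresh key to store and to load on the on-premises device; `VPN_PSK=... ./vpngw.sh deploy` (after `az login`) then builds the gateway and the connection. The `ipsec-policy add` step is the CLI form of the tip above: once the proposal is pinned on the Azure side there is exactly one set of parameters to copy to the on-premises device.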
Troubleshooting
Common issues include:
- Incorrect shared key.
- Mismatched IPsec/IKE parameters.
- Firewall rules blocking VPN traffic.
- Incorrect subnet configuration.
- Routing issues.
Use the "Connection troubleshoot" tool in the Azure portal for your VPN gateway to diagnose connectivity problems.
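Mismatched IPsec/IKE parameters are the failure the list above is hardest to see by eye, so here is an added example (not code from the page) that diffs the proposal configured on the Azure side against the one exported from the on-premises device and, once logged in with `az`, reads the connection state and the negotiated IKE SAs. The two policy texts are constructed sample data with two deliberate differences; the key=value format is an assumption of this script, not an Azure export format.

```bash
#!/usr/bin/env bash
# Added example: compare the IKE/IPsec proposal on the Azure side with the one
# on the on-premises device, then read the live connection state with az.
# The two policies below are constructed sample data, not real configuration.
set -eu

AZURE_POLICY="ike_encryption=AES256
ike_integrity=SHA256
dh_group=DHGroup14
ipsec_encryption=GCMAES256
ipsec_integrity=GCMAES256
pfs_group=PFS2048
sa_lifetime=27000"

# Constructed on-prem export with two deliberate differences (IKE integrity, SA lifetime).
ONPREM_POLICY="ike_encryption=AES256
ike_integrity=SHA1
dh_group=DHGroup14
ipsec_encryption=GCMAES256
ipsec_integrity=GCMAES256
pfs_group=PFS2048
sa_lifetime=3600"

# lookup KEY POLICY: print the value for KEY, exit 1 if the key is absent.
lookup() {
    for l in $2; do
        case "$l" in "$1="*) printf '%s' "${l#*=}"; return 0 ;; esac
    done
    return 1
}

# compare_policies AZURE ONPREM: print one MISMATCH line per differing or
# missing parameter; exit 0 only when the two proposals are identical.
compare_policies() {
    n=0
    for line in $1; do
        key=${line%%=*}
        av=${line#*=}
        bv=$(lookup "$key" "$2") || bv="<missing>"
        if [ "$av" != "$bv" ]; then
            printf 'MISMATCH %s: azure=%s onprem=%s\n' "$key" "$av" "$bv"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# count_mismatches AZURE ONPREM: number of differing parameters.
count_mismatches() {
    compare_policies "$1" "$2" | grep -c '^MISMATCH' || true
}

# Live checks (need `az login`): connection state with byte counters, and the
# IKE security associations that actually came up.
show_connection_status() {
    az network vpn-connection show -g "$1" -n "$2" -o table \
        --query '{status:connectionStatus, ingressBytes:ingressBytesTransferred, egressBytes:egressBytesTransferred}'
    az network vpn-connection list-ike-sas -g "$1" -n "$2"
}

case "${1:-}" in
    compare) compare_policies "$AZURE_POLICY" "$ONPREM_POLICY" ;;
    status)  show_connection_status "${2:?resource group}" "${3:?connection name}" ;;
esac
```

`./vpncheck.sh compare` prints the two mismatching parameters from the sample data and exits non-zero; `./vpncheck.sh status MyResourceGroup OnPremS2S` shows whether the tunnel is Connected and, through the IKE SA listing, which proposal was negotiated. A connection that stays in Connecting with zero bytes in both directions while the parameters already match points at the other items on the list: the shared key, a firewall in front of the on-premises device, or routing.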
Warning: Policy-based VPN gateways have limitations on IP address ranges and network topologies. Route-based VPNs are generally recommended for most scenarios.
# Example Azure CLI command to create a VPN Gateway (simplified).
# The VNet-attached gateway described above is created with `az network vnet-gateway`;
# `az network vpn-gateway` is the Virtual WAN command and takes different parameters.
# --gateway-default-site is optional and names an existing local network gateway.
az network vnet-gateway create \
--name MyVpnGateway \
--resource-group MyResourceGroup \
--location eastus \
--gateway-type Vpn \
--sku VpnGw1 \
--vpn-type RouteBased \
--public-ip-addresses MyVpnGatewayPip \
--vnet MyVnet \
--gateway-default-site localNetworkGateway
For detailed configuration and advanced scenarios, refer to the official Azure VPN Gateway documentation.