Virtual WAN Site-to-Site VPN

This article provides a comprehensive guide to configuring and managing Site-to-Site VPN connections within Azure Virtual WAN. Site-to-Site VPN allows you to securely connect your on-premises networks to your Azure Virtual WAN hub.

What is Site-to-Site VPN?

Site-to-Site (S2S) VPN is a network connection that connects an on-premises network to a cloud network. Virtual WAN provides a managed, scalable, and highly available global network solution that can be used to establish S2S VPN connections. This approach simplifies management and provides consistent connectivity.

Key Concepts

  • Virtual WAN Hub: A central network transit hub that connects your virtual networks, remote branches, and other network services.
  • Virtual Network Connection: Connects your Azure Virtual Networks (VNets) to the Virtual WAN hub.
  • Site: Represents your on-premises network location.
  • Connection: Establishes the VPN tunnel between your on-premises VPN device and the Virtual WAN hub.

Steps to Configure Site-to-Site VPN

1. Create a Virtual WAN Hub

Before you can create a VPN connection, you need a Virtual WAN hub. Navigate to the Virtual WAN service in the Azure portal and create a new hub in your desired region.

2. Create a VPN Site

A VPN site represents your on-premises network. You'll need to provide information such as:

  • Name: A friendly name for your site.
  • Region: The Azure region where your VPN site resource will be created.
  • Address Space: The CIDR block(s) representing your on-premises network.
  • IP Address: The public IP address of your on-premises VPN device.

In the Azure portal, go to your Virtual WAN, then "VPN sites," and click "Create VPN site."

3. Create a Site-to-Site VPN Connection

This step establishes the VPN tunnel.

  1. Navigate to your Virtual WAN hub.
  2. Under "Connectivity," select "VPN (Site-to-site)."
  3. Click "Create VPN connection."
  4. Select the Connection Type: Usually "Site-to-site (IPsec)."
  5. Choose the Target Hub: Your Virtual WAN hub.
  6. Choose the VPN Site: The site you created in step 2.
  7. Connection Name: A descriptive name for the connection.
  8. Link Speed: Configure according to your network requirements.
  9. IPsec/IKE Policy: You can use default policies or define custom ones. Ensure these match your on-premises VPN device's capabilities.
  10. Shared Key: A pre-shared key (PSK) that must be identical on both your Azure VPN gateway and your on-premises VPN device.

Important: The IPsec/IKE parameters (encryption, integrity algorithms, DH group, lifetimes) must be compatible between your Azure Virtual WAN VPN connection and your on-premises VPN device. Consult your VPN device vendor's documentation for compatible settings.

4. Configure Your On-Premises VPN Device

On your on-premises VPN device, you need to configure the following to establish the tunnel:

  • Remote Gateway IP Address: The public IP address of the Virtual WAN hub's VPN gateway (provided in the Azure portal connection details).
  • Local Network(s): The IP address spaces of your on-premises network.
  • Remote Network(s): The IP address spaces of your Azure VNet(s) connected to the hub.
  • IPsec/IKE Parameters: Match the policy configured in Azure (encryption, authentication, DH group, lifetimes).
  • Pre-Shared Key (PSK): The same key used in the Azure VPN connection.

Note: The specific configuration steps vary significantly depending on your VPN device vendor (e.g., Cisco, Fortinet, Palo Alto Networks, pfSense). Refer to your device's documentation.

Monitoring and Troubleshooting

Azure Virtual WAN provides monitoring tools within the Azure portal to track the status of your VPN connections. You can view:

  • Connection Status: Whether the tunnel is active or not.
  • Data Transfer: Incoming and outgoing traffic through the tunnel.
  • Logs: VPN gateway logs can provide detailed information for troubleshooting connection issues.

Common troubleshooting steps include verifying:

  • Matching IPsec/IKE parameters.
  • Correct pre-shared keys.
  • Firewall rules on-premises that might be blocking VPN traffic (UDP ports 500 and 4500).
  • Correct IP address ranges defined for local and remote networks.

Best Practices

  • Use strong, unique pre-shared keys.
  • Ensure your on-premises VPN device is supported by Azure Virtual WAN.
  • Configure redundant VPN connections for high availability.
  • Monitor connection health regularly.
  • Keep firmware on your VPN devices up to date.

By following these steps, you can establish secure and reliable Site-to-Site VPN connections between your on-premises environments and Azure using Virtual WAN.