Site-to-Site VPN Gateways in Azure Virtual WAN
This document provides detailed information on configuring and managing Site-to-Site (S2S) VPN connections with Azure Virtual WAN. Site-to-Site VPNs allow you to connect your on-premises networks to your Azure Virtual WAN hub securely over the public internet.
What is Site-to-Site VPN?
Site-to-Site VPN connects your on-premises network to Azure Virtual WAN. This connection is established using a VPN device at your on-premises location that is compatible with Azure VPN gateways. This provides a secure and encrypted tunnel between your resources in Azure and your on-premises infrastructure.
Key Concepts
- Virtual WAN Hub: The central point of connectivity in your Virtual WAN deployment. It contains the necessary network infrastructure, including VPN gateways.
- VPN Site: Represents your on-premises network location. You define the public IP address of your VPN device and the address space(s) of your on-premises network.
- Connection: The logical link between a Virtual WAN hub and a VPN site. This establishes the S2S VPN tunnel.
- IPsec/IKE: The standard protocol suite used to secure IP traffic between the two endpoints. IPsec encrypts and authenticates the packets in the tunnel; IKE negotiates the keys and security associations that IPsec uses. Azure Virtual WAN supports IPsec VPNs.
Prerequisites
- An Azure subscription.
- A Virtual WAN hub deployed in your Azure subscription.
- A compatible VPN device at your on-premises location with a static public IP address.
- Knowledge of your on-premises network's IP address ranges.
Configuring a Site-to-Site VPN Connection
The configuration process involves defining your on-premises VPN site and then creating a connection between the site and your Virtual WAN hub.
Step 1: Create a VPN Site
In the Azure portal, navigate to your Virtual WAN resource and select 'VPN sites' under 'Connectivity'. Click '+ Create VPN site'.
- Name: A descriptive name for your on-premises location (e.g., 'Headquarters-VPN').
- Region: The Azure region where your VPN site resource will be created (usually the same as your hub).
- Provider: Select your VPN device vendor or 'Azure VPN'.
- IP Address: The public IP address of your on-premises VPN device.
- Address space(s): The IP address ranges of your on-premises network that you want to connect to Azure.
- BGP settings (Optional): Configure if you are using BGP for dynamic routing.
Step 2: Create a Connection
Once the VPN site is created, go to your Virtual WAN hub, select 'Site-to-site VPN' under 'Connectivity', and click '+ Add connection'.
- Connection name: A name for this specific connection (e.g., 'HQ-to-Hub').
- Hub: Select the Virtual WAN hub.
- VPN Site: Select the VPN site you created earlier.
- IKE Protocol: Choose IKEv1 or IKEv2 (IKEv2 is recommended).
- IPsec / VNG settings: Configure IPsec parameters such as pre-shared key, encryption, and integrity algorithms. Refer to Azure's compatibility list for your VPN device.
- BGP settings (Optional): Configure if BGP is enabled on your VPN site.
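Steps 1 and 2 performed with the Azure CLI instead of the portal, as an added example that is not code from this page or from Microsoft. The resource group, Virtual WAN, gateway, site and connection names, the addresses and the ASN are placeholders; the flag names are those of the az virtual-wan extension and should be checked against `az network vpn-site create --help` and `az network vpn-gateway connection create --help` for your CLI version.

```shell
#!/bin/sh
# Added example: Steps 1 and 2 with the Azure CLI (placeholder values throughout).
# Requires the Virtual WAN CLI extension: az extension add --name virtual-wan
# Set AZ=echo to print the commands instead of running them.
set -eu

AZ="${AZ:-az}"
RG="${RG:-rg-vwan-demo}"            # resource group holding the Virtual WAN (placeholder)
VWAN="${VWAN:-vwan-demo}"           # Virtual WAN name (placeholder)
HUB_GW="${HUB_GW:-vpngw-hub-demo}"  # name of the VPN gateway inside the hub (placeholder)
LOCATION="${LOCATION:-westeurope}"  # region of the hub (placeholder)

# Step 1: create the VPN site for the on-premises location.
# $prefixes is a space-separated list of on-premises CIDRs and is intentionally
# unquoted so that each CIDR becomes its own argument to --address-prefixes.
# ASN and BGP peer address are optional (the "BGP settings" of Step 1).
create_vpn_site() {
  name="$1"; device_ip="$2"; prefixes="$3"; asn="${4:-}"; bgp_peer="${5:-}"
  set -- --address-prefixes $prefixes
  if [ -n "$asn" ]; then
    set -- "$@" --asn "$asn" --bgp-peering-address "$bgp_peer"
  fi
  "$AZ" network vpn-site create \
    --resource-group "$RG" --name "$name" --location "$LOCATION" \
    --virtual-wan "$VWAN" --ip-address "$device_ip" \
    --device-vendor Generic \
    "$@"
}

# Step 2: connect the hub's VPN gateway to the site. IKEv2 is selected explicitly.
# The PSK is read from the environment rather than written into the script; the
# CLI still receives it as an argument, so run this from a trusted admin host.
create_connection() {
  conn="$1"; site="$2"; enable_bgp="${3:-false}"
  : "${PSK:?export PSK with the pre-shared key before calling create_connection}"
  "$AZ" network vpn-gateway connection create \
    --resource-group "$RG" --gateway-name "$HUB_GW" --name "$conn" \
    --remote-vpn-site "$site" --protocol-type IKEv2 \
    --enable-bgp "$enable_bgp" --shared-key "$PSK"
}

# Example invocation (placeholders; 203.0.113.0/24 is documentation address space):
#   export PSK="$(openssl rand -base64 32)"   # keep a copy in a secret store for the device side
#   create_vpn_site Headquarters-VPN 203.0.113.10 "10.1.0.0/16 10.2.0.0/16" 65010 10.1.255.254
#   create_connection HQ-to-Hub Headquarters-VPN true
```

Generate the pre-shared key randomly and hand it to the on-premises device through a secret store rather than chat or e-mail; the same value must be configured on both ends, and the portal shows it on the connection details page if you need to retrieve it later.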
Tunnel Configuration Details
When you create a Site-to-Site VPN connection, Azure Virtual WAN provisions a virtual network gateway within the hub. The connection details provide essential information for configuring your on-premises VPN device:
- Gateway IP addresses: These are the public IP addresses of the Azure VPN gateways that your on-premises device will connect to.
- Pre-shared key (PSK): A secret key used for authentication between the two VPN endpoints.
- IPsec/IKE parameters: Specific encryption, integrity, Diffie-Hellman group, and SA lifetime settings.
You can download the configuration script for common VPN devices from the Azure portal by clicking the 'Download' button on the connection details page.
Verifying the Connection
After configuring both ends, monitor the connection status in the Azure portal. A 'Connected' status indicates that the tunnel is established. You can also check the VPN logs on your on-premises device.
Troubleshooting Common Issues
- Incorrect IP Addresses: Verify the public IP address of your on-premises VPN device and the expected Azure gateway IP addresses.
- Mismatched IPsec/IKE Parameters: Ensure all security parameters (encryption, integrity, PSK, lifetimes) are identical on both sides.
- Firewall Blocking: Confirm that your on-premises firewall allows UDP port 500 (IKE), UDP port 4500 (NAT-T), and ESP traffic (IP protocol 50) between your VPN device and the Azure gateway IP addresses.
- BGP Configuration: If using BGP, ensure correct ASN, BGP peer IP addresses, and network advertisement.
For more advanced troubleshooting, refer to the Azure Network Watcher tools and VPN gateway diagnostics.
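A small check for the "Mismatched IPsec/IKE Parameters" item above, as an added example that is not part of this page or of any Azure tool. Each side's parameters are written into a key=value file (a constructed convention for this example, not an Azure export format) and the script lists every key whose value differs or that is present on only one side; the sample values in run_demo are constructed to show three mismatches.

```shell
#!/bin/sh
# Added example: compare the IPsec/IKE parameters configured on the on-premises
# device with the ones configured on the Azure connection. Inputs are key=value
# files, one parameter per line, '#' for comments (a constructed convention).
# Do not put the PSK itself in these files; if you want to compare it, store
# the output of  printf '%s' "$PSK" | sha256sum  on both sides instead.
set -eu

# Prints one MISMATCH line per differing or one-sided key, then the mismatch count.
compare_ipsec_params() {
  onprem="$1"; azure="$2"; count=0
  for key in $(cut -d= -f1 "$onprem" "$azure" | grep -v '^#' | sort -u); do
    a=$(grep "^$key=" "$onprem" | head -n1 | cut -d= -f2-)
    b=$(grep "^$key=" "$azure"  | head -n1 | cut -d= -f2-)
    if [ "$a" != "$b" ]; then
      printf 'MISMATCH %s: on-prem=%s azure=%s\n' "$key" "${a:-<unset>}" "${b:-<unset>}"
      count=$((count + 1))
    fi
  done
  printf '%d\n' "$count"
}

# Constructed sample: the on-prem device was set up without PFS and with a
# different SA lifetime, and its admin never set an SA data-size limit.
run_demo() {
  onprem_file=$(mktemp); azure_file=$(mktemp)
  cat > "$onprem_file" <<'EOF'
# on-premises device (constructed sample)
ike_version=IKEv2
ike_encryption=AES256
ike_integrity=SHA256
dh_group=DHGroup14
ipsec_encryption=GCMAES256
ipsec_integrity=GCMAES256
pfs_group=None
sa_lifetime_seconds=27000
EOF
  cat > "$azure_file" <<'EOF'
# Azure connection (constructed sample)
ike_version=IKEv2
ike_encryption=AES256
ike_integrity=SHA256
dh_group=DHGroup14
ipsec_encryption=GCMAES256
ipsec_integrity=GCMAES256
pfs_group=PFS2048
sa_lifetime_seconds=3600
sa_data_size_kb=102400000
EOF
  compare_ipsec_params "$onprem_file" "$azure_file"
  rm -f "$onprem_file" "$azure_file"
}
```

Running `run_demo` reports pfs_group, sa_data_size_kb and sa_lifetime_seconds and ends with the count 3. Keys are compared literally, so write both files using the same naming (here Azure's names such as DHGroup14 and PFS2048); a mismatch in SA lifetime does not always prevent the tunnel from coming up, but it does cause periodic renegotiation failures that show up as a tunnel that drops and reconnects.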
Best Practices
- Use IKEv2 for improved security and stability.
- Configure redundant VPN tunnels by using multiple VPN devices or links on-premises.
- Enable BGP for dynamic route exchange to simplify network management.
- Regularly review and update your IPsec/IKE policies.
- Utilize Azure Network Watcher for connection monitoring and diagnostics.
This guide provides a foundational understanding of Site-to-Site VPNs in Azure Virtual WAN. For specific deployment scenarios and advanced configurations, consult the comprehensive Azure documentation.