Create a Site-to-Site VPN Gateway using Azure Resource Manager (ARM) templates and PowerShell
This article guides you through the process of creating a Site-to-Site (S2S) VPN gateway in Azure using Azure Resource Manager (ARM) templates and PowerShell. This setup allows you to securely connect your on-premises network to your Azure virtual network.
Note: This article focuses on using ARM templates for declarative deployment. For imperative deployment using PowerShell cmdlets, refer to Create a VNet-to-VNet connection.
Prerequisites
- An Azure subscription. If you don't have one, create a free account before you begin.
- PowerShell 7.1 or later installed. Install PowerShell.
- The Azure PowerShell module installed. Install Azure PowerShell.
- An on-premises VPN device that is compatible with Azure VPN Gateway and supports IKEv2 or IKEv1 protocols.
- Public IP address for your on-premises VPN device.
Step 1: Download the ARM Template and Parameters File
We'll use pre-defined ARM templates for simplicity. Download the following two files:
Save these files to a local directory on your computer.
Step 2: Modify the Parameters File
Open azuredeploy.parameters.json in a text editor. You'll need to modify the following parameters to match your environment:
- virtualNetworkName: The name for your Azure Virtual Network.
- virtualNetworkAddressPrefixes: The address space for your Virtual Network.
- gatewaySubnetPrefix: The address prefix for the gateway subnet.
- gatewaySku: The SKU for the VPN Gateway (e.g., "VpnGw1", "VpnGw2").
- vpnGatewayName: The name for your VPN Gateway.
- vpnGatewayIpConfigName: The name for the IP configuration of the VPN Gateway.
- publicIpAddressName: The name for the public IP address that will be associated with the VPN Gateway.
- location: The Azure region where you want to deploy the resources.
- gatewayAsn: The BGP Autonomous System Number (ASN) for your VPN Gateway.
- localNetworkGatewayName: The name for your Local Network Gateway (representing your on-premises network).
- localNetworkGatewayAddressPrefixes: The address space of your on-premises network.
- connectionName: The name for the connection between the Azure VPN Gateway and your on-premises VPN device.
- sharedKey: The pre-shared key for the VPN connection.
Example modification:
"virtualNetworkName": {
"value": "MyAzureVNet"
},
"virtualNetworkAddressPrefixes": {
"value": "10.1.0.0/16"
},
"gatewaySubnetPrefix": {
"value": "10.1.255.0/27"
},
"gatewaySku": {
"value": "VpnGw1"
},
"vpnGatewayName": {
"value": "MyVpnGateway"
},
"location": {
"value": "eastus"
},
"localNetworkGatewayName": {
"value": "MyOnPremNetwork"
},
"localNetworkGatewayAddressPrefixes": {
"value": "192.168.1.0/24"
},
"sharedKey": {
"value": "MySuperSecretSharedKey123!"
}
Step 3: Deploy the ARM Template using PowerShell
Open PowerShell and navigate to the directory where you saved the ARM template files. Run the following command to deploy the resources:
Connect-AzAccount # Login-AzAccount is a deprecated alias of this cmdlet
$resourceGroupName = "MyResourceGroup" # Replace with your desired resource group name
New-AzResourceGroup -Name $resourceGroupName -Location eastus # Replace 'eastus' with your chosen location
New-AzResourceGroupDeployment `
-ResourceGroupName $resourceGroupName `
-TemplateFile ./azuredeploy.json `
-TemplateParameterFile ./azuredeploy.parameters.json
This command will:
- Log you into your Azure account.
- Create a new resource group if it doesn't exist.
- Deploy the resources defined in the ARM template to the specified resource group.
The deployment process can take a significant amount of time (15-30 minutes or more) as Azure provisions the VPN gateway.
Step 4: Verify the Deployment
Once the deployment is complete, you can verify the resources in the Azure portal or by using PowerShell commands:
Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName
Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroupName # Get-AzVpnGateway applies to Virtual WAN gateways, not VPN Gateway
Get-AzPublicIpAddress -ResourceGroupName $resourceGroupName
Get-AzLocalNetworkGateway -ResourceGroupName $resourceGroupName
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $resourceGroupName # Get-AzVpnConnection likewise applies to Virtual WAN
Tip: After the VPN gateway is created, you will need to configure your on-premises VPN device with the public IP address of the Azure VPN gateway and the pre-shared key to establish the connection.
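The following script is an added example, not part of the original article or the template it references. It performs Steps 3 and 4 in one pass while keeping the pre-shared key out of azuredeploy.parameters.json: it generates the key at run time, passes it as a SecureString, validates the template before the long gateway build, and then reads back the gateway public IP and connection status. It assumes the template declares sharedKey with type "securestring" and that the parameters file supplies every other parameter as a plain "value" (no Key Vault references).

```powershell
# Added example (not from the original article). Assumes the template declares
# sharedKey as "securestring" and that azuredeploy.parameters.json uses plain values.
param(
    [string]$ResourceGroupName = "MyResourceGroup",
    [string]$Location          = "eastus",
    [string]$TemplateFile      = "./azuredeploy.json",
    [string]$ParameterFile     = "./azuredeploy.parameters.json"
)

Connect-AzAccount | Out-Null

# Build the parameter hashtable from the file so every value except sharedKey
# still comes from azuredeploy.parameters.json.
$paramJson = Get-Content $ParameterFile -Raw | ConvertFrom-Json
$params = @{}
foreach ($p in $paramJson.parameters.PSObject.Properties) {
    if ($p.Name -ne 'sharedKey') { $params[$p.Name] = $p.Value.value }
}

# 32 random bytes rendered as 64 hex characters: a printable-ASCII PSK that never
# touches disk. Store $psk in your secrets manager for the on-premises device.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = [byte[]]::new(32)
$rng.GetBytes($bytes)
$psk   = -join ($bytes | ForEach-Object { $_.ToString('x2') })
$params['sharedKey'] = ConvertTo-SecureString $psk -AsPlainText -Force

New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force | Out-Null

# Validate first so parameter mistakes surface before the 15-30 minute gateway build.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile -TemplateParameterObject $params
if ($validation) { $validation | Format-List; throw "Template validation failed." }

New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile -TemplateParameterObject $params -Verbose

# The two values the on-premises device needs: the gateway public IP and $psk.
$pip = Get-AzPublicIpAddress -Name $params['publicIpAddressName'] -ResourceGroupName $ResourceGroupName
"Azure gateway public IP: $($pip.IpAddress)"

# The connection reports NotConnected until the on-premises device is configured (Step 5);
# check ConnectionStatus instead of assuming the deployment alone brought the tunnel up.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $params['connectionName'] -ResourceGroupName $ResourceGroupName
"Connection '$($conn.Name)': $($conn.ConnectionStatus) " +
    "(ingress $($conn.IngressBytesTransferred) B, egress $($conn.EgressBytesTransferred) B)"
```

Re-run the last two lines after configuring the on-premises device; a tunnel that stays NotConnected with zero bytes transferred points to the mismatches listed under Troubleshooting.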
Step 5: Configure On-Premises VPN Device
This step is highly dependent on your specific on-premises VPN device. Generally, you will need to configure the following:
- Remote Gateway IP Address: The public IP address of the Azure VPN Gateway. You can find this in the Azure portal or using Get-AzPublicIpAddress.
- Shared Secret (Pre-Shared Key): The value you specified in the sharedKey parameter.
- IKE Version: Ensure it matches the configuration of your Azure VPN Gateway (typically IKEv2).
- IPsec/IKE Parameters: Configure encryption, integrity, Diffie-Hellman groups, and lifetimes to match Azure's defaults or your specific requirements.
- Traffic Selectors: Configure the traffic selectors to allow traffic between your on-premises network address space and your Azure Virtual Network address space.
Troubleshooting
- Connection Issues: Double-check that the shared key, IP addresses, and encryption settings match on both ends. Verify firewall rules on your on-premises network are not blocking VPN traffic (UDP ports 500 and 4500).
- Deployment Failures: Review the deployment logs in the Azure portal for specific error messages. Ensure the parameter values are correct and valid.
Warning: Incorrectly configured VPN devices can lead to connectivity issues and potential security vulnerabilities. Always refer to your VPN device manufacturer's documentation.
By following these steps, you can successfully deploy a Site-to-Site VPN gateway in Azure using ARM templates and PowerShell, establishing a secure connection to your on-premises network.