Site-to-Site VPN Concepts
This article explains the concepts that you need to understand to implement a site-to-site (S2S) VPN connection to Azure Virtual WAN. Virtual WAN is a networking service that brings many Azure networking capabilities, such as VPN Site-to-Site, ExpressRoute, public peering, transit and branch network connectivity, together into a single interface.
What is Site-to-Site VPN?
A Site-to-Site (S2S) VPN is a secure IPsec VPN tunnel that connects your on-premises network to your Azure Virtual WAN hub. This allows your on-premises devices to communicate securely with resources deployed in your Azure Virtual WAN.
Key components of an S2S VPN connection in Virtual WAN include:
- Virtual WAN Hub: A regional network transit center. It is a managed Azure resource that contains various endpoints for connecting to different types of networks.
- VPN Gateway: A managed Azure VPN gateway resource deployed within a Virtual WAN hub. It handles the encryption and decryption of traffic between your on-premises VPN device and Azure.
- Virtual Network Connection: Connects your Azure Virtual Networks (VNets) to the Virtual WAN hub, enabling connectivity to resources within those VNets.
- Site-to-Site VPN Connection: The configuration that establishes the IPsec tunnel between your on-premises VPN device and the Azure VPN Gateway.
- Local Network Gateway (for Traditional VPN): In a traditional site-to-site VPN, this represents your on-premises network. In Virtual WAN, this concept is abstracted by the "Site" resource.
- On-Premises VPN Device: Your physical or virtual VPN appliance located on your on-premises network; it terminates the IPsec tunnel on your side.
How Site-to-Site VPN Works with Virtual WAN
Virtual WAN simplifies the management of S2S VPN connections by providing a centralized hub. Here's a high-level overview of the process:
- Provision a Virtual WAN Hub: Deploy a Virtual WAN hub in the Azure region(s) where you want to establish connectivity.
- Deploy a VPN Gateway: Attach a Standard or Basic VPN Gateway to the Virtual WAN hub.
- Create a Site: Define your on-premises network as a "Site" resource in Azure. This includes specifying the public IP address of your VPN device and the address space(s) of your on-premises network.
- Configure the Connection: Create a Site-to-Site VPN connection resource, linking your on-premises Site to the VPN Gateway in your Virtual WAN hub. This step generates the necessary configuration details (like pre-shared keys and tunnel IP addresses) for your on-premises VPN device.
- Configure Your On-Premises VPN Device: Using the configuration details provided by Azure, set up your on-premises VPN device to establish the IPsec tunnel to the Azure VPN Gateway.
- Connect Virtual Networks: Connect your Azure Virtual Networks to the Virtual WAN hub to allow traffic to flow between your on-premises sites and your cloud resources.
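The steps above, carried out end to end with the Az PowerShell module. This is an added example and not code from the article or from Microsoft; the resource group, region, resource names, address spaces, the on-premises public IP (a TEST-NET-3 address) and the SAS URL are placeholders to replace before running, and the script assumes you have already signed in with Connect-AzAccount. The pre-shared key for the connection is drawn from a cryptographic random number generator rather than typed by hand.

```powershell
# Added example (not from the article): provisions the S2S building blocks
# described in the steps above with the Az PowerShell module.
# All names, prefixes and addresses below are placeholders.
$rg                 = 'rg-vwan-example'      # placeholder resource group
$location           = 'westeurope'           # placeholder region
$onPremIp           = '203.0.113.10'         # placeholder public IP of the on-premises VPN device
$onPremAddressSpace = @('10.10.0.0/16')      # placeholder on-premises prefixes
$hubPrefix          = '10.0.0.0/24'          # placeholder hub address space

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Step 1: Virtual WAN and a hub in the target region
$wan = New-AzVirtualWan -ResourceGroupName $rg -Name 'vwan-example' -Location $location
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name 'hub-example' -VirtualWan $wan `
         -AddressPrefix $hubPrefix -Location $location

# Step 2: VPN gateway attached to the hub (capacity is expressed in scale units)
$gw = New-AzVpnGateway -ResourceGroupName $rg -Name 'vpngw-example' `
        -VirtualHubName $hub.Name -VpnGatewayScaleUnit 1

# Step 3: the on-premises network as a Site resource
$site = New-AzVpnSite -ResourceGroupName $rg -Name 'site-branch1' -Location $location `
          -VirtualWan $wan -IpAddress $onPremIp -AddressSpace $onPremAddressSpace `
          -DeviceModel 'placeholder-model' -DeviceVendor 'placeholder-vendor' `
          -LinkSpeedInMbps 100

# Step 4: the S2S connection. The PSK comes from a CSPRNG; the same value
# must be entered on the on-premises device, so keep it out of shell history
# and ticketing systems.
$pskBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pskBytes)
$psk = [Convert]::ToBase64String($pskBytes)

$conn = New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw.Name `
          -Name 'conn-branch1' -VpnSite $site -SharedKey $psk `
          -VpnConnectionProtocolType IKEv2

# Step 5: export the device configuration (tunnel IPs, PSK, BGP settings) to a
# writable blob via a SAS URL and hand it to the on-premises device administrator.
$sasUrl = '<SAS URL of a writable blob>'   # placeholder
Get-AzVirtualWanVpnConfiguration -ResourceGroupName $rg -Name $wan.Name `
    -StorageSasUrl $sasUrl -VpnSiteId $site.Id

# Step 6: attach a spoke VNet to the hub so its resources are reachable
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke1'   # placeholder VNet
New-AzVirtualHubVnetConnection -ResourceGroupName $rg -VirtualHubName $hub.Name `
    -Name 'conn-spoke1' -RemoteVirtualNetwork $vnet
```

The exported configuration file contains the pre-shared key in clear text, so treat the blob and its SAS URL with the same care as the key itself and revoke the SAS once the device has been configured.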
Key Concepts and Considerations
IPsec/IKE Protocols
Site-to-Site VPN connections use the IPsec protocol suite for securing data over the public internet. This involves two main phases:
- IKE (Internet Key Exchange): Used to establish a secure channel and generate cryptographic keys for IPsec. Virtual WAN supports IKEv1 and IKEv2.
- IPsec: Used to encrypt and authenticate the actual data packets.
Tunneling and Encryption
Traffic is encapsulated within IPsec tunnels, which provide confidentiality and integrity. AES256 is a common choice for encryption, and SHA256 is a common choice for the integrity (authentication) algorithm.
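A custom IPsec/IKE policy that pins the algorithms named above on both phases, as an added example that is not part of the article or of Microsoft's documentation. It uses the Az PowerShell cmdlets New-AzIpsecPolicy and Update-AzVpnConnection; the resource group, gateway and connection names are placeholders, and the SA lifetime and size values are illustrative choices rather than values the article prescribes.

```powershell
# Added example (not from the article): apply an explicit IPsec/IKE policy to an
# existing Virtual WAN VPN connection so that both phases use AES256 and SHA256
# and the DH/PFS groups are fixed instead of left to negotiation.
$rg       = 'rg-vwan-example'   # placeholder resource group
$gwName   = 'vpngw-example'     # placeholder VPN gateway name
$connName = 'conn-branch1'      # placeholder connection name

# Splatting keeps each parameter on its own commented line.
$policyParams = @{
    IkeEncryption       = 'AES256'     # phase 1 (IKE) cipher
    IkeIntegrity        = 'SHA256'     # phase 1 integrity / PRF
    DhGroup             = 'DHGroup14'  # 2048-bit MODP group for the IKE exchange
    IpsecEncryption     = 'AES256'     # phase 2 (ESP) cipher
    IpsecIntegrity      = 'SHA256'     # phase 2 integrity
    PfsGroup            = 'PFS2048'    # perfect forward secrecy on phase 2 rekey
    SALifeTimeSeconds   = 27000        # phase 2 SA lifetime (illustrative value)
    SADataSizeKilobytes = 102400000    # phase 2 SA data limit (illustrative value)
}
$policy = New-AzIpsecPolicy @policyParams

Update-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gwName `
    -Name $connName -IpSecPolicy $policy

# Read the policy back to confirm what the gateway will actually propose.
(Get-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gwName -Name $connName).IpsecPolicies
```

The on-premises device must be configured with the same proposal; a mismatch in any of the eight values shows up as a phase 1 or phase 2 negotiation failure rather than a degraded tunnel, which is the desired failure mode.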
Redundancy and High Availability
Virtual WAN VPN gateways are deployed with active-active or active-standby configurations, providing high availability. For optimal redundancy, it's recommended to configure your on-premises VPN device with multiple public IP addresses and establish multiple S2S tunnels.
IP Addressing
Ensure that the address spaces of your on-premises networks and your Azure Virtual Networks do not overlap. This prevents routing conflicts.
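A pre-flight check for the overlap rule above, written as an added example in PowerShell (not code from the article). It parses CIDR prefixes, normalises them to their block boundaries and reports every on-premises prefix that overlaps an Azure prefix. The prefix lists are constructed sample values; the Azure side includes the hub address space as well as the VNet prefixes, since the hub prefix is also part of the address plan.

```powershell
# Added example (not from the article): detect overlapping IPv4 address spaces
# before a Site and connection are created. Sample prefixes are constructed.

function ConvertTo-AddressInteger {
    # IPv4 dotted-quad string -> integer (held in a long to avoid signed overflow)
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Ip" }
    [Array]::Reverse($bytes)                                         # BitConverter is little-endian
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-PrefixRange {
    # CIDR string -> object with the first and last address of the block
    param([string]$Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "Not a CIDR prefix: $Cidr" }
    $len = [int]$parts[1]
    if ($len -lt 0 -or $len -gt 32) { throw "Bad prefix length in $Cidr" }
    $base  = ConvertTo-AddressInteger $parts[0]
    $size  = [long]1 -shl (32 - $len)      # number of addresses in the block
    $start = $base - ($base % $size)       # align to the block boundary
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-PrefixOverlap {
    # Returns one line per conflicting pair; an empty result means the plan is clean.
    param([string[]]$OnPrem, [string[]]$Azure)
    $conflicts = @()
    foreach ($a in $OnPrem) {
        $ra = Get-PrefixRange $a
        foreach ($b in $Azure) {
            $rb = Get-PrefixRange $b
            # two ranges overlap when each one starts before the other ends
            if ($ra.Start -le $rb.End -and $rb.Start -le $ra.End) {
                $conflicts += "$a overlaps $b"
            }
        }
    }
    return $conflicts
}

# Constructed sample inputs (not from the article).
$onPremPrefixes = @('10.10.0.0/16', '192.168.50.0/24')
$azurePrefixes  = @('10.0.0.0/24',      # hub address space
                    '10.10.200.0/22',   # spoke VNet
                    '172.16.0.0/12')    # spoke VNet

$result = Test-PrefixOverlap -OnPrem $onPremPrefixes -Azure $azurePrefixes
if ($result.Count -eq 0) { 'No overlapping address spaces' } else { $result }
```

In the sample data the spoke prefix 10.10.200.0/22 lies inside the on-premises 10.10.0.0/16, which is exactly the kind of conflict that would otherwise surface later as traffic silently taking the wrong route. Run the check against every Site before creating its connection, and again whenever a VNet is attached to the hub.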
Routing
Virtual WAN uses BGP (Border Gateway Protocol) for dynamic route exchange between your on-premises sites and Azure. This allows for automatic route propagation and management.
Pre-shared Key (PSK)
A secret passphrase used for authenticating the VPN tunnel. It must be identical on both your on-premises VPN device and the Azure VPN connection configuration.
Next Steps
To implement a Site-to-Site VPN connection with Azure Virtual WAN, you can follow these guides: