Configure a site‑to‑site VPN connection
This article explains how to configure a site‑to‑site (S2S) VPN connection between an on‑premises network and an Azure Virtual WAN hub using the Azure portal, Azure CLI, or PowerShell.
Prerequisites
- An active Azure subscription.
- A Virtual WAN resource created in the target region.
- A Virtual Hub associated with the Virtual WAN.
- An on‑premises VPN device (Cisco, Juniper, Palo Alto, etc.) supporting IKEv2.
- Azure CLI 2.0 or PowerShell 7+ installed locally (optional, for script‑based deployment).
Step‑by‑step guide
1. Create a Virtual WAN (if not already created)
# Azure CLI (the vwan, vhub, vpn-site and vpn-gateway command groups come from the virtual-wan extension)
az network vwan create \
  --name MyWAN \
  --resource-group MyResourceGroup \
  --location eastus
2. Create a Virtual Hub
# Azure CLI
az network vhub create \
  --name MyHub \
  --resource-group MyResourceGroup \
  --vwan MyWAN \
  --address-prefix 10.0.0.0/24 \
  --location eastus
3. Define the on‑premises VPN site
# Azure CLI
az network vpn-site create \
  --name OnPremVPNSite \
  --resource-group MyResourceGroup \
  --virtual-wan MyWAN \
  --address-prefixes 192.168.10.0/24 \
  --location eastus \
  --device-vendor Cisco \
  --device-model "ISR 4321" \
  --ip-address 203.0.113.10
4. Create the VPN connection
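# Azure CLI
# A site-to-site connection is created on the hub's VPN gateway, not on the hub itself.
# "<hub-vpn-gateway-name>" is a placeholder for the S2S VPN gateway deployed in MyHub.
# The shared key below is a sample value: use a long random key and set the same key on the on-premises device.
az network vpn-gateway connection create \
  --name S2SConnection \
  --resource-group MyResourceGroup \
  --gateway-name "<hub-vpn-gateway-name>" \
  --remote-vpn-site OnPremVPNSite \
  --routing-weight 10 \
  --shared-key "MySecretKey123"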
5. Verify the connection
After provisioning, navigate to Virtual Hub > Connections in the Azure portal and confirm the status is Connected. You can also run:
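# Azure CLI
# "<hub-vpn-gateway-name>" is a placeholder for the S2S VPN gateway deployed in MyHub.
az network vpn-gateway connection show \
  --name S2SConnection \
  --resource-group MyResourceGroup \
  --gateway-name "<hub-vpn-gateway-name>"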
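Step 4 passes the pre-shared key as a literal on the command line. The following added example (not part of the original article) generates a 256-bit key from /dev/urandom, rejects short or low-variety keys such as the sample one, and stores the result in an owner-only file. The function names, the thresholds and the file path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: create the IKE pre-shared key
# for --shared-key instead of typing a memorable literal.

# gen_psk: 32 bytes from the kernel CSPRNG, hex-encoded (64 chars, 256 bits).
gen_psk() {
  od -An -tx1 -N32 /dev/urandom | tr -dc '0-9a-f'
}

# psk_ok KEY: succeed only if KEY has at least 32 characters and at least
# 8 distinct ones (both thresholds are assumptions of this example).
psk_ok() {
  key=$1
  [ "${#key}" -ge 32 ] || return 1
  distinct=$(( $(printf '%s' "$key" | fold -w1 | sort -u | wc -l) ))
  [ "$distinct" -ge 8 ]
}

# new_psk_file PATH: generate a key, vet it, and store it readable by the
# owner only (PATH is a hypothetical location chosen by the operator).
new_psk_file() {
  out=$1
  psk=$(gen_psk) || return 1
  psk_ok "$psk" || return 1
  rm -f "$out"                      # drop any older file and its permissions
  ( umask 077 && printf '%s' "$psk" > "$out" )
}
```

Call `new_psk_file ./s2s.psk`, pass the stored value with `--shared-key "$(cat ./s2s.psk)"`, and configure the same key on the on-premises device. This keeps the key out of scripts and shell history, although it is still visible in the `az` process arguments while the command runs.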
FAQ
- What encryption algorithms are supported?
  Azure Virtual WAN supports AES‑256, AES‑128, and 3DES. The default is AES‑256.
- Can I use BGP over the S2S connection?
  Yes. Enable BGP when creating the VPN connection and provide the ASN and BGP peer IP.