Configure a Site‑to‑Site VPN in Azure Virtual WAN
Prerequisites
- An Azure subscription with Owner or Network Contributor rights.
- A Virtual WAN resource already created.
- On‑premises VPN device that supports IKEv2 (or IKEv1) and has a public IP address.
- Azure PowerShell 7.x or Azure CLI 2.50+ installed.
Step‑by‑step guide
- Navigate to Virtual WAN > Your WAN > Site‑to‑Site (VPN).
- Click + Add VPN site.
- Enter a name, select the appropriate VPN device from the list, and provide the on‑premises public IP.
- In the Address space section, add the on‑premises address prefixes you want to advertise.
- Under IPSec policy, either accept the default or configure a custom policy.
- Click Create. The VPN site will be provisioned and attached to your Virtual Hub.
- Download the generated configuration script for your device from the Configuration tab and apply it on-premises.
```powershell
# Azure PowerShell
# Variables
$resourceGroup = "MyResourceGroup"
$location      = "East US"          # region of the Virtual WAN and hub
$wanName       = "MyVirtualWAN"
$gatewayName   = "MyVpnGateway"     # site-to-site VPN gateway already deployed in the hub
$vpnSiteName   = "OnPremSite"
$addressPrefix = "10.0.0.0/16"
$publicIP      = "203.0.113.10"

# Describe the on-premises link (public IP, provider, bandwidth) as an in-memory object
$link = New-AzVpnSiteLink -Name "Link1" -IpAddress $publicIP -LinkProviderName "ISP1" -LinkSpeedInMbps 100

# Create VPN site (the Virtual WAN is referenced by name; -AddressSpace takes one or more prefixes)
$vpnSite = New-AzVpnSite -ResourceGroupName $resourceGroup `
    -Name $vpnSiteName `
    -Location $location `
    -VirtualWanResourceGroupName $resourceGroup `
    -VirtualWanName $wanName `
    -AddressSpace @($addressPrefix) `
    -DeviceModel "Cisco ISR" `
    -DeviceVendor "Cisco" `
    -VpnSiteLink @($link)

# Connect the site to the hub: the connection is a child of the hub's VPN gateway
$linkConn = New-AzVpnSiteLinkConnection -Name "Link1-conn" `
    -VpnSiteLink $vpnSite.VpnSiteLinks[0] `
    -ConnectionBandwidthInMbps 100 `
    -SharedKey "<pre-shared key>"
New-AzVpnConnection -ResourceGroupName $resourceGroup `
    -ParentResourceName $gatewayName `
    -Name "$vpnSiteName-conn" `
    -VpnSite $vpnSite `
    -VpnSiteLinkConnection @($linkConn)

# Verify
Get-AzVpnSite -ResourceGroupName $resourceGroup -Name $vpnSiteName
```
```bash
# Azure CLI (the vpn-site and vpn-gateway commands live in the virtual-wan extension)
az extension add --name virtual-wan

# Variables
RESOURCE_GROUP="MyResourceGroup"
LOCATION="eastus"
WAN_NAME="MyVirtualWAN"
GATEWAY_NAME="MyVpnGateway"   # site-to-site VPN gateway already deployed in the hub
SITE_NAME="OnPremSite"
ADDRESS_PREFIX="10.0.0.0/16"
PUBLIC_IP="203.0.113.10"

# Create VPN site
az network vpn-site create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$SITE_NAME" \
  --location "$LOCATION" \
  --virtual-wan "$WAN_NAME" \
  --ip-address "$PUBLIC_IP" \
  --address-prefixes "$ADDRESS_PREFIX" \
  --device-model "Cisco ISR" \
  --device-vendor "Cisco"

# Add the on-premises link (public IP, provider, bandwidth)
az network vpn-site link add \
  --resource-group "$RESOURCE_GROUP" \
  --site-name "$SITE_NAME" \
  --name Link1 \
  --ip-address "$PUBLIC_IP" \
  --link-provider-name "ISP1" \
  --link-speed 100

# Associate with hub: create a connection on the hub's VPN gateway for that link
LINK_ID=$(az network vpn-site show --resource-group "$RESOURCE_GROUP" --name "$SITE_NAME" \
  --query "vpnSiteLinks[?name=='Link1'].id" --output tsv)
az network vpn-gateway connection create \
  --resource-group "$RESOURCE_GROUP" \
  --gateway-name "$GATEWAY_NAME" \
  --name "${SITE_NAME}-conn" \
  --remote-vpn-site "$SITE_NAME" \
  --vpn-site-link "$LINK_ID" \
  --with-link true \
  --connection-bandwidth 100 \
  --shared-key "<pre-shared key>"

# Show details
az network vpn-site show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$SITE_NAME"
```
Validate the connection
After configuring the on‑premises device, verify the tunnel status from the portal or using Azure CLI:
```bash
# Azure CLI (virtual-wan extension): inspect the connection created for the site on the hub's VPN gateway
az network vpn-gateway connection show \
  --resource-group MyResourceGroup \
  --gateway-name MyVpnGateway \
  --name OnPremSite-conn \
  --query "{status:connectionStatus, links:vpnLinkConnections[].{name:name, status:connectionStatus, ingressBytes:ingressBytesTransferred, egressBytes:egressBytesTransferred}}"
```
The command returns the overall connection status and, for each link, the tunnel status (Connected, Connecting or NotConnected) and the bytes transferred in each direction. A link that stays at NotConnected usually indicates an IPsec policy or pre-shared key mismatch with the on-premises device.
Best practices
- Use IKEv2 with strong encryption (AES‑256/GCM) and SHA‑256.
- Enable DPD (Dead Peer Detection) to quickly detect failures.
- Configure redundant tunnels for high availability.
- Keep your on‑premises VPN firmware up to date.
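The following Azure PowerShell script is an added example, not part of the original page or of Microsoft's documentation. It shows how the best practices above (a custom IKE/IPsec policy with AES-256-GCM and SHA-256, and redundant tunnels) are expressed for a Virtual WAN site, and it folds in the validation step by checking each tunnel's status after the connection is created. The gateway name `MyVpnGateway`, the two ISP link names and addresses, and `<pre-shared key>` are assumed placeholders; the hub's site-to-site VPN gateway is assumed to exist already. DPD is negotiated by the Azure gateway and is configured on the on-premises device side, so it does not appear here.

```powershell
# Added example (not from the original page). Assumed placeholders: $gatewayName,
# the two ISP links, and "<pre-shared key>".
$resourceGroup = "MyResourceGroup"
$location      = "East US"
$wanName       = "MyVirtualWAN"
$gatewayName   = "MyVpnGateway"   # assumed: VPN gateway already deployed in the hub
$vpnSiteName   = "OnPremSite"

# Redundancy: one link per on-premises circuit. Azure builds a separate tunnel to each
# public IP, so the site stays reachable if one circuit or tunnel fails.
$link1 = New-AzVpnSiteLink -Name "Link-ISP1" -IpAddress "203.0.113.10" -LinkProviderName "ISP1" -LinkSpeedInMbps 100
$link2 = New-AzVpnSiteLink -Name "Link-ISP2" -IpAddress "198.51.100.20" -LinkProviderName "ISP2" -LinkSpeedInMbps 100

$vpnSite = New-AzVpnSite -ResourceGroupName $resourceGroup -Name $vpnSiteName -Location $location `
    -VirtualWanResourceGroupName $resourceGroup -VirtualWanName $wanName `
    -AddressSpace @("10.0.0.0/16") -DeviceVendor "Cisco" -DeviceModel "Cisco ISR" `
    -VpnSiteLink @($link1, $link2)

# Custom policy: AES-256 with SHA-256 for IKE, AES-256-GCM for ESP, DH group 14 and
# PFS on ECP384. When ESP uses a GCM cipher, IpsecIntegrity must name the same GCM
# algorithm. Route-based Virtual WAN tunnels negotiate IKEv2 by default.
$policy = New-AzIpsecPolicy `
    -SALifeTimeSeconds 3600 `
    -SADataSizeKilobytes 102400000 `
    -IkeEncryption AES256 `
    -IkeIntegrity SHA256 `
    -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 `
    -IpsecIntegrity GCMAES256 `
    -PfsGroup ECP384

# One link connection per site link, each carrying the same policy. Use a distinct
# pre-shared key per link in a real deployment.
$linkConns = foreach ($link in $vpnSite.VpnSiteLinks) {
    New-AzVpnSiteLinkConnection -Name "$($link.Name)-conn" `
        -VpnSiteLink $link `
        -ConnectionBandwidthInMbps 100 `
        -SharedKey "<pre-shared key>" `
        -IpSecPolicy $policy
}

$conn = New-AzVpnConnection -ResourceGroupName $resourceGroup `
    -ParentResourceName $gatewayName `
    -Name "$vpnSiteName-conn" `
    -VpnSite $vpnSite `
    -VpnSiteLinkConnection $linkConns

# Validation: list each tunnel's state and traffic counters, fail if nothing is up,
# and warn when only some tunnels are connected (redundancy degraded).
function Test-VpnSiteConnection {
    param([string]$ResourceGroup, [string]$GatewayName, [string]$ConnectionName)

    $c = Get-AzVpnConnection -ResourceGroupName $ResourceGroup `
        -ParentResourceName $GatewayName -Name $ConnectionName

    foreach ($lc in $c.VpnLinkConnections) {
        [pscustomobject]@{
            Link         = $lc.Name
            Status       = $lc.ConnectionStatus      # Connected / Connecting / NotConnected / Unknown
            IngressBytes = $lc.IngressBytesTransferred
            EgressBytes  = $lc.EgressBytesTransferred
        }
    }

    $total = @($c.VpnLinkConnections).Count
    $up    = @($c.VpnLinkConnections | Where-Object ConnectionStatus -eq "Connected").Count
    if ($up -eq 0) { throw "No tunnel is connected for $ConnectionName; check the IPsec policy and pre-shared key on the device" }
    if ($up -lt $total) { Write-Warning "$up of $total tunnels connected for $ConnectionName; redundancy is degraded" }
}

Test-VpnSiteConnection -ResourceGroup $resourceGroup -GatewayName $gatewayName -ConnectionName $conn.Name
```

The policy object is applied per link connection, so both tunnels to the site negotiate the same algorithms; the on-premises device must offer a matching proposal or the link stays at NotConnected. The check function is written to be re-run after any change on the device side, which is the quickest way to confirm that a policy or key update has taken effect.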