Configure a VPN Gateway for Azure Virtual WAN

This article explains how to configure a VPN gateway in Azure Virtual WAN. Virtual WAN simplifies network management and connectivity by providing a single pane of glass for your wide area network.

Note: This article assumes you have already deployed a Virtual WAN and at least one Virtual Hub.

Prerequisites

Steps to Configure a VPN Gateway

1. Navigate to your Virtual Hub

In the Azure portal, navigate to your Virtual WAN resource. Then, select the Virtual Hub where you want to configure the VPN gateway.

2. Create a VPN Gateway

In the Virtual Hub menu, under "Connectivity", select VPN (Site-to-site). Then, click + Create to add a new VPN gateway.

On the "Create VPN gateway" page, configure the following settings:

Click Review + create, then Create.

3. Configure VPN Site Connections

Once the VPN gateway is deployed, you need to create connections from your on-premises VPN devices or other Azure VNet gateways to this VPN gateway.

In the Virtual Hub menu, under "Connectivity", select Site-to-site VPN. Click + Create connection.

On the "Create connection" page, configure the following:

Click Create.

Tip: For connecting to on-premises devices, you will typically configure the "Local network gateway" to represent your on-premises network. This involves specifying the IP address space of your on-premises network and the public IP address of your on-premises VPN device.

Example Azure CLI Commands

Here are some example Azure CLI commands to automate the VPN gateway configuration:

# Sign in and select the subscription that holds the Virtual WAN
$ az login
Login successful.
$ az account set --subscription "Your Subscription ID"
# Create the site-to-site VPN gateway in the virtual hub (sized by scale units)
$ az network vpn-gateway create \
    --name MyVpnGateway \
    --resource-group MyResourceGroup \
    --vhub MyVirtualHub \
    --scale-unit 1 \
    --location eastus
# Connect the gateway to the on-premises site using a pre-shared key
$ az network vpn-gateway connection create \
    --name MySiteToSiteConnection \
    --resource-group MyResourceGroup \
    --gateway-name MyVpnGateway \
    --remote-vpn-site MyOnPremisesGateway \
    --shared-key "YourSharedKeyHere"

Replace placeholder values like MyVpnGateway, MyResourceGroup, MyVirtualHub, MyOnPremisesGateway, and YourSharedKeyHere with your actual values.
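An added example, not part of the original article: a Bash helper that generates the IPsec shared key from the kernel CSPRNG, rejects weak or placeholder keys, and reads the key from a file so it stays out of shell history and scripts. PSK_MIN_LEN, PSK_FILE, the function names and the distinct-character threshold are assumptions; the az flags are those of the Azure CLI virtual-wan extension.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Resource names are the article's
# placeholders; PSK_MIN_LEN, PSK_FILE and the function names are assumptions.
PSK_MIN_LEN=32   # assumed local policy floor, not a limit imposed by Azure

# gen_psk [LEN]: print LEN (default 48) alphanumeric characters taken from
# the kernel CSPRNG; fails instead of returning a short key.
gen_psk() {
    local len="${1:-48}" key
    key="$(head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-${len}")"
    [ "${#key}" -eq "$len" ] || return 1
    printf '%s' "$key"
}

# psk_is_acceptable KEY: reject short keys, the article's placeholder,
# non-alphanumeric characters, and keys with fewer than 10 distinct
# characters (assumed heuristic for repeated-pattern keys).
psk_is_acceptable() {
    local key="$1" distinct LC_ALL=C
    [ "${#key}" -ge "$PSK_MIN_LEN" ] || return 1
    [ "$key" != "YourSharedKeyHere" ] || return 1
    case "$key" in *[!A-Za-z0-9]*) return 1 ;; esac
    distinct="$(printf '%s' "$key" | fold -w1 | sort -u | wc -l)"
    [ "$((distinct))" -ge 10 ]
}

# create_connection: read the key from the file named by PSK_FILE (keep it
# mode 600) and refuse to call az if the key fails the checks above.
create_connection() {
    local psk
    psk="$(cat "${PSK_FILE:?set PSK_FILE to the key file}")" || return 1
    psk_is_acceptable "$psk" || { echo "refusing weak shared key" >&2; return 1; }
    az network vpn-gateway connection create \
        --name MySiteToSiteConnection \
        --resource-group MyResourceGroup \
        --gateway-name MyVpnGateway \
        --remote-vpn-site MyOnPremisesGateway \
        --shared-key "$psk"
}

# Typical use (not executed here):
#   umask 077; gen_psk > psk.txt
#   PSK_FILE=psk.txt create_connection
```

The key is still passed in az's argument list, so it is visible in the process table of the host while the command runs; run it from a trusted administration host and configure the same key on the on-premises device over a separate secure channel.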

Monitoring and Verification

After configuration, you can monitor the status of your VPN gateway and connections in the Azure portal. Look for connection status, data in/out, and any errors.

You can also use Azure Network Watcher to troubleshoot connectivity issues.