How to Connect a Site to Azure Virtual WAN

This guide provides step-by-step instructions on how to connect your on-premises network sites to an Azure Virtual WAN hub. This allows for secure and efficient connectivity between your distributed sites and Azure resources.

Prerequisite: Ensure you have a Virtual WAN and a Virtual Hub deployed in your Azure subscription. Refer to the Create a Virtual Hub article for details.

1. Create a Site Resource

A site resource represents your on-premises network or a location outside of Azure that you want to connect to your Virtual WAN.

  1. Navigate to your Virtual WAN resource in the Azure portal.
  2. In the left-hand menu, under Connectivity, select Site-to-site VPNs (or VPN (Site-to-site) depending on your portal view).
  3. Click on + Create site.
  4. Fill in the following details:
    • Region: Select the region where your Virtual WAN is deployed.
    • Resource group: Choose the resource group for this site resource.
    • Site name: Provide a descriptive name for your site (e.g., Headquarters-VPN).
    • Device vendor: Select the vendor of your on-premises VPN device. If your vendor is not listed, select Generic.
    • IP address: Enter the public IP address of your on-premises VPN device.
    • Link speed (Mbps): (Optional) The expected link speed of your VPN connection.
    • Address space: Enter the CIDR block(s) representing your on-premises network that will be connected.
  5. Click Next: Tags >.
  6. (Optional) Add any tags for organization.
  7. Click Review + create, then Create.
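Before clicking Create, it is worth sanity-checking the values typed into the form, because a wrong device IP, an overlapping address space or an ASN Azure reserves for itself only surfaces later as a tunnel that never comes up. The script below is an added example, not Azure tooling or part of this guide: it encodes the form fields as a dictionary and checks that the device IP is public, that every address space is a valid CIDR that overlaps neither the hub prefix nor another site prefix, and that an optional BGP ASN avoids the reserved list. The reserved-ASN set is the author's recollection of Azure's documented list and the hub prefix and site values are constructed samples; confirm the list against current Azure documentation.

```python
"""Pre-flight checks for the values typed into 'Create site' (step 1).

Added example, not Azure tooling. The rules are assumptions drawn from the
guide (public device IP, valid on-premises CIDRs, optional BGP) plus Azure's
reserved-ASN list as the author recalls it; verify that list before use.
"""
import ipaddress

# ASNs Azure reserves for its own VPN gateways and hubs (assumption; verify).
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}

# Prefixes that cannot be the public address of a VPN device. Documentation
# ranges such as 203.0.113.0/24 are deliberately left out of this list so
# that constructed sample values pass.
NON_PUBLIC_V4 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_public_ipv4(text: str) -> bool:
    """True when text parses as an IPv4 address outside every non-public prefix."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_PUBLIC_V4)


def validate_site(site: dict, hub_prefix: str) -> list:
    """Return the problems found in a site definition; an empty list means it looks sound.

    The site keys mirror the portal form: ip_address, address_space (a list of
    CIDRs) and an optional bgp dict carrying asn and peer_ip.
    """
    problems = []

    if not is_public_ipv4(site.get("ip_address", "")):
        problems.append("ip_address must be the device's public IPv4 address")

    hub = ipaddress.ip_network(hub_prefix)
    seen = []
    for cidr in site.get("address_space", []):
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"address_space entry {cidr!r} is not a valid CIDR: {err}")
            continue
        if net.overlaps(hub):
            problems.append(f"{net} overlaps the hub address space {hub}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps another site prefix {other}")
        seen.append(net)

    bgp = site.get("bgp")
    if bgp is None:
        # Without BGP the hub learns on-premises routes only from this field.
        if not seen:
            problems.append("at least one address_space prefix is needed without BGP")
    else:
        asn = bgp.get("asn")
        if not isinstance(asn, int) or not 1 <= asn <= 4294967295:
            problems.append("bgp.asn must be an integer in 1..4294967295")
        elif asn in AZURE_RESERVED_ASNS:
            problems.append(f"bgp.asn {asn} is reserved by Azure; choose another ASN")
        try:
            peer = ipaddress.IPv4Address(bgp.get("peer_ip", ""))
            if peer in hub:
                problems.append(f"bgp.peer_ip {peer} lies inside the hub address space")
        except ValueError:
            problems.append("bgp.peer_ip must be an IPv4 address")

    return problems


# Constructed sample: a headquarters site with two LAN prefixes and BGP.
HQ_SITE = {
    "site_name": "Headquarters-VPN",
    "ip_address": "203.0.113.10",            # constructed public address
    "address_space": ["10.10.0.0/16", "10.20.0.0/24"],
    "bgp": {"asn": 65010, "peer_ip": "10.10.0.254"},
}

if __name__ == "__main__":
    # Constructed hub prefix; replace with the one shown on your Virtual Hub.
    for line in validate_site(HQ_SITE, "10.100.0.0/24") or ["site definition looks sound"]:
        print(line)
```

Run it with the hub's real address space in place of the constructed one; each returned string names the form field to correct, so the list can be pasted straight into a change ticket.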

2. Configure VPN Device Connection

After creating the site resource, you need to configure your on-premises VPN device to establish a connection with Azure Virtual WAN. Azure Virtual WAN supports various VPN device configurations.

Option A: Download Configuration Package

For supported vendors, Azure can generate a configuration package that you can use to configure your on-premises VPN device.

  1. Once your site resource is created, navigate back to the Site-to-site VPNs section of your Virtual WAN.
  2. Select the site you just created.
  3. Click on Download VPN configuration.
  4. Select the PSK (Pre-Shared Key) and the Configuration provider (your VPN device model).
  5. Click Download.
  6. Use this downloaded file to configure your on-premises VPN device according to your vendor's documentation. This typically involves setting up the tunnel interface, IPsec policies, and pre-shared keys.

Important: The downloaded configuration package provides specific settings, including the Azure-side IP addresses for the VPN tunnels and the pre-shared keys. Ensure these match precisely on your on-premises VPN device.

Option B: Manual Configuration

If your device vendor is not listed or you prefer manual configuration, you will need to gather the following information from the Azure portal:

You'll need to refer to your on-premises VPN device vendor's documentation for the specific steps to configure these parameters.

3. Establish the VPN Connection in Virtual Hub

Now, you need to create the actual VPN connection resource within your Virtual Hub and link it to the site you created.

  1. Navigate to your Virtual Hub resource in the Azure portal.
  2. In the left-hand menu, under Connectivity, select VPN (Site-to-site).
  3. Click on + Create VPN connection.
  4. Fill in the following details:
    • Region: Should be pre-selected.
    • Virtual Hub: Should be pre-selected.
    • Connection name: A descriptive name for the connection (e.g., HQ-to-Hub-VPN).
    • Hub-to-site: Select this option.
    • Site: Choose the site resource you created earlier from the dropdown.
    • Link 1 speed (Mbps): Matches the link speed configured for the site.
    • Connection mode: Typically Route-based.
    • Use Azure Private IP Address: Usually set to No unless you have specific requirements.
    • Enable BGP: Select Yes if your on-premises network uses BGP for routing. If so, you'll need to provide your AS number and BGP peer IP address.
    • IPsec/IKE Policy: Choose a custom policy or use the default. Ensure it matches your on-premises device configuration.
    • Shared Key: Enter the Pre-Shared Key (PSK) that you have configured on your on-premises VPN device.
  5. Click Review + create, then Create.

Repeat these steps to create the second tunnel if your VPN device supports active-active configurations.
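The two fields in this step that most often break a tunnel are the IPsec/IKE policy, which must be identical on both sides, and the Shared Key. The script below is an added example, not Azure tooling or part of this guide: it diffs the Azure-side policy against the one configured on the device, flags algorithms Azure still accepts but which are weak or disable forward secrecy, checks the GCM pairing rule and the SA lifetime bounds, and applies a strength rule to the PSK. The field names follow Azure's ipsecPolicies schema; the weak-algorithm list, the lifetime bounds (as the author recalls them from Azure documentation) and the PSK length floor are this example's own assumptions, and both policies are constructed samples.

```python
"""Consistency and strength checks for the VPN connection (step 3).

Added example, not Azure tooling. Field names follow Azure's ipsecPolicies
schema; the weak-value set, the SA lifetime bounds and the PSK floor are
assumptions made by this example, not limits enforced by Azure.
"""
import secrets
import string

POLICY_FIELDS = ("ikeEncryption", "ikeIntegrity", "dhGroup", "ipsecEncryption",
                 "ipsecIntegrity", "pfsGroup", "saLifeTimeSeconds", "saDataSizeKilobytes")

# Values Azure accepts but a reviewer should flag: legacy ciphers, weak hashes,
# small DH groups, and "None" (PFS or encryption switched off).
WEAK_VALUES = {"DES", "DES3", "MD5", "SHA1", "DHGroup1", "DHGroup2", "PFS1", "PFS2", "None"}

PSK_MIN_LENGTH = 20  # local policy floor chosen for this example


def policy_mismatches(azure: dict, device: dict) -> list:
    """Fields on which the two sides disagree; any entry means IKE negotiation fails."""
    out = []
    for field in POLICY_FIELDS:
        a, d = azure.get(field), device.get(field)
        if a != d:
            out.append(f"{field}: azure={a!r} device={d!r}")
    return out


def policy_warnings(policy: dict) -> list:
    """Weak algorithm choices and out-of-range SA lifetimes within one policy."""
    out = []
    for field in POLICY_FIELDS[:6]:
        value = str(policy.get(field, ""))
        if value in WEAK_VALUES:
            out.append(f"{field}={value} is weak or disabled; prefer AES256/GCMAES256, "
                       f"SHA256, DHGroup14 or ECP384")
    # AES-GCM carries its own integrity: when either ESP field names a GCM suite,
    # Azure requires both to name the same one.
    enc = str(policy.get("ipsecEncryption", ""))
    integ = str(policy.get("ipsecIntegrity", ""))
    if (enc.startswith("GCMAES") or integ.startswith("GCMAES")) and enc != integ:
        out.append("ipsecEncryption and ipsecIntegrity must be the same GCMAES value when GCM is used")
    # Bounds as the author recalls Azure's documented limits (assumption).
    life = policy.get("saLifeTimeSeconds", 0)
    if not 300 <= life <= 172799:
        out.append(f"saLifeTimeSeconds={life} outside 300..172799")
    size = policy.get("saDataSizeKilobytes", 0)
    if not 1024 <= size <= 2**31 - 1:
        out.append(f"saDataSizeKilobytes={size} outside 1024..2147483647")
    return out


def psk_problems(psk: str) -> list:
    """Strength rules for the Shared Key entered in the portal and on the device."""
    out = []
    if len(psk) < PSK_MIN_LENGTH:
        out.append(f"PSK shorter than {PSK_MIN_LENGTH} characters")
    if not all(32 < ord(c) < 127 for c in psk):
        out.append("PSK must be printable ASCII without spaces")
    classes = sum(any(f(c) for c in psk) for f in (str.isupper, str.islower, str.isdigit))
    if classes < 3:
        out.append("PSK should mix upper-case, lower-case and digits")
    return out


def generate_psk(length: int = 32) -> str:
    """A random key from the OS CSPRNG that passes psk_problems()."""
    alphabet = string.ascii_letters + string.digits
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not psk_problems(psk):
            return psk


# Constructed sample policies: the Azure side, and a device copy with one field wrong.
AZURE_POLICY = {
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "PFS2048",
    "saLifeTimeSeconds": 27000, "saDataSizeKilobytes": 102400000,
}
DEVICE_POLICY = dict(AZURE_POLICY, ipsecIntegrity="SHA256")

if __name__ == "__main__":
    for line in policy_mismatches(AZURE_POLICY, DEVICE_POLICY):
        print("mismatch:", line)
    for line in policy_warnings(DEVICE_POLICY):
        print("warning:", line)
    print("generated PSK:", generate_psk())
```

Export the policy actually applied on the device (from its running configuration) into the DEVICE_POLICY dictionary rather than copying what was intended; the mismatch list then points directly at the field to fix when the connection status stays anything other than Connected.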

4. Verify Connectivity

Once the VPN connection is established, you can verify the connectivity.

  1. Navigate to your Virtual Hub and select VPN (Site-to-site).
  2. Check the Connection status for your newly created VPN connection. It should show as Connected.
  3. From a virtual machine in an Azure VNet connected to the Virtual Hub, try to ping an IP address on your on-premises network, and vice-versa.
  4. Check the BGP peering status if you enabled BGP.

Troubleshooting Tips: If the connection status is not Connected, double-check the Pre-Shared Keys, IP addresses, subnet configurations, and IPsec/IKE policies on both Azure and your on-premises VPN device. Firewall rules on your on-premises network must also permit VPN traffic (UDP ports 500 and 4500).

By following these steps, you can successfully connect your on-premises sites to Azure Virtual WAN, enabling a robust and scalable network infrastructure.