Azure Virtual WAN

Connect your on-premises sites securely to Azure

How to Connect Your Site to Azure Virtual WAN with a Site-to-Site (S2S) VPN

This guide provides step-by-step instructions to establish a secure and reliable Site-to-Site (S2S) VPN connection between your on-premises network and your Azure Virtual WAN hub. This is a crucial step for hybrid cloud architectures, enabling seamless connectivity between your local resources and Azure services.

Prerequisites

  • An Azure subscription.
  • A deployed Azure Virtual WAN hub.
  • An on-premises VPN device that is compatible with Azure VPN Gateways (refer to the Azure VPN device compatibility list for details).
  • Access to your on-premises VPN device configuration.
  • A publicly routable IP address for your on-premises VPN device.

Steps to Connect

Step 1: Create a Site-to-Site VPN Connection in Azure Portal

  1. Navigate to your Virtual WAN hub in the Azure portal.
  2. In the hub menu, under "VPN (site to site)", select "Site-to-site VPN connections".
  3. Click "+ Create connection".
  4. Fill in the following details:
    • Connection type: Site-to-site (IPsec)
    • Resource group: Select the resource group for your Virtual WAN.
    • Connection name: A descriptive name for your connection (e.g., 'HQ-to-Azure-VPN').
    • Hub name: Your Virtual WAN hub.
    • Device type: Select your VPN device vendor and model. If not listed, choose 'Generic'.
    • IP address: The public IP address of your on-premises VPN device.
    • BGP: Enable if you plan to use BGP for dynamic routing.
    • Link speed: The upload/download speed of your internet connection.
    • AS number: Your BGP Autonomous System number (if BGP is enabled).
    • IP address ranges: The local IP address ranges of your on-premises network that you want to connect.
    • Pre-shared key: Generate a strong pre-shared key (PSK) or use your own. This will be used on both Azure and your on-premises device.
  5. Click "Review + create" and then "Create".
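The values entered in Step 1 are easy to get subtly wrong (a private address where a public one is required, a range with host bits set, an ASN that collides with the hub's). The following Python script is an added example, not part of this guide or of any Microsoft tooling; it checks those inputs offline with the standard library and generates a pre-shared key with 32 bytes of entropy. The site name, IP address and ranges in it are constructed sample values, and the set of reserved ASNs is taken from the Azure VPN Gateway BGP documentation (the hub ASN 65515 cannot be reused on premises).

```python
"""Pre-flight checks for the Step 1 inputs (added example, not Microsoft code).

Validates the VPN site values before you type them into the portal and
generates a pre-shared key with enough entropy. Standard library only.
"""
import ipaddress
import secrets
from typing import List, Optional

# Every Virtual WAN hub uses ASN 65515, so the on-premises side must not.
AZURE_HUB_ASN = 65515
# ASNs that Azure documents as reserved for its own use (VPN Gateway BGP docs).
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}


def generate_psk(nbytes: int = 32) -> str:
    """Return a random PSK carrying `nbytes` bytes of entropy as base64url text."""
    return secrets.token_urlsafe(nbytes)


def validate_site(public_ip: str, address_ranges: List[str], asn: Optional[int] = None) -> List[str]:
    """Return a list of problems with the site definition (an empty list means OK)."""
    problems = []

    # The device address must be globally routable, not RFC 1918 or another reserved range.
    try:
        if not ipaddress.ip_address(public_ip).is_global:
            problems.append(f"{public_ip} is not a publicly routable address")
    except ValueError:
        problems.append(f"{public_ip!r} is not a valid IP address")

    # On-premises ranges must be proper CIDR prefixes (no host bits set).
    if not address_ranges:
        problems.append("at least one on-premises address range is required")
    for r in address_ranges:
        try:
            ipaddress.ip_network(r, strict=True)
        except ValueError:
            problems.append(f"{r!r} is not a valid CIDR prefix")

    # With BGP enabled the ASN must be positive and must not be one Azure reserves.
    if asn is not None:
        if asn < 1:
            problems.append(f"ASN {asn} is not a valid autonomous system number")
        elif asn in AZURE_RESERVED_ASNS:
            problems.append(f"ASN {asn} is reserved by Azure (the hub itself uses {AZURE_HUB_ASN})")
    return problems


def build_site(name: str, public_ip: str, address_ranges: List[str], asn: Optional[int] = None) -> dict:
    """Return the validated site definition plus a freshly generated PSK, or raise ValueError."""
    problems = validate_site(public_ip, address_ranges, asn)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": name,
        "ip_address": public_ip,
        "address_ranges": list(address_ranges),
        "asn": asn,
        "pre_shared_key": generate_psk(),
    }


if __name__ == "__main__":
    # Constructed sample values; replace them with your own site's details.
    site = build_site("HQ-to-Azure-VPN", "40.112.10.20", ["10.10.0.0/16"], asn=65010)
    print(site)
```

Copy the generated key into the "Pre-shared key" field and into the on-premises device in the same session; the script deliberately does not persist it anywhere.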

Step 2: Configure Your On-Premises VPN Device

This is a critical step that requires configuration on your physical or virtual VPN device. The exact steps will vary based on your device's make and model.

Refer to the Azure VPN Gateway documentation for specific configuration guides for popular VPN device vendors.

You will need to configure the following parameters on your on-premises VPN device using the information provided in the Azure portal after the connection is created:

  • Azure VPN Gateway Public IP Address: The public IP address of your Virtual WAN hub's VPN gateway; from your device's point of view this is the remote (peer) gateway.
  • Remote/Peer Gateway IP Address: As seen from Azure, this is the public IP address of your on-premises VPN device; on the device itself it is the local gateway (outside interface) address.
  • Pre-shared Key (PSK): The same PSK you generated or entered in Azure.
  • IPsec/IKE Parameters: Ensure the encryption, hashing, Diffie-Hellman group, and SA lifetimes match those configured in Azure. You can often find these details within the connection settings in the Azure portal.
  • Local and Remote Network Identifiers: Define the traffic selectors (also known as Phase 2 selectors) to specify which on-premises networks should be routed to Azure and vice versa.
  • BGP Configuration (if applicable): If BGP is enabled, configure the BGP peer IP addresses and AS numbers.

Step 3: Verify the Connection Status

  1. In the Azure portal, navigate back to your Virtual WAN hub and the "Site-to-site VPN connections" section.
  2. The status of your connection should eventually change to "Connected". This may take a few minutes as the tunnel establishes.
  3. You can also check the "Connection health" or "Tunnel status" for more detailed information.

Troubleshooting Common Issues

  • Mismatched Pre-shared Keys: Ensure the PSK is identical on both ends.
  • Incorrect IP Addresses: Verify that the public IP addresses of both the Azure gateway and your on-premises device are correctly configured.
  • IPsec/IKE Parameter Mismatch: This is a very common cause of connection failures. Double-check all encryption, hashing, DH group, and lifetime settings.
  • Firewall Rules: Ensure that no firewalls on your network are blocking UDP ports 500 and 4500, which are used for IKE and IPsec.
  • Route Conflicts: Ensure there are no overlapping IP address ranges between your on-premises network and your Azure Virtual Network.
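Two of the failure modes above, an IPsec/IKE parameter mismatch and overlapping address ranges, can be caught before the tunnel is ever brought up by diffing the Azure-side policy against the device's settings and intersecting the prefixes, which is also the parameter list Step 2 asks you to match. The script below is an added example, not code from this guide or from Microsoft. The Azure-side field names and values (AES256, SHA256, DHGroup14, GCMAES256, PFS2048, saLifeTimeSeconds, saDataSizeKilobytes) are the names Azure uses for custom IPsec policies; the vendor spellings in ALIASES and both sample policies are constructed assumptions that you would extend for your own device.

```python
"""Diff the Azure-side IPsec/IKE policy against the on-premises device's settings
and look for route overlaps (added example, not Microsoft code)."""
import ipaddress
from typing import List, Tuple

# Azure's canonical policy names mapped to spellings vendors commonly use.
# The vendor spellings are assumed examples; extend them for your own device.
ALIASES = {
    "ikeEncryption":   {"AES256": {"aes256", "aes-256", "aes-256-cbc"}},
    "ikeIntegrity":    {"SHA256": {"sha256", "sha2-256", "hmac-sha256"}},
    "dhGroup":         {"DHGroup14": {"dhgroup14", "group14", "modp2048", "14"}},
    "ipsecEncryption": {"GCMAES256": {"gcmaes256", "aes-256-gcm", "aes256gcm"}},
    "ipsecIntegrity":  {"GCMAES256": {"gcmaes256", "aes-256-gcm", "aes256gcm"}},
    "pfsGroup":        {"PFS2048": {"pfs2048", "group14", "modp2048", "14"}},
}
NUMERIC_FIELDS = ("saLifeTimeSeconds", "saDataSizeKilobytes")


def normalize(field: str, value) -> str:
    """Map a vendor spelling onto Azure's name for the same algorithm; numbers compare as integers."""
    if field in NUMERIC_FIELDS:
        return str(int(value))
    v = str(value).strip().lower()
    for azure_name, spellings in ALIASES.get(field, {}).items():
        if v == azure_name.lower() or v in spellings:
            return azure_name
    return v


def compare_policies(azure: dict, onprem: dict) -> List[Tuple[str, object, object]]:
    """Return (field, azure_value, onprem_value) for every parameter that differs or is missing."""
    mismatches = []
    for field in list(ALIASES) + list(NUMERIC_FIELDS):
        a, o = azure.get(field), onprem.get(field)
        if a is None or o is None or normalize(field, a) != normalize(field, o):
            mismatches.append((field, a, o))
    return mismatches


def find_overlaps(onprem_ranges: List[str], vnet_ranges: List[str]) -> List[Tuple[str, str]]:
    """Return (on-prem, VNet) prefix pairs that overlap; any hit means routing is ambiguous."""
    hits = []
    for a in map(ipaddress.ip_network, onprem_ranges):
        for b in map(ipaddress.ip_network, vnet_ranges):
            if a.overlaps(b):
                hits.append((str(a), str(b)))
    return hits


# Constructed sample policies: the Azure side as a custom IPsec policy, the
# on-premises side as a device might express the same settings. Only the
# IKE SA lifetime differs, which is enough to make Phase 1 rekeys fail.
AZURE_POLICY = {
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14",
    "ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256", "pfsGroup": "PFS2048",
    "saLifeTimeSeconds": 27000, "saDataSizeKilobytes": 102400000,
}
ONPREM_POLICY = {
    "ikeEncryption": "aes-256", "ikeIntegrity": "sha256", "dhGroup": "group14",
    "ipsecEncryption": "aes-256-gcm", "ipsecIntegrity": "aes-256-gcm", "pfsGroup": "group14",
    "saLifeTimeSeconds": 28800, "saDataSizeKilobytes": 102400000,
}

if __name__ == "__main__":
    for field, a, o in compare_policies(AZURE_POLICY, ONPREM_POLICY):
        print(f"MISMATCH {field}: Azure={a} on-prem={o}")
    for a, b in find_overlaps(["10.10.0.0/16", "172.16.0.0/12"], ["10.10.5.0/24", "10.100.0.0/16"]):
        print(f"OVERLAP on-prem {a} vs VNet {b}")
```

Treat a missing field as a mismatch rather than skipping it: a device that silently falls back to its default for, say, the PFS group is exactly the case that produces a tunnel which comes up and then drops at the first rekey.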

For advanced troubleshooting, use Azure Network Watcher's VPN Troubleshoot feature.

Next Steps

Once your S2S VPN connection is established, you can proceed with:

  • Configuring routing to allow traffic flow between your on-premises network and your Azure VNets.
  • Deploying resources in Azure that need to be accessible from your on-premises network.
  • Monitoring your VPN connection health and performance through Azure Monitor.