Site-to-Site VPN Connectivity with Azure Virtual WAN
This document describes how to configure and operate Site-to-Site (S2S) VPN connections in Azure Virtual WAN. Virtual WAN provides a managed hub-and-spoke transit network in which on-premises sites, Azure Virtual Networks and remote users attach to regional hubs and are administered from a single Virtual WAN resource.
Key Concepts
- Virtual WAN Hub: The managed network hub deployed in an Azure region; it hosts the gateways and acts as the transit point for traffic between everything connected to it.
- Hub VPN Gateway: The site-to-site VPN gateway inside the hub. It is deployed active-active as two instances, each with its own public IP address, so an on-premises device normally builds two tunnels.
- Virtual Network Connection: Attaches an Azure Virtual Network (VNet) to the hub.
- Site-to-Site VPN Connection: The IPsec/IKE tunnel(s) between an on-premises VPN device (represented by a VPN site) and the hub VPN gateway.
- VPN Site: Represents your on-premises network and VPN device: its public IP address, the address space(s) behind it and, optionally, its BGP settings. In Virtual WAN the VPN site plays the role that the local network gateway plays in a standalone Azure VPN Gateway deployment.
- Connection Type: IPsec/IKE. Use IKEv2; IKEv1 is legacy and should be avoided.
Prerequisites
Before you begin, ensure you have the following:
- An active Azure subscription.
- A Virtual WAN resource deployed in your subscription.
- A Virtual WAN Hub created within the Virtual WAN resource.
- An on-premises VPN device that supports IKEv2 (IKEv1 is legacy and should be avoided) and is on, or compatible with, the Azure validated VPN device list. You will need its public IP address, and the device must be reachable from the Internet on UDP 500, UDP 4500 (NAT traversal) and IP protocol 50 (ESP).
- Administrative access to the on-premises VPN device so that you can apply the matching configuration.
Steps to Configure Site-to-Site VPN
1. Create a Virtual WAN Hub (if not already present)
A Virtual WAN hub is the core component. If you haven't created one, navigate to your Virtual WAN resource and create a hub in the desired Azure region. The hub also needs a Site-to-site (VPN) gateway, sized in scale units: VPN connections attach to that gateway, so create it before continuing.
2. Create a VPN Site
Define your on-premises network and VPN device configuration:
- In the Azure portal, navigate to your Virtual WAN resource.
- Under "Site to site VPN," select "VPN sites."
- Click "+ Create VPN site."
- Provide a name for the site, select the region, and enter the Public IP address of your on-premises VPN device.
- Specify the address space(s) of your on-premises network that will communicate with Azure.
- Optionally, configure BGP settings if your on-premises device supports BGP.
3. Create a Site-to-Site VPN Connection
This step establishes the tunnel between your VPN site and the Virtual WAN hub:
- Navigate back to your Virtual WAN resource and select "Site to site VPN."
- Click "+ Add connection."
- Select the target Virtual Hub.
- Provide a name for the connection.
- Select the previously created VPN site.
- Use IKEv2 as the protocol.
- Enter a pre-shared key (PSK). Generate it rather than inventing one (at least 32 random bytes encoded as printable ASCII), keep it in a secret store, and use a distinct key per site. The identical value must be configured on the on-premises device.
- Specify a custom IPsec/IKE policy rather than accepting the defaults. The default policy negotiates from a set of proposals that includes older algorithms; a custom policy pins the encryption, integrity, Diffie-Hellman and PFS groups that your device will be configured with, so a downgrade cannot be negotiated.
- Click "Create."
4. Configure Your On-Premises VPN Device
This is a crucial step that involves configuring your physical or virtual VPN device to establish the IPsec tunnel with Azure. The exact steps vary depending on the vendor and model of your VPN device. You will typically need to configure:
- Remote Gateway IP Addresses: The public IP addresses of the hub VPN gateway. The gateway is active-active with two instances (Instance0 and Instance1), each with its own public IP; configure a tunnel to each. Both addresses, together with the hub-side BGP settings, are in the VPN configuration file you can download from the Virtual WAN resource.
- IPsec/IKE Parameters: Encryption, integrity, Diffie-Hellman group, PFS group and SA lifetimes, matching the policy set in step 3. A mismatch here is the most common reason a tunnel never gets past IKE negotiation.
- Pre-shared Key: The same key used in step 3.
- Local and Remote Network Definitions (traffic selectors): Your on-premises address space and the hub and VNet address spaces. With route-based tunnels and BGP, the selectors are typically any-to-any and the actual prefixes are learned over BGP.
- BGP (if applicable): Peer with the BGP address of each gateway instance, using the hub's ASN (65515).
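The four steps above, carried out with Az PowerShell instead of the portal, as an added example that is not part of the original page or of Microsoft's documentation. It assumes the Az.Network module, an authenticated session (Connect-AzAccount), an existing Virtual WAN and hub, and a blob SAS URL you created beforehand; every resource name, IP address, prefix and ASN below is a placeholder. The JSON field names read at the end follow the published Virtual WAN configuration-file format and should be checked against your downloaded file.

```powershell
# Added example (not from the original page): steps 1-4 as Az PowerShell (Az.Network).
# Assumptions: Connect-AzAccount has been run, the Virtual WAN and hub exist, and every
# name, IP address, prefix and ASN below is a placeholder to replace with your own.
$rg       = "rg-vwan-prod"            # resource group (assumed)
$vwanName = "vwan-prod"               # Virtual WAN resource (assumed, already deployed)
$hubName  = "hub-westeurope"          # Virtual WAN hub (assumed, already deployed)
$gwName   = "vpngw-hub-westeurope"    # the hub's site-to-site VPN gateway (created below if absent)
$location = "westeurope"

$vwan = Get-AzVirtualWan -ResourceGroupName $rg -Name $vwanName

# Step 1 (completion): connections attach to the hub's VPN gateway, so create it if missing.
$gw = Get-AzVpnGateway -ResourceGroupName $rg -Name $gwName -ErrorAction SilentlyContinue
if (-not $gw) {
    $gw = New-AzVpnGateway -ResourceGroupName $rg -Name $gwName -VirtualHubName $hubName -VpnGatewayScaleUnit 1
}

# Step 2: the VPN site describes the on-premises device. 203.0.113.10 is a documentation
# address, 10.100.0.0/16 the branch prefix, and the BGP peer a loopback on the device that
# is deliberately kept outside the advertised address space.
$site = New-AzVpnSite -ResourceGroupName $rg -Name "site-branch01" -Location $location `
    -VirtualWan $vwan -IpAddress "203.0.113.10" -AddressSpace @("10.100.0.0/16") `
    -DeviceVendor "ExampleVendor" -DeviceModel "ExampleModel" -LinkSpeedInMbps 100 `
    -BgpAsn 65010 -BgpPeeringAddress "172.16.255.1" -BgpPeeringWeight 0

# Step 3a: pin the IPsec/IKE proposal instead of relying on the default policy set.
# AES-256-GCM, SHA-256 and DH/PFS group 14 are this example's choice; mirror them on the device.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS14 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Step 3b: generate the pre-shared key instead of typing one. 32 random bytes rendered as
# 64 hex characters stays within the printable-ASCII rules of Azure and of most VPN devices.
$pskBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pskBytes)
$psk = ($pskBytes | ForEach-Object { $_.ToString("x2") }) -join ""
$securePsk = ConvertTo-SecureString -String $psk -AsPlainText -Force
# Hand $psk to the device owner through your secret store, never through tickets or chat.

# Step 3c: the connection between the VPN site and the hub gateway, IKEv2 with BGP.
$conn = New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gwName -Name "conn-branch01" `
    -VpnSite $site -SharedKey $securePsk -VpnConnectionProtocolType IKEv2 -EnableBgp -IpSecPolicy $ipsec

# Step 4: pull the hub-side parameters the device needs. Azure writes a JSON configuration
# file to the blob you designate with a SAS URL (write access for Azure, read access for you).
$sasUrl = "https://<storage-account>.blob.core.windows.net/<container>/vpnconfig.json?<sas-token>"  # assumed
Get-AzVirtualWanVpnConfiguration -InputObject $vwan -VpnSite $site -StorageSasUrl $sasUrl | Out-Null
$cfg = (Invoke-WebRequest -Uri $sasUrl -UseBasicParsing).Content | ConvertFrom-Json

# Field names follow the published configuration-file format; verify against your own file.
# Configure a tunnel to each gateway instance and a BGP session to each peer address.
foreach ($c in $cfg.vpnSiteConnections) {
    $gwCfg = $c.gatewayConfiguration
    "Remote gateway IPs : $($gwCfg.IpAddresses.Instance0), $($gwCfg.IpAddresses.Instance1)"
    "Azure BGP ASN      : $($gwCfg.BgpSetting.Asn)"
    "Azure BGP peers    : $($gwCfg.BgpSetting.BgpPeeringAddresses.Instance0), $($gwCfg.BgpSetting.BgpPeeringAddresses.Instance1)"
    "Hub address space  : $($c.hubConfiguration.AddressSpace)"
    "BGP enabled        : $($c.connectionConfiguration.IsBgpEnabled)"
}
```

The script deliberately generates the PSK and builds a custom IPsec policy object before the connection exists, so the connection is never created with the default proposal set and then tightened afterwards; tightening later means a re-negotiation and a brief outage on every tunnel the change touches.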
Refer to the Azure VPN device configuration documentation for specific vendor configurations:
VPN Device Configuration Documentation
Verifying the Connection
Once configured on both ends, you can verify the status of your Site-to-Site VPN connection:
- In the Azure portal, navigate to your Virtual WAN hub and select "Site to site VPN."
- Check the "Connections" tab. The status should eventually show as "Connected." Then confirm that the ingress and egress byte counters are increasing: a connection that is "Connected" with zero bytes in either direction has a working IKE/IPsec tunnel but a routing or traffic-selector problem.
- Check the IKE and IPsec security associations on your on-premises VPN device as well, one tunnel per gateway instance, and confirm that the negotiated algorithms are the ones you pinned in step 3.
Routing and Traffic Flow
Every connection to a hub (S2S VPN, VNet, ExpressRoute, point-to-site) is associated with one hub route table and propagates its routes to one or more route tables. By default everything uses the hub's default route table, which gives transitive any-to-any routing: traffic from an on-premises site is routed through the hub to the connected VNets and vice versa, and sites can reach each other through the hub. Two consequences matter for security. First, the hub itself performs no filtering, so use custom route tables, or a secured hub with Azure Firewall and routing intent, when on-premises and VNet traffic must be segmented or inspected. Second, prefixes a site advertises over BGP are accepted into hub routing, so constrain what the on-premises device is allowed to advertise.
Troubleshooting Common Issues
- Connection not establishing: Compare the IKE/IPsec proposals and the pre-shared key on both ends, confirm the on-premises firewall allows UDP 500, UDP 4500 and ESP to and from both gateway instance IPs, and verify the public IP addresses entered on both sides (the device's public IP on the VPN site must be the address Azure actually sees, not a pre-NAT address).
- No traffic flow: Check the hub route table and the routes on the on-premises device, the VPN site address space (without BGP only the prefixes listed there are routed), Network Security Groups (NSGs) on the VNet subnets, and that the device's traffic selectors cover the hub and VNet prefixes.
- BGP issues: Verify the ASNs (the hub uses 65515; the on-premises ASN must not be one Azure reserves, such as 65515, 65517 to 65520 or 12076), the peer IP addresses (the device's BGP peer address on the VPN site and both hub instance peer addresses from the configuration file), that the peer addresses are reachable inside the tunnel, and any route filtering applied on the device.
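A read-only check that maps the troubleshooting list above onto properties of the connection object, as an added example that is not part of the original page. It assumes the Az.Network module and an authenticated session; the resource names in the call at the bottom are placeholders, and the algorithm lists it flags are this example's own choice of what counts as legacy.

```powershell
# Added example (not from the original page): triage an existing Virtual WAN VPN connection.
# Assumptions: Az.Network is installed, Connect-AzAccount has been run, names are placeholders.
function Test-VwanVpnConnection {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName,      # the hub's site-to-site VPN gateway
        [Parameter(Mandatory)] [string] $ConnectionName
    )

    $conn = Get-AzVpnConnection -ResourceGroupName $ResourceGroupName `
        -ParentResourceName $GatewayName -Name $ConnectionName
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Tunnel not up: proposal or PSK mismatch, firewall, or a wrong public IP.
    if ($conn.ConnectionStatus -ne "Connected") {
        $findings.Add("Status '$($conn.ConnectionStatus)': compare the IKE/IPsec proposal and PSK on the device, " +
                      "confirm UDP 500/4500 and ESP are allowed to both gateway instance IPs, and recheck both public IPs.")
    }

    # 2. Tunnel up but silent in one direction: routing or traffic selectors, not crypto.
    if ($conn.ConnectionStatus -eq "Connected" -and $conn.IngressBytesTransferred -eq 0) {
        $findings.Add("Connected but 0 bytes received: check on-premises routes and traffic selectors toward the hub and VNet prefixes.")
    }
    if ($conn.ConnectionStatus -eq "Connected" -and $conn.EgressBytesTransferred -eq 0) {
        $findings.Add("Connected but 0 bytes sent: check the hub route table, the VPN site address space or BGP advertisements, and VNet NSGs.")
    }

    # 3. No custom policy means the gateway negotiates from its default proposal set.
    #    The legacy lists below are this example's choice of what to flag.
    $legacyEnc  = @("DES", "DES3")
    $legacyHash = @("MD5", "SHA1")
    $legacyDh   = @("None", "DHGroup1", "DHGroup2", "PFS1", "PFS2")
    if (-not $conn.IpsecPolicies -or $conn.IpsecPolicies.Count -eq 0) {
        $findings.Add("Default IPsec/IKE policy in use: pin a custom policy (for example AES-256-GCM, SHA-256, DH/PFS group 14) on both ends.")
    }
    else {
        foreach ($p in $conn.IpsecPolicies) {
            if ($p.IkeEncryption -in $legacyEnc -or $p.IpsecEncryption -in $legacyEnc -or
                $p.IkeIntegrity -in $legacyHash -or $p.DhGroup -in $legacyDh -or $p.PfsGroup -in $legacyDh) {
                $findings.Add("Custom policy still allows legacy algorithms: IKE $($p.IkeEncryption)/$($p.IkeIntegrity)/$($p.DhGroup), " +
                              "IPsec $($p.IpsecEncryption)/$($p.IpsecIntegrity)/PFS $($p.PfsGroup).")
            }
        }
    }

    # 4. Without BGP, Azure only routes the static address space declared on the VPN site.
    if (-not $conn.EnableBgp) {
        $findings.Add("BGP disabled: every on-premises prefix must be listed in the VPN site address space or it is not routed.")
    }

    # Per-link view: a multi-link site reports one status and one pair of counters per link.
    foreach ($link in $conn.VpnLinkConnections) {
        "$($link.Name): $($link.ConnectionStatus), in=$($link.IngressBytesTransferred) B, out=$($link.EgressBytesTransferred) B"
    }

    if ($findings.Count -eq 0) { "No findings for $ConnectionName." } else { $findings }
}

# Placeholder names; replace with your own.
Test-VwanVpnConnection -ResourceGroupName "rg-vwan-prod" -GatewayName "vpngw-hub-westeurope" -ConnectionName "conn-branch01"
```

Run it after any change on the device side: the byte counters separate "tunnel is down" from "tunnel is up but routing is wrong", which are fixed in different places, and the policy check catches the common case where a connection was created with the defaults and nobody went back to pin the algorithms.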
For more advanced troubleshooting, consult the Virtual WAN Troubleshooting Guide.
Following these steps gives you Site-to-Site VPN connectivity into Azure Virtual WAN with a pinned IPsec/IKE policy and a distinct key per site. Keep the device configuration and the Azure connection settings in step whenever either side changes, since a change to only one end shows up first as a tunnel that silently fails to re-negotiate.