Configure Site-to-Site VPN for Azure Virtual WAN

This article provides guidance on how to configure and manage Site-to-Site (S2S) VPN connections for Azure Virtual WAN. Virtual WAN simplifies the management of global network connectivity and branch office connectivity.

What is Site-to-Site VPN?

Site-to-Site VPN allows you to securely connect your on-premises networks (branches, data centers) to your Azure Virtual WAN hub over the public internet using IPsec/IKE tunnels. Because the traffic is encrypted and authenticated end to end between the two gateways, this is a cost-effective alternative to dedicated private connections such as ExpressRoute.

Key Components

  • Azure Virtual WAN Hub: A managed networking service that acts as a central transit point for your hybrid cloud networking.
  • VPN Device: A physical or virtual network appliance at your on-premises location capable of establishing IPsec VPN tunnels.
  • VPN Gateway (virtual network gateway): Deployed within the Virtual WAN hub, this component terminates the IPsec tunnels and handles the VPN connections; it is the "VPN gateway" created in step 2 below.
  • Site: Represents your on-premises location and its network configuration, including the VPN device's public IP address.

Steps to Configure S2S VPN

Follow these steps to establish a Site-to-Site VPN connection:

  1. Create a Virtual WAN Hub: If you don't already have one, create an Azure Virtual WAN resource and then deploy a Virtual Hub within it.
  2. Create a VPN Gateway: Within your Virtual Hub, create a VPN gateway. Choose the appropriate SKU and scale based on your throughput requirements.
  3. Create a Site: In the Azure portal, navigate to your Virtual WAN resource. Under "Site-to-site VPN," select "Sites" and then click "+ Create site."
    • Provide a name for the site (e.g., "NewYorkOffice").
    • Select the correct Azure region.
    • Enter the public IP address of your on-premises VPN device.
    • Specify the address space(s) of your on-premises network.
    • (Optional) Configure BGP settings if your on-premises VPN device supports BGP.
  4. Connect Site to Hub: After creating the site, navigate to the "Site-to-site VPN" section within your Virtual WAN hub. Select "Connections" and click "+ Add connection."
    • Choose the connection name (e.g., "NYOffice-to-Hub").
    • Select the VPN gateway you created.
    • Select the "Site" you created.
    • Configure shared key (PSK) or certificate authentication.
    • (Optional) Enable BGP if applicable.
    • Review and create the connection.
  5. Configure On-Premises VPN Device: On your on-premises VPN device, configure the IPsec/IKE parameters to match the settings used by the Azure VPN gateway. This typically includes:
    • Remote Gateway IP Address (the public IP of your Azure Virtual WAN VPN Gateway).
    • Local Network Information (your on-premises address space).
    • IPsec/IKE Phase 1 and Phase 2 parameters (e.g., encryption algorithms, hashing algorithms, Diffie-Hellman groups, lifetimes).
    • Pre-shared key (PSK) or certificate.
    You can download the configuration script for your specific VPN device model from the Azure portal connection details page.
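The following script is an added example, not part of the original article, showing steps 1 through 4 performed with the Az PowerShell module (Az.Network) instead of the portal, plus the configuration download mentioned in step 5. The resource group, region, names, address ranges and the on-premises public IP address are constructed placeholders, and the IPsec/IKE algorithm selection is one reasonable choice rather than a requirement; the storage SAS URL is a placeholder you must supply.

```powershell
# Added example (not from the article): create the Virtual WAN, hub, VPN gateway,
# VPN site and site-to-hub connection from steps 1-4 with Az.Network cmdlets.
# All names, address ranges and the on-premises IP below are constructed placeholders.
$rg       = "rg-vwan-demo"
$location = "eastus"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Step 1: Virtual WAN and a hub inside it. The hub needs its own address range
# that does not overlap any connected site or virtual network.
$wan = New-AzVirtualWan -ResourceGroupName $rg -Name "vwan-demo" -Location $location `
        -AllowBranchToBranchTraffic $true
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name "hub-eastus" -VirtualWan $wan `
        -AddressPrefix "10.100.0.0/24" -Location $location

# Step 2: VPN gateway in the hub. Scale units set throughput (and cost); start small.
$gw = New-AzVpnGateway -ResourceGroupName $rg -Name "vpngw-eastus" -VirtualHub $hub `
        -VpnGatewayScaleUnit 1

# Step 3: the site, i.e. the on-premises device's public IP and the prefixes behind it.
# 203.0.113.10 and the 192.168.x.0/24 ranges are placeholder values.
$site = New-AzVpnSite -ResourceGroupName $rg -Name "NewYorkOffice" -Location $location `
        -VirtualWan $wan -IpAddress "203.0.113.10" `
        -AddressSpace "192.168.10.0/24","192.168.20.0/24" `
        -DeviceVendor "ExampleVendor" -DeviceModel "ExampleModel" -LinkSpeedInMbps 100

# Step 4: connect the site to the hub gateway. The PSK is read interactively so it is
# never stored in the script. IKEv2 with an explicit IPsec/IKE policy gives the
# on-premises device one exact proposal to mirror (example algorithm choice).
$psk = Read-Host -AsSecureString -Prompt "Pre-shared key for NYOffice-to-Hub"
$policy = New-AzIpsecPolicy -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000 `
        -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 `
        -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 -PfsGroup PFS14

New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw.Name -Name "NYOffice-to-Hub" `
        -VpnSite $site -SharedKey $psk -VpnConnectionProtocolType IKEv2 -IpSecPolicy $policy

# Step 5 (download): write the device configuration for the site to a blob you own.
# Replace the SAS URL placeholder with a write-capable SAS for your storage blob.
Get-AzVirtualWanVpnConfiguration -ResourceGroupName $rg -Name $wan.Name -VpnSite $site `
        -StorageSasUrl "<blob-sas-url-placeholder>"
```

Reading the pre-shared key with Read-Host -AsSecureString keeps it out of shell history and source control; the explicit New-AzIpsecPolicy means the Phase 1 and Phase 2 parameters you enter on the on-premises device in step 5 are the ones you chose here, not whatever the gateway's default proposal negotiates.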

Key Considerations

  • Throughput: The throughput of your S2S VPN connection depends on the SKU and scale of your Virtual WAN VPN Gateway.
  • High Availability: Azure Virtual WAN VPN gateways are deployed in an active-active configuration, so each site connection is backed by two tunnels, one to each gateway instance. Ensure your on-premises VPN device supports two concurrent tunnels to the same site so that failover between instances does not drop connectivity.
  • BGP: Using BGP allows for dynamic routing and automatic failover. Ensure your on-premises network infrastructure and VPN device support BGP.
  • IPsec/IKE Policies: Ensure compatibility between the IPsec/IKE policies configured on both Azure and your on-premises VPN device. Azure supports a range of standard algorithms.