Azure Virtual WAN

Comprehensive Documentation

Virtual Network Gateway Connections

This document provides detailed information on managing connections for your Azure Virtual WAN Virtual Network Gateways. Understanding and configuring these connections is crucial for establishing secure and efficient network connectivity.

Connection Types

Virtual Network Gateways in Azure Virtual WAN support various connection types to suit different networking requirements. The primary connection types include:

  • Site-to-Site VPN: Connects your on-premises networks to your Azure Virtual WAN hub using IPsec tunnels.
  • ExpressRoute: Provides private, high-bandwidth connectivity between your on-premises network and Azure Virtual WAN.
  • VNet-to-VNet: Enables connectivity between different Azure Virtual Networks through the Virtual WAN hub.

Configuring a Site-to-Site VPN Connection

Follow these steps to configure a new Site-to-Site VPN connection:

  1. Navigate to your Virtual WAN resource in the Azure portal.
  2. Under the "Virtual network connections" section, click "Create connection".
  3. Select the "VPN" connection type and provide a name for your connection.
  4. Choose the Virtual Network Gateway and the Hub where you want to establish the connection.
  5. Configure the VPN device details, including IP address and shared key.
  6. Specify the address spaces for your on-premises network.
  7. Review and create the connection.

Important: Ensure that your on-premises VPN device is compatible with Azure VPN Gateway and has matching configuration parameters, such as IKE version, encryption algorithms, and integrity algorithms.

Managing Existing Connections

You can view, edit, and delete existing connections through the Azure portal. Each connection has a detailed overview page showing its status, configuration, and associated resources.

Connection Status and Troubleshooting

Connection status indicators in the Azure portal provide real-time information about the health of your VPN tunnels and ExpressRoute circuits. If a connection is down, check the following:

  • VPN Gateway Logs: Examine VPN logs for authentication errors or negotiation failures.
  • On-Premises Device Configuration: Verify that your on-premises VPN device is online and correctly configured.
  • Network Path: Ensure there are no network firewalls or devices blocking the traffic the VPN needs: UDP 500 (IKE), UDP 4500 (NAT-T), and IP protocol 50 (ESP), which is a protocol number rather than a port.
  • IP Address Mismatch: Double-check that public IP addresses for both Azure and on-premises gateways are correctly configured.

Advanced Connection Settings

Virtual WAN offers advanced settings for connections, including:

  • BGP Routing: Enable Border Gateway Protocol (BGP) for dynamic routing between your on-premises networks and Azure.
  • IPsec/IKE Policy: Customize IPsec and IKE parameters for enhanced security and compatibility.
  • Custom IPsec Transform Sets: Define specific encryption and integrity algorithms for your VPN tunnels.

Example: Custom IPsec Policy

{
  "name": "MyCustomIPsecPolicy",
  "ipsecEncryption": "AES256",
  "ipsecIntegrity": "SHA256",
  "ikeEncryption": "AES256",
  "ikeIntegrity": "SHA256",
  "dhGroup": "DHGroup2",
  "saDataSizeKilobytes": 102400,
  "saLifeTimeSeconds": 3600
}
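The matching requirement stated under Configuring a Site-to-Site VPN Connection and the custom policy above can be checked before a connection is created. The following is an added example, not Azure tooling or code from this page: it reads a policy in the format shown above, compares it with a constructed on-premises proposal that uses the same field names, and flags parameters the two sides disagree on as well as a dhGroup below 112-bit security (DHGroup2 is 1024-bit MODP). The field names, the strength table and the minimums are assumptions of this example; the ARM schema also carries a pfsGroup field that the policy above omits and this check does not require.

```python
import json

# Constructed inputs (not from a live Azure resource or VPN device): the
# page's custom policy, and an on-premises proposal normalised to the same
# field names (a real device config would need translating first).
AZURE_POLICY = json.loads("""{
  "name": "MyCustomIPsecPolicy",
  "ipsecEncryption": "AES256", "ipsecIntegrity": "SHA256",
  "ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
  "dhGroup": "DHGroup2",
  "saDataSizeKilobytes": 102400, "saLifeTimeSeconds": 3600
}""")
ONPREM_PROPOSAL = {
    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14",
    "ipsecEncryption": "AES256", "ipsecIntegrity": "SHA256",
}

# Estimated security strength in bits of Azure's DH group names, using the
# NIST SP 800-57 equivalence for the underlying MODP/ECP sizes (assumed table).
DH_STRENGTH_BITS = {"DHGroup2": 80, "DHGroup14": 112, "DHGroup2048": 112,
                    "DHGroup24": 112, "ECP256": 128, "ECP384": 192}
NEGOTIATED_FIELDS = ("ikeEncryption", "ikeIntegrity", "dhGroup",
                     "ipsecEncryption", "ipsecIntegrity")
MIN_SA_LIFETIME_S, MIN_SA_DATA_KB = 300, 1024  # assumed Azure minimums


def check_policy(policy):
    """Findings for an Azure custom IPsec/IKE policy taken on its own."""
    findings = []
    bits = DH_STRENGTH_BITS.get(policy["dhGroup"])
    if bits is None:
        findings.append(f"unknown dhGroup {policy['dhGroup']!r}")
    elif bits < 112:
        findings.append(f"weak dhGroup {policy['dhGroup']} (~{bits}-bit security)")
    if policy["saLifeTimeSeconds"] < MIN_SA_LIFETIME_S:
        findings.append("saLifeTimeSeconds below Azure minimum")
    if policy["saDataSizeKilobytes"] < MIN_SA_DATA_KB:
        findings.append("saDataSizeKilobytes below Azure minimum")
    return findings


def check_match(policy, proposal):
    """Parameters on which IKE/IPsec negotiation between the sides would fail."""
    return [f"{f}: Azure={policy.get(f)} on-prem={proposal.get(f)}"
            for f in NEGOTIATED_FIELDS if policy.get(f) != proposal.get(f)]


if __name__ == "__main__":
    print(check_policy(AZURE_POLICY))
    print(check_match(AZURE_POLICY, ONPREM_PROPOSAL))
```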

Connection Limitations and Best Practices

Be aware of the following limitations and best practices when configuring connections:

  • Maximum Connections: Refer to Azure Virtual WAN limits for the maximum number of connections supported per hub.
  • Throughput: Understand the throughput limitations of your VPN gateway SKU and ExpressRoute circuit.
  • Redundancy: Implement redundant connections for high availability.
  • Naming Conventions: Use clear and consistent naming conventions for your connections.