Configure Site‑to‑Site VPN with Azure Virtual WAN

Prerequisites

  • An active Azure subscription.
  • Virtual WAN instance created, with a virtual hub.
  • A site‑to‑site VPN gateway deployed in that virtual hub (connections are attached to the hub's gateway).
  • On‑premises VPN device that supports IKEv2.
  • Public IP address for the on‑premises device.

Step‑by‑Step Guide

  1. Navigate to Virtual WAN > Virtual hubs and select your hub.
  2. Click VPN site > Add VPN site.
  3. Enter a name, select the on‑premises location, and provide the public IP address.
  4. Under IPsec connection, configure:
    • IKE version: 2
    • Pre‑shared key: yourStrongKey (placeholder; use a long random value that is unique to this site)
    • Encryption: AES256
    • Integrity: SHA256
    • DH Group: DH Group 14
  5. Save the configuration and wait for the connection state to become Connected.

Azure CLI

# Requires the virtual-wan CLI extension: az extension add --name virtual-wan
# Create a VPN site describing the on-premises device
az network vpn-site create \
  --resource-group MyResourceGroup \
  --name OnPremVpnSite \
  --virtual-wan MyVirtualWAN \
  --ip-address 203.0.113.10 \
  --address-prefixes 10.1.0.0/16 \
  --asn 65001 \
  --bgp-peering-address 10.1.255.254

# Create the site-to-site connection on the hub's VPN gateway.
# MyVpnGateway is the name of the S2S VPN gateway already deployed in MyHub.
# Export the pre-shared key into $PSK first (e.g. with 'read -rs PSK') so the
# literal never appears in shell history.
az network vpn-gateway connection create \
  --resource-group MyResourceGroup \
  --gateway-name MyVpnGateway \
  --name SiteToSiteConn \
  --remote-vpn-site OnPremVpnSite \
  --shared-key "$PSK" \
  --enable-bgp true \
  --routing-weight 10

Azure PowerShell

# Create the VPN site (Az.Network module)
$wan = Get-AzVirtualWan -ResourceGroupName "MyResourceGroup" -Name "MyVirtualWAN"
New-AzVpnSite -ResourceGroupName "MyResourceGroup" `
    -Name "OnPremVpnSite" `
    -Location $wan.Location `
    -VirtualWan $wan `
    -IpAddress "203.0.113.10" `
    -AddressSpace @("10.1.0.0/16") `
    -BgpAsn 65001 `
    -BgpPeeringAddress "10.1.255.254"

# Create the site-to-site connection on the hub's VPN gateway.
# MyVpnGateway is the name of the S2S VPN gateway already deployed in MyHub.
# The shared key is a SecureString; prompt for it rather than embedding it in the script.
$site = Get-AzVpnSite -ResourceGroupName "MyResourceGroup" -Name "OnPremVpnSite"
$psk  = Read-Host -Prompt "Pre-shared key" -AsSecureString
New-AzVpnConnection -ResourceGroupName "MyResourceGroup" `
    -ParentResourceName "MyVpnGateway" `
    -Name "SiteToSiteConn" `
    -VpnSite $site `
    -SharedKey $psk `
    -EnableBgp `
    -RoutingWeight 10

Verification

After the connection is established, verify that the hub's VPN gateway reports it as Connected:

# Azure CLI (MyVpnGateway is the S2S VPN gateway in MyHub)
az network vpn-gateway connection show --resource-group MyResourceGroup --gateway-name MyVpnGateway --name SiteToSiteConn --query connectionStatus -o tsv

# Expected output: Connected
# To see every site attached to the gateway:
az network vpn-gateway connection list --resource-group MyResourceGroup --gateway-name MyVpnGateway --query "[].{site:name,status:connectionStatus}" -o table

Best Practices

  • Use strong, unique pre‑shared keys for each connection.
  • Enable BGP for dynamic route exchange whenever possible.
  • Monitor connection health via Azure Monitor and Network Watcher.
  • Apply NSG rules to restrict inbound traffic from the on‑premises network.
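An added example, not code from the original page, that applies the best practices above to the CLI flow: the pre-shared key comes from the OS CSPRNG instead of a typed value, is stored in Key Vault and passed through a variable rather than a literal, the IKE/IPsec proposal from step 4 is pinned explicitly, and the script polls until the connection reports Connected. Assumed names: the hub's S2S VPN gateway MyVpnGateway and Key Vault MyKeyVault; the az commands are from the virtual-wan CLI extension.

```shell
#!/bin/sh
# Added example (not from the page). Assumed: S2S VPN gateway MyVpnGateway in MyHub,
# Key Vault MyKeyVault, and the virtual-wan CLI extension installed.
set -eu
RG=MyResourceGroup
GATEWAY=MyVpnGateway
SITE=OnPremVpnSite
CONN=SiteToSiteConn
VAULT=MyKeyVault

# 32 random alphanumerics from the OS CSPRNG (about 190 bits of entropy).
gen_psk() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32; }

# Reject keys shorter than 32 chars, longer than 128, or outside a conservative charset.
psk_ok() {
  [ "${#1}" -ge 32 ] && [ "${#1}" -le 128 ] || return 1
  case "$1" in *[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Poll $1 (a command that prints connectionStatus) up to $2 times, $3 seconds apart.
wait_connected() {
  i=0; s=Unknown
  while [ "$i" -lt "$2" ]; do
    s=$("$1"); [ "$s" = Connected ] && return 0
    i=$((i + 1)); sleep "$3"
  done
  echo "connection still '$s' after $2 polls" >&2; return 1
}

live_status() {
  az network vpn-gateway connection show -g "$RG" --gateway-name "$GATEWAY" \
    -n "$CONN" --query connectionStatus -o tsv
}

deploy() {
  psk=$(gen_psk); psk_ok "$psk" || { echo "unacceptable PSK" >&2; return 1; }
  # Keep the key in Key Vault; provision the on-premises device from the same entry.
  az keyvault secret set --vault-name "$VAULT" --name "$CONN-psk" --value "$psk" -o none
  # The key travels in a variable, so no literal lands in shell history.
  az network vpn-gateway connection create -g "$RG" --gateway-name "$GATEWAY" -n "$CONN" \
    --remote-vpn-site "$SITE" --shared-key "$psk" --enable-bgp true --routing-weight 10 -o none
  # Pin the proposal from step 4 (AES256/SHA256/DH Group 14) instead of relying on defaults.
  az network vpn-gateway connection ipsec-policy add -g "$RG" --gateway-name "$GATEWAY" \
    --connection-name "$CONN" --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
    --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-data-size 102400000 -o none
  wait_connected live_status 30 20   # up to 10 minutes for the tunnel to come up
}
[ "${1:-}" = deploy ] && deploy
```

Run as `sh script.sh deploy`; without the argument the functions are only defined, so the key generation and status checks can be exercised on their own.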