Deploy and Configure Azure VPN Gateway
This document guides you through the process of deploying and configuring an Azure VPN Gateway to establish secure, cross-premises connectivity between your on-premises networks and your Azure virtual networks.
Prerequisites
- An active Azure subscription.
- An existing Azure Virtual Network (VNet).
- A gateway subnet within your VNet, named GatewaySubnet. This subnet must be used specifically for the VPN gateway.
- An on-premises VPN device or a compatible Azure VPN client.
Deployment Steps
1. Create a VPN Gateway
You can deploy a VPN gateway using the Azure portal, Azure CLI, or Azure PowerShell.
Using Azure Portal
- Navigate to the Azure portal.
- Search for "Virtual network gateways" and select it.
- Click + Create.
- Configure the following settings:
- Subscription: Select your Azure subscription.
- Resource group: Choose an existing or create a new resource group.
- Name: Provide a unique name for your VPN gateway.
- Region: Select the same region as your VNet.
- Gateway type: Choose VPN.
- VPN type: Select the type that matches your on-premises device (e.g., RouteBased for most scenarios).
- SKU: Choose a SKU that meets your performance and feature requirements (e.g., VpnGw1, VpnGw2AZ).
- Generation: Select the generation (e.g., Generation1, Generation2).
- Virtual network: Select the VNet that contains your GatewaySubnet.
- Public IP address: Create a new Standard SKU, static public IP address, or select an existing one.
- Enable active-active mode: (Optional) For higher availability.
- Configure BGP: (Optional) If you plan to use BGP for dynamic routing.
- Click Review + create, then Create.
Using Azure CLI
The following is a simplified example. Refer to the official Azure CLI documentation for detailed parameters.
az network vnet-gateway create \
--name MyVpnGateway \
--resource-group MyResourceGroup \
--location eastus \
--gateway-type Vpn \
--vpn-type RouteBased \
--sku VpnGw1 \
--vnet <YOUR_VNET_NAME> \
--public-ip-address <YOUR_PUBLIC_IP_NAME>
2. Create a Local Network Gateway
A local network gateway represents your on-premises network. It contains the public IP address of your on-premises VPN device and the address spaces of your on-premises network.
- In the Azure portal, search for "Local network gateways" and select it.
- Click + Create.
- Configure the following settings:
- Resource group: Same as your VPN gateway.
- Region: Same as your VPN gateway.
- Name: A descriptive name for your on-premises network (e.g., OnPremisesNetwork).
- IP address: The public IP address of your on-premises VPN device.
- Address spaces: The IP address ranges of your on-premises network(s).
- Configure BGP settings: (Optional) If applicable.
- Click Review + create, then Create.
3. Create a Connection
This step links your Azure VPN Gateway to your Local Network Gateway, establishing the VPN tunnel.
- Navigate to your created Azure VPN Gateway resource.
- Under Settings, select Connections.
- Click + Add.
- Configure the following settings:
- Name: A name for the connection (e.g., VNetToOnPrem).
- Connection type: Select Site-to-site (IPsec).
- Virtual network gateway: Automatically selected.
- Local network gateway: Select the local network gateway you created.
- Shared key (PSK): Enter a strong, randomly generated pre-shared key. This key must match on both the Azure side and your on-premises VPN device.
- IKE protocol: Choose the appropriate IKE protocol (IKEv2 is recommended).
- Enable BGP: (Optional) If BGP is configured.
- Click OK.
On-Premises Device Configuration
Configure your on-premises VPN device to establish a tunnel to your Azure VPN Gateway. This typically involves:
- Specifying the Azure VPN Gateway's public IP address as the remote gateway.
- Configuring the matching pre-shared key (PSK).
- Defining the traffic selectors and the IKE/IPsec proposals to match Azure's defaults or your chosen configuration.
- Ensuring your on-premises network address spaces are correctly defined for routing.
Consult your VPN device vendor's documentation for specific configuration steps.
Verification
After both Azure and your on-premises device are configured, the connection status in the Azure portal should change to Connected.
Test connectivity by pinging resources across the tunnel or accessing services.
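The following script is an added example, not part of this document or of Microsoft's own tooling. It runs steps 1 to 3 above and the verification check with the Azure CLI: it creates the public IP and VPN gateway, the local network gateway, and the site-to-site connection, then reads the connection status. The resource names, region, on-premises device address (203.0.113.10, a documentation range) and address prefixes are constructed placeholders; it assumes a VNet named MyVnet that already contains a GatewaySubnet and an `az login` session. The `az` calls run only when `RUN_DEPLOY=1` is set, so the local helpers (prefix validation and PSK generation) can be exercised without an Azure subscription.

```shell
#!/bin/sh
# Added example (not from the original page): scripts steps 1-3 and the
# verification with the Azure CLI. All names, the region and the address
# ranges below are assumed placeholders; adjust them before running.
set -eu

RG="MyResourceGroup"             # assumed resource group
LOCATION="eastus"
VNET="MyVnet"                    # assumed VNet that already has a GatewaySubnet
GW="MyVpnGateway"
GW_PIP="MyVpnGatewayPip"
LNG="OnPremisesNetwork"
LNG_IP="203.0.113.10"            # constructed on-prem device address (TEST-NET-3)
LNG_PREFIXES="10.10.0.0/16 10.20.0.0/24"   # constructed on-prem address spaces
CONN="VNetToOnPrem"

# Sanity check for an IPv4 CIDR: four octets in 0-255 and a prefix length 0-32.
# Catches typos before they are sent to the local network gateway.
cidr_is_valid() {
  echo "$1" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$'
}

# 32 random bytes from /dev/urandom rendered as 64 hex characters: printable,
# within Azure's PSK length limit, and never a hand-typed phrase.
generate_psk() {
  od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Step 1: Standard SKU static public IP plus the route-based VPN gateway.
# az waits for the gateway to finish provisioning, which can take a long time.
create_vpn_gateway() {
  az network public-ip create -g "$RG" -n "$GW_PIP" -l "$LOCATION" \
    --sku Standard --allocation-method Static --output none
  az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 \
    --vnet "$VNET" --public-ip-address "$GW_PIP" --output none
}

# Step 2: the local network gateway describing the on-premises side.
create_local_network_gateway() {
  # shellcheck disable=SC2086  # word-splitting of LNG_PREFIXES is intended
  az network local-gateway create -g "$RG" -n "$LNG" -l "$LOCATION" \
    --gateway-ip-address "$LNG_IP" --local-address-prefixes $LNG_PREFIXES \
    --output none
}

# Step 3: the site-to-site connection; the PSK is passed in, not echoed.
create_connection() {
  psk="$1"
  az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LNG" \
    --shared-key "$psk" --output none
}

# Verification: prints Connected once the on-premises device has been configured.
connection_status() {
  az network vpn-connection show -g "$RG" -n "$CONN" \
    --query connectionStatus -o tsv
}

main() {
  for p in $LNG_PREFIXES; do
    cidr_is_valid "$p" || { echo "invalid on-premises prefix: $p" >&2; exit 1; }
  done
  psk="$(generate_psk)"
  create_vpn_gateway
  create_local_network_gateway
  create_connection "$psk"
  echo "Connection $CONN created; configure the on-premises device with the same PSK."
  echo "Current status: $(connection_status)"
}

# Only touch Azure when explicitly asked to.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then main; fi
```

The PSK is generated on the host and handed to the on-premises administrator out of band; it never appears in the script's output. Because `--shared-key` is passed on the command line, run this from a session whose history and process list are not visible to other users, or switch to reading the key from a secrets store once the deployment is automated.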