---
title: 'Tutorial - Create S2S VPN connection between on-premises network and Azure virtual network: Azure portal'
description: In this tutorial, you learn how to create a VPN Gateway site-to-site IPsec connection between your on-premises network and a virtual network.
titleSuffix: Azure VPN Gateway
author: cherylmc
ms.author: cherylmc
ms.service: vpn-gateway
ms.topic: tutorial
ms.date: 04/16/2024
---
In this tutorial, you use the Azure portal to create a site-to-site (S2S) VPN gateway connection between your on-premises network and a virtual network. You can also create this configuration by using Azure PowerShell or the Azure CLI.
:::image type="content" source="./media/tutorial-site-to-site-portal/diagram.png" alt-text="Diagram that shows site-to-site VPN gateway cross-premises connections." lightbox="./media/tutorial-site-to-site-portal/diagram.png":::
In this tutorial, you:
[!div class="checklist"]
- Create a virtual network.
- Create a VPN gateway.
- Create a local network gateway.
- Create a VPN connection.
- Verify the connection.
- Connect to a virtual machine.
- You need an Azure account with an active subscription. If you don't have one, you can create one for free.
- Make sure you have a compatible VPN device and someone who can configure it. For more information about compatible VPN devices and device configuration, see About VPN devices.
- Verify that you have an externally facing public IPv4 address for your VPN device.
- If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
In this section, you create a virtual network by using the following values:
- Resource group: TestRG1
- Name: VNet1
- Region: (US) East US
- IPv4 address space: 10.1.0.0/16
- Subnet name: FrontEnd
- Subnet address space: 10.1.0.0/24
[!INCLUDE About cross-premises addresses]
[!INCLUDE Create a virtual network]
After you create your virtual network, you can optionally configure Azure DDoS Protection. Azure DDoS Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes. For more information about Azure DDoS Protection, see What is Azure DDoS Protection?.
[!INCLUDE About gateway subnets]
[!INCLUDE Create gateway subnet]
[!INCLUDE NSG warning]
In this step, you create the virtual network gateway for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
Create a virtual network gateway (VPN gateway) by using the following values:
- Name: VNet1GW
- Region: East US
- Gateway type: VPN
- SKU: VpnGw2
- Generation: Generation 2
- Virtual network: VNet1
- Gateway subnet address range: 10.1.255.0/27
- Public IP address: Create new
- Public IP address name: VNet1GWpip
- Enable active-active mode: Disabled
- Configure BGP: Disabled
[!INCLUDE Create a vpn gateway]
[!INCLUDE Configure PIP settings]
A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.
[!INCLUDE NSG warning]
To view public IP addresses associated to your virtual network gateway, navigate to your gateway in the portal.
- On the portal page for your virtual network gateway, under Settings, open the Properties page.
- To view more information about the IP address object, click the associated IP address link.
The local network gateway is a specific object deployed to Azure that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the on-premises VPN device to which you create a connection. You also specify the IP address prefixes that are routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.
Create a local network gateway by using the following values:
- Name: Site1
- Resource Group: TestRG1
- Location: East US
[!INCLUDE Add a local network gateway]
Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When you configure your VPN device, you need the following values:
- Shared key: This shared key is the same one that you specify when you create your site-to-site VPN connection. In our examples, we use a very simple shared key. We recommend that you generate a more complex key to use.
- Public IP address of your virtual network gateway: You can view the public IP address by using the Azure portal, PowerShell, or the Azure CLI. To find the public IP address of your VPN gateway by using the Azure portal, go to Virtual network gateways and then select the name of your gateway.
[!INCLUDE Configure a VPN device]
Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.
Create a connection by using the following values:
- Local network gateway name: Site1
- Connection name: VNet1toSite1
- Shared key: For this example, you use abc123. But you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.
[!INCLUDE Add a site-to-site connection]
You can configure more settings for your connection, if necessary. Otherwise, skip this section and leave the defaults in place. For more information, see Configure custom IPsec/IKE connection policies.
[!INCLUDE Configure additional connection settings with screenshot]
[!INCLUDE Verify the connection]
[!INCLUDE Connect to a VM]
This section describes options that are available to you.
There are specific rules about resizing versus changing a gateway SKU. In this section, you resize the SKU. For more information, see Resize or change gateway SKUs.
[!INCLUDE resize a gateway]
Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more site-to-site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly but aren't able to establish IPsec tunnels with the Azure VPN gateways.
[!INCLUDE reset a gateway]
You can create a connection to multiple on-premises sites from the same VPN gateway. If you want to configure multiple connections, the address spaces can't overlap between any of the connections.
- To add another connection, go to the VPN gateway and then select Connections to open the Connections page.
- Select + Add to add your connection. Adjust the connection type to reflect either network-to-network (if connecting to another virtual network gateway) or site-to-site.
- If you're connecting by using site-to-site and you haven't already created a local network gateway for the site you want to connect to, you can create a new one.
- Specify the shared key that you want to use and then select OK to create the connection.
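The prerequisites state that no on-premises subnet may overlap the virtual network subnets, and the multi-site section above adds that address spaces can't overlap between any of the connections either. Both rules are easy to get wrong when several local network gateways share one VPN gateway, so the following added example (not part of the Azure tutorial) checks an address plan before anything is deployed. It uses the tutorial's own VNet1 values (10.1.0.0/16, FrontEnd 10.1.0.0/24, GatewaySubnet 10.1.255.0/27); the on-premises prefixes and site names in the sample plan are constructed placeholders, the `max_gateway_prefixlen=27` threshold simply mirrors the /27 the tutorial uses, and `generate_shared_key` assumes an alphanumeric key is acceptable to your VPN device, since the page doesn't state a character set.

```python
"""Validate a site-to-site VPN address plan and generate a strong shared key.

Added example; not code from the Azure VPN Gateway tutorial. VNet values are
the tutorial's; site prefixes below are constructed placeholders.
"""
import ipaddress
import secrets
import string
from typing import Dict, List


def parse(prefix: str) -> ipaddress.IPv4Network:
    """Parse a CIDR prefix; strict=True rejects host bits such as 10.1.0.1/24."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{prefix}: only IPv4 prefixes are handled here")
    return net


def check_vnet(address_space: str, subnets: Dict[str, str],
               max_gateway_prefixlen: int = 27) -> List[str]:
    """Return a list of problems with the VNet plan; empty means it is sound."""
    problems: List[str] = []
    space = parse(address_space)
    nets = {name: parse(p) for name, p in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"subnet {name} {net} is outside VNet space {space}")
    # The gateway subnet must be named GatewaySubnet; the tutorial uses a /27.
    # A larger prefix length (/28, /29, ...) means a smaller subnet.
    gw = nets.get("GatewaySubnet")
    if gw is None:
        problems.append("GatewaySubnet is missing")
    elif gw.prefixlen > max_gateway_prefixlen:
        problems.append(f"GatewaySubnet {gw} is smaller than /{max_gateway_prefixlen}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} {nets[a]} and {b} {nets[b]} overlap")
    return problems


def check_sites(address_space: str, sites: Dict[str, List[str]]) -> List[str]:
    """Check each local network gateway's prefixes against the VNet and the other sites."""
    problems: List[str] = []
    space = parse(address_space)
    flat = [(site, parse(p)) for site, prefixes in sites.items() for p in prefixes]
    for site, net in flat:
        if net.overlaps(space):
            problems.append(f"site {site} prefix {net} overlaps VNet space {space}")
    # Prefixes of different connections on the same gateway must not overlap.
    for i, (site_a, net_a) in enumerate(flat):
        for site_b, net_b in flat[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                problems.append(
                    f"site {site_a} prefix {net_a} overlaps site {site_b} prefix {net_b}")
    return problems


def generate_shared_key(length: int = 32) -> str:
    """Generate a random alphanumeric pre-shared key (assumed acceptable to the VPN device)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate_plan(address_space: str, subnets: Dict[str, str],
                  sites: Dict[str, List[str]]) -> List[str]:
    """Run both checks and return every problem found."""
    return check_vnet(address_space, subnets) + check_sites(address_space, sites)


if __name__ == "__main__":
    # Tutorial VNet values plus two constructed on-premises sites.
    plan_subnets = {"FrontEnd": "10.1.0.0/24", "GatewaySubnet": "10.1.255.0/27"}
    plan_sites = {"Site1": ["192.168.1.0/24"], "Site2": ["10.1.2.0/24"]}
    for problem in validate_plan("10.1.0.0/16", plan_subnets, plan_sites):
        print("PROBLEM:", problem)
    print("suggested shared key:", generate_shared_key())
```

Run it before creating the local network gateways: the sample plan reports that Site2's 10.1.2.0/24 collides with VNet1's address space, which is exactly the condition that would leave traffic unroutable after the connection comes up. Paste the suggested key into both the Azure connection and the on-premises device instead of the tutorial's abc123.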
You can specify a different shared key for your connection. In the portal, go to the connection. Change the shared key on the Authentication page.
You can customize site-to-site configurations in various ways. For more information, see the following articles:
- For information about BGP, see the BGP overview and How to configure BGP.
- For information about forced tunneling, see About forced tunneling.
- For information about highly available active-active connections, see Highly available cross-premises and VNet-to-VNet connectivity.
- For information about how to limit network traffic to resources in a virtual network, see Network security.
- For information about how Azure routes traffic between Azure, on-premises, and internet resources, see Virtual network traffic routing.
If you're not going to continue to use this application or go to the next tutorial, delete these resources.
- Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.
- Select Delete resource group.
- Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.
After you configure a site-to-site connection, you can add a point-to-site connection to the same gateway.
[!div class="nextstepaction"] Point-to-site VPN connections