This post will show you how to create a Site-to-Site VPN gateway using Azure. And I will not just stop at creating it, I will also show a test sample of the connection working. Yes, that’s how I roll, you have to see what you’re configuring working in real-time.
Things to consider before creating a site-to-site VPN: If you’re unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
What is Site-to-Site VPN
Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
What is a VPN Gateway
A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks across the Azure backbone.
What is a Local Network Gateway
A local network gateway is a specific object that represents your on-premises location (the site) for routing purposes.
A local network gateway is used to establish a secure, encrypted connection between your on-premises network and your Azure virtual network. This enables you to extend your on-premises network to the cloud and access resources in Azure as if they were located on your local network.
You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you’ll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network.
What we will need to Configure the Site-to-Site VPN.
Virtual Network
VPN Gateway
Local Gateway
Connecting
Routing and Remote Access
If you have read my previous post about Point-to-Site VPN you should be familiar with some of them.
Creating a Virtual Network
Firstly, we need to create a Virtual Network
Step 1: Sign in to the Azure Portal.
Step 2: Search for virtual network in Azure portal.
Step 3: In the search results, select virtual network right under Marketplace.
Step 4: On the Virtual network page, click on Create.
Step 5: Under the Basics tab, choose the Subscription you want to use for this project.
Step 6: Resource group can be selected from existing resource group, or a new resource group can be created by clicking on Create new.
Step 7: Enter a preferred name for the virtual network.
Step 8: Choose a preferred location for the Virtual Network, by clicking on the drop-down and selecting the region you prefer, and then click on next at the bottom. Note: The location determines where the resources that you deploy to this VNet will live.
For this tutorial, we will leave the Security tab with the default settings and then click on next again.
We will be using the 172.16.0.0/16 for our address space and for the subnet we will create two subnets: abcofcloudsubnet with a subnet address space of 172.16.0.0/24.
Step 9: On the IP addresses tab click on the Add an IP address space and select the Address space type radio button for IPv4. Starting address type 172.16.0.0, Address space size use the drop-down to select /16 (65536 addresses) and click the Add button.
Step 10: After this has been added you can now delete the default address space.
Step 11: This is the time we add our subnet, click on the plus(+) button beside Add a subnet, and on the pop-out button by the right under the Subnet details enter a preferred name, for this tutorial I will be using abcofcloudsubnet, the Starting address as 172.16.0.0 and Subnet size as /24 (256 addresses) then click on the Add button.
Step 12: Click on the Review + Create button to have an overview of your settings and then click Create.
Let’s Create the VPN Gateway
Step 1: Search for Virtual network gateway in Azure portal.
Step 2: In the Search result, under Marketplace select Virtual network gateway.
Step 3: Choose the subscription you want from the drop-down.
Step 4: The Resource Group will be auto-filled when we select the virtual network.
Step 5: Enter any preferred name for your gateway.
Step 6: We will be using VPN as the Gateway type in this tutorial.
Step 7: Route-based is the VPN type we will be using for this tutorial, this can be selected based on your requirement or business need.
Step 8: SKU will be VpnGw2AZ for this tutorial, I will be adding some links where you can learn more about the SKU, resizing, and zone redundant.
Step 9: Generation2 will be the choice for this tutorial.
Step 10: Our Virtual network will be the one we created previously.
Step 11. You can either create a subnet in your virtual subnet with the name Gatewaysubnet or you get the Gateway subnet address range automatically.
Step 12: We will change the default Gateway subnet address range to 172.16.1.0/27 or larger which is (/26,/25,/24, etc.) Anything lesser will throw an error if you’re trying to deploy a zone-redundant/zonal gateway and also this allows enough IP addresses for future changes.
Step 13: Public IP address is set to Create new; you can choose to use existing if you already have one created. These settings specify the public IP address object that gets associated with the VPN gateway. The public IP address is assigned to this object when the VPN gateway is created. The only time the primary Public IP address changes is when the gateway is deleted and re-created. It doesn’t change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
Step 14: Enter a preferred name for the Public IP address name.
The Assignment setting is controlled by the Public IP Address Type value.
Enable active-active mode and Configure BGP will be disabled in this tutorial.
Step 15: Click on Review + Create and then Create. Tags can be added based on your requirements.
Once you hit the Create button, it’s time to go get a bottle of drink because I also paused and went to a bottle of drink. Also, make sure you don’t refresh the page because it can take 45 minutes or more to fully create and deploy. You will see the status of the deployment on the overview page for the gateway.
Creating the Local Network Gateway
Step 1: Search for local gateway in the Azure portal.
Step 2: Under Marketplace, select local network gateway in the search result.
Step 3: Select your subscription from the drop under Project details.
Step 4: Choose your Resource group, for this tutorial I will be using ABCOFCLOUDVNET-RG
Step 5: For the region, I will be using UK South.
Step 6: Enter a preferred name for your gateway.
Step 7: Endpoint for this tutorial will be the IP address.
Step 8: IP address should be the static public IP address allocated from your Internet service provider for your VPN device, but if you don’t have one and you’re doing this for training purposes then you can type whatsmyip on your web browser to see the dynamic public IP address allocated to you from your Internet service provider which is what I am using in this tutorial.
Step 9: The address space is the private network on your on-premises which this local network represents. The address space I am using is the private IP for my on-premises network, and also note you can add more than one address space if you do have more.
Step 10: On the Advanced tab Configure BGP settings is set to No for this tutorial.
Step 11: Click on Review + create to validate the page and then click on Create.
Configuring VPN on Windows Server 2022
In order for you to configure your VPN in Windows Server you will need to install the Remote Access Role from your Server Manager Dashboard. Once this is completed you can follow the steps.
Step 1: Open the server manager and click on Tools then select Routing and Remote Access, this will pop-up the Routing and Remote Access page.
Step 2: Under Server Status right click on your server name and then select Configure and Enable Routing and Remote Access which will then launch the Routing and Remote Access Server Setup Wizard.
Step 3: Click on Next on the Routing and Remote Access Server Setup Wizard.
Step 4: Choose the Secure connection between two private networks and then click Next.
Step 5: On the Demand-Dial Connections page, you will be asked Do you want to use demand-dial connections to access remote networks? Choose Yes and hit Next.
Step 6: IP Address Assignment I will be using Automatically for this tutorial then click on Next on the Completing the Routing and Remote Access Server Setup Wizard click on Finish.
Once this is done you will see the Demand-Dial Interface Wizard pop-up, click on Next to continue.
Step 7: Enter a number for the Interface, I will be using S2SVPN and click Next.
Step 8: On the connection type page, choose to connect using virtual private networking (VPN).
Step 9: Select IKEv2 for VPN Type.
Step 10: In the Destination Address enter the public IP for the virtual network gateway.
Step 11: Select Route IP packets on this interface for the Protocols and Security.
Step 12: On the Static Routes for Remote Networks page we will be adding the IP address space from the virtual network we created on Azure mine was 172.16.0.0/16. Click on the Add button and then type in the IP address. I will use 10 for the Metric and then click ok. The metric is used to determine the priority of different routes to the same network, and the route with the lowest metric value is chosen as the preferred route.
Step 13: After Adding the virtual network IP address space, click on next, you will see the Dial-Out Credentials page, you can leave the credentials blank and click next, and then click Finish to complete the Demand-Dial Interface Wizard. Once that is done you should see it enabled and all green.
The next thing we are going to do is update the connection type and choose a shared key we will use for the VPN connection in Azure.
Step 14: Click on the Network Interface and right on the Demand-dial and then click on the properties. Click on the Options tab under Dialing policy set the Redial attempts to 3, then click on the Security tab select the Use preshared key for authentication, and type in your preferred shared key, I will be using ABCOFCLOUD2023 then hit OK.
Create a Connection
This will be creating a VPN connection between the virtual network gateway and the on-premises VPN.
Step 1: Log in to Azure portal and type connection in the search bar.
Step 2: In the search result, under Marketplace select the connection.
Step 3: Choose your subscription and Resource group.
Step 4: Connection type select Site-to-Site(IPsec) from the drop-down.
Step 5: Enter a preferred name, for this tutorial I will be using “abcofcloudVNet-to-abcofcloudLocalGW”.
Step 6: Choose your preferred region from the drop-down, I will be choosing UK South for this tutorial, after that click on Next.
Step 7: The virtual network gateway we created will be selected.
Step 8: Local network gateway we created will be selected.
Step 9: The Shared key we created on our VPN which was ABCOFCLOUD2023 will be entered
Step 10: IKE Protocol will be IKEv2.
Every other setting will be left on the default selection for this tutorial. Once this has been selected click on Review + Create to validate then Create.
Now if I click on the connection that has been created, and take a look at the overview the status will be Unknown.
Connecting to Azure Virtual Network Using the Site-to-Site VPN
Step 1: On my Routing and Remote Access, open the drop-down menu on IPv4 and right-click on the Static Routes then click on New Static Route. On the IPv4 Static Route that pops up change the Interface to the Demand-dial that was created. The destination and Network mask should be the same as the one on the virtual network we created and then hit ok.
We are adding this route to make sure the traffic reaches the right network on Azure.
The connection status has now changed from Unknow to Not connected, the next step we will be connecting using the VPN.
Step 2: Go to the Routing and Remote Access and then click on the Network Interface, right-click on the Demand-dial, and then click on connect.
We are now Connected
References: Tutorial: Create a site-to-site VPN connection in the Azure portal
This is beautiful, direct and straight to the point. I will be replicating this soon
This is sweet Jerry. Nice work bro. Reproducing soon.