
Azure Site-to-Site VPN

This page explains how to set up a Site-to-Site VPN in Azure, enabling secure communication between your on-premises network and Azure virtual network.


Technical Overview

Azure Site-to-Site VPN allows you to securely connect your on-premises network to an Azure virtual network (VNet) over an IPsec/IKE VPN tunnel. This setup enables seamless and secure communication between your on-premises environment and Azure, extending your data center to the cloud.

Key Components:
- Virtual Network (VNet): The Azure network to which you'll connect your on-premises network.
- VPN Gateway: The Azure resource that terminates the IPsec/IKE tunnel on the Azure side.
- Local Network Gateway: Represents your on-premises VPN device (its public IP address) and the on-premises address prefixes that are reachable through it.
- Connection: The logical link between the Azure VPN gateway and the on-premises local network gateway; it carries the pre-shared key and the IPsec/IKE settings for the tunnel.

Implementation Details

1. Set Up Virtual Network (VNet)

  1. Go to the Azure portal.
  2. Navigate to "Create a resource" > "Networking" > "Virtual Network".
  3. Click "Create" and fill in the required fields:
     - Subscription: Select your Azure subscription.
     - Resource group: Create a new resource group or select an existing one.
     - Name: Choose a name for your VNet.
     - Region: Choose the Azure region.
     - Address space: Define the IP address range (e.g., 10.1.0.0/16). It must not overlap with the on-premises address space you will route over the tunnel, or routing will be ambiguous.
  4. Click "Review + create" > "Create" to create the VNet.
  5. Configure subnets within the VNet:
     - Go to your VNet and select "Subnets".
     - Click "+ Subnet".
     - Define the subnet name (e.g., default) and address range (e.g., 10.1.0.0/24).
     - Click "Save".

2. Create VPN Gateway

  1. In the Azure portal, navigate to your VNet.
  2. Click "Subnets" > "+ Gateway subnet".
  3. The subnet name is fixed to GatewaySubnet; specify the address range (e.g., 10.1.255.0/27). A /27 or larger is recommended so the gateway has spare addresses for SKU changes and additional configurations later.
  4. Click "Save".
  5. Go to "Create a resource" > "Networking" > "VPN Gateway".
  6. Click "Create" and fill in the required fields:
     - Name: Choose a name for your VPN gateway.
     - Region: Select the same region as your VNet.
     - Gateway type: Choose VPN.
     - SKU: Choose a production SKU such as VpnGw1 or higher. The Basic SKU does not support custom IPsec/IKE policies, which you will need in order to pin the algorithms in step 5.
     - VPN type: Choose Route-based.
     - Virtual network: Select the VNet you created.
     - Gateway subnet: Automatically selected.
     - Public IP address: Create a new public IP address.
  7. Click "Review + create" > "Create" to provision the VPN Gateway. Provisioning can take 45 minutes or longer.

3. Create Local Network Gateway

  1. In the Azure portal, go to "Create a resource" > "Networking" > "Local Network Gateway".
  2. Click "Create" and fill in the required fields:
  3. Name: Choose a name for your local network gateway.
  4. IP address: Enter the public IP address of your on-premises VPN device. Azure sends IKE traffic to this address, so if the device sits behind NAT, enter the translated public address that Azure will see.
  5. Address space: Define the IP address range(s) of your on-premises network (e.g., 192.168.0.0/16). These prefixes become routes in the VNet pointing at the tunnel, so they must not overlap with the VNet address space.
  6. Subscription: Select your Azure subscription.
  7. Resource group: Select the resource group used for the VNet.
  8. Location: Choose the Azure region.

  9. Click "Review + create" > "Create".

4. Configure VPN Connection

  1. In the Azure portal, navigate to your VPN Gateway.
  2. Select "Connections" > "Add".
  3. Fill in the required fields:
     - Name: Choose a name for the connection.
     - Connection type: Select Site-to-site (IPsec).
     - Virtual network gateway: Automatically selected.
     - Local network gateway: Select the local network gateway you created.
     - Shared key (PSK): Enter a long, randomly generated pre-shared key (for example, 32 bytes from a CSPRNG encoded as 64 hex characters). A guessable value such as MySharedKey123 must not be used: the PSK is the only credential authenticating the two gateways to each other. Treat it as a secret (store it in a secrets manager, not in a ticket or wiki) and rotate it if the on-premises device is replaced or compromised. The same value must be configured on the on-premises VPN device.
     - IKE Protocol: Select IKEv2.
  4. Click "OK" to create the connection.

5. Configure On-Premises VPN Device

  1. Access your on-premises VPN device (e.g., firewall, router).
  2. Configure the IPsec/IKE parameters:
     - Azure VPN gateway IP: Use the public IP address of the Azure VPN gateway.
     - IPsec/IKE Protocol: Use IKEv2 and the same pre-shared key you entered on the Azure connection.
     - Encryption and Integrity: Use AES256 for encryption and SHA256 for integrity, for both the IKE SA and the IPsec (child) SA.
     - DH Group: Use DH Group 14 (2048-bit MODP).
     - PFS: Use PFS2048 (Azure's name for DH group 14 in the IPsec phase).
     - Local Subnet: Specify the on-premises network address space (it must match the address space declared in the local network gateway).
     - Remote Subnet: Specify the Azure VNet address space.
  3. Pin the same algorithms on the Azure side. By default the Azure VPN gateway negotiates from a broad proposal set that still includes weaker options (for example SHA1, DH group 2 and 3DES), so a misconfigured or downgraded peer can end up on them. Apply a custom IPsec/IKE policy on the connection (portal: the connection's "Configuration" page, or az network vpn-connection ipsec-policy add) that lists only AES256, SHA256, DHGroup14 and PFS2048, so that both ends agree on exactly one strong proposal.
  4. If the on-premises device is policy-based (it negotiates per-subnet traffic selectors rather than a routed tunnel interface), enable "Use policy based traffic selector" on the Azure connection; otherwise the child SA negotiation may fail with a traffic selector mismatch.
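Putting steps 1 to 5 together: the following shell script is an added example written for this page; it is not code from the original page nor Microsoft's own tooling. It drives the Azure CLI (az) to create the resource group, VNet, GatewaySubnet, public IP, route-based VpnGw1 gateway, local network gateway and connection, generates the pre-shared key from the kernel CSPRNG instead of a hand-typed string, pins a custom IPsec/IKE policy to the algorithms listed in step 5, and emits a matching strongSwan swanctl.conf fragment for the on-premises side. The resource names, address ranges, region, the TEST-NET placeholder public IP and the choice of strongSwan as the on-premises device are all assumptions. By default it runs in a "plan" mode that only prints the az commands, so you can review them before running it with the apply argument.

```shell
#!/bin/sh
# Added example, not code from the original page or from Microsoft: the Azure CLI
# equivalent of steps 1-4 plus a matching strongSwan (swanctl.conf) fragment for step 5.
# All names, address ranges and public IPs are placeholders (assumptions), and the
# on-premises device is assumed to be a Linux strongSwan host; other vendors differ.
# Mode "plan" (default) only prints the az commands; "apply" runs them.
set -eu

MODE="${1:-plan}"
RG="rg-s2s-demo";           LOCATION="westeurope"
VNET="vnet-hub";            VNET_CIDR="10.1.0.0/16"
SUBNET_CIDR="10.1.0.0/24";  GW_SUBNET_CIDR="10.1.255.0/27"
GW="vpngw-hub";             GW_PIP="vpngw-hub-pip"
LNG="lng-onprem-dc";        CONN="conn-onprem-dc"
ONPREM_PUBLIC_IP="203.0.113.10"     # placeholder from TEST-NET-3
ONPREM_CIDR="192.168.0.0/16"
PSK_FILE="${PSK_FILE:-${TMPDIR:-/tmp}/s2s-psk.txt}"

# 32 bytes from the kernel CSPRNG as 64 hex characters (Azure accepts up to 128
# printable ASCII). Never use a guessable value like MySharedKey123.
gen_psk() { od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'; }

# Pin IKE and IPsec to AES-256 / SHA-256 / DH group 14 (PFS2048) so the tunnel can
# never settle on the weaker proposals (SHA1, DH group 2, 3DES) Azure accepts by default.
ipsec_policy_args() {
  printf '%s' "--dh-group DHGroup14 --ike-encryption AES256 --ike-integrity SHA256 \
--ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 \
--sa-lifetime 27000 --sa-max-size 102400000"
}

provision() {
  az group create --name "$RG" --location "$LOCATION" --output none
  az network vnet create -g "$RG" -n "$VNET" --address-prefixes "$VNET_CIDR" \
    --subnet-name default --subnet-prefixes "$SUBNET_CIDR" --output none
  # The gateway subnet must be named exactly GatewaySubnet; /27 leaves headroom.
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes "$GW_SUBNET_CIDR" --output none
  az network public-ip create -g "$RG" -n "$GW_PIP" --sku Standard \
    --allocation-method Static --output none
  # Route-based VpnGw1 (Basic cannot take a custom IPsec policy); ~45 min to provision.
  az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" \
    --public-ip-address "$GW_PIP" --gateway-type Vpn --vpn-type RouteBased \
    --sku VpnGw1 --output none
  az network local-gateway create -g "$RG" -n "$LNG" --gateway-ip-address \
    "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_CIDR" --output none
  if [ "$MODE" = apply ]; then PSK=$(gen_psk); else PSK='<generated-at-apply>'; fi
  az network vpn-connection create -g "$RG" -n "$CONN" --vnet-gateway1 "$GW" \
    --local-gateway2 "$LNG" --shared-key "$PSK" --output none
  # $(ipsec_policy_args) is deliberately unquoted so the flags split into words.
  az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" $(ipsec_policy_args)
  if [ "$MODE" = apply ]; then
    umask 077; printf '%s\n' "$PSK" > "$PSK_FILE"
    echo "PSK written to $PSK_FILE (mode 600): copy it to the on-premises device out of band, then delete it."
  fi
}

# strongSwan swanctl.conf for the assumed on-premises host (step 5). $1 = Azure gateway
# public IP, $2 = the PSK. Proposals match the policy pinned on the Azure connection.
onprem_swanctl_conf() {
  cat <<EOF
connections {
  azure {
    version = 2
    remote_addrs = $1
    proposals = aes256-sha256-modp2048
    local {
      auth = psk
      id = $ONPREM_PUBLIC_IP
    }
    remote {
      auth = psk
      id = $1
    }
    children {
      azure-vnet {
        local_ts = $ONPREM_CIDR
        remote_ts = $VNET_CIDR
        esp_proposals = aes256-sha256-modp2048
        start_action = start
        dpd_action = restart
      }
    }
    dpd_delay = 30s
  }
}
secrets {
  ike-azure {
    id = $1
    secret = "$2"
  }
}
EOF
}

case "$MODE" in
  apply) provision ;;
  plan)  az() { printf 'az %s\n' "$*"; }; provision ;;
  *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Run the script with no argument to review the commands, then with apply to build the resources (the gateway step blocks for the 45 minutes or so Azure takes). Afterwards read the gateway's public IP (az network public-ip show -g rg-s2s-demo -n vpngw-hub-pip --query ipAddress -o tsv) and call onprem_swanctl_conf with that address and the saved PSK to produce the on-premises configuration. If the on-premises device terminates the tunnel on a routed interface (VTI) rather than with per-subnet selectors, replace local_ts and remote_ts with 0.0.0.0/0 and install a route for the VNet prefix via that interface instead.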

Use Cases

Real-World Example:

Scenario: A retail company needs to securely connect its on-premises data center to its Azure environment to access cloud-hosted services and databases.

Implementation:
- Virtual Network: Created in Azure to host cloud services and databases.
- VPN Gateway: Deployed in the Azure VNet for secure connectivity.
- Local Network Gateway: Configured with the on-premises data center's public IP and address space.
- Site-to-Site Connection: Established to enable secure data transfer and communication between on-premises and Azure resources.

Benefits:
- Secure and reliable connection between on-premises and Azure.
- Seamless access to cloud-hosted resources and services.
- Enhanced data security with encrypted VPN tunnels.

Challenges:
- Initial setup and configuration can be complex.
- Ensuring compatibility between on-premises VPN devices and the Azure VPN gateway (supported IKE versions, algorithm sets and traffic selector behaviour differ between vendors).

Pricing

Azure Site-to-Site VPN pricing includes costs for:
- VPN Gateway: An hourly charge that depends on the selected gateway SKU, billed for as long as the gateway exists, whether or not the tunnel is carrying traffic.
- Data Transfer: Outbound data transfer from Azure to the on-premises network is billed at Azure's internet egress rates.

Cost-Effective Tips:
- Choose Appropriate SKU: Select a VPN Gateway SKU that meets your throughput and tunnel-count needs without over-provisioning; gateways in the VpnGw family can be resized later as needs change.
- Monitor Data Transfer: Regularly monitor data transfer usage to optimize costs.
- Optimize Traffic: Send only the traffic that needs to cross the tunnel (the on-premises prefixes declared in the local network gateway) rather than forcing all traffic through Azure, since outbound data from Azure is what is billed.

Resources

Azure Site-to-Site VPN Documentation