# Azure Site-to-Site VPN
This page explains how to set up a Site-to-Site VPN in Azure, enabling secure communication between your on-premises network and an Azure virtual network.
## Technical Overview
Azure Site-to-Site VPN allows you to securely connect your on-premises network to an Azure virtual network (VNet) over an IPsec/IKE VPN tunnel. This setup enables seamless and secure communication between your on-premises environment and Azure, extending your data center to the cloud.
Key Components:

- Virtual Network (VNet): The Azure network to which you'll connect your on-premises network.
- VPN Gateway: The Azure resource that terminates the IPsec/IKE tunnel on the Azure side.
- Local Network Gateway: Represents your on-premises network configuration (the public IP of your VPN device and the on-premises address space).
- Connection: The logical link between the Azure VPN gateway and the on-premises local network gateway.
## Implementation Details

### 1. Set Up Virtual Network (VNet)

- Go to the Azure portal.
- Navigate to "Create a resource" > "Networking" > "Virtual Network".
- Click "Create" and fill in the required fields:
    - Name: Choose a name for your VNet.
    - Address space: Define the IP address range (e.g., `10.1.0.0/16`).
    - Subscription: Select your Azure subscription.
    - Resource group: Create a new resource group or select an existing one.
    - Location: Choose the Azure region.
- Click "Review + create" > "Create" to create the VNet.
- Configure subnets within the VNet:
    - Go to your VNet and select "Subnets".
    - Click "Add Subnet".
    - Define the subnet name (e.g., `default`) and address range (e.g., `10.1.0.0/24`).
    - Click "Save".
### 2. Create VPN Gateway

- In the Azure portal, navigate to your VNet.
- Click "Subnets" and then "GatewaySubnet" > "Add".
- Define the subnet name as `GatewaySubnet` and specify the address range (e.g., `10.1.255.0/27`).
- Click "Save".
- Go to "Create a resource" > "Networking" > "VPN Gateway".
- Click "Create" and fill in the required fields:
    - Name: Choose a name for your VPN gateway.
    - Region: Select the same region as your VNet.
    - Gateway type: Choose `VPN`.
    - VPN type: Choose `Route-based`.
    - Virtual network: Select the VNet you created.
    - Gateway subnet: Automatically selected.
    - Public IP address: Create a new public IP address.
- Click "Review + create" > "Create" to provision the VPN Gateway.
### 3. Create Local Network Gateway

- In the Azure portal, go to "Create a resource" > "Networking" > "Local Network Gateway".
- Click "Create" and fill in the required fields:
    - Name: Choose a name for your local network gateway.
    - IP address: Enter the public IP address of your on-premises VPN device.
    - Address space: Define the IP address range of your on-premises network (e.g., `192.168.0.0/16`).
    - Subscription: Select your Azure subscription.
    - Resource group: Select the resource group used for the VNet.
    - Location: Choose the Azure region.
- Click "Review + create" > "Create".
### 4. Configure VPN Connection

- In the Azure portal, navigate to your VPN Gateway.
- Select "Connections" > "Add".
- Fill in the required fields:
    - Name: Choose a name for the connection.
    - Connection type: Select `Site-to-site (IPsec)`.
    - Virtual network gateway: Automatically selected.
    - Local network gateway: Select the local network gateway you created.
    - Shared key (PSK): Enter a shared key (e.g., `MySharedKey123`) that matches the on-premises VPN device configuration. The shared key is the only credential that authenticates the peer, so in practice use a long, randomly generated value; the example value is illustrative only.
    - IKE Protocol: Select `IKEv2`.
- Click "OK" to create the connection.
### 5. Configure On-Premises VPN Device

- Access your on-premises VPN device (e.g., firewall, router).
- Configure the IPsec/IKE parameters:
    - Azure VPN gateway IP: Use the public IP address of the Azure VPN gateway.
    - IPsec/IKE protocol: Use `IKEv2` and the shared key you specified (`MySharedKey123`).
    - Encryption and integrity: Use `AES256` for encryption and `SHA256` for integrity.
    - DH group: Use `DH Group 14`.
    - PFS: Use `PFS2048`.
    - Local subnet: Specify the on-premises network address space.
    - Remote subnet: Specify the Azure VNet address space.
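The five portal steps above as a single Azure CLI script, added here as an example; it is not code from the original page. Before it creates anything it checks the address plan the page uses (the `GatewaySubnet` must sit inside the VNet, the two subnets must not overlap, and the on-premises range must not overlap the VNet, otherwise traffic will not route), it generates a random pre-shared key instead of the illustrative `MySharedKey123`, and it pins the Azure-side IKE/IPsec policy to the same parameters step 5 gives the on-premises device so the tunnel cannot negotiate a weaker proposal. The resource group, resource names, region, the `VpnGw1` SKU, the SA lifetime values and the `203.0.113.10` on-premises address are assumptions; `az login` must have been run before `deploy` is invoked.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of portal steps 1-5, plus an address-plan check.
# Assumptions (not from the original page): resource group, gateway and connection names,
# region, the VpnGw1 SKU, the SA lifetime values and the placeholder on-premises IP.
set -e

RG="${RG:-rg-s2s-demo}"                       # assumed resource group name
LOCATION="${LOCATION:-westeurope}"            # assumed region
VNET_PREFIX="10.1.0.0/16"                     # VNet address space (from the page)
SUBNET_PREFIX="10.1.0.0/24"                   # "default" subnet (from the page)
GW_SUBNET_PREFIX="10.1.255.0/27"              # GatewaySubnet, /27 or larger (from the page)
ONPREM_PREFIX="192.168.0.0/16"                # on-premises address space (from the page)
ONPREM_GW_IP="${ONPREM_GW_IP:-203.0.113.10}"  # PLACEHOLDER: on-premises VPN device public IP

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Succeeds when CIDR $1 lies entirely inside CIDR $2.
cidr_within() {
  inner_len=${1#*/}; outer_len=${2#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Succeeds when the two CIDRs share at least one address.
cidr_overlap() { cidr_within "$1" "$2" || cidr_within "$2" "$1"; }

# Refuse to deploy an address plan that cannot route: the gateway subnet and the default
# subnet must sit inside the VNet, they must not overlap each other, and the on-premises
# space must not overlap the VNet.
validate_addressing() {
  cidr_within "$GW_SUBNET_PREFIX" "$VNET_PREFIX" || { echo "GatewaySubnet outside VNet" >&2; return 1; }
  cidr_within "$SUBNET_PREFIX" "$VNET_PREFIX"    || { echo "default subnet outside VNet" >&2; return 1; }
  ! cidr_overlap "$SUBNET_PREFIX" "$GW_SUBNET_PREFIX" || { echo "subnets overlap" >&2; return 1; }
  ! cidr_overlap "$ONPREM_PREFIX" "$VNET_PREFIX" || { echo "on-premises space overlaps VNet" >&2; return 1; }
}

# 48 random alphanumeric characters. The pre-shared key is the only thing authenticating the
# peer, so it must be long and random rather than a guessable word (assumption: Azure accepts
# alphanumeric keys of this length).
gen_psk() { head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 48; }

deploy() {
  validate_addressing
  PSK=$(gen_psk)
  az group create --name "$RG" --location "$LOCATION" --output none
  # Step 1: VNet with the "default" subnet.
  az network vnet create --resource-group "$RG" --name vnet-hub --location "$LOCATION" \
    --address-prefixes "$VNET_PREFIX" --subnet-name default --subnet-prefixes "$SUBNET_PREFIX" --output none
  # Step 2: gateway subnet (the name must be exactly GatewaySubnet), a static public IP and a
  # route-based VPN gateway; the gateway call blocks until provisioning finishes.
  az network vnet subnet create --resource-group "$RG" --vnet-name vnet-hub \
    --name GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX" --output none
  az network public-ip create --resource-group "$RG" --name pip-vpngw --location "$LOCATION" \
    --sku Standard --allocation-method Static --output none
  az network vnet-gateway create --resource-group "$RG" --name vpngw-hub --location "$LOCATION" \
    --vnet vnet-hub --public-ip-address pip-vpngw --gateway-type Vpn --vpn-type RouteBased \
    --sku VpnGw1 --output none
  # Step 3: local network gateway describing the on-premises side.
  az network local-gateway create --resource-group "$RG" --name lng-onprem --location "$LOCATION" \
    --gateway-ip-address "$ONPREM_GW_IP" --local-address-prefixes "$ONPREM_PREFIX" --output none
  # Step 4: the Site-to-Site connection; route-based gateways negotiate IKEv2.
  az network vpn-connection create --resource-group "$RG" --name cn-onprem --location "$LOCATION" \
    --vnet-gateway1 vpngw-hub --local-gateway2 lng-onprem --shared-key "$PSK" --output none
  # Step 5, Azure side: pin the IKE/IPsec policy to the parameters given to the on-premises
  # device (AES256/SHA256, DH group 14, PFS2048); SA lifetimes are Azure defaults (assumed).
  az network vpn-connection ipsec-policy add --resource-group "$RG" --connection-name cn-onprem \
    --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
    --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-max-size 102400000 --output none
  # Hand the key to the on-premises device out of band and keep it in a secrets manager.
  printf 'Shared key for the on-premises device: %s\n' "$PSK"
}

# Only touch Azure when explicitly asked: ./s2s.sh deploy
if [ "${1:-}" = deploy ]; then deploy; fi
```

Run with no arguments the script only defines its functions; `./s2s.sh deploy` runs the address-plan checks and then creates the resources in order. The `vnet-gateway create` call waits for the gateway, which can take 30 to 45 minutes; the on-premises device can be configured with the printed key while it provisions.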
## Use Cases

### Real-World Example
Scenario: A retail company needs to securely connect its on-premises data center to its Azure environment to access cloud-hosted services and databases.
Implementation:

- Virtual Network: Created in Azure to host cloud services and databases.
- VPN Gateway: Deployed in the Azure VNet for secure connectivity.
- Local Network Gateway: Configured with the on-premises data center's public IP and address space.
- Site-to-Site Connection: Established to enable secure data transfer and communication between on-premises and Azure resources.

Benefits:

- Secure and reliable connection between on-premises and Azure.
- Seamless access to cloud-hosted resources and services.
- Enhanced data security with encrypted VPN tunnels.

Challenges:

- Initial setup and configuration can be complex.
- Ensuring compatibility between on-premises VPN devices and the Azure VPN gateway.
## Pricing

Azure Site-to-Site VPN pricing includes costs for:

- VPN Gateway: Charges based on the selected SKU and data transfer rates.
- Data Transfer: Costs associated with data transfer between on-premises and Azure.

Cost-Effective Tips:

- Choose an appropriate SKU: Select a VPN Gateway SKU that meets your performance needs without over-provisioning.
- Monitor data transfer: Regularly monitor data transfer usage to optimize costs.
- Optimize traffic: Use route-based VPNs to efficiently manage and optimize traffic flows.