Azure Site-to-Site VPN

This page explains how to set up a Site-to-Site VPN in Azure, enabling secure communication between your on-premises network and an Azure virtual network.

Technical Overview

Azure Site-to-Site VPN allows you to securely connect your on-premises network to an Azure virtual network (VNet) over an IPsec/IKE VPN tunnel. This setup enables seamless and secure communication between your on-premises environment and Azure, extending your data center to the cloud.

Key Components:

  • Virtual Network (VNet): The Azure network to which you’ll connect your on-premises network.
  • VPN Gateway: The Azure resource that facilitates the VPN connection.
  • Local Network Gateway: Represents your on-premises network configuration.
  • Connection: The logical link between the Azure VPN gateway and the on-premises local network gateway.

Implementation Details

1. Set Up Virtual Network (VNet)

  1. Go to the Azure portal.

  2. Navigate to “Create a resource” > “Networking” > “Virtual Network”.

  3. Click “Create” and fill in the required fields:

    • Name: Choose a name for your VNet.
    • Address space: Define the IP address range (e.g., 10.1.0.0/16).
    • Subscription: Select your Azure subscription.
    • Resource group: Create a new resource group or select an existing one.
    • Location: Choose the Azure region.

  4. Click “Review + create” > “Create” to create the VNet.

  5. Configure subnets within the VNet:

    • Go to your VNet and select “Subnets”.
    • Click “Add Subnet”.
    • Define the subnet name (e.g., default) and address range (e.g., 10.1.0.0/24).
    • Click “Save”.

2. Create VPN Gateway

  1. In the Azure portal, navigate to your VNet.

  2. Click “Subnets” and then “GatewaySubnet” > “Add”.

  3. Define the subnet name as GatewaySubnet and specify the address range (e.g., 10.1.255.0/27).

  4. Click “Save”.

  5. Go to “Create a resource” > “Networking” > “VPN Gateway”.

  6. Click “Create” and fill in the required fields:

    • Name: Choose a name for your VPN gateway.
    • Region: Select the same region as your VNet.
    • Gateway type: Choose VPN.
    • VPN type: Choose Route-based.
    • Virtual network: Select the VNet you created.
    • Gateway subnet: Automatically selected.
    • Public IP address: Create a new public IP address.

  7. Click “Review + create” > “Create” to provision the VPN Gateway.

3. Create Local Network Gateway

  1. In the Azure portal, go to “Create a resource” > “Networking” > “Local Network Gateway”.

  2. Click “Create” and fill in the required fields:

    • Name: Choose a name for your local network gateway.
    • IP address: Enter the public IP address of your on-premises VPN device.
    • Address space: Define the IP address range of your on-premises network (e.g., 192.168.0.0/16).
    • Subscription: Select your Azure subscription.
    • Resource group: Select the resource group used for the VNet.
    • Location: Choose the Azure region.

  3. Click “Review + create” > “Create”.

4. Configure VPN Connection

  1. In the Azure portal, navigate to your VPN Gateway.

  2. Select “Connections” > “Add”.

  3. Fill in the required fields:

    • Name: Choose a name for the connection.
    • Connection type: Select Site-to-site (IPSec).
    • Virtual network gateway: Automatically selected.
    • Local network gateway: Select the local network gateway you created.
    • Shared key (PSK): Enter a shared key (e.g., MySharedKey123; in practice use a long, randomly generated secret) that matches the on-premises VPN device configuration.
    • IKE Protocol: Select IKEv2.

  4. Click “OK” to create the connection.

5. Configure On-Premises VPN Device

  1. Access your on-premises VPN device (e.g., firewall, router).
  2. Configure the IPsec/IKE parameters:
    • Azure VPN gateway IP: Use the public IP address of the Azure VPN gateway.
    • IPsec/IKE Protocol: Use IKEv2 and the shared key you specified (MySharedKey123).
    • Encryption and Integrity: Use AES256 for encryption and SHA256 for integrity.
    • DH Group: Use DH Group 14.
    • PFS: Use PFS2048.
    • Local Subnet: Specify the on-premises network address space.
    • Remote Subnet: Specify the Azure VNet address space.
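The Azure-side steps 1 to 4 above, written as an Az PowerShell script rather than portal clicks, with the IKE/IPsec parameters from step 5 pinned on the Azure side so the on-premises device configuration has a single definition to match. This is an added example, not code from the original page; the resource group, names, region, on-premises public IP and the PSK placeholder are assumptions.

```powershell
# Added example (not from the original page): steps 1-4 as Az PowerShell, with the step 5
# IKE/IPsec parameters (AES256/SHA256, DH group 14, PFS2048) pinned on the Azure side.
# Assumed values: resource group, names, region, on-premises public IP, PSK placeholder.
$rg       = "rg-s2s-demo"        # assumption
$location = "westeurope"         # assumption
$onPremIp = "203.0.113.10"       # assumption: documentation range, replace with your device's public IP
$psk      = "<REPLACE-WITH-LONG-RANDOM-SECRET>"   # placeholder; never store a real PSK in a script

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Step 1: VNet with a workload subnet. Step 2: the gateway subnet must be named exactly "GatewaySubnet".
$default = New-AzVirtualNetworkSubnetConfig -Name "default"       -AddressPrefix "10.1.0.0/24"
$gwSub   = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.1.255.0/27"
$vnet    = New-AzVirtualNetwork -Name "vnet-s2s" -ResourceGroupName $rg -Location $location `
             -AddressPrefix "10.1.0.0/16" -Subnet $default, $gwSub

# Step 2: public IP and a route-based VPN gateway (provisioning typically takes 30-45 minutes).
$pip     = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
             -AllocationMethod Static -Sku Standard
$gwSubId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$ipconf  = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubId -PublicIpAddressId $pip.Id
$vpngw   = New-AzVirtualNetworkGateway -Name "vpngw-s2s" -ResourceGroupName $rg -Location $location `
             -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 3: local network gateway describing the on-premises side (its public IP and address space).
$lng = New-AzLocalNetworkGateway -Name "lng-onprem" -ResourceGroupName $rg -Location $location `
         -GatewayIpAddress $onPremIp -AddressPrefix "192.168.0.0/16"

# Step 5 parameters as a custom IPsec/IKE policy so both ends negotiate the same suite.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
            -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
            -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Step 4: the IKEv2 site-to-site connection bound to that policy.
$conn = New-AzVirtualNetworkGatewayConnection -Name "conn-onprem" -ResourceGroupName $rg -Location $location `
          -VirtualNetworkGateway1 $vpngw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
          -ConnectionProtocol IKEv2 -SharedKey $psk -IpsecPolicies $policy

# Check: the status stays NotConnected until the on-premises device (step 5) is configured to match.
(Get-AzVirtualNetworkGatewayConnection -Name "conn-onprem" -ResourceGroupName $rg).ConnectionStatus
```

The final line is the check to rerun after completing step 5; a status other than Connected usually means a mismatch in PSK, address spaces or the negotiated IKE/IPsec suite between the two ends.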

Use Cases

Real-World Example:

Scenario: A retail company needs to securely connect its on-premises data center to its Azure environment to access cloud-hosted services and databases.

Implementation:

  • Virtual Network: Created in Azure to host cloud services and databases.
  • VPN Gateway: Deployed in Azure VNet for secure connectivity.
  • Local Network Gateway: Configured with the on-premises data center’s public IP and address space.
  • Site-to-Site Connection: Established to enable secure data transfer and communication between on-premises and Azure resources.

Benefits:

  • Secure and reliable connection between on-premises and Azure.
  • Seamless access to cloud-hosted resources and services.
  • Enhanced data security with encrypted VPN tunnels.

Challenges:

  • Initial setup and configuration can be complex.
  • Ensuring compatibility between on-premises VPN devices and the Azure VPN gateway.

Pricing

Azure Site-to-Site VPN pricing includes costs for:

  • VPN Gateway: Charges based on the selected SKU and data transfer rates.
  • Data Transfer: Costs associated with data transfer between on-premises and Azure.

Cost-Effective Tips:

  • Choose Appropriate SKU: Select a VPN Gateway SKU that meets your performance needs without over-provisioning.
  • Monitor Data Transfer: Regularly monitor data transfer usage to optimize costs.
  • Optimize Traffic: Use route-based VPNs to efficiently manage and optimize traffic flows.

Resources

Azure Site-to-Site VPN Documentation

Last modified February 19, 2025: Update azure-point-to-site-vpn.md (a9c807a)