Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over an IPsec/IKE (IKEv1 and IKEv2) VPN connection. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about Virtual WAN, see the Virtual WAN Overview.

In this tutorial you learn how to:

  • Create a virtual WAN
  • Create a hub
  • Create a Site-to-Site VPN gateway
  • Create a site
  • Connect a VPN site to a hub
  • Connect a VNet to a hub
  • Download a configuration file
  • Configure your VPN gateway

Note

If you have many sites, you typically would use a Virtual WAN partner to create this configuration. However, you can create this configuration yourself if you are comfortable with networking and proficient at configuring your own VPN device.

Screenshot shows a networking diagram for Virtual WAN.

Prerequisites

Verify that you have met the following criteria before beginning your configuration:

  • You have an Azure subscription. If you don't have an Azure subscription, create a free account.

  • You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the Quickstart article.

  • Your virtual network must not have any existing virtual network gateways. If your virtual network already has gateways (VPN or ExpressRoute), you must remove all of the gateways before proceeding. This configuration requires that virtual networks connect to the Virtual WAN hub gateway only.

  • A virtual hub is a virtual network that is created and used by Virtual WAN. It's the core of your Virtual WAN network in a region. Obtain an IP address range for your virtual hub region. The address range that you specify for the hub can't overlap with any of the existing virtual networks that you connect to. It also can't overlap with the on-premises address ranges that you connect to. If you are unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.
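The overlap and sizing rules in the prerequisites are easy to get wrong by eye when several VNets and branches are involved, so it pays to check the address plan mechanically before anything is created. The following is an added example written for this page, not code from the Azure documentation; it uses only the Python standard library, the hub, VNet and on-premises ranges in the demo are constructed, and the /24 limit it enforces is the hub minimum this tutorial states when the hub is created.

```python
"""Check a Virtual WAN hub address plan for the overlap and size rules above.

Added example for this page (not Azure code). Standard library only; the
hub, VNet and on-premises ranges in the demo are constructed.
"""
import ipaddress
from typing import Iterable

# Virtual WAN rejects hub prefixes longer than /24 (/25 through /32 fail).
HUB_MAX_PREFIX_LEN = 24


def check_hub_plan(hub_cidr: str,
                   vnet_cidrs: Iterable[str],
                   onprem_cidrs: Iterable[str]) -> list[str]:
    """Return the problems found; an empty list means the plan is acceptable.

    strict=True makes a CIDR with host bits set (e.g. 10.1.0.1/24) raise
    ValueError, which catches the most common typo before it hits the portal.
    """
    hub = ipaddress.IPv4Network(hub_cidr, strict=True)
    vnets = [ipaddress.IPv4Network(c, strict=True) for c in vnet_cidrs]
    onprem = [ipaddress.IPv4Network(c, strict=True) for c in onprem_cidrs]
    problems: list[str] = []

    if hub.prefixlen > HUB_MAX_PREFIX_LEN:
        problems.append(f"hub {hub} is smaller than /24 (prefix length {hub.prefixlen})")

    # The hub may overlap neither the VNets it will connect nor any branch range.
    for label, nets in (("VNet", vnets), ("on-premises", onprem)):
        for net in nets:
            if hub.overlaps(net):
                problems.append(f"hub {hub} overlaps {label} range {net}")

    # Branch ranges must not overlap the VNets they are routed to; traffic for
    # an overlapping prefix would be ambiguous.
    for vnet in vnets:
        for branch in onprem:
            if vnet.overlaps(branch):
                problems.append(f"on-premises range {branch} overlaps VNet {vnet}")

    # Two VNets attached to the same hub must not overlap each other either.
    for i, a in enumerate(vnets):
        for b in vnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VNet {a} overlaps VNet {b}")

    return problems


if __name__ == "__main__":
    # Constructed inputs: a /24 hub, two VNets and one branch range.
    for issue in check_hub_plan("10.1.0.0/24",
                                ["10.2.0.0/16", "10.3.0.0/16"],
                                ["192.168.0.0/16"]) or ["plan is acceptable"]:
        print(issue)
```

Run it with the real ranges before creating the hub; a non-empty result means a connection will either fail validation in the portal or, worse, succeed and blackhole traffic for the overlapping prefixes.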

Create a virtual WAN

From a browser, navigate to the Azure portal and sign in with your Azure account.

  1. In the portal, select + Create a resource. Type Virtual WAN into the search box and select Enter.

  2. Select Virtual WAN from the results. On the Virtual WAN page, select Create to open the Create WAN page.

  3. On the Create WAN page, on the Basics tab, fill in the following fields:

    Screenshot shows the Create WAN pane with the Basics tab selected.

    • Subscription - Select the subscription that you want to use.
    • Resource group - Create new or use existing.
    • Resource group location - Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to manage and locate the WAN resource that you create.
    • Name - Type the Name that you want to call your WAN.
    • Type - Basic or Standard. Select Standard. If you select Basic VWAN, understand that Basic VWANs can only contain Basic hubs, which limits your connection type to site-to-site.
  4. After you finish filling out the fields, select Review +Create.

  5. Once validation passes, select Create to create the virtual WAN.

Create a hub

A hub is a virtual network that can contain gateways for site-to-site, ExpressRoute, or point-to-site functionality. Once the hub is created, you'll be charged for the hub, even if you don't attach any sites.

  1. Locate the virtual WAN that you created. On the virtual WAN page, under the Connectivity section, select Hubs.

  2. On the Hubs page, select +New Hub to open the Create virtual hub page.

    Screenshot shows the Create virtual hub pane with the Basics tab selected.

  3. On the Create virtual hub page Basics tab, complete the following fields:

    • Region (previously referred to as Location)
    • Name
    • Hub private address space - The minimum address space for a hub is /24. Anything from /25 through /32 produces an error during creation. You don't need to explicitly plan the subnet address space for the services in the virtual hub. Because Azure Virtual WAN is a managed service, it creates the appropriate subnets in the virtual hub for the different gateways and services (for example, VPN gateways, ExpressRoute gateways, User VPN point-to-site gateways, Firewall, routing, and so on).

Create a site-to-site VPN gateway

  1. On the Create virtual hub page, click Site to site to open the Site to site tab.

    Screenshot shows the Create virtual hub pane with Site to site selected.

  2. On the Site to site tab, complete the following fields:

    • Select Yes to create a Site-to-site VPN.
    • The AS Number field cannot be edited.
    • Select the Gateway scale units value from the dropdown. The scale unit lets you pick the aggregate throughput of the VPN gateway being created in the virtual hub to connect sites to. If you pick 1 scale unit = 500 Mbps, it implies that two instances for redundancy will be created, each having a maximum throughput of 500 Mbps. For example, if you had five branches, each doing 10 Mbps at the branch, you will need an aggregate of 50 Mbps at the head end. Planning for aggregate capacity of the Azure VPN gateway should be done after assessing the capacity needed to support the number of branches to the hub.
    • Select the appropriate Routing preference. Azure routing preference enables you to choose how your traffic routes between Azure and the Internet. You can choose to route traffic either via the Microsoft network, or, via the ISP network (public internet). These options are also referred to as cold potato routing and hot potato routing, respectively. The public IP address in Virtual WAN is assigned by the service based on the routing option selected. For more information about routing preference via Microsoft network or ISP, see the Routing preference article.
  3. Select Review + Create to validate.

  4. Select Create to create the hub. Creating a VPN gateway may take up to 30 minutes. After 30 minutes, Refresh to view the hub on the Hubs page. Select Go to resource to navigate to the resource.

Create a site

In this section, you create a site. Sites correspond to your physical locations. Create as many sites as you need. For example, if you have a branch office in NY, a branch office in London, and a branch office in LA, you'd create three separate sites. These sites contain your on-premises VPN device endpoints. You can create up to 1000 sites per virtual hub in a virtual WAN. If you have multiple hubs, you can create 1000 sites for each of those hubs. If you have a Virtual WAN partner CPE device, check with the partner to learn about their automation to Azure. Typically, automation implies a simple click experience to export large-scale branch information into Azure and set up connectivity from the CPE to the Azure Virtual WAN VPN gateway. For more information, see Automation guidance from Azure to CPE partners.

  1. On the portal page for your virtual wan, in the Connectivity section, select VPN sites to open the VPN sites page.

  2. On the VPN sites page, click +Create site.

  3. On the Create VPN Site page, on the Basics tab, complete the following fields:

    Screenshot shows Create VPN site page with the Basics tab open.

    • Region - Previously referred to as location. This is the location you want to create this site resource in.

    • Name - The name by which you want to refer to your on-premises site.

    • Device vendor - The name of the VPN device vendor (for example: Citrix, Cisco, Barracuda). Adding the device vendor can help the Azure Team better understand your environment in order to add additional optimization possibilities in the future, or to help you troubleshoot.

    • Private address space - The IP address space that is located on your on-premises site. Traffic destined for this address space is routed to your local site. This is required when BGP is not enabled for the site.

      Note

      If you edit the address space after creating the site (for example, add an additional address space) it can take 8-10 minutes to update the effective routes while the components are recreated.

  4. Select Links to add information about the physical links at the branch. If you have a Virtual WAN partner CPE device, check with them to see if this information is exchanged with Azure as a part of the branch information upload set up from their systems.

    Screenshot shows Create VPN site page with the Links tab open.

    • Link Name - A name you want to provide for the physical link at the VPN Site. Example: mylink1.

    • Link speed - This is the speed of the VPN device at the branch location. Example: 50, which means 50 Mbps is the speed of the VPN device at the branch site.

    • Link provider name - The provider of the physical link at the VPN Site. Example: ATT, Verizon.

    • Link IP address/FQDN - Public IP address of the on-premises device using this link. Optionally, you can provide the private IP address of your on-premises VPN device that is behind ExpressRoute. You can also include a fully qualified domain name. For example, something.contoso.com. The FQDN should be resolvable from the VPN gateway. This is possible if the DNS server hosting this FQDN is reachable over internet. IP address takes precedence when both IP address and FQDN are specified.

      Note

      • Supports one IPv4 address per FQDN. If the FQDN resolves to multiple IP addresses, the VPN gateway picks the first IPv4 address from the list. IPv6 addresses are not supported at this time.

      • VPN gateway maintains a DNS cache which is refreshed every 5 minutes. The gateway tries to resolve FQDNs for disconnected tunnels only. A gateway reset or configuration change can also trigger FQDN resolution.

    • Link Border Gateway Protocol - Configuring BGP on a virtual WAN link is equivalent to configuring BGP on an Azure VPN Gateway. Your on-premises BGP peer address must not be the same as the public IP address of your VPN device, and it must not lie within the private address space of the VPN site. Use a different IP address on the VPN device for your BGP peer IP; it can be an address assigned to the loopback interface on the device. Specify this address in the corresponding VPN site representing the location. For BGP prerequisites, see About BGP with Azure VPN Gateway. You can always edit a VPN link connection to update its BGP parameters (the peering IP on the link and the AS number).

  5. You can add or delete more links. Four links per VPN Site are supported. For example, if you have four ISPs (Internet service provider) at the branch location, you can create four links, one per each ISP, and provide the information for each link.

  6. Once you have finished filling out the fields, select Review + create to verify and create the site.

  7. Navigate to the virtual hub that you want, and clear the Hub association filter so that sites not yet connected to this hub are listed. Select your VPN site to connect it to the hub.

    Screenshot shows Connect to this hub.
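The link and BGP constraints listed in the site steps above (at most four links, an IPv4 public address or an FQDN per link with the IP taking precedence, a private address space when BGP is off, and a BGP peer IP that is neither the link's public IP nor inside the site's address space) can be checked before the values are typed into the portal. The code below is an added example written for this page, not Azure tooling; the Link and VpnSite classes are this example's own, and the site definitions in the demo are constructed.

```python
"""Sanity-check a VPN site definition against the rules in this tutorial.

Added example for this page (not Azure code). Standard library only; the
Link/VpnSite classes and the sample sites are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_LINKS_PER_SITE = 4


@dataclass
class Link:
    name: str
    speed_mbps: int
    provider: str
    ip_address: Optional[str] = None   # public IPv4 of the on-premises device
    fqdn: Optional[str] = None         # alternative to ip_address
    bgp_peer_ip: Optional[str] = None  # set only when BGP is enabled on the link
    bgp_asn: Optional[int] = None


@dataclass
class VpnSite:
    name: str
    private_address_space: list[str] = field(default_factory=list)
    links: list[Link] = field(default_factory=list)


def link_endpoint(link: Link) -> Optional[str]:
    """What the gateway will dial: the IP wins when both IP and FQDN are set."""
    return link.ip_address or link.fqdn


def check_site(site: VpnSite) -> list[str]:
    """Return the problems found; an empty list means the site is consistent."""
    problems: list[str] = []
    if len(site.links) > MAX_LINKS_PER_SITE:
        problems.append(f"{len(site.links)} links; at most {MAX_LINKS_PER_SITE} per site")

    site_nets = [ipaddress.IPv4Network(c, strict=True) for c in site.private_address_space]
    bgp_anywhere = any(lk.bgp_peer_ip for lk in site.links)
    # Without BGP, the private address space is the only source of routes to the branch.
    if not bgp_anywhere and not site_nets:
        problems.append("private address space is required when BGP is not enabled")

    for lk in site.links:
        if link_endpoint(lk) is None:
            problems.append(f"{lk.name}: needs a public IP address or an FQDN")
        if lk.ip_address is not None:
            addr = ipaddress.ip_address(lk.ip_address)
            if addr.version != 4:
                problems.append(f"{lk.name}: {addr} is not IPv4; IPv6 endpoints are not supported")
        if lk.speed_mbps <= 0:
            problems.append(f"{lk.name}: link speed must be a positive number of Mbps")
        if lk.bgp_peer_ip is not None:
            peer = ipaddress.ip_address(lk.bgp_peer_ip)
            if lk.bgp_asn is None:
                problems.append(f"{lk.name}: BGP peer IP set without an AS number")
            if lk.ip_address and peer == ipaddress.ip_address(lk.ip_address):
                problems.append(f"{lk.name}: BGP peer IP must differ from the link's public IP")
            if any(peer in net for net in site_nets):
                problems.append(f"{lk.name}: BGP peer IP {peer} lies inside the site's private address space")
    return problems


if __name__ == "__main__":
    # Constructed sample: one branch with two ISP links, BGP on neither.
    ny = VpnSite("ny", ["10.10.0.0/16"], [
        Link("isp1", 50, "ATT", ip_address="203.0.113.10"),
        Link("isp2", 50, "Verizon", fqdn="ny.branch.example.com"),
    ])
    for issue in check_site(ny) or ["site definition is consistent"]:
        print(issue)
```

A peer IP on a loopback interface, as the tutorial suggests, passes both BGP checks as long as that loopback address is outside the site's private address space.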

Connect the VPN site to the hub

In this step, you connect your VPN site to the hub.

  1. Select Connect VPN Sites to open the Connect sites page.

    Screenshot shows the Connected Sites pane for Virtual HUB ready for a Pre-shared key and associated settings.

    Complete the following fields:

    • Enter a pre-shared key. If you don't enter a key, Azure autogenerates one for you. Either way, the key is written in plaintext to the device configuration file that you download later in this tutorial, so treat that file as a secret.
    • Select the Protocol and IPsec settings. For more information, see default/custom IPsec.
    • Select the appropriate option for Propagate Default Route. The Enable option allows the virtual hub to propagate a learned default route to this connection. This flag enables default route propagation to a connection only if the default route is already learned by the Virtual WAN hub as a result of deploying a firewall in the hub, or if another connected site has forced tunneling enabled. The default route does not originate in the Virtual WAN hub.
  2. Select Connect.

  3. After a few minutes, the site will show the connection and connectivity status.

    Screenshot shows a site to site connection and connectivity status.

    Connection Status: This is the status of the Azure resource for the connection that connects the VPN site to the Azure hub’s VPN gateway. Once this control plane operation is successful, Azure VPN gateway and the on-premises VPN device will proceed to establish connectivity.

    Connectivity Status: This is the actual connectivity (data path) status between Azure’s VPN gateway in the hub and VPN site. It can show any of the following states:

    • Unknown: This state is typically seen if the backend systems are working to transition to another status.
    • Connecting: Azure VPN gateway is trying to reach out to the actual on-premises VPN site.
    • Connected: Connectivity is established between Azure VPN gateway and on-premises VPN site.
    • Disconnected: This status is seen if, for any reason (on-premises or in Azure), the connection was disconnected.
  4. Within a hub VPN site, you can additionally do the following:

    • Edit or delete the VPN Connection.
    • Delete the site in the Azure portal.
    • Download a branch-specific configuration for details about the Azure side using the context (…) menu next to the site. If you want to download the configuration for all connected sites in your hub, select Download VPN Config on the top menu.

Connect the VNet to the hub

In this step, you create the connection between your hub and a VNet. Repeat these steps for each VNet that you want to connect.

  1. On the page for your virtual WAN, select Virtual network connections.

  2. On the virtual network connection page, select +Add connection.

  3. On the Add connection page, fill in the following fields:

    • Connection name - Name your connection.
    • Hubs - Select the hub you want to associate with this connection.
    • Subscription - Verify the subscription.
    • Virtual network - Select the virtual network you want to connect to this hub. The virtual network cannot have an already existing virtual network gateway.
  4. Select OK to create the connection.

Download VPN configuration

Use the VPN device configuration to configure your on-premises VPN device.

  1. On the page for your virtual WAN, click Overview.
  2. At the top of the Hub > VPN site page, click Download VPN config. Azure creates a storage account in the resource group 'microsoft-network-[location]', where location is the location of the WAN. The downloaded file contains the pre-shared key for every connected site, so restrict access to this storage account. After you have applied the configuration to your VPN devices, you can delete the storage account.
  3. Once the file has finished creating, you can click the link to download it.
  4. Apply the configuration to your on-premises VPN device.

About the VPN device configuration file

The device configuration file contains the settings to use when configuring your on-premises VPN device. When you view this file, notice the following information:

  • vpnSiteConfiguration - This section denotes the device details set up as a site connecting to the virtual WAN. It includes the name and public ip address of the branch device.

  • vpnSiteConnections - This section provides information about the following settings:

    • Address space of the virtual hub(s) VNet.
      Example:

      "AddressSpace":"10.1.0.0/24"
      
    • Address space of the VNets that are connected to the hub.
      Example:

      "ConnectedSubnets":["10.2.0.0/16","10.3.0.0/16"]
      
    • IP addresses of the virtual hub vpngateway. Because each connection of the vpngateway is composed of two tunnels in active-active configuration, you'll see both IP addresses listed in this file. In this example, you see "Instance0" and "Instance1" for each site.
      Example:

      "Instance0":"104.45.18.186"
      "Instance1":"104.45.13.195"
      
    • Vpngateway connection configuration details such as BGP, pre-shared key etc. The PSK is the pre-shared key that is automatically generated for you. You can always edit the connection in the Overview page for a custom PSK.

Example device configuration file

[
  {
    "configurationVersion":{
      "LastUpdatedTime":"2018-07-03T18:29:49.8405161Z",
      "Version":"r403583d-9c82-4cb8-8570-1cbbcd9983b5"
    },
    "vpnSiteConfiguration":{
      "Name":"testsite1",
      "IPAddress":"73.239.3.208"
    },
    "vpnSiteConnections":[
      {
        "hubConfiguration":{
          "AddressSpace":"10.1.0.0/24",
          "Region":"West Europe",
          "ConnectedSubnets":[
            "10.2.0.0/16",
            "10.3.0.0/16"
          ]
        },
        "gatewayConfiguration":{
          "IpAddresses":{
            "Instance0":"104.45.18.186",
            "Instance1":"104.45.13.195"
          }
        },
        "connectionConfiguration":{
          "IsBgpEnabled":false,
          "PSK":"bkOWe5dPPqkx0DfFE3tyuP7y3oYqAEbI",
          "IPsecParameters":{
            "SADataSizeInKilobytes":102400000,
            "SALifeTimeInSeconds":3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion":{
      "LastUpdatedTime":"2018-07-03T18:29:49.8405161Z",
      "Version":"1f33f891-e1ab-42b8-8d8c-c024d337bcac"
    },
    "vpnSiteConfiguration":{
      "Name":"testsite2",
      "IPAddress":"66.193.205.122"
    },
    "vpnSiteConnections":[
      {
        "hubConfiguration":{
          "AddressSpace":"10.1.0.0/24",
          "Region":"West Europe"
        },
        "gatewayConfiguration":{
          "IpAddresses":{
            "Instance0":"104.45.18.187",
            "Instance1":"104.45.13.195"
          }
        },
        "connectionConfiguration":{
          "IsBgpEnabled":false,
          "PSK":"XzODPyAYQqFs4ai9WzrJour0qLzeg7Qg",
          "IPsecParameters":{
            "SADataSizeInKilobytes":102400000,
            "SALifeTimeInSeconds":3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion":{
      "LastUpdatedTime":"2018-07-03T18:29:49.8405161Z",
      "Version":"cd1e4a23-96bd-43a9-93b5-b51c2a945c7"
    },
    "vpnSiteConfiguration":{
      "Name":"testsite3",
      "IPAddress":"182.71.123.228"
    },
    "vpnSiteConnections":[
      {
        "hubConfiguration":{
          "AddressSpace":"10.1.0.0/24",
          "Region":"West Europe"
        },
        "gatewayConfiguration":{
          "IpAddresses":{
            "Instance0":"104.45.18.187",
            "Instance1":"104.45.13.195"
          }
        },
        "connectionConfiguration":{
          "IsBgpEnabled":false,
          "PSK":"YLkSdSYd4wjjEThR3aIxaXaqNdxUwSo9",
          "IPsecParameters":{
            "SADataSizeInKilobytes":102400000,
            "SALifeTimeInSeconds":3600
          }
        }
      }
    ]
  }
]
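When the device is configured by hand rather than by a partner controller, the practical question is what the file above turns into: one IPsec tunnel per gateway instance per site, each carrying the hub address space plus the connected VNet prefixes, authenticated by that site's PSK. The following is an added example for this page, not Azure code and not any vendor's device controller. SAMPLE_CONFIG is a constructed file in the same shape as the example above, using documentation addresses and placeholder PSKs; the Tunnel class is this example's own.

```python
"""Build a tunnel plan from a downloaded Virtual WAN device configuration.

Added example for this page; it is not Azure code and not a vendor's device
controller. SAMPLE_CONFIG is a constructed file in the shape shown above,
with documentation addresses and placeholder PSKs.
"""
import json
from dataclasses import dataclass

SAMPLE_CONFIG = """[
  {
    "configurationVersion": {"LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
                             "Version": "00000000-0000-0000-0000-000000000001"},
    "vpnSiteConfiguration": {"Name": "testsite1", "IPAddress": "203.0.113.10"},
    "vpnSiteConnections": [{
      "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe",
                           "ConnectedSubnets": ["10.2.0.0/16", "10.3.0.0/16"]},
      "gatewayConfiguration": {"IpAddresses": {"Instance0": "198.51.100.186",
                                               "Instance1": "198.51.100.195"}},
      "connectionConfiguration": {"IsBgpEnabled": false,
                                  "PSK": "constructed-placeholder-psk",
                                  "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                                                      "SALifeTimeInSeconds": 3600}}
    }]
  },
  {
    "configurationVersion": {"LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
                             "Version": "00000000-0000-0000-0000-000000000002"},
    "vpnSiteConfiguration": {"Name": " testsite2", "IPAddress": "203.0.113.20"},
    "vpnSiteConnections": [{
      "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe"},
      "gatewayConfiguration": {"IpAddresses": {"Instance0": "198.51.100.186",
                                               "Instance1": "198.51.100.195"}},
      "connectionConfiguration": {"IsBgpEnabled": true,
                                  "PSK": "constructed-placeholder-psk-2",
                                  "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                                                      "SALifeTimeInSeconds": 3600}}
    }]
  }
]"""


@dataclass(frozen=True)
class Tunnel:
    site: str
    local_ip: str            # public IP of the on-premises device
    remote_ip: str           # one hub gateway instance
    remote_prefixes: tuple   # hub address space plus connected VNets
    psk: str                 # authenticates the tunnel: a secret
    sa_lifetime_s: int
    sa_data_kb: int
    bgp: bool


def plan_tunnels(config_text: str) -> list[Tunnel]:
    """One tunnel per gateway instance per site connection.

    The hub gateway is active-active, so both Instance0 and Instance1 must be
    configured on the device; a site with only one tunnel loses connectivity
    whenever Azure uses the instance that was skipped.
    """
    tunnels: list[Tunnel] = []
    for site in json.loads(config_text):
        # The example file above shows a site name with a leading space; normalise.
        name = site["vpnSiteConfiguration"]["Name"].strip()
        local_ip = site["vpnSiteConfiguration"]["IPAddress"]
        for conn in site["vpnSiteConnections"]:
            hub = conn["hubConfiguration"]
            # ConnectedSubnets may be absent, as for two of the three sites above.
            prefixes = (hub["AddressSpace"], *hub.get("ConnectedSubnets", []))
            cc = conn["connectionConfiguration"]
            ipsec = cc["IPsecParameters"]
            for _instance, remote_ip in sorted(conn["gatewayConfiguration"]["IpAddresses"].items()):
                tunnels.append(Tunnel(name, local_ip, remote_ip, prefixes, cc["PSK"],
                                      ipsec["SALifeTimeInSeconds"], ipsec["SADataSizeInKilobytes"],
                                      cc["IsBgpEnabled"]))
    return tunnels


def redacted(t: Tunnel) -> dict:
    """Log-safe view of a tunnel: everything except the PSK."""
    return {"site": t.site, "local": t.local_ip, "peer": t.remote_ip,
            "prefixes": list(t.remote_prefixes), "bgp": t.bgp, "psk": "<redacted>"}


if __name__ == "__main__":
    for tunnel in plan_tunnels(SAMPLE_CONFIG):
        print(redacted(tunnel))
```

Feed the real downloaded file to plan_tunnels and render each Tunnel into your device's own syntax; only ever log or paste the redacted view, since the PSK in the file is the whole of the tunnel's authentication.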

Configuring your VPN device

Note

If you are working with a Virtual WAN partner solution, VPN device configuration happens automatically. The device controller obtains the configuration file from Azure and applies it to the device to set up the connection to Azure. This means you don't need to know how to manually configure your VPN device.

If you need instructions to configure your device, you can use the instructions on the VPN device configuration scripts page with the following caveats:

  • The instructions on the VPN devices page are not written for Virtual WAN, but you can use the Virtual WAN values from the configuration file to manually configure your VPN device.
  • The downloadable device configuration scripts that are for VPN Gateway do not work for Virtual WAN, as the configuration is different.
  • A new Virtual WAN can support both IKEv1 and IKEv2.
  • Virtual WAN can use both policy based and route-based VPN devices and device instructions.

Configure your VPN gateway

You can view and configure your VPN gateway settings at any time by selecting View/Configure.

Screenshot that shows the 'VPN (Site-to-site)' page with an arrow pointing to the 'View/Configure' action.

On the Edit VPN Gateway page, you can see the following settings:

  • VPN Gateway Public IP address (assigned by Azure)

  • VPN Gateway Private IP address (assigned by Azure)

  • VPN Gateway Default BGP IP address (assigned by Azure)

  • Configuration option for Custom BGP IP Address: This field is reserved for APIPA (Automatic Private IP Addressing). Azure supports BGP peer IPs in the ranges 169.254.21.0/24 and 169.254.22.0/24. Azure accepts BGP sessions to addresses in these ranges, but sessions that Azure initiates itself use the default BGP IP.

    Screenshot shows the Edit VPN Gateway page with the Edit button highlighted.

Clean up resources

When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.

  1. Open the virtual WAN that you created.
  2. Select a virtual hub associated to the virtual WAN to open the hub page.
  3. Click Delete. Delete all entities (connections, gateways, etc.) in the hub. This can take 30 minutes to complete.
  4. You can either delete the hub at this point, or delete it later when you delete the resource group.
  5. Repeat for all hubs associated to the virtual WAN.
  6. Navigate to the resource group in the Azure portal.
  7. Select Delete resource group. This deletes everything in the resource group, including the hubs and the virtual WAN.

Next steps

Next, to learn more about Virtual WAN, see: