Add additional S2S connections to a VNet: Azure portal

This article helps you add additional Site-to-Site (S2S) connections to a VPN gateway that has an existing connection. This architecture is often referred to as a "multi-site" configuration. You can add a S2S connection to a VNet that already has a S2S connection, Point-to-Site connection, or VNet-to-VNet connection. There are some limitations when adding connections. Check the Prerequisites section in this article to verify before you start your configuration.

This article applies to Resource Manager VNets that have a RouteBased VPN gateway. These steps do not apply to new ExpressRoute/Site-to-Site coexisting connection configurations. However, if you are merely adding a new VPN connection to an already existing coexist configuration, you can use these steps. See ExpressRoute/S2S coexisting connections for information about coexisting connections.

Prerequisites

Verify the following items:

  • You are not configuring a new coexisting ExpressRoute and VPN Gateway configuration.
  • You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
  • The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  • None of the address ranges overlap for any of the VNets that this VNet is connecting to.
  • You have compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
  • You have an externally facing public IP address for your VPN device.

Configure a connection

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.

  2. Select All resources and locate your virtual network gateway from the list of resources and select it.

  3. On the Virtual network gateway page, select Connections.

    VPN gateway connections

  4. On the Connections page, select +Add.

  5. This opens the Add connection page.

    Add connection page

  6. On the Add connection page, fill out the following fields:

    • Name: The name you want to give to the site you are creating the connection to.
    • Connection type: Select Site-to-site (IPsec).

Add a local network gateway

  1. For the Local network gateway field, select Choose a local network gateway. This opens the Choose local network gateway page.

  2. Select + Create new to open the Create local network gateway page.

    Create local network gateway page

  3. On the Create local network gateway page, fill out the following fields:

    • Name: The name you want to give to the local network gateway resource.
    • Endpoint: The public IP address of the VPN device on the site that you want to connect to, or the FQDN of the endpoint.
    • Address space: The address space that you want to be routed to the new local network site.
  4. Select OK on the Create local network gateway page to save the changes.

Add the shared key

  1. After creating the local network gateway, return to the Add connection page.
  2. Complete the remaining fields. For the Shared key (PSK), you can either get the shared key from your VPN device, or make one up here and then configure your VPN device to use the same shared key. The important thing is that the keys are exactly the same.

Create the connection

  1. At the bottom of the page, select OK to create the connection. The connection begins creating immediately.
  2. Once the connection completes, you can view and verify it.

View and verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.

  2. Select to your virtual network gateway.

  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

    Verify VPN Gateway connection using the Azure portal

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual machines learning paths.