Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over an IPsec/IKE (IKEv1 and IKEv2) VPN connection. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about Virtual WAN, see the Virtual WAN Overview.

Note

If you have many sites, you typically would use a Virtual WAN partner to create this configuration. However, you can create this configuration yourself if you are comfortable with networking and proficient at configuring your own VPN device.

Virtual WAN diagram

In this tutorial, you learn how to:

  • Create a WAN
  • Create a site
  • Create a hub
  • Connect a hub to a site
  • Create a compatible VNet (if you don't already have one)
  • Connect a VNet to a hub
  • Download and apply the VPN device configuration
  • View your virtual WAN
  • View resource health
  • Monitor a connection

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • If you already have a virtual network that you want to connect to, verify that none of the subnets of your on-premises network overlap with the virtual networks that you want to connect to. Your virtual network does not require a gateway subnet and cannot have any virtual network gateways. If you do not have a virtual network, you can create one using the steps in this article.
  • Obtain an IP address range for your hub region. The hub is a virtual network, and the address range that you specify for it cannot overlap with any of the existing virtual networks that you connect to, or with the on-premises address ranges that you connect to. If you are unfamiliar with the IP address ranges in your on-premises network configuration, coordinate with someone who can provide those details for you.
  • If you don't have an Azure subscription, create a free account before you begin.
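The non-overlap rule above is easy to get wrong once a deployment has several sites and VNets, so the following added example (not code from this tutorial) checks an address plan pairwise with Python's standard ipaddress module. The plan is constructed: 10.1.0.0/24, 10.2.0.0/16 and 10.30.0.0/16 are the hub and VNet prefixes that appear later in the tutorial's example configuration file; the site prefixes are invented. Python is used here rather than PowerShell only so the check can run anywhere.

```python
"""Pairwise address-space check for a Virtual WAN address plan.

Added example; it is not code from the Azure tutorial. It implements the
rule in "Before you begin": the hub range, every VNet you connect and every
on-premises site range must be mutually non-overlapping. ADDRESS_PLAN is
constructed: the hub and VNet prefixes match the tutorial's example
configuration file, the site prefixes are invented.
"""
import ipaddress
from itertools import combinations

# Constructed address plan: label -> list of CIDR prefixes.
ADDRESS_PLAN = {
    "hub/WestEurope": ["10.1.0.0/24"],
    "vnet/WANVNet1": ["10.2.0.0/16"],
    "vnet/WANVNet2": ["10.30.0.0/16"],
    "site/testsite1": ["192.168.10.0/24"],
    "site/testsite2": ["192.168.20.0/24"],
}


def parse_plan(plan):
    """Return [(label, ip_network)], rejecting prefixes with host bits set
    (strict=True) so that a typo such as 10.1.0.5/24 fails instead of being
    silently rounded to the enclosing network."""
    return [(label, ipaddress.ip_network(p, strict=True))
            for label, prefixes in plan.items() for p in prefixes]


def find_overlaps(plan):
    """Return every overlapping pair as (label_a, prefix_a, label_b, prefix_b),
    in plan order. An empty list means the plan satisfies the rule."""
    conflicts = []
    for (la, na), (lb, nb) in combinations(parse_plan(plan), 2):
        # overlaps() is true for any shared address, including one prefix
        # fully inside the other; an IPv4/IPv6 pair can never overlap.
        if na.version == nb.version and na.overlaps(nb):
            conflicts.append((la, str(na), lb, str(nb)))
    return conflicts


def plan_is_valid(plan):
    return not find_overlaps(plan)


if __name__ == "__main__":
    print("base plan valid:", plan_is_valid(ADDRESS_PLAN))
    # The 10.1.0.0/16 VNet created in step 5 of the tutorial could not be
    # connected to a hub whose range is 10.1.0.0/24: the hub sits inside it.
    with_step5_vnet = {**ADDRESS_PLAN, "vnet/WANVNet1": ["10.1.0.0/16"]}
    for la, na, lb, nb in find_overlaps(with_step5_vnet):
        print(f"conflict: {la} {na} overlaps {lb} {nb}")
```

Run it before creating the hub and again before each new VNet connection or site; the second check in the script shows why the VNet prefix in step 5 must be chosen together with the hub prefix, not independently.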

1. Create a virtual WAN

From a browser, navigate to the Azure portal and sign in with your Azure account.

  1. Navigate to the Virtual WAN page. One way to navigate to the page is to go to All services, and then search for Virtual WAN.

  2. Click +Add to open the Create WAN page.

  3. On the Create WAN page, fill in the following fields:

    • Name - Type the name that you want to call your WAN.
    • Subscription - Select the subscription that you want to use.
    • Resource Group - Create new or use existing.
    • Resource Location - Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to more easily manage and locate the WAN resource that you create.
  4. After you finish filling out the fields, click Create.

2. Create a site

Create as many sites as you need that correspond to your physical locations. For example, if you have a branch office in NY, a branch office in London, and a branch office in LA, you'd create three separate sites. These sites contain your on-premises VPN device endpoints. At this time, you can specify only one private address space for your site.

  1. Click the WAN you created. On the WAN page, under WAN Architecture, click VPN sites to open the VPN sites page.

  2. On the VPN sites page, click +Create site.

  3. On the Create site page, fill in the following fields:

    • Name - The name by which you want to refer to your on-premises site.
    • Public IP address - The public IP address of the VPN device that resides on your on-premises site.
    • Private address space - This is the IP address space that is located on your on-premises site. Traffic destined for this address space is routed to your local site.
    • Subscription - Verify the subscription.
    • Resource Group - The resource group you want to use.
    • Location
  4. Click Show advanced to view additional settings. You can select BGP to enable BGP, which will enable BGP functionality on all connections created for this site in Azure. You can also enter Device information (optional fields). Doing so can help the Azure Team better understand your environment to add additional optimization possibilities in the future, or to help you troubleshoot.

  5. Click Confirm.

  6. After you click Confirm, view the status on the VPN sites page. The site will go from Provisioning to Provisioned.

3. Create a hub

A hub contains the gateway. Once the hub is created, you'll be charged for the hub, even if you don't attach any sites. Creating the hub and gateway takes about 30 minutes.

  1. Locate the Virtual WAN that you created. On the Virtual WAN page, under the Virtual WAN architecture section, click Hubs.

  2. On the Hubs page, click +New Hub to open the Create virtual hub page.

  3. On the Create virtual hub page, complete the following fields:

    • Location
    • Name
    • Hub private address space

Click Confirm to create the hub. Click Refresh to view the hub on the Hubs page.

4. Associate the sites with the hub

Hubs should generally be associated with sites that are in the same region as the VNet.

  1. On the VPN sites page, select the site or sites that you want to associate with the hub, then click +New hub association.
  2. On the Associate sites with one or more hubs page, select a hub from the dropdown. You can associate a site with additional hubs by clicking +Add an association.
  3. You can also enter a specific PSK here, or use the default, which Azure generates for you. If you enter your own PSK, use a long random value. In either case the PSK is written into the downloadable device configuration file, so treat that file as a secret.
  4. Click Confirm.
  5. You can view the connection status on the VPN sites page.

5. Create a virtual network

If you do not already have a VNet, you can quickly create one using PowerShell or the Azure portal. If you already have a VNet, verify that it meets the required criteria and does not have a virtual network gateway.

To quickly create a VNet, open a PowerShell console in Azure Cloud Shell, or use a local PowerShell session with the Az module installed. Adjust the values, then copy and paste the commands into the console window.

Be sure to verify that the address space for the VNet that you create does not overlap with any of the address ranges for other VNets that you want to connect to, or with your on-premises network address spaces.

Create a resource group

If you don't already have a resource group that you want to use, create a new one. Adjust the PowerShell commands to reflect the resource group name you want to use, then run the following cmdlet:

New-AzResourceGroup -ResourceGroupName WANTestRG -Location WestUS

Create a VNet

Adjust the PowerShell commands to create a VNet that is compatible for your environment.

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name FrontEnd -AddressPrefix "10.1.0.0/24"
$vnet   = New-AzVirtualNetwork `
            -Name WANVNet1 `
            -ResourceGroupName WANTestRG `
            -Location WestUS `
            -AddressPrefix "10.1.0.0/16" `
            -Subnet $fesub1

6. Connect your VNet to a hub

In this step, you create the peering connection between your hub and a VNet. Repeat these steps for each VNet that you want to connect.

  1. On the page for your virtual WAN, click Virtual network connections.

  2. On the virtual network connection page, click +Add connection.

  3. On the Add connection page, fill in the following fields:

    • Connection name - Name your connection.
    • Hubs - Select the hub you want to associate with this connection.
    • Subscription - Verify the subscription.
    • Virtual network - Select the virtual network you want to connect to this hub. The virtual network cannot have an already existing virtual network gateway.
  4. Click OK to create the peering connection.

7. Download VPN configuration

Use the VPN device configuration to configure your on-premises VPN device.

  1. On the page for your virtual WAN, click Overview.
  2. At the top of the Overview page, click Download VPN configuration. Azure creates a storage account in the resource group 'microsoft-network-[location]', where location is the location of the WAN. Because the downloaded file contains the pre-shared key for every site, restrict access to that storage account, and delete it after you have applied the configuration to your VPN devices.
  3. Once the file has finished creating, you can click the link to download it.
  4. Apply the configuration to your VPN device.

Understanding the VPN device configuration file

The device configuration file is JSON with one object per site. It contains the settings to use when configuring your on-premises VPN device. When you view this file, notice the following information:

  • vpnSiteConfiguration - This section describes the device that was set up as a site connecting to the virtual WAN. It includes the name and public IP address of the branch device.

  • vpnSiteConnections - This section provides information about the following settings:

    • Address space of the virtual hub(s) VNet
      Example:

      "AddressSpace":"10.1.0.0/24"
      
    • Address space of the VNets that are connected to the hub
      Example:

      "ConnectedSubnets":["10.2.0.0/16","10.30.0.0/16"]
      
    • IP addresses of the virtual hub vpngateway. Because each connection of the vpngateway is composed of two tunnels in active-active configuration, you'll see both IP addresses listed in this file. In this example, you see "Instance0" and "Instance1" for each site.
      Example:

      "Instance0":"104.45.18.186"
      "Instance1":"104.45.13.195"
      
    • Vpngateway connection configuration details, such as whether BGP is enabled, the pre-shared key, and the IPsec SA lifetime. The PSK is the pre-shared key that Azure generates automatically for you. You can always edit the connection on the Overview page to set a custom PSK.

Example device configuration file

[
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "r403583d-9c82-4cb8-8570-1cbbcd9983b5"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite1",
      "IPAddress": "73.239.3.208"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe",
          "ConnectedSubnets": [
            "10.2.0.0/16",
            "10.30.0.0/16"
          ]
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.186",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "bkOWe5dPPqkx0DfFE3tyuP7y3oYqAEbI",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "1f33f891-e1ab-42b8-8d8c-c024d337bcac"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite2",
      "IPAddress": "66.193.205.122"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe"
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.187",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "XzODPyAYQqFs4ai9WzrJour0qLzeg7Qg",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "cd1e4a23-96bd-43a9-93b5-b51c2a945c7"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite3",
      "IPAddress": "182.71.123.228"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe"
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.187",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "YLkSdSYd4wjjEThR3aIxaXaqNdxUwSo9",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  }
]
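When you configure devices by hand, it helps to pull the values out of this file programmatically and to review them before a PSK is typed into anything. The following added example (not code from this tutorial) parses the file format shown above and audits it. The embedded sample is constructed: "testsite1" reuses the values from the tutorial's example file, while "branchB" is invented to trigger findings. The 32-character PSK minimum is this example's own policy (the length of the PSKs Azure generates), not an Azure requirement, and the audit rules are the author's, not Azure's.

```python
"""Parse and audit a Virtual WAN VPN device configuration file.

Added example; it is not code from the Azure tutorial. It reads the JSON
that "Download VPN configuration" produces, extracts what the on-premises
device needs (gateway instance IPs, PSK, IPsec SA parameters, prefixes to
route into the tunnels) and flags settings to fix before deployment.
SAMPLE_CONFIG is constructed: "testsite1" matches the tutorial's example
file, "branchB" is invented (it omits configurationVersion, which the
parser does not read). MIN_PSK_LEN is this example's policy.
"""
import ipaddress
import json

SAMPLE_CONFIG = '''[
 {"configurationVersion": {"LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
                           "Version": "r403583d-9c82-4cb8-8570-1cbbcd9983b5"},
  "vpnSiteConfiguration": {"Name": "testsite1", "IPAddress": "73.239.3.208"},
  "vpnSiteConnections": [{
    "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe",
                         "ConnectedSubnets": ["10.2.0.0/16", "10.30.0.0/16"]},
    "gatewayConfiguration": {"IpAddresses": {"Instance0": "104.45.18.186",
                                             "Instance1": "104.45.13.195"}},
    "connectionConfiguration": {"IsBgpEnabled": false,
                                "PSK": "bkOWe5dPPqkx0DfFE3tyuP7y3oYqAEbI",
                                "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                                                    "SALifeTimeInSeconds": 3600}}}]},
 {"vpnSiteConfiguration": {"Name": " branchB", "IPAddress": "192.168.1.1"},
  "vpnSiteConnections": [{
    "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe"},
    "gatewayConfiguration": {"IpAddresses": {"Instance0": "104.45.18.187",
                                             "Instance1": "104.45.18.187"}},
    "connectionConfiguration": {"IsBgpEnabled": false, "PSK": "changeme",
                                "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                                                    "SALifeTimeInSeconds": 3600}}}]}
]'''

MIN_PSK_LEN = 32  # example policy: the length of the PSKs Azure generates


def load_device_config(text):
    """Return the per-site objects. The tutorial prints the objects without
    the enclosing array, so accept that form as well as a JSON array."""
    text = text.strip()
    if not text.startswith("["):
        text = "[" + text + "]"
    return json.loads(text)


def parse_sites(text):
    """Flatten the file into one record per (site, hub connection)."""
    records = []
    for site in load_device_config(text):
        cfg = site["vpnSiteConfiguration"]
        for conn in site["vpnSiteConnections"]:
            hub = conn["hubConfiguration"]
            ips = conn["gatewayConfiguration"]["IpAddresses"]
            cc = conn["connectionConfiguration"]
            records.append({
                "site": cfg["Name"].strip(),  # names may carry stray spaces
                "site_ip": cfg["IPAddress"],
                "hub_region": hub["Region"],
                "hub_prefix": hub["AddressSpace"],
                "connected_subnets": list(hub.get("ConnectedSubnets", [])),
                "instances": [ips[k] for k in sorted(ips)],  # Instance0, Instance1
                "bgp": cc["IsBgpEnabled"],
                "psk": cc["PSK"],
                "sa_lifetime_s": cc["IPsecParameters"]["SALifeTimeInSeconds"],
                "sa_data_kb": cc["IPsecParameters"]["SADataSizeInKilobytes"],
            })
    return records


def remote_prefixes(record):
    """Prefixes the device must route into the tunnels: the hub's own range
    plus every VNet connected to that hub."""
    return [record["hub_prefix"]] + record["connected_subnets"]


def audit(records):
    """Return (site, finding) pairs for settings to fix before deployment."""
    findings, first_site_with_psk = [], {}
    for r in records:
        if len(r["psk"]) < MIN_PSK_LEN:
            findings.append((r["site"], f"PSK shorter than {MIN_PSK_LEN} characters"))
        if r["psk"] in first_site_with_psk:
            findings.append((r["site"], f"PSK reused from site {first_site_with_psk[r['psk']]}"))
        first_site_with_psk.setdefault(r["psk"], r["site"])
        if len(set(r["instances"])) < 2:
            findings.append((r["site"], "fewer than two distinct gateway instance IPs"))
        if not ipaddress.ip_address(r["site_ip"]).is_global:
            findings.append((r["site"], f"site IP {r['site_ip']} is not a public address"))
    return findings


def redact(record):
    """Copy of a record that is safe to paste into a ticket or log."""
    return {**record, "psk": "<redacted>"}


if __name__ == "__main__":
    recs = parse_sites(SAMPLE_CONFIG)
    for r in recs:
        print(r["site"], "->", r["instances"], "routes", redact(r)["hub_prefix"], remote_prefixes(r))
    for site, finding in audit(recs):
        print(f"FINDING {site}: {finding}")
```

Both tunnel endpoints (Instance0 and Instance1) belong in the device configuration, since the gateway is active-active; the duplicate-instance and short-PSK checks are the two mistakes most likely to go unnoticed on a device that still shows the tunnel as up.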

Configuring your VPN device

Note

If you are working with a Virtual WAN partner solution, VPN device configuration happens automatically. The device controller obtains the configuration file from Azure and applies it to the device to set up the connection to Azure. This means you don't need to know how to manually configure your VPN device.

If you need instructions to configure your device, you can use the instructions on the VPN device configuration scripts page with the following caveats:

  • The instructions on the VPN devices page are not written for Virtual WAN, but you can use the Virtual WAN values from the configuration file to manually configure your VPN device.
  • The downloadable device configuration scripts that are for VPN Gateway do not work for Virtual WAN, because the configuration is different.
  • Virtual WAN supports both IKEv1 and IKEv2.
  • Virtual WAN can only use route-based VPN devices and device instructions.

8. View your virtual WAN

  1. Navigate to the virtual WAN.
  2. On the Overview page, each point on the map represents a hub. Hover over any point to view the hub health summary.
  3. In the Hubs and connections section, you can view hub status, site, region, VPN connection status, and bytes in and out.

9. View your resource health

  1. Navigate to your WAN.
  2. On your WAN page, in the SUPPORT + Troubleshooting section, click Health and view your resource.

10. Monitor a connection

Create a connection monitor to monitor communication between an Azure VM and a remote site. For information about how to set up a connection monitor, see Monitor network communication. The source field is the VM IP in Azure, and the destination IP is the site IP.

11. Clean up resources

When you no longer need these resources, you can use Remove-AzResourceGroup to remove the resource group and all of the resources it contains. Replace "myResourceGroup" with the name of your resource group and run the following PowerShell command:

Remove-AzResourceGroup -Name myResourceGroup -Force

Next steps

In this tutorial, you learned how to:

  • Create a WAN
  • Create a site
  • Create a hub
  • Connect a hub to a site
  • Connect a VNet to a hub
  • Download and apply the VPN device configuration
  • View your virtual WAN
  • View resource health
  • Monitor a connection

To learn more about Virtual WAN, see the Virtual WAN Overview page.