Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

This tutorial shows you how to use Virtual WAN to connect to your resources in Azure over an IPsec/IKE (IKEv1 and IKEv2) VPN connection. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about Virtual WAN, see the Virtual WAN Overview.

In this tutorial you learn how to:

  • Create a virtual WAN
  • Create a hub
  • Create a site
  • Connect a VPN site to a hub
  • Connect a VNet to a hub
  • Download a configuration file
  • Configure your VPN gateway

Note

If you have many sites, you typically would use a Virtual WAN partner to create this configuration. However, you can create this configuration yourself if you are comfortable with networking and proficient at configuring your own VPN device.

Virtual WAN diagram

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the Quickstart.

  • Your virtual network does not have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways first. In this configuration the virtual network connects to the Virtual WAN hub gateway instead of to a gateway of its own.

  • Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub cannot overlap with any of your existing virtual networks that you connect to. It also cannot overlap with your address ranges that you connect to on premises. If you are unfamiliar with the IP address ranges located in your on-premises network configuration, coordinate with someone who can provide those details for you.

  • If you don't have an Azure subscription, create a free account.
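The overlap rules above are easy to get wrong once several VNets and branches are involved. The following Python check is an added example, not part of the tutorial or of Microsoft's tooling: it takes a proposed plan and reports any violation of the prerequisites (the hub prefix must be /24 or larger, which the hub-creation step later in this tutorial enforces, and the hub, the VNets and the on-premises ranges must be pairwise disjoint). It also flags two VNets that overlap each other, which the prerequisites do not spell out but which breaks routing through a single hub just the same. The function name and argument layout are this example's own.

```python
"""Address-plan check for a Virtual WAN hub (added example, not Microsoft's code)."""
import ipaddress
from itertools import combinations

HUB_MIN_PREFIXLEN = 24  # hub creation rejects anything smaller than a /24


def _network(kind, text, problems):
    """Parse a prefix, recording (rather than raising) a malformed one."""
    try:
        return ipaddress.ip_network(text, strict=True)  # host bits set => error
    except ValueError as exc:
        problems.append(f"{kind} {text!r} is not a valid network prefix: {exc}")
        return None


def check_address_plan(hub_prefix, vnet_prefixes, on_prem_prefixes):
    """Return the problems with a plan; an empty list means it meets the prerequisites.

    hub_prefix        the hub's private address space, e.g. "10.1.0.0/24"
    vnet_prefixes     address spaces of the VNets that will connect to the hub
    on_prem_prefixes  address ranges behind the on-premises VPN devices
    """
    problems = []
    labelled = ([("hub", hub_prefix)]
                + [("vnet", p) for p in vnet_prefixes]
                + [("on-prem", p) for p in on_prem_prefixes])
    nets = []
    for kind, text in labelled:
        net = _network(kind, text, problems)
        if net is None:
            continue
        if kind == "hub" and net.prefixlen > HUB_MIN_PREFIXLEN:
            problems.append(f"hub {net} is smaller than /{HUB_MIN_PREFIXLEN}; creation will fail")
        nets.append((kind, net))
    # Every range reachable through the hub must be disjoint from every other one.
    for (kind_a, net_a), (kind_b, net_b) in combinations(nets, 2):
        if net_a.overlaps(net_b):
            problems.append(f"{kind_a} {net_a} overlaps {kind_b} {net_b}")
    return problems
```

Run it with the hub prefix you intend to use, the address spaces of the VNets you will attach, and the ranges your network team gives you for each branch; fix every reported problem before creating the hub, since the hub address space cannot be changed afterwards without recreating it.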

Create a virtual WAN

From a browser, navigate to the Azure portal and sign in with your Azure account.

  1. Navigate to the Virtual WAN page. In the portal, click +Create a resource. Type Virtual WAN into the search box and select Enter.

  2. Select Virtual WAN from the results. On the Virtual WAN page, click Create to open the Create WAN page.

  3. On the Create WAN page, on the Basics tab, fill in the following fields:

    Virtual WAN

    • Subscription - Select the subscription that you want to use.
    • Resource group - Create new or use existing.
    • Resource group location - Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to more easily manage and locate the WAN resource that you create.
    • Name - Type the Name that you want to call your WAN.
    • Type: Basic or Standard. If you create a Basic WAN, you can create only a Basic hub. Basic hubs are capable of VPN site-to-site connectivity only.
  4. After you finish filling out the fields, select Review +Create.

  5. Once validation passes, select Create to create the virtual WAN.

Create a hub

A hub is a virtual network that can contain gateways for site-to-site, ExpressRoute, or point-to-site functionality. Once the hub is created, you'll be charged for the hub, even if you don't attach any sites. It takes about 30 minutes to create the site-to-site VPN gateway in the virtual hub.

  1. Locate the Virtual WAN that you created. On the Virtual WAN page, under the Connectivity section, select Hubs.

  2. On the Hubs page, select +New Hub to open the Create virtual hub page.

    Basics

  3. On the Create virtual hub page Basics tab, complete the following fields:

    Project details

    • Region (previously referred to as Location)
    • Name
    • Hub private address space. The minimum address space is /24; any range from /25 to /32 produces an error during creation. Because Azure Virtual WAN is a managed service, it creates the subnets in the virtual hub for the different gateways and services (VPN gateways, ExpressRoute gateways, User VPN/Point-to-site gateways, Firewall, routing, and so on). You do not need to plan subnet address space for those services yourself.
  4. Select Next: Site-to-site.

    Site-to-site

  5. On the Site-to-site tab, complete the following fields:

    • Select Yes to create a Site-to-site VPN.
    • The AS Number field is not editable in the virtual hub at this time.
    • Select the Gateway scale units value from the dropdown. The scale unit sets the aggregate throughput of the VPN gateway created in the virtual hub to connect sites to. 1 scale unit = 500 Mbps, which means two instances are created for redundancy, each with a maximum throughput of 500 Mbps. For example, if you had five branches, each doing 10 Mbps at the branch, you would need an aggregate of 50 Mbps at the head end. Plan the aggregate capacity of the Azure VPN gateway only after assessing the capacity needed for the number of branches connecting to the hub.
  6. Select Review + Create to validate.

  7. Select Create to create the hub. After 30 minutes, Refresh to view the hub on the Hubs page. Select Go to resource to navigate to the resource.

Create a site

You are now ready to create the sites corresponding to your physical locations. Create as many sites as you need. For example, if you have a branch office in NY, a branch office in London, and a branch office in LA, you'd create three separate sites. These sites contain your on-premises VPN device endpoints. You can create up to 1000 sites per Virtual Hub in a Virtual WAN. If you have multiple hubs, you can create 1000 per each of those hubs. If you have a Virtual WAN partner CPE device, check with the partner to learn about their automation to Azure. Typically automation means a simple click experience to export large-scale branch information into Azure and set up connectivity from the CPE to the Azure Virtual WAN VPN gateway. For more information, see Automation guidance from Azure to CPE partners.

  1. On the portal page for your virtual wan, in the Connectivity section, select VPN sites to open the VPN sites page.

  2. On the VPN sites page, click +Create site.

    Basics

  3. On the Create VPN Site page, on the Basics tab, complete the following fields:

    • Region - Previously referred to as location. This is the location you want to create this site resource in.
    • Name - The name by which you want to refer to your on-premises site.
    • Device vendor - The name of the VPN device vendor (for example: Citrix, Cisco, Barracuda). Doing so can help the Azure Team better understand your environment to add additional optimization possibilities in the future, or to help you troubleshoot.
    • Border Gateway Protocol - Enable implies all connections from the site will be BGP enabled. You will eventually set up the BGP information for each link from the VPN Site in the Links section. Configuring BGP on a Virtual WAN is equivalent to configuring BGP on an Azure virtual network gateway VPN. Your on-premises BGP peer address must not be the same as the public IP address of your VPN device or the VNet address space of the VPN site. Use a different IP address on the VPN device for your BGP peer IP. It can be an address assigned to the loopback interface on the device. However, it cannot be an APIPA (169.254.x.x) address. Specify this address in the corresponding VPN site representing the location. For BGP prerequisites, see About BGP with Azure VPN Gateway. You can always edit a VPN connection to update its BGP parameters (Peering IP on the link and the AS number) once the VPN Site BGP setting is enabled.
    • Private address space - The IP address space that is located on your on-premises site. Traffic destined for this address space is routed to your local site. This is required when BGP is not enabled for the site.
    • Hubs - The hub that you want your Site to connect to. A site can only be connected to the hubs that have a VPN Gateway. If you do not see a hub, create a VPN gateway in that hub first.
  4. Select Links to add information about the physical links at the branch. If you have a virtual wan partner CPE device, check with them to see if this information is exchanged with Azure as a part of the branch information upload set up from their systems.

    links

    • Link Name - A name you want to provide for the physical link at the VPN Site. Example: mylink1.

    • Provider Name - The name of the physical link at the VPN Site. Example: ATT, Verizon.

    • Speed - This is the speed of the VPN device at the branch location. Example: 50, which means 50 Mbps is the speed of the VPN device at the branch site.

    • IP Address/FQDN - Public IP address of the on-premises device using this link. Optionally, you can provide the private IP address of your on-premises VPN device that is behind ExpressRoute. You can also include a fully qualified domain name. For example, something.contoso.com. The FQDN should be resolvable from the VPN gateway. This is possible if the DNS server hosting this FQDN is reachable over internet. IP address takes precedence when both IP address and FQDN are specified.

      Note

      • Supports one IPv4 address per FQDN. If the FQDN resolves to multiple IP addresses, the VPN gateway picks the first IPv4 address from the list. IPv6 addresses are not supported at this time.
      • VPN gateway maintains a DNS cache which is refreshed every 5 minutes. The gateway tries to resolve FQDNs for disconnected tunnels only. A gateway reset or configuration change can also trigger FQDN resolution.
  5. You can use the checkbox to add or delete links. Four links per VPN Site are supported. For example, if you have four ISPs (Internet service providers) at the branch location, you can create four links, one per ISP, and provide the information for each link.

  6. Once you have finished filling out the fields, select Review + create to verify and create the site.

  7. View the status on the VPN sites page. The site will go to Connection Needed because the site has not yet been connected to the hub.
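The site form above carries several constraints that the portal only reports one at a time. As an added example (not code from the tutorial, and not an Azure API), the Python function below checks a site definition against the rules stated in these steps before you type it in: at most four links; each link needs a public IP address or an FQDN, and only IPv4 is supported; a private address space is required when BGP is disabled; and with BGP enabled, the peer IP must differ from the link's public IP, must not be an APIPA address, and must not lie inside the site's private address space. The dict layout and the function name are assumptions of this example.

```python
"""Checks for a Virtual WAN VPN site definition (added example, not Microsoft's code)."""
import ipaddress

MAX_LINKS_PER_SITE = 4
APIPA = ipaddress.ip_network("169.254.0.0/16")  # not allowed as an on-premises BGP peer


def check_vpn_site(site):
    """Validate a site given as a dict; returns a list of problems (empty means OK).

    Layout assumed by this example (constructed, not an Azure schema):
      {"name": str, "bgp_enabled": bool, "private_address_space": [prefix, ...],
       "links": [{"name": str, "ip": str | None, "fqdn": str | None,
                  "bgp_peer_ip": str | None}, ...]}
    """
    problems = []
    links = site.get("links", [])
    if not links:
        problems.append("site has no links")
    if len(links) > MAX_LINKS_PER_SITE:
        problems.append(f"{len(links)} links configured; at most {MAX_LINKS_PER_SITE} are supported")

    private_space = [ipaddress.ip_network(p) for p in site.get("private_address_space", [])]
    if not site.get("bgp_enabled") and not private_space:
        problems.append("BGP is disabled, so a private address space is required")

    for link in links:
        name = link.get("name", "<unnamed>")
        ip_text, fqdn = link.get("ip"), link.get("fqdn")
        if not ip_text and not fqdn:
            problems.append(f"link {name}: needs a public IP address or an FQDN")
            continue
        public_ip = None
        if ip_text:  # the IP address takes precedence over an FQDN when both are given
            public_ip = ipaddress.ip_address(ip_text)
            if public_ip.version != 4:
                problems.append(f"link {name}: {public_ip} is not IPv4; IPv6 endpoints are not supported")
        if not site.get("bgp_enabled"):
            continue
        peer_text = link.get("bgp_peer_ip")
        if not peer_text:
            problems.append(f"link {name}: BGP is enabled but no peer IP is given")
            continue
        peer = ipaddress.ip_address(peer_text)
        if public_ip is not None and peer == public_ip:
            problems.append(f"link {name}: BGP peer IP must differ from the link's public IP")
        if peer in APIPA:
            problems.append(f"link {name}: BGP peer IP {peer} is APIPA, which is not allowed on-premises")
        if any(peer in net for net in private_space):
            problems.append(f"link {name}: BGP peer IP {peer} lies inside the site's private address space")
    return problems
```

A loopback address outside the site's advertised range, as the step above suggests, passes every check here; the APIPA rule applies to the on-premises side only, since the hub side of the peering is what the later "Configure your VPN gateway" step reserves the 169.254.21.x and 169.254.22.x ranges for.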

Connect the VPN site to the hub

In this step, you connect your VPN site to the hub.

  1. Select Connect VPN Sites to open the Connect sites page.

    connect

    Complete the following fields:

    • Enter a pre-shared key. If you don't enter a key, Azure autogenerates one for you. Either way, the key is written in clear text into the VPN configuration file you download later, so handle that file as a secret.
    • Select the Protocol and IPsec settings. Refer to the default/custom IPsec details at https://docs.microsoft.com/azure/virtual-wan/virtual-wan-ipsec
    • Select the appropriate option for Propagate Default Route. The Enable option allows the virtual hub to propagate a learned default route to this connection. This flag enables default route propagation to a connection only if the default route is already learned by the Virtual WAN hub as a result of deploying a firewall in the hub, or if another connected site has forced tunneling enabled. The default route does not originate in the Virtual WAN hub.
  2. Select Connect.

  3. In a few minutes, the site will show the connection and connectivity status.

    status

    Connection Status: This is the status of the Azure resource for the connection that connects the VPN Site to the Azure hub’s VPN gateway. Once this control plane operation is successful, Azure VPN gateway and the on-premises VPN device will proceed to establish connectivity.

    Connectivity Status: This is the actual connectivity (data path) status between Azure’s VPN gateway in the hub and VPN Site. It can show any of the following states:

    • Unknown: This state is typically seen if the backend systems are working to transition to another status.
    • Connecting: Azure VPN gateway is trying to reach out to the actual on-premises VPN site.
    • Connected: Connectivity is established between Azure VPN gateway and on-premises VPN site.
    • Disconnected: This status is seen if, for any reason (on-premises or in Azure), the connection was disconnected.
  4. Within a hub VPN site, you can additionally do the following:

    • Edit or delete the VPN Connection.
    • Delete the site in the Azure portal.
    • Download a branch-specific configuration for details about the Azure side using the context (…) menu next to the site. If you want to download the configuration for all connected sites in your hub, select Download VPN Config on the top menu.

Connect the VNet to the hub

In this step, you create the connection between your hub and a VNet. Repeat these steps for each VNet that you want to connect.

  1. On the page for your virtual WAN, click Virtual network connections.

  2. On the virtual network connection page, click +Add connection.

  3. On the Add connection page, fill in the following fields:

    • Connection name - Name your connection.
    • Hubs - Select the hub you want to associate with this connection.
    • Subscription - Verify the subscription.
    • Virtual network - Select the virtual network you want to connect to this hub. The virtual network cannot have an already existing virtual network gateway.
  4. Click OK to create the virtual network connection.

Download VPN configuration

Use the VPN device configuration to configure your on-premises VPN device.

  1. On the page for your virtual WAN, click Overview.
  2. At the top of the Hub -> VPNSite page, click Download VPN config. Azure creates a storage account in the resource group 'microsoft-network-[location]', where location is the location of the WAN. The file placed there contains the pre-shared key of every connection in clear text, so restrict access to that storage account and delete it after you have applied the configuration to your VPN devices.
  3. Once the file has finished creating, you can click the link to download it.
  4. Apply the configuration to your on-premises VPN device.

Understanding the VPN device configuration file

The device configuration file contains the settings to use when configuring your on-premises VPN device. When you view this file, notice the following information:

  • vpnSiteConfiguration - This section denotes the device details set up as a site connecting to the virtual WAN. It includes the name and public IP address of the branch device.

  • vpnSiteConnections - This section provides information about the following settings:

    • Address space of the virtual hub(s) VNet
      Example:

      "AddressSpace":"10.1.0.0/24"
      
    • Address space of the VNets that are connected to the hub
      Example:

      "ConnectedSubnets":["10.2.0.0/16","10.3.0.0/16"]
      
    • IP addresses of the virtual hub vpngateway. Because each connection of the vpngateway is composed of two tunnels in active-active configuration, you'll see both IP addresses listed in this file. In this example, you see "Instance0" and "Instance1" for each site.
      Example:

      "Instance0":"104.45.18.186"
      "Instance1":"104.45.13.195"
      
    • Vpngateway connection configuration details such as BGP, pre-shared key etc. The PSK is the pre-shared key that is automatically generated for you. You can always edit the connection in the Overview page for a custom PSK.

Example device configuration file

[
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "r403583d-9c82-4cb8-8570-1cbbcd9983b5"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite1",
      "IPAddress": "73.239.3.208"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe",
          "ConnectedSubnets": [
            "10.2.0.0/16",
            "10.3.0.0/16"
          ]
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.186",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "bkOWe5dPPqkx0DfFE3tyuP7y3oYqAEbI",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "1f33f891-e1ab-42b8-8d8c-c024d337bcac"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite2",
      "IPAddress": "66.193.205.122"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe"
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.187",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "XzODPyAYQqFs4ai9WzrJour0qLzeg7Qg",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "cd1e4a23-96bd-43a9-93b5-b51c2a945c7"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite3",
      "IPAddress": "182.71.123.228"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe"
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.187",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "YLkSdSYd4wjjEThR3aIxaXaqNdxUwSo9",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  }
]
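Because the device configuration scripts for VPN Gateway do not apply to Virtual WAN, the values in this file have to be carried into the on-premises device by hand or by your own tooling. The Python below is an added example, not Microsoft's code and not any VPN vendor's: it parses the downloaded file (the first two sites of the sample above, wrapped in the JSON array the download actually is, trimmed to the fields used, and kept as constructed sample data), flattens it into one tunnel per gateway instance, reviews it for things a practitioner should not ship (short or reused PSKs, a site with BGP off and no ConnectedSubnets, malformed prefixes), and renders strongSwan swanctl.conf connections. Three inputs are assumptions of the example because the file does not carry them: the site's own private address space (local_ts), and the IKE and ESP proposals, which must match the default or custom IPsec policy you chose on the connection.

```python
"""Turn a Virtual WAN device configuration file into on-premises IPsec settings.

Added example, not Microsoft's or any VPN vendor's code. It parses the JSON that
"Download VPN config" produces, reviews it, and renders strongSwan swanctl.conf
connections, one per gateway instance, because each site gets two tunnels.
"""
import ipaddress
import json

# The page's example file for two sites, wrapped in the JSON array the download
# actually contains and trimmed to the fields used below (constructed sample).
SAMPLE_CONFIG = """[
 {"vpnSiteConfiguration": {"Name": "testsite1", "IPAddress": "73.239.3.208"},
  "vpnSiteConnections": [{
   "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe",
                        "ConnectedSubnets": ["10.2.0.0/16", "10.3.0.0/16"]},
   "gatewayConfiguration": {"IpAddresses": {"Instance0": "104.45.18.186",
                                            "Instance1": "104.45.13.195"}},
   "connectionConfiguration": {"IsBgpEnabled": false,
    "PSK": "bkOWe5dPPqkx0DfFE3tyuP7y3oYqAEbI",
    "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                        "SALifeTimeInSeconds": 3600}}}]},
 {"vpnSiteConfiguration": {"Name": " testsite2", "IPAddress": "66.193.205.122"},
  "vpnSiteConnections": [{
   "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe"},
   "gatewayConfiguration": {"IpAddresses": {"Instance0": "104.45.18.187",
                                            "Instance1": "104.45.13.195"}},
   "connectionConfiguration": {"IsBgpEnabled": false,
    "PSK": "XzODPyAYQqFs4ai9WzrJour0qLzeg7Qg",
    "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                        "SALifeTimeInSeconds": 3600}}}]}
]"""


def parse_tunnels(config_text):
    """One record per (site, hub connection, gateway instance)."""
    tunnels = []
    for site in json.loads(config_text):
        name = site["vpnSiteConfiguration"]["Name"].strip()  # the sample has " testsite2"
        site_ip = site["vpnSiteConfiguration"]["IPAddress"]
        for conn in site["vpnSiteConnections"]:
            hub, cc = conn["hubConfiguration"], conn["connectionConfiguration"]
            # traffic for the hub itself and for every VNet behind it enters the tunnel
            remote_ts = [hub["AddressSpace"]] + hub.get("ConnectedSubnets", [])
            for instance, gw_ip in sorted(conn["gatewayConfiguration"]["IpAddresses"].items()):
                tunnels.append({"name": f"azure-{name}-{instance.lower()}",
                                "local_ip": site_ip, "remote_ip": gw_ip,
                                "remote_ts": remote_ts, "psk": cc["PSK"],
                                "bgp": cc["IsBgpEnabled"],
                                "sa_seconds": cc["IPsecParameters"]["SALifeTimeInSeconds"],
                                "sa_kbytes": cc["IPsecParameters"]["SADataSizeInKilobytes"]})
    return tunnels


def review_tunnels(tunnels, min_psk_len=32):
    """Things to fix before the file leaves the operator's hands."""
    findings = []
    sites_per_psk = {}
    for t in tunnels:
        sites_per_psk.setdefault(t["psk"], set()).add(t["local_ip"])
        if len(t["psk"]) < min_psk_len:
            findings.append(f"{t['name']}: PSK shorter than {min_psk_len} characters")
        if not t["bgp"] and len(t["remote_ts"]) == 1:
            findings.append(f"{t['name']}: BGP off and no ConnectedSubnets, so only the "
                            f"hub prefix {t['remote_ts'][0]} is reachable")
        for prefix in t["remote_ts"]:
            ipaddress.ip_network(prefix)  # a malformed prefix fails here, not on the device
    for sites in sites_per_psk.values():
        if len(sites) > 1:
            findings.append(f"one PSK is shared by {len(sites)} sites; use a key per site")
    return findings


def render_swanctl(tunnels, local_ts, ike_proposal, esp_proposal):
    """swanctl.conf text. local_ts is the site's private address space (not in the
    file); the proposals must match the IPsec policy chosen on the connection."""
    conns, secrets = ["connections {"], ["secrets {"]
    for t in tunnels:
        conns += [f"    {t['name']} {{", "        version = 2",
                  f"        local_addrs = {t['local_ip']}",
                  f"        remote_addrs = {t['remote_ip']}",
                  f"        proposals = {ike_proposal}", "        dpd_delay = 30s",
                  "        local {", "            auth = psk",
                  f"            id = {t['local_ip']}", "        }",
                  "        remote {", "            auth = psk",
                  f"            id = {t['remote_ip']}", "        }",
                  "        children {", "            azure {",
                  f"                local_ts = {','.join(local_ts)}",
                  f"                remote_ts = {','.join(t['remote_ts'])}",
                  f"                esp_proposals = {esp_proposal}",
                  f"                rekey_time = {t['sa_seconds'] * 9 // 10}s",  # rekey before the hard limit
                  f"                life_time = {t['sa_seconds']}s",
                  f"                life_bytes = {t['sa_kbytes'] * 1024}",
                  "                start_action = start",
                  "                dpd_action = restart",
                  "            }", "        }", "    }"]
        secrets += [f"    ike-{t['name']} {{", f"        id = {t['remote_ip']}",
                    f'        secret = "{t["psk"]}"', "    }"]
    return "\n".join(conns + ["}"] + secrets + ["}"]) + "\n"
```

The IKE identities are the public IP addresses on both sides, which matches the tutorial's requirement that the on-premises device itself hold an externally facing public IP; a device behind NAT would need a different local id. The rendered secrets section carries the PSKs in clear text, so generate the file on the device or inject the keys from a secret store rather than committing the output.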

Configuring your VPN device

Note

If you are working with a Virtual WAN partner solution, VPN device configuration happens automatically. The device controller obtains the configuration file from Azure and applies it to the device to set up the connection to Azure. This means you don't need to know how to manually configure your VPN device.

If you need instructions to configure your device, you can use the instructions on the VPN device configuration scripts page with the following caveats:

  • The instructions on the VPN devices page are not written for Virtual WAN, but you can use the Virtual WAN values from the configuration file to manually configure your VPN device.
  • The downloadable device configuration scripts that are for VPN Gateway do not work for Virtual WAN, as the configuration is different.
  • A new Virtual WAN can support both IKEv1 and IKEv2.
  • Virtual WAN can use both policy based and route-based VPN devices and device instructions.

Configure your VPN gateway

You can view and configure your VPN gateway settings at any time by selecting View/Configure.

View configuration

On the Edit VPN Gateway page, you can see the following settings:

  • VPN Gateway Public IP address (assigned by Azure)

  • VPN Gateway Private IP address (assigned by Azure)

  • VPN Gateway Default BGP IP address (assigned by Azure)

  • Configuration option for Custom BGP IP Address: This field is reserved for APIPA (Automatic Private IP Addressing). Azure supports BGP IP in the ranges 169.254.21.* and 169.254.22.*


Next steps

To learn more about Virtual WAN, see the Virtual WAN Overview page.