Create a route-based VPN gateway using the Azure portal
This article helps you quickly create a route-based Azure VPN gateway using the Azure portal. A VPN gateway is used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect VNets.
The steps in this article will create a VNet, a subnet, a gateway subnet, and a route-based VPN gateway (virtual network gateway). Once the gateway creation has completed, you can then create connections. These steps require an Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
Create a virtual network
To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. Use the Example values if you are using these steps as a tutorial. If you are not doing these steps as a tutorial, be sure to replace the values with your own. For more information about working with virtual networks, see the Virtual Network Overview.
In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet's address space. Take care to plan your network configuration accordingly.
From the Azure portal menu, select Create a resource.
In the Search the marketplace field, type 'virtual network'. Locate Virtual network from the returned list and click to open the Virtual Network page.
Click Create. This opens the Create virtual network page.
On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red exclamation mark becomes a green check mark when the characters entered in the field are valid. Use the following values:
- Name: VNet1
- Address space: 10.1.0.0/16
- Subscription: Verify that the subscription listed is the one you want to use. You can change subscriptions by using the drop-down.
- Resource group: TestRG1 (click Create new to create a new group)
- Location: East US
- Subnet: Frontend
- Address range: 10.1.0.0/24
Leave DDoS as Basic, Service endpoints as Disabled, and Firewall as Disabled.
Click Create to create the VNet.
Configure and create the gateway
In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.
If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.
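The address-range coordination, the gateway subnet sizing and the two portal errors described above can be checked before you touch the portal. The following is an added example, not code from this article or from Azure; it uses the tutorial values (VNet1 with 10.1.0.0/16 and the Frontend subnet 10.1.0.0/24) and an assumed on-premises range of 192.168.0.0/16 as a placeholder.

```python
import ipaddress

# Constructed from this article's tutorial values: VNet1 uses 10.1.0.0/16 with a
# Frontend subnet of 10.1.0.0/24. The on-premises range is an assumed placeholder
# for whatever the on-premises network administrator carves out for you.
VNET_ADDRESS_SPACE = ["10.1.0.0/16"]
EXISTING_SUBNETS = {"Frontend": "10.1.0.0/24"}
ON_PREMISES_RANGES = ["192.168.0.0/16"]


def check_gateway_subnet(gateway_subnet, vnet_space=VNET_ADDRESS_SPACE,
                         subnets=EXISTING_SUBNETS):
    """Check a proposed GatewaySubnet range before entering it in the portal.
    Returns {"errors": [...], "warnings": [...]}; no errors means neither portal
    error (not contained in address space / overlaps a subnet) will trigger."""
    errors, warnings = [], []
    try:
        gw = ipaddress.ip_network(gateway_subnet, strict=True)
    except ValueError:
        return {"errors": ["not a valid network address (host bits set?)"],
                "warnings": []}
    # The gateway subnet must lie inside one of the VNet's address prefixes.
    if not any(gw.subnet_of(ipaddress.ip_network(s)) for s in vnet_space):
        errors.append("not contained within the VNet address space")
    # It must not overlap any subnet already defined in the VNet. A default
    # subnet spanning the whole address space makes every candidate fail here.
    for name, cidr in subnets.items():
        if gw.overlaps(ipaddress.ip_network(cidr)):
            errors.append(f"overlaps subnet {name} ({cidr})")
    # Size guidance from the article: /27 or larger recommended, /28 at minimum.
    if gw.prefixlen > 28:
        errors.append(f"/{gw.prefixlen} is too small; use /27 or /28")
    elif gw.prefixlen == 28:
        warnings.append("/28 works, but /27 or larger is recommended")
    return {"errors": errors, "warnings": warnings}


def check_remote_overlap(vnet_space=VNET_ADDRESS_SPACE,
                         remote_ranges=ON_PREMISES_RANGES):
    """List (VNet prefix, remote prefix) pairs that overlap. Any overlap means
    VPN traffic will not route as expected, so fix the ranges before connecting."""
    return [(str(v), str(r))
            for v in map(ipaddress.ip_network, vnet_space)
            for r in map(ipaddress.ip_network, remote_ranges)
            if v.overlaps(r)]
```

Run `check_gateway_subnet("10.1.255.0/27")` for the tutorial layout to confirm a clean result, and pass `subnets={"default": "10.1.0.0/16"}` to reproduce the case where a default subnet consumes the whole address space.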
In the portal, on the left side, click + Create a resource and type 'Virtual Network Gateway' in the search field. Locate Virtual network gateway in the search results and click the entry. On the Virtual network gateway page, click Create. This opens the Create virtual network gateway page.
On the Create virtual network gateway page, fill in the values for your virtual network gateway.
- Subscription: Select the subscription you want to use from the dropdown.
- Resource Group: This setting is autofilled when you select your virtual network on this page.
- Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
- Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
- Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
- VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
- SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
- Virtual network: Choose the virtual network to which you want to add this gateway.
- Gateway subnet address range: This field only appears if the virtual network you selected does not have a gateway subnet. Fill in the range if you don't already have a gateway subnet. If possible, make the range /27 or larger (/26, /25, etc.).
- Public IP address: This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
  - Public IP address: Leave Create new selected.
  - Public IP address name: In the text box, type a name for your public IP address instance.
  - Assignment: VPN gateway supports only Dynamic.
- Active-Active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.
- Configure BGP ASN: Leave this deselected, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.
Click Review + Create to run validation. Once validation passes, click Create to deploy the VPN gateway. A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway.
After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.
The Basic gateway SKU does not support IKEv2 or RADIUS authentication. If you plan on having Mac clients connect to your virtual network, do not use the Basic SKU.
When working with gateway subnets, avoid associating a network security group (NSG) with the gateway subnet. Associating a network security group with this subnet may cause your virtual network gateway (VPN or ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?
View the VPN gateway
After the gateway is created, navigate to VNet1 in the portal. The VPN gateway appears on the Overview page as a connected device.
In the device list, click VNet1GW to view more information.
Once the gateway has finished creating, you can create a connection between your virtual network and another VNet. Or, create a connection between your virtual network and an on-premises location.