Add a Site-to-Site connection to a VNet with an existing VPN gateway connection

This article walks you through using the Azure portal to add Site-to-Site (S2S) connections to a VPN gateway that has an existing connection. This type of connection is often referred to as a "multi-site" configuration. You can add a S2S connection to a VNet that already has a S2S connection, Point-to-Site connection, or VNet-to-VNet connection. There are some limitations when adding connections. Check the Before you begin section in this article to verify before you start your configuration.

This article applies to VNets created using the Resource Manager deployment model that have a RouteBased VPN gateway. These steps do not apply to ExpressRoute/Site-to-Site coexisting connection configurations. See ExpressRoute/S2S coexisting connections for information about coexisting connections.

Deployment models and methods

Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model that you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.

We update this table as new articles and additional tools become available for this configuration. When an article is available, we link directly to it from this table.

Deployment Model/Method Azure Portal Classic Portal PowerShell
Resource Manager Article Not Supported Supported
Classic Not Supported Not Supported Article

Before you begin

Verify the following items:

  • You are not creating an ExpressRoute/S2S coexisting connection.
  • You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
  • The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  • None of the address ranges overlap for any of the VNets that this VNet is connecting to.
  • You have compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
  • You have an externally facing public IP address for your VPN device. This IP address cannot be located behind a NAT.

Part 1 - Configure a connection

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
  2. Click All resources and locate your virtual network gateway from the list of resources and click it.
  3. On the Virtual network gateway blade, click Connections.

    Connections blade

  4. On the Connections blade, click +Add.

    Add connection button

  5. On the Add connection blade, fill out the following fields:

    • Name: The name you want to give to the site you are creating the connection to.
    • Connection type: Select Site-to-site (IPsec).

      Add connection blade

Part 2 - Add a local network gateway

  1. Click Local network gateway Choose a local network gateway. This will open the Choose local network gateway blade.

    Choose local network gateway

  2. Click Create new to open the Create local network gateway blade.

    Create local network gateway blade

  3. On the Create local network gateway blade, fill out the following fields:

    • Name: The name you want to give to the local network gateway resource.
    • IP address: The public IP address of the VPN device on the site that you want to connect to.
    • Address space: The address space that you want to be routed to the new local network site.
  4. Click OK on the Create local network gateway blade to save the changes.

Part 3 - Add the shared key and create the connection

  1. On the Add connection blade, add the shared key that you want to use to create your connection. You can either get the shared key from your VPN device, or make one up here and then configure your VPN device to use the same shared key. The important thing is that the keys are exactly the same.

    Shared key

  2. At the bottom of the blade, click OK to create the connection.

Part 4 - Verify the VPN connection

You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.

    Get-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName MyRG
    
  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431
    

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. See the virtual machines learning path for more information.