Add a Site-to-Site connection to a VNet with an existing VPN gateway connection

This article helps you add Site-to-Site (S2S) connections to a VPN gateway that has an existing connection by using the Azure portal. This type of connection is often referred to as a "multi-site" configuration. You can add a S2S connection to a VNet that already has a S2S connection, Point-to-Site connection, or VNet-to-VNet connection. There are some limitations when adding connections. Check the Before you begin section in this article to verify before you start your configuration.

This article applies to Resource Manager VNets that have a RouteBased VPN gateway. These steps do not apply to new ExpressRoute/Site-to-Site coexisting connection configurations. However, if you are merely adding a new VPN connection to an already existing coexist configuration, you can use these steps. See ExpressRoute/S2S coexisting connections for information about coexisting connections.

Deployment models and methods

Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model that you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.

We update this table as new articles and additional tools become available for this configuration. When an article is available, we link directly to it from this table.

Deployment model/method Azure portal PowerShell
Resource Manager Tutorial Supported
Classic Not Supported Tutorial

Before you begin

Verify the following items:

  • You are not configuring a new coexisting ExpressRoute and VPN Gateway configuration.
  • You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
  • The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  • None of the address ranges overlap for any of the VNets that this VNet is connecting to.
  • You have compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
  • You have an externally facing public IP address for your VPN device. This IP address cannot be located behind a NAT.

Part 1 - Configure a connection

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.

  2. Click All resources and locate your virtual network gateway from the list of resources and click it.

  3. On the Virtual network gateway page, click Connections.

    Connections page

  4. On the Connections page, click +Add.

    Add connection button

  5. On the Add connection page, fill out the following fields:

    • Name: The name you want to give to the site you are creating the connection to.

    • Connection type: Select Site-to-site (IPsec).

      Add connection page

Part 2 - Add a local network gateway

  1. Click Local network gateway Choose a local network gateway. This will open the Choose local network gateway page.

    Choose local network gateway

  2. Click Create new to open the Create local network gateway page.

    Create local network gateway page

  3. On the Create local network gateway page, fill out the following fields:

    • Name: The name you want to give to the local network gateway resource.
    • IP address: The public IP address of the VPN device on the site that you want to connect to.
    • Address space: The address space that you want to be routed to the new local network site.
  4. Click OK on the Create local network gateway page to save the changes.

Part 3 - Add the shared key and create the connection

  1. On the Add connection page, add the shared key that you want to use to create your connection. You can either get the shared key from your VPN device, or make one up here and then configure your VPN device to use the same shared key. The important thing is that the keys are exactly the same.

    Shared key

  2. At the bottom of the page, click OK to create the connection.

Part 4 - Verify the VPN connection

You can verify that your connection succeeded by using the 'Get-AzVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.

    Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1
  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. See the virtual machines learning path for more information.