This article is written for the classic deployment model. If you are new to Azure, we recommend that you use the Resource Manager deployment model. For information about the deployment models, see Understanding deployment models. To see the Resource Manager version of this article, select it from the drop-down list, or from the table of contents on the left.
This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the classic deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.
Before you begin
Verify that you have met the following criteria before beginning configuration:
- Verify that you want to work with the classic deployment model.

  > [!NOTE]
  > Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.
- A compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
- An externally facing public IPv4 IP address for your VPN device. This IP address cannot be located behind a NAT.
- If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
- Currently, PowerShell is required to specify the shared key and create the VPN gateway connection. Install the latest version of the Azure Service Management (SM) PowerShell cmdlets. For more information, see How to install and configure Azure PowerShell. When working with PowerShell for this configuration, make sure that you are running as administrator.
The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article.
- VNet Name: TestVNet1
- Address Space:
- 10.12.0.0/16 (optional for this exercise)
- FrontEnd: 10.11.0.0/24
- BackEnd: 10.12.0.0/24 (optional for this exercise)
- GatewaySubnet: 10.11.255.0/27
- Resource Group: TestRG1
- Location: East US
- DNS Server: 126.96.36.199 (optional for this exercise)
- Local site name: Site2
When you create a virtual network to use for a S2S connection, you need to make sure that the address spaces that you specify do not overlap with any of the client address spaces for the local sites that you want to connect to. If you have overlapping subnets, your connection won't work properly.
If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks.
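The overlap rule above (and the same rule for the local site's client address space later in this article) can be checked before anything is deployed. The following script is an added example, not part of the original article: it compares the VNet prefixes from the example values with a constructed set of on-premises prefixes and reports every pair that overlaps.

```powershell
# Added example (not from the original article): detect overlapping IPv4 prefixes
# between the virtual network and the local site's client address space.

function ConvertTo-Int64Address([string]$Ip) {
    # Dotted-quad -> integer, kept in [long] to avoid signed 32-bit wraparound.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [long]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + $b }
    return $n
}

function Get-PrefixRange([string]$Cidr) {
    # First and last address of a CIDR block, as integers.
    $ip, $len = $Cidr.Split('/')
    [long]$size  = [math]::Pow(2, 32 - [int]$len)
    [long]$start = [math]::Floor((ConvertTo-Int64Address $ip) / $size) * $size
    return @{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-PrefixOverlap($a, $b) {
    # Two ranges overlap when each one starts before the other one ends.
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# VNet address space and subnets from the article's example values.
$vnetPrefixes = @('10.12.0.0/16', '10.11.0.0/24', '10.12.0.0/24', '10.11.255.0/27')
# Constructed on-premises client address space: one clean prefix, one that collides.
$localSitePrefixes = @('192.168.0.0/16', '10.12.5.0/24')

$conflicts = foreach ($v in $vnetPrefixes) {
    foreach ($l in $localSitePrefixes) {
        if (Test-PrefixOverlap (Get-PrefixRange $v) (Get-PrefixRange $l)) {
            "VNet prefix $v overlaps local site prefix $l"
        }
    }
}

if ($conflicts) { $conflicts | Write-Warning } else { Write-Host 'No overlapping prefixes found.' }
```

With the constructed input, the script warns that 10.12.0.0/16 overlaps 10.12.5.0/24; fix the ranges before creating the local site, because the connection will not route correctly otherwise.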
If you don't already have a virtual network, create one. Screenshots are provided as examples. Be sure to replace the values with your own.
To create a virtual network
- From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
- Click New. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and click to open the Virtual Network blade.
- Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Classic, and then click Create.
- On the Create virtual network blade, configure the VNet settings. In this blade, you add your first address space and a single subnet address range. After you finish creating the VNet, you can go back and add additional subnets and address spaces.
- Verify that the Subscription is the correct one. You can change subscriptions by using the drop-down.
- Click Resource group and either select an existing resource group, or create a new one by typing a name for your new resource group. For more information about resource groups, visit Azure Resource Manager Overview.
- Next, select the Location settings for your VNet. The location determines where the resources that you deploy to this VNet will reside.
- Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click Create.
After clicking 'Create', a tile appears on the dashboard that reflects the progress of your VNet. The tile changes as the VNet is being created.
Once your virtual network has been created, you will see Created listed under Status on the networks page in the Azure classic portal.
After you create your virtual network, you can add additional address space. Adding additional address space is not a required part of a S2S configuration, but if you require multiple address spaces, use the following steps:
- Locate the virtual networks in the portal.
- On the blade for your virtual network, under the Settings section, click Address space.
- On the Address space blade, click +Add and enter additional address space.
DNS settings are not a required part of a S2S configuration, but DNS is necessary if you want name resolution.
After you create your virtual network, you can add the IP address of a DNS server to handle name resolution. Open the settings for your virtual network, click DNS servers, and add the IP address of the DNS server that you want to use for name resolution. This setting does not create a DNS server. In the example settings, we use a public DNS server. Typically you'd want to use a private DNS server. Be sure to add a DNS server that your resources can communicate with.
- Locate the virtual networks in the portal.
- On the blade for your virtual network, under the Settings section, click DNS servers.
- Add a DNS server.
- To save your settings, click Save at the top of the page.
The local site typically refers to your on-premises location. It contains the IP address of the VPN device to which you will create a connection, and the IP address ranges that will be routed through the VPN gateway to the VPN device.
- In the portal, navigate to the virtual network for which you want to create a gateway.
- On the blade for your virtual network, on the Overview blade, in the VPN connections section, click Gateway to open the New VPN Connection blade.
- On the New VPN Connection blade, select Site-to-site.
- Click Local site - Configure required settings to open the Local site blade. Configure the settings, and then click OK to save the settings.
- Name: Create a name for your local site to make it easy for you to identify.
- VPN gateway IP address: This is the public IP address of the VPN device for your on-premises network. The VPN device requires an IPv4 public IP address. Specify a valid public IP address for the VPN device to which you want to connect. It cannot be behind NAT and has to be reachable by Azure.
- Client Address space: List the IP address ranges that you want routed to the local on-premises network through this gateway. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks your virtual network connects to, or with the address ranges of the virtual network itself.
You must create a gateway subnet for your VPN gateway. The gateway subnet contains the IP addresses that the VPN gateway services use.
- On the New VPN Connection blade, select the checkbox Create gateway immediately. The 'Optional gateway configuration' blade appears. If you don't select the checkbox, you won't see the blade to configure the gateway subnet.
- Click Optional gateway configuration - Subnet, size, and routing type to open the Gateway configuration blade.
- On the Gateway Configuration blade, click Subnet - Configure required settings to open the Add subnet blade.
- On the Add subnet blade, add the gateway subnet. The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting /27 or /28. Using the larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.
- Select the gateway Size. This is the gateway SKU that you use to create your virtual network gateway. In the portal, the 'Default SKU' = Basic. For more information about gateway SKUs, see About VPN Gateway Settings.
- Select the Routing Type for your gateway. This is also known as the VPN type. It's important to select the correct gateway type because you cannot convert the gateway from one type to another. Your VPN device must be compatible with the routing type you select. For more information about VPN type, see About VPN Gateway Settings. You may see articles referring to 'RouteBased' and 'PolicyBased' VPN types. 'Dynamic' corresponds to 'RouteBased', and 'Static' corresponds to 'PolicyBased'.
- Click OK to save the settings.
- On the New VPN Connection blade, click OK at the bottom of the blade to begin creating your virtual network gateway. This can take up to 45 minutes to complete.
Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:
- A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
- The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI.
See the following links for configuration information:
- For information about compatible VPN devices, see VPN Devices.
- Before configuring your VPN device, check for any Known device compatibility issues for the VPN device that you want to use.
- For links to device configuration settings, see Validated VPN Devices. The device configuration links are provided on a best-effort basis. It's always best to check with your device manufacturer for the latest configuration information.
- For information about editing device configuration samples, see Editing samples.
- For cryptographic requirements, see About cryptographic requirements and Azure VPN gateways.
- For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE parameters for Site-to-Site VPN gateway connections.
- For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections.
In this step, you set the shared key and create the connection. The key you set must be the same key that was used in your VPN device configuration.
Currently, this step is not available in the Azure portal. You must use the Service Management (SM) version of the Azure PowerShell cmdlets.
Step 1. Connect to your Azure account
Open your PowerShell console with elevated rights and connect to your account. Use the following example to help you connect:
Check the subscriptions for the account.
If you have more than one subscription, select the subscription that you want to use.
```powershell
Select-AzureSubscription -SubscriptionId "Replace_with_your_subscription_ID"
```
Step 2. Set the shared key and create the connection
When working with PowerShell and the classic deployment model, the names of resources shown in the portal are sometimes not the names that Azure expects to see when using PowerShell. The following steps help you export the network configuration file to obtain the exact values for the names.
Create a directory on your computer and then export the network configuration file to the directory. In this example, the network configuration file is exported to C:\AzureNet.
```powershell
Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml
```
Open the network configuration file with an xml editor and check the values for 'LocalNetworkSite name' and 'VirtualNetworkSite name'. Modify the example to reflect the values. When specifying a name that contains spaces, use single quotation marks around the value.
Set the shared key and create the connection. The '-SharedKey' is a value that you generate and specify. In the example, we used 'abc123', but you can (and should) generate and use something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.
```powershell
Set-AzureVNetGatewayKey -VNetName 'Group TestRG1 TestVNet1' `
  -LocalNetworkSiteName 'D1BFC9CB_Site2' -SharedKey abc123
```
When the connection is created, the result is: Status: Successful.
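Steps 1 and 2 above, carried through as one script, as an added example that is not part of the original article. It assumes the Azure Service Management (SM) PowerShell module is installed, that the VNet (TestVNet1) and local site (Site2) were created as described, that the subscription ID is a placeholder you replace, and it uses two cmdlets the article does not mention (Get-AzureVNetGateway and Get-AzureVNetConnection) to check the result. Instead of 'abc123', it generates a random shared key and reads the exact site and VNet names from the exported network configuration file.

```powershell
# Added example (not from the original article): sign in, pick the subscription,
# read the exact resource names from the exported configuration, generate a strong
# shared key, set it on the gateway, and check the connection state.

Add-AzureAccount                           # interactive sign-in to the classic (SM) API
Get-AzureSubscription | Select-Object SubscriptionName, SubscriptionId
Select-AzureSubscription -SubscriptionId 'Replace_with_your_subscription_ID'   # placeholder

# Export the network configuration; the names in it can differ from the portal's display names.
$exportDir  = 'C:\AzureNet'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$configPath = Join-Path $exportDir 'NetworkConfig.xml'
Get-AzureVNetConfig -ExportToFile $configPath | Out-Null

[xml]$netCfg = Get-Content -Path $configPath
$vnetCfg  = $netCfg.NetworkConfiguration.VirtualNetworkConfiguration
$vnetName = ($vnetCfg.VirtualNetworkSites.VirtualNetworkSite |
             Where-Object { $_.name -like '*TestVNet1*' }).name   # e.g. 'Group TestRG1 TestVNet1'
$siteName = ($vnetCfg.LocalNetworkSites.LocalNetworkSite |
             Where-Object { $_.name -like '*Site2*' }).name       # e.g. 'D1BFC9CB_Site2'
"VNet name for PowerShell: $vnetName"
"Local site name for PowerShell: $siteName"

# Generate the shared key from a cryptographic RNG rather than choosing something like 'abc123'.
# 32 random bytes, hex-encoded: 64 printable characters that any VPN device accepts.
$rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$keyBytes = New-Object byte[] 32
$rng.GetBytes($keyBytes)
$sharedKey = ($keyBytes | ForEach-Object { $_.ToString('x2') }) -join ''
# $sharedKey is the value to enter on the on-premises VPN device; do not log it.

# Set the key on the Azure side, which creates the connection to the local site.
Set-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $siteName -SharedKey $sharedKey

# Verify: gateway state and public IP, then the per-site connectivity state.
Get-AzureVNetGateway -VNetName $vnetName | Select-Object State, VIPAddress
Get-AzureVNetConnection -VNetName $vnetName |
    Select-Object LocalNetworkSiteName, ConnectivityState
```

The VIPAddress shown by Get-AzureVNetGateway is the gateway public IP address that the VPN device configuration in the previous section needs.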
In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.
- In the Azure portal, click All resources and navigate to your classic virtual network.
- On the virtual network blade, click Overview to access the VPN connections section of the blade.
- On the VPN connections graphic, click the site.
- On the Site-to-site VPN connections blade, view the information about your site.
- To view more information about the connection, click the name of the connection to open the Site-to-site VPN Connection blade.
Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines.