Create a Site-to-Site connection using the Azure portal (classic)
This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and offers more options and feature compatibility than the classic deployment model. For more information about the deployment models, see Understanding deployment models.
For the Resource Manager version of this article, select it from the drop-down list below, or from the table of contents on the left.
This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the classic deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.
Before you begin
Verify that you have met the following criteria before beginning configuration:
- Verify that you want to work in the classic deployment model. If you want to work in the Resource Manager deployment model, see Create a Site-to-Site connection (Resource Manager). When possible, we recommend that you use the Resource Manager deployment model.
- Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
- Verify that you have an externally facing public IPv4 address for your VPN device. This IP address cannot be located behind a NAT.
- If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.
- Currently, PowerShell is required to specify the shared key and create the VPN gateway connection. Install the latest version of the Azure Service Management (SM) PowerShell cmdlets. For more information, see How to install and configure Azure PowerShell. When working with PowerShell for this configuration, make sure that you are running as administrator.
Sample configuration values for this exercise
The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article.
- VNet Name: TestVNet1
- Address Space:
- 10.12.0.0/16 (optional for this exercise)
- FrontEnd: 10.11.0.0/24
- BackEnd: 10.12.0.0/24 (optional for this exercise)
- GatewaySubnet: 10.11.255.0/27
- Resource Group: TestRG1
- Location: East US
- DNS Server: 10.11.0.3 (optional for this exercise)
- Local site name: Site2
- Client address space: The address space that is located on your on-premises site.
1. Create a virtual network
When you create a virtual network to use for a S2S connection, you need to make sure that the address spaces that you specify do not overlap with any of the client address spaces for the local sites that you want to connect to. If you have overlapping subnets, your connection won't work properly.
If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks.
If you don't already have a virtual network, create one. Screenshots are provided as examples. Be sure to replace the values with your own.
To create a virtual network
- From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
Click +. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and click to open the Virtual Network page.
Near the bottom of the Virtual Network page, from the Select a deployment model dropdown list, select Classic, and then click Create.
On the Create virtual network(classic) page, configure the VNet settings. On this page, you add your first address space and a single subnet address range. After you finish creating the VNet, you can go back and add additional subnets and address spaces.
- Verify that the Subscription is the correct one. You can change subscriptions by using the drop-down.
- Click Resource group and either select an existing resource group, or create a new one by typing a name. For more information about resource groups, visit Azure Resource Manager Overview.
- Next, select the Location settings for your VNet. The location determines where the resources that you deploy to this VNet will reside.
If you want to be able to find your VNet easily on the dashboard, select Pin to dashboard. Click Create to create your VNet.
After clicking 'Create', a tile appears on the dashboard that reflects the progress of your VNet. The tile changes as the VNet is being created.
2. Add additional address space
After you create your virtual network, you can add additional address space. Adding additional address space is not a required part of a S2S configuration, but if you require multiple address spaces, use the following steps:
- Locate the virtual networks in the portal.
- On the page for your virtual network, under the Settings section, click Address space.
- On the Address space page, click +Add and enter additional address space.
3. Specify a DNS server
DNS settings are not a required part of a S2S configuration, but DNS is necessary if you want name resolution. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to. For the example settings, we used a private IP address. The IP address we use is probably not the IP address of your DNS server. Be sure to use your own values.
After you create your virtual network, you can add the IP address of a DNS server to handle name resolution. Open the settings for your virtual network, click DNS servers, and add the IP address of the DNS server that you want to use for name resolution.
- Locate the virtual networks in the portal.
- On the page for your virtual network, under the Settings section, click DNS servers.
- Add a DNS server.
- To save your settings, click Save at the top of the page.
4. Configure the local site
The local site typically refers to your on-premises location. It contains the IP address of the VPN device to which you will create a connection, and the IP address ranges that will be routed through the VPN gateway to the VPN device.
- In the portal, navigate to the virtual network for which you want to create a gateway.
On the page for your virtual network, on the Overview page, in the VPN connections section, click Gateway to open the New VPN Connection page.
- On the New VPN Connection page, select Site-to-site.
Click Local site - Configure required settings to open the Local site page. Configure the settings, and then click OK to save the settings.
- Name: Create a name for your local site to make it easy for you to identify.
- VPN gateway IP address: This is the public IP address of the VPN device for your on-premises network. The VPN device requires an IPv4 public IP address. Specify a valid public IP address for the VPN device to which you want to connect. It cannot be behind NAT and has to be reachable by Azure. If you don't know the IP address of your VPN device, you can always put in a placeholder value (as long as it is in the format of a valid public IP address) and then change it later.
- Client Address space: List the IP address ranges that you want routed to the local on-premises network through this gateway. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks your virtual network connects to, or with the address ranges of the virtual network itself.
5. Configure the gateway subnet
You must create a gateway subnet for your VPN gateway. The gateway subnet contains the IP addresses that the VPN gateway services use.
On the New VPN Connection page, select the checkbox Create gateway immediately. The 'Optional gateway configuration' page appears. If you don't select the checkbox, you won't see the page to configure the gateway subnet.
- To open the Gateway configuration page, click Optional gateway configuration - Subnet, size, and routing type.
On the Gateway Configuration page, click Subnet - Configure required settings to open the Add subnet page.
On the Add subnet page, add the gateway subnet. The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway subnet as small as /29, we recommend that you use /27 or /28. This creates a larger subnet that includes more addresses. Using a larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.
6. Specify the SKU and VPN type
Select the gateway Size. This is the gateway SKU that you use to create your virtual network gateway. In the portal, the 'Default SKU' = Basic. Classic VPN gateways use the old (legacy) gateway SKUs. For more information about the legacy gateway SKUs, see Working with virtual network gateway SKUs (old SKUs).
- Select the Routing Type for your gateway. This is also known as the VPN type. It's important to select the correct gateway type because you cannot convert the gateway from one type to another. Your VPN device must be compatible with the routing type you select. For more information about VPN type, see About VPN Gateway Settings. You may see articles referring to 'RouteBased' and 'PolicyBased' VPN types. 'Dynamic' corresponds to 'RouteBased', and 'Static' corresponds to' PolicyBased'.
- Click OK to save the settings.
- On the New VPN Connection page, click OK at the bottom of the page to begin creating your virtual network gateway. Depending on the SKU you select, it can take up to 45 minutes to create a virtual network gateway.
7. Configure your VPN device
Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:
- A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
- The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI.
To download VPN device configuration scripts:
Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.
See the following links for additional configuration information:
For information about compatible VPN devices, see VPN Devices.
Before configuring your VPN device, check for any Known device compatibility issues for the VPN device that you want to use.
For links to device configuration settings, see Validated VPN Devices. The device configuration links are provided on a best-effort basis. It's always best to check with your device manufacturer for the latest configuration information. The list shows the versions we have tested. If your OS is not on that list, it is still possible that the version is compatible. Check with your device manufacturer to verify that OS version for your VPN device is compatible.
For an overview of VPN device configuration, see Overview of 3rd party VPN device configurations.
For information about editing device configuration samples, see Editing samples.
For cryptographic requirements, see About cryptographic requirements and Azure VPN gateways.
For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE parameters for Site-to-Site VPN gateway connections. This link shows information about IKE version, Diffie-Hellman Group, Authentication method, encryption and hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter information that you need to complete your configuration.
For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections.
To connect multiple policy-based VPN devices, see Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell.
8. Create the connection
In this step, you set the shared key and create the connection. The key you set is must be the same key that was used in your VPN device configuration.
Currently, this step is not available in the Azure portal. You must use the Service Management (SM) version of the Azure PowerShell cmdlets.
Step 1. Connect to your Azure account
Open your PowerShell console with elevated rights and connect to your account. Use the following example to help you connect:
Check the subscriptions for the account.
If you have more than one subscription, select the subscription that you want to use.
Select-AzureSubscription -SubscriptionId "Replace_with_your_subscription_ID"
Step 2. Set the shared key and create the connection
When working with PowerShell and the classic deployment model, sometimes the names of resources in the portal are not the names the Azure expects to see when using PowerShell. The following steps help you export the network configuration file to obtain the exact values for the names.
Create a directory on your computer and then export the network configuration file to the directory. In this example, the network configuration file is exported to C:\AzureNet.
Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml
Open the network configuration file with an xml editor and check the values for 'LocalNetworkSite name' and 'VirtualNetworkSite name'. Modify the example to reflect the values that you need. When specifying a name that contains spaces, use single quotation marks around the value.
Set the shared key and create the connection. The '-SharedKey' is a value that you generate and specify. In the example, we used 'abc123', but you can generate (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.
Set-AzureVNetGatewayKey -VNetName 'Group TestRG1 TestVNet1' ` -LocalNetworkSiteName 'D1BFC9CB_Site2' -SharedKey abc123
When the connection is created, the result is: Status: Successful.
9. Verify your connection
In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.
- In the Azure portal, click All resources and navigate to your classic virtual network.
- On the virtual network blade, click Overview to access the VPN connections section of the blade.
On the VPN connections graphic, click the site.
On the Site-to-site VPN connections blade, view the information about your site.
To view more information about the connection, click the name of the connection to open the Site-to-site VPN Connection blade.
If you are having trouble connecting, see the Troubleshoot section of the table of contents in the left pane.
How to reset a VPN gateway
Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.
How to change a gateway SKU
For the steps to change a gateway SKU, see Resize a gateway SKU.