Create a Site-to-Site connection in the Azure portal

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration by using a different deployment tool or deployment model.

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Site-to-Site VPN Gateway cross-premises connection diagram

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device. This IP address cannot be located behind a NAT.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Example values

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article. For more information about VPN Gateway settings in general, see About VPN Gateway Settings.

  • VNet Name: TestVNet1
  • Address Space: 10.11.0.0/16 and 10.12.0.0/16 (optional for this exercise)
  • Subscription: The subscription you want to use
  • Resource Group: TestRG1
  • Location: East US
  • Subnet: FrontEnd: 10.11.0.0/24, BackEnd: 10.12.0.0/24 (optional for this exercise)
  • Gateway Subnet name: GatewaySubnet (this will auto-fill in the portal)
  • Gateway Subnet address range: 10.11.255.0/27
  • DNS Server: Optional. The IP address of your DNS server.
  • Virtual Network Gateway Name: VNet1GW
  • Public IP: VNet1GWIP
  • VPN Type: Route-based
  • Connection Type: Site-to-site (IPsec)
  • Gateway Type: VPN
  • Local Network Gateway Name: Site2
  • Connection Name: VNet1toSite2
  • Shared key: For this example, we use abc123. But, you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.

1. Create a virtual network

To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. Use the example values if you are using these steps as a tutorial. If you are not doing these steps as a tutorial, be sure to replace the values with your own. For more information about working with virtual networks, see the Virtual Network Overview.

Note

In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet. Take care to plan your network configuration accordingly.
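The no-overlap and gateway-subnet rules above can be checked offline before anything is created in the portal. The following PowerShell is an added example, not code from the original article: it takes the article's example values (TestVNet1's two address spaces, the FrontEnd, BackEnd and GatewaySubnet subnets) together with a constructed on-premises prefix, and reports every rule the plan violates. The function names (Get-CidrRange, Test-RangeOverlap, Test-AddressPlan) are this example's own.

```powershell
# Added example (not part of the original article): validate the address plan
# before creating the VNet. Runs with no Azure connection; pure address arithmetic.

function Get-CidrRange {
    # Returns the first and last address of a CIDR block as 64-bit integers.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $len = [int]$len
    if ($len -lt 0 -or $len -gt 32) { throw "Invalid prefix length in $Cidr" }
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    # Build the integer from the four octets; avoids host-endianness questions
    $ipInt = ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
    $block = [int64][math]::Pow(2, 32 - $len)               # number of addresses in the block
    $start = [int64][math]::Floor($ipInt / $block) * $block # round down to the block boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $block - 1; Length = $len }
}

function Test-RangeOverlap {
    param($A, $B)
    return ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

function Test-AddressPlan {
    # Returns the list of problems found; an empty list means the plan is consistent.
    param(
        [string[]]$VNetAddressSpace,
        [hashtable]$Subnets,            # subnet name -> CIDR, including GatewaySubnet
        [string[]]$OnPremisesPrefixes   # prefixes Azure will route to the on-premises VPN device
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $vnet   = $VNetAddressSpace   | ForEach-Object { Get-CidrRange $_ }
    $onprem = $OnPremisesPrefixes | ForEach-Object { Get-CidrRange $_ }

    # Rule 1: no on-premises prefix may overlap any VNet address space
    foreach ($v in $vnet) {
        foreach ($o in $onprem) {
            if (Test-RangeOverlap $v $o) {
                $problems.Add("On-premises prefix $($o.Cidr) overlaps VNet address space $($v.Cidr)")
            }
        }
    }

    # Rule 2: a subnet named exactly GatewaySubnet must exist and be /29 or larger
    if (-not $Subnets.ContainsKey('GatewaySubnet')) {
        $problems.Add("No subnet named 'GatewaySubnet'; the VPN gateway deployment will fail")
    } else {
        $gw = Get-CidrRange $Subnets['GatewaySubnet']
        if ($gw.Length -gt 29) { $problems.Add("GatewaySubnet $($gw.Cidr) is smaller than /29") }
        elseif ($gw.Length -gt 28) { $problems.Add("GatewaySubnet $($gw.Cidr) is /29; /27 or /28 is recommended") }
    }

    # Rule 3: every subnet sits inside a VNet address space and subnets do not overlap each other
    $ranges = @{}
    foreach ($name in $Subnets.Keys) { $ranges[$name] = Get-CidrRange $Subnets[$name] }
    foreach ($name in $ranges.Keys) {
        $s = $ranges[$name]
        $inside = $vnet | Where-Object { $_.Start -le $s.Start -and $s.End -le $_.End }
        if (-not $inside) { $problems.Add("Subnet $name ($($s.Cidr)) is not inside any VNet address space") }
        foreach ($other in $ranges.Keys) {
            if ($other -gt $name -and (Test-RangeOverlap $s $ranges[$other])) {
                $problems.Add("Subnets $name and $other overlap")
            }
        }
    }
    return $problems
}

# Article example values; the on-premises prefix 192.168.0.0/16 is a constructed sample
$subnets = @{ FrontEnd = '10.11.0.0/24'; BackEnd = '10.12.0.0/24'; GatewaySubnet = '10.11.255.0/27' }
$ok = Test-AddressPlan -VNetAddressSpace '10.11.0.0/16','10.12.0.0/16' -Subnets $subnets -OnPremisesPrefixes '192.168.0.0/16'
if ($ok.Count -eq 0) { 'Address plan is consistent' } else { $ok }

# Same plan with an on-premises prefix that collides with FrontEnd: reported as a problem
Test-AddressPlan -VNetAddressSpace '10.11.0.0/16','10.12.0.0/16' -Subnets $subnets -OnPremisesPrefixes '10.11.0.0/24'
```

Run the check once with the real on-premises prefixes from your network administrator; anything it lists will otherwise show up later as traffic that silently takes the wrong path rather than as a deployment error.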

  1. From a browser, navigate to the Azure portal and sign in with your Azure account.
  2. Click New. In the Search the marketplace field, type 'virtual network'. Locate Virtual network from the returned list and click to open the Virtual Network page.
  3. Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource Manager, and then click Create. This opens the 'Create virtual network' page.

    Create virtual network page

  4. On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red exclamation mark becomes a green check mark when the characters entered in the field are valid.

    • Name: Enter the name for your virtual network. In this example, we use TestVNet1.
    • Address space: Enter the address space. If you have multiple address spaces to add, add your first address space. You can add additional address spaces later, after creating the VNet. Make sure that the address space that you specify does not overlap with the address space for your on-premises location.
    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or create a new one by typing a name for your new resource group. If you are creating a new group, name the resource group according to your planned configuration values. For more information about resource groups, visit Azure Resource Manager Overview.
    • Location: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will reside.
    • Subnet: Add the first subnet name and subnet address range. You can add additional subnets and the gateway subnet later, after creating this VNet.
  5. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click Create. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your VNet. The tile changes as the VNet is being created.

2. Specify a DNS server

DNS is not required to create a Site-to-Site connection. However, if you want to have name resolution for resources that are deployed to your virtual network, you should specify a DNS server. This setting lets you specify the DNS server that you want to use for name resolution for this virtual network. It does not create a DNS server. For more information about name resolution, see Name Resolution for VMs and role instances.

  1. On the Settings page for your virtual network, navigate to DNS Servers and click to open the DNS servers blade.

    Add DNS server

    • DNS Servers: Select Custom.
    • Add DNS server: Enter the IP address of the DNS server that you want to use for name resolution.
  2. When you are done adding DNS servers, click Save at the top of the blade.

3. Create the gateway subnet

The virtual network gateway uses a specific subnet called the 'gateway subnet'. You must always create a gateway subnet if you want to create a VPN gateway connection. The IP addresses that are specified in the gateway subnet are part of the virtual network IP address range that you specify when configuring your virtual network. Some of the resources and services that are used by the VPN gateway require IP addresses. Gateway subnet IP addresses are allocated to these gateway services. For this reason, never deploy anything directly to the gateway subnet, such as VMs or any other resources.

When you create a gateway subnet, you specify the number of IP addresses that the gateway subnet contains. The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. The instructions in the article specify when a certain sized gateway subnet is required. While it is technically possible to create a gateway subnet as small as /29, we recommend that in general, you create a larger subnet that includes more addresses by selecting /27 or /28. Using a larger gateway subnet allows for enough IP addresses to be allocated to the gateway services to accommodate possible future configurations.

When you create a gateway subnet, it must be named 'GatewaySubnet'. Naming the subnet 'GatewaySubnet' tells Azure where to create the gateway services. If you name the subnet something else, your VPN gateway configuration will fail.

  1. In the portal, navigate to the virtual network for which you want to create a virtual network gateway.
  2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.
  3. On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.

    Add the gateway subnet

  4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. The GatewaySubnet value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements.

    Adding the gateway subnet

  5. To create the subnet, click OK at the bottom of the page.

4. Create the VPN gateway

  1. On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and click Virtual network gateway.
  2. At the bottom of the 'Virtual network gateway' page, click Create. This opens the Create virtual network gateway page.

    Create virtual network gateway page fields

  3. On the Create virtual network gateway page, specify the values for your virtual network gateway.

    • Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Location: You may need to scroll to see Location. Adjust the Location field to point to the location where your virtual network is located. If the location is not pointing to the region where your virtual network resides, when you select a virtual network in the next step, it will not appear in the drop-down list.
    • Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the 'Choose a virtual network' page. Select the VNet. If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
    • Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network. If you previously created a valid gateway subnet, this setting will not appear.
    • First IP configuration: The 'Choose public IP address' page creates a public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

      • First, click Create gateway IP configuration to open the 'Choose public IP address' page, then click +Create new to open the 'Create public IP address' page.
      • Next, input a Name for your public IP address. Leave the SKU as Basic unless there is a specific reason to change it to something else, then click OK at the bottom of this page to save your changes.

        Create public IP

  4. Verify the settings. You can select Pin to dashboard at the bottom of the page if you want your gateway to appear on the dashboard.

  5. Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.

After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device. You can click the connected device (your virtual network gateway) to view more information.

5. Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

  1. In the portal, from All resources, click +Add.
  2. In the Everything page search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the page, then click Create to open the Create local network gateway page.

    create local network gateway

  3. On the Create local network gateway page, specify the values for your local network gateway.

    • Name: Specify a name for your local network gateway object.
    • IP address: This is the public IP address of the VPN device that you want Azure to connect to. Specify a valid public IP address. The IP address cannot be behind NAT and has to be reachable by Azure. If you don't have the IP address right now, you can use the values shown in the screen shot, but you'll need to go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure will not be able to connect.
    • Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here, not the values shown in the screenshot.
    • Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
    • Subscription: Verify that the correct subscription is showing.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
    • Location: Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
  4. When you have finished specifying the values, click Create at the bottom of the page to create the local network gateway.

6. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.

See the following links for configuration information:

7. Create the VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

  1. Navigate to and open the blade for your virtual network gateway. There are multiple ways to navigate. In our example, we navigated to the gateway 'VNet1GW' by going to TestVNet1 -> Overview -> Connected devices -> VNet1GW.
  2. On the blade for VNet1GW, click Connections. At the top of the Connections blade, click +Add to open the Add connection blade.

    Create Site-to-Site connection

  3. On the Add connection blade, fill in the values to create your connection.

    • Name: Name your connection. We use VNet1toSite2 in our example.
    • Connection type: Select Site-to-site (IPsec).
    • Virtual network gateway: The value is fixed because you are connecting from this gateway.
    • Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use. In our example, we use Site2.
    • Shared Key: The value here must match the value that you are using for your local on-premises VPN device. In the example, we used 'abc123', but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.
    • The remaining values for Subscription, Resource Group, and Location are fixed.
  4. Click OK to create your connection. You'll see Creating Connection flash on the screen.

  5. You can view the connection in the Connections blade of the virtual network gateway. The Status will go from Unknown to Connecting, and then to Succeeded.
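Steps 1, 3, 4, 5 and 7 above are portal clicks, but the same deployment can be scripted, which also makes it easy to replace the weak example shared key with a generated one. The following is an added example written for this article, not the article's own code or a Microsoft script: it uses the AzureRM PowerShell module cmdlets (New-AzureRmVirtualNetwork, New-AzureRmVirtualNetworkGateway, New-AzureRmLocalNetworkGateway, New-AzureRmVirtualNetworkGatewayConnection) with the article's example values. It assumes the AzureRM module is installed and you have already signed in with Login-AzureRmAccount, that the VpnGw1 SKU suits you, and that the VPN device IP address and on-premises prefixes are placeholders you replace with your own.

```powershell
# Added example, not part of the original article: the Site-to-Site deployment
# scripted with the AzureRM module, using the article's example values.
# Assumes: AzureRM module installed, Login-AzureRmAccount already run.

$rg       = 'TestRG1'
$location = 'East US'
$vnetName = 'TestVNet1'
$gwName   = 'VNet1GW'
$devicePublicIp = '203.0.113.10'        # PLACEHOLDER: your VPN device's public IPv4 (must not be behind NAT)
$onPremPrefixes = @('192.168.0.0/16')   # PLACEHOLDER: prefixes Azure should route to that device

function New-SharedKey {
    # Generates a random hex shared key from a cryptographic RNG instead of the
    # article's 'abc123'. The same value must be entered on the VPN device.
    param([int]$ByteLength = 32)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $ByteLength
    $rng.GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Step 1: resource group and virtual network with the FrontEnd and BackEnd subnets.
# (Step 2 is optional: add -DnsServer <ip> to New-AzureRmVirtualNetwork to set a DNS server.)
New-AzureRmResourceGroup -Name $rg -Location $location | Out-Null
$frontEnd = New-AzureRmVirtualNetworkSubnetConfig -Name 'FrontEnd' -AddressPrefix '10.11.0.0/24'
$backEnd  = New-AzureRmVirtualNetworkSubnetConfig -Name 'BackEnd'  -AddressPrefix '10.12.0.0/24'
# Step 3: the gateway subnet must be named exactly GatewaySubnet; /27 leaves room for later configurations
$gwSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.11.255.0/27'
$vnet = New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.11.0.0/16','10.12.0.0/16' -Subnet $frontEnd, $backEnd, $gwSubnet

# Step 4: public IP (Dynamic is the only allocation the gateway supports) and the VPN gateway.
# Creating the gateway can take up to 45 minutes.
$gwPip = New-AzureRmPublicIpAddress -Name 'VNet1GWIP' -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$gwSubnetRef = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpConfig  = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'gwipconfig1' -SubnetId $gwSubnetRef.Id -PublicIpAddressId $gwPip.Id
$gateway = New-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
               -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 5: local network gateway describing the on-premises site
$site = New-AzureRmLocalNetworkGateway -Name 'Site2' -ResourceGroupName $rg -Location $location `
            -GatewayIpAddress $devicePublicIp -AddressPrefix $onPremPrefixes

# Step 7: the connection; the generated key is what the VPN device must be configured with
$sharedKey = New-SharedKey
New-AzureRmVirtualNetworkGatewayConnection -Name 'VNet1toSite2' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $site -ConnectionType IPsec -SharedKey $sharedKey | Out-Null

# Step 6: the two values the on-premises administrator needs to configure the VPN device
$assignedIp = (Get-AzureRmPublicIpAddress -Name 'VNet1GWIP' -ResourceGroupName $rg).IpAddress
"Azure VPN gateway public IP: $assignedIp"
"Shared key (enter it on the VPN device, then discard this output): $sharedKey"
```

The shared key is printed once so it can be handed to whoever configures the VPN device; it is not written to disk by the script, and the generated value is only as safe as the place you record it.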

8. Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your virtual network gateway.
  2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
  3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

    Verify VPN Gateway connection using Azure portal
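The status transitions described above (Unknown, Connecting, Connected) can be watched from PowerShell as well as the portal. This is an added example, not from the original article: it polls Get-AzureRmVirtualNetworkGatewayConnection until the connection reports Connected or a timeout expires, then prints the tunnel's byte counters, which show whether traffic is actually crossing it. It assumes the AzureRM module, a completed Login-AzureRmAccount, and the article's example resource names; Wait-VpnConnection is this example's own function.

```powershell
# Added example, not part of the original article: wait for the Site-to-Site
# connection to reach Connected and report its traffic counters.
# Assumes: AzureRM module installed, Login-AzureRmAccount already run.

function Wait-VpnConnection {
    param(
        [string]$Name = 'VNet1toSite2',
        [string]$ResourceGroupName = 'TestRG1',
        [int]$TimeoutSeconds = 600,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        # ProvisioningState is the Azure resource state; ConnectionStatus is the IPsec tunnel state
        Write-Host ("{0:HH:mm:ss}  provisioning={1,-10} tunnel={2}" -f (Get-Date), $conn.ProvisioningState, $conn.ConnectionStatus)
        if ($conn.ConnectionStatus -eq 'Connected') { return $conn }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Connection $Name did not reach Connected within $TimeoutSeconds seconds (last status: $($conn.ConnectionStatus))"
}

$conn = Wait-VpnConnection
# Non-zero counters after a test RDP session confirm packets are flowing through the tunnel,
# not just that the IKE negotiation succeeded.
"Ingress bytes: $($conn.IngressBytesTransferred)  Egress bytes: $($conn.EgressBytesTransferred)"
```

If the status stays at Connecting, the usual suspects are a shared key mismatch or the device's public IP differing from what was entered in the local network gateway, which are the two values step 6 asks you to carry over exactly.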

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show the steps for the Azure portal and for PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      # List every NIC that is attached to a VM, then print the VM name with the
      # NIC's private IP address and its allocation method (Dynamic or Static).
      $VMs = Get-AzureRmVM
      $Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
      
      foreach($Nic in $Nics)
      {
       # Match the NIC back to its VM by resource ID
       $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
       $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
       $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
       Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. Verify that you are connected to your VNet using the VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.
  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

How to reset a VPN gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.

How to change a gateway SKU (resize a gateway)

For the steps to change a gateway SKU, see Gateway SKUs.

How to add an additional connection to a VPN gateway

You can add additional connections, provided that none of the address spaces overlap between connections.

  1. To add an additional connection, navigate to the VPN gateway, then click Connections to open the Connections page.
  2. Click +Add to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to another VNet gateway), or Site-to-site.
  3. If you are connecting using Site-to-site and you have not already created a local network gateway for the site you want to connect to, you can create a new one.
  4. Specify the shared key that you want to use, then click OK to create the connection.

Next steps