Create a Site-to-Site connection in the Azure portal

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Site-to-Site VPN Gateway cross-premises connection diagram

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • Verify that you want to work with the Resource Manager deployment model. > [!NOTE] > Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model that you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model. > >
  • A compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • An externally facing public IPv4 IP address for your VPN device. This IP address cannot be located behind a NAT.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.

Example values

When using these steps as an exercise, you can use the following example values:

  • VNet Name: TestVNet1
  • Address Space:
    • 10.11.0.0/16
    • 10.12.0.0/16 (optional for this exercise)
  • Subnets:
    • FrontEnd: 10.11.0.0/24
    • BackEnd: 10.12.0.0/24 (optional for this exercise)
    • GatewaySubnet: 10.11.255.0/27
  • Resource Group: TestRG1
  • Location: East US
  • DNS Server: The IP address of your DNS server
  • Virtual Network Gateway Name: VNet1GW
  • Public IP: VNet1GWIP
  • VPN Type: Route-based
  • Connection Type: Site-to-site (IPsec)
  • Gateway Type: VPN
  • Local Network Gateway Name: Site2
  • Connection Name: VNet1toSite2

1. Create a virtual network

To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. The screenshots are provided as examples. Be sure to replace the values with your own. For more information about working with virtual networks, see the Virtual Network Overview.

  1. From a browser, navigate to the Azure portal and sign in with your Azure account.
  2. Click New. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and click to open the Virtual Network blade.
  3. Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.
  4. On the Create virtual network blade, configure the VNet settings. When you fill in the fields, the red exclamation mark will become a green check mark when the characters entered in the field are valid.
  5. The Create virtual network blade looks similar to the following example. There may be values that are auto-filled. If so, replace the values with your own.

    Create virtual network blade

  6. Name: Enter the name for your Virtual Network.
  7. Address space: Enter the address space. If you have multiple address spaces to add, add your first address space. You can add additional address spaces later, after creating the VNet. Make sure that the address space that you specify does not overlap with the address space for your on-premises location.
  8. Subnet name: Add the subnet name and subnet address range. You can add additional subnets later, after creating the VNet.
  9. Subscription: Verify that the Subscription listed is the correct one. You can change subscriptions by using the drop-down.
  10. Resource group: Select an existing resource group, or create a new one by typing a name for your new resource group. If you are creating a new group, name the resource group according to your planned configuration values. For more information about resource groups, visit Azure Resource Manager Overview.
  11. Location: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will reside.
  12. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click Create.
  13. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your VNet. The tile changes as the VNet is being created.

2. Specify a DNS server

DNS is not required for Site-to-Site connections. However, if you want to have name resolution for resources that are deployed to your virtual network, you should specify a DNS server. This setting lets you specify the DNS server that you want to use for name resolution for this virtual network. It does not create a DNS server.

  1. On the Settings page for your virtual network, navigate to DNS Servers and click to open the DNS servers blade.
  2. On the DNS Servers page, under DNS servers, select Custom.
  3. In the DNS Server field, in the Add DNS server box, enter the IP address of the DNS server that you want to use for name resolution. When you are done adding DNS servers, click Save at the top of the blade to save your configuration.

    Custom DNS

3. Create the gateway subnet

The virtual network gateway uses a gateway subnet that contains the IP addresses that are used by the VPN gateway services. When you create a gateway subnet, it must be named 'GatewaySubnet'. If you name it something else, your connection configuration fails.

The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting /27 or /28. Using a larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.

  1. In the portal, navigate to the virtual network for which you want to create a virtual network gateway.
  2. In the Settings section of your VNet blade, click Subnets to expand the Subnets blade.
  3. On the Subnets blade, click +Gateway subnet at the top. This will open the Add subnet blade.

    Add the gateway subnet

  4. The Name for your subnet will automatically be filled in with the value 'GatewaySubnet'. This value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements.

    Adding the subnet

  5. Click OK at the bottom of the blade to create the subnet.

4. Create the VPN gateway

  1. On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and click Virtual network gateway. At the bottom of the Virtual network gateway blade, click Create. This opens the Create virtual network gateway blade.
  2. On the Create virtual network gateway blade, fill in the values for your virtual network gateway.

    Create virtual network gateway blade fields

  3. Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
  4. Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
  5. VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
  6. SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select.
  7. Location: You may need to scroll to see Location. Adjust the Location field to point to the location where your virtual network is located. If the location is not pointing to the region where your virtual network resides, the virtual network will not appear in the next step 'Choose a virtual network' dropdown.
  8. Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the Choose a virtual network blade. Select the VNet. If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
  9. Create public IP address: This blade creates a public IP address object to which a public IP address will be dynamically assigned. Click Public IP address to open the Choose public IP address blade. Click +Create New to open the Create public IP address blade. Input a name for your public IP address. Click OK to save your changes to this blade. The IP address is dynamically assigned when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Create public IP

  10. Subscription: Verify that the correct subscription is selected.
  11. Resource group: This setting is determined by the Virtual Network that you select.
  12. Don't adjust the Location after you've specified the previous settings.
  13. Verify the settings. You can select Pin to dashboard at the bottom of the blade if you want your gateway to appear on the dashboard.
  14. Click Create to begin creating the gateway. The settings will be validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.

    Create gateway

  15. After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway will appear as a connected device. You can click the connected device (your virtual network gateway) to view more information.

5. Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.

  1. In the portal, from All resources, click +Add. In the Everything blade search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the blade, then click Create to open the Create local network gateway blade.

    create local network gateway

  2. On the Create local network gateway blade, specify a Name for your local network gateway object.
  3. Specify a valid public IP address for the VPN device or virtual network gateway to which you want to connect.
    This is the public IP address of the VPN device that you want to connect to. It cannot be behind NAT and has to be reachable by Azure. Use your own values, not the values shown in the screenshot.
  4. Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here, not the values shown in the screenshot.
  5. For Subscription, verify that the correct subscription is showing.
  6. For Resource Group, select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
  7. For Location, select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
  8. Click Create to create the local network gateway.

6. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.

See the following links for VPN device configuration information:

  • For information about compatible VPN devices, see VPN Devices.
  • For links to device configuration settings, see Validated VPN Devices. The device configuration links are provided on a best-effort basis. It's always best to check with your device manufacturer for the latest configuration information.
  • For information about editing device configuration samples, see Editing samples.
  • For IPsec/IKE parameters, see Parameters.
  • Before configuring your VPN device, check for any Known device compatibility issues for the VPN device that you want to use.

7. Create the VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

  1. Locate your virtual network gateway.
  2. Click Connections. At the top of the Connections blade, click +Add to open the Add connection blade.

    Create Site-to-Site connection

  3. On the Add connection blade, Name your connection.
  4. For Connection type, select Site-to-site(IPSec).
  5. For Virtual network gateway, the value is fixed because you are connecting from this gateway.
  6. For Local network gateway, click Choose a local network gateway and select the local network gateway that you want to use.
  7. For Shared Key, the value here must match the value that you are using for your local on-premises VPN device. In the example, we used 'abc123', but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.
  8. The remaining values for Subscription, Resource Group, and Location are fixed.
  9. Click OK to create your connection. You'll see Creating Connection flash on the screen.
  10. When the connection is complete, it appears in the Connections blade of the virtual network gateway.

    Create Site-to-Site connection

8. Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your virtual network gateway.
  2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
  3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

    Verify VPN Gateway connection using Azure portal

Next steps