Create a Site-to-Site connection in the Azure portal

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Site-to-Site VPN Gateway cross-premises connection diagram

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device. This IP address cannot be located behind a NAT.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.

Example values

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article.

  • VNet Name: TestVNet1
  • Address Space:
    • 10.11.0.0/16
    • 10.12.0.0/16 (optional for this exercise)
  • Subnets:
    • FrontEnd: 10.11.0.0/24
    • BackEnd: 10.12.0.0/24 (optional for this exercise)
  • GatewaySubnet: 10.11.255.0/27
  • Resource Group: TestRG1
  • Location: East US
  • DNS Server: Optional. The IP address of your DNS server.
  • Virtual Network Gateway Name: VNet1GW
  • Public IP: VNet1GWIP
  • VPN Type: Route-based
  • Connection Type: Site-to-site (IPsec)
  • Gateway Type: VPN
  • Local Network Gateway Name: Site2
  • Connection Name: VNet1toSite2

1. Create a virtual network

To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. Use the example values if you are using these steps as a tutorial. If you are not doing these steps as a tutorial, be sure to replace the values with your own. For more information about working with virtual networks, see the Virtual Network Overview.

  1. From a browser, navigate to the Azure portal and sign in with your Azure account.
  2. Click New. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and click to open the Virtual Network blade.
  3. Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create. This opens the 'Create virtual network' blade.

    Create virtual network blade

  4. On the Create virtual network blade, configure the VNet settings. When you fill in the fields, the red exclamation mark becomes a green check mark when the characters entered in the field are valid.

    • Name: Enter the name for your virtual network. In this example, we use TestVNet1.
    • Address space: Enter the address space. If you have multiple address spaces to add, add your first address space. You can add additional address spaces later, after creating the VNet. Make sure that the address space that you specify does not overlap with the address space for your on-premises location.
    • Subnet name: Add the first subnet name and subnet address range. You can add additional subnets and the gateway subnet later, after creating this VNet.
    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or create a new one by typing a name for your new resource group. If you are creating a new group, name the resource group according to your planned configuration values. For more information about resource groups, visit Azure Resource Manager Overview.
    • Location: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will reside.
  5. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click Create. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your VNet. The tile changes as the VNet is being created.

2. Specify a DNS server

DNS is not required to create a Site-to-Site connection. However, if you want to have name resolution for resources that are deployed to your virtual network, you should specify a DNS server. This setting lets you specify the DNS server that you want to use for name resolution for this virtual network. It does not create a DNS server. For more information about name resolution, see Name Resolution for VMs and role instances.

  1. On the Settings page for your virtual network, navigate to DNS Servers and click to open the DNS servers blade.

    Add DNS server

    • DNS Servers: Select select Custom.
    • Add DNS server: Enter the IP address of the DNS server that you want to use for name resolution.
  2. When you are done adding DNS servers, click Save at the top of the blade.

3. Create the gateway subnet

The virtual network gateway uses specific subnet called the 'GatewaySubnet'. The gateway subnet contains the IP addresses that are used by the VPN gateway services. When you create a gateway subnet, it must be named 'GatewaySubnet'. Naming a subnet 'GatewaySubnet' tells Azure where to create the gateway services. If you name the subnet something else, your VPN gateway configuration will fail.

The IP addresses in the GatewaySubnet are allocated to the gateway services. When you create the GatewaySubnet, you specify the number of IP addresses that the subnet contains. The size of the GatewaySubnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a GatewaySubnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting /27 or /28. Using a larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.

  1. In the portal, navigate to the virtual network for which you want to create a virtual network gateway.
  2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.
  3. On the Subnets page, click +Gateway subnet at the top to open the Add subnet page.

    Add the gateway subnet

  4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. The GatewaySubnet value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements.

    Adding the gateway subnet

  5. To create the subnet, click OK at the bottom of the page.

4. Create the VPN gateway

  1. On the left side of the portal page, click + and type 'Virtual Network Gateway' in search. In Results, locate and click Virtual network gateway.
  2. At the bottom of the 'Virtual network gateway' blade, click Create. This opens the Create virtual network gateway blade.

    Create virtual network gateway blade fields

  3. On the Create virtual network gateway blade, specify the values for your virtual network gateway.

    • Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Location: You may need to scroll to see Location. Adjust the Location field to point to the location where your virtual network is located. If the location is not pointing to the region where your virtual network resides, the virtual network will not appear in the next step 'Choose a virtual network' dropdown.
    • Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the 'Choose a virtual network' blade. Select the VNet. If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
    • Public IP address: The 'Create public IP address' blade creates a public IP address object. The public IP address is dynamically assigned when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

      • First, click Public IP address to open the 'Choose public IP address' blade, then click +Create New to open the 'Create public IP address' blade.
      • Next, input a Name for your public IP address, then click OK at the bottom of this blade to save your changes.

        Create public IP

  4. Verify the settings. You can select Pin to dashboard at the bottom of the blade if you want your gateway to appear on the dashboard.

  5. Click Create to begin creating the VPN gateway. The settings will be validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.

After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway will appear as a connected device. You can click the connected device (your virtual network gateway) to view more information.

5. Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

  1. In the portal, from All resources, click +Add.
  2. In the Everything blade search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the blade, then click Create to open the Create local network gateway blade.

    create local network gateway

  3. On the Create local network gateway blade, specify the values for your local network gateway.

    • Name: Specify a name for your local network gateway object.
    • IP address: This is the public IP address of the VPN device that you want Azure to connect to. Specify a valid public IP address. The IP address cannot be behind NAT and has to be reachable by Azure. If you don't have the IP address right now, you can use the values shown in the screen shot, but you'll need to go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure will not be able to connect.
    • Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here, not the values shown in the screenshot.
    • Subscription: Verify that the correct subscription is showing.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
    • Location: Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
  4. When you have finished specifying the values, click Create at the bottom of the blade to create the local network gateway.

6. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.

See the following links for configuration information:

7. Create the VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

  1. Navigate to and open the blade for your virtual network gateway. There are multiple ways to navigate. In our example, we navigated to the gateway 'VNet1GW' by going to TestVNet1 -> Overview -> Connected devices -> VNet1GW.
  2. On the blade for VNet1GW, click Connections. At the top of the Connections blade, click +Add to open the Add connection blade.

    Create Site-to-Site connection

  3. On the Add connection blade, fill in the values to create your connection.

    • Name: Name your connection. We use VNet1toSite2 in our example.
    • Connection type: Select Site-to-site(IPSec).
    • Virtual network gateway: The value is fixed because you are connecting from this gateway.
    • Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use. In our example, we use Site2.
    • Shared Key: the value here must match the value that you are using for your local on-premises VPN device. In the example, we used 'abc123', but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.
    • The remaining values for Subscription, Resource Group, and Location are fixed.
  4. Click OK to create your connection. You'll see Creating Connection flash on the screen.

  5. You can view the connection in the Connections blade of the virtual network gateway. The Status will go from Unknown to Connecting, and then to Succeeded.

8. Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your virtual network gateway.
  2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
  3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

    Verify VPN Gateway connection using Azure portal

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show the steps for the Azure portal and for PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      $VMs = Get-AzureRmVM
      $Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
      
      foreach($Nic in $Nics)
      {
       $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
       $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
       $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
       Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. Verify that you are connected to your VNet using the VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.
  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

How to reset a VPN gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.

How to change a gateway SKU (resize a gateway)

For the steps to change a gateway SKU, see Gateway SKUs.

Next steps