Azure – Networking – Part 15 – Configure Azure Site-to-Site VPN Connection
!!! We Hope You All Had A Very Nice and Safe Diwali Vacation 🙂 !!!
Today in this article we will continue our discussion on the use of the Virtual Network Gateway. In our last article we discussed how to configure an Azure VNet-to-VNet connection. Today we will discuss one more important connection type, the Site-to-Site connection. So let's start with the basic concept and configuration details of a Site-to-Site VPN connection.
Tool Installation Articles :
- Configure Azure Command Line Interface ( Azure CLI) On Windows
- Configure PowerShell For Microsoft Azure Az Module On Windows
Previous Azure series :
- Learn Basics Of Azure Networking In 60 Hours
- Learn Basic Of Azure Active Directory And Azure Identity And Access Management
- Azure DevOps – Learn at one place
If you have missed our previous articles on networking, please check them in following links.
Next Article : Part 16 – Azure Virtual Network (VNet) peering
Site-To-Site VPN Connection
- Site-to-site connection is a type of VPN connection that is created between two separate locations.
- Site-to-site connection provides the ability to connect geographically separate locations or networks, generally over the public Internet or a WAN connection.
- The connection in a site-to-site VPN is generally enabled through a VPN gateway device.
To configure a complete Site-to-Site VPN connection, we need to configure resources at both the Azure and the on-premises end. A few components are required from the on-premises environment and a few from the Azure environment. We have all the required resources on the Azure side, but currently we do not have the complete set of resources on the on-premises side, so it is not possible for us to show a top-to-bottom configuration of a Site-to-Site VPN connection. I will configure everything required on the Azure side and provide references for completing the VPN device configuration at the on-premises end. Let's check what we have before we start configuring the connection.
- Resource Group: holds all our required resources.
- Virtual Network (VNet): an Azure VNet is a representation of our own network in the cloud.
- Virtual Machine: a VM to test the connection from the on-premises environment.
- Virtual Network Gateway: helps to establish a connection between an Azure virtual network and our on-premises network.
- Local Network Gateway: represents the hardware or software VPN device in our local network.
- VPN device: a VPN device is needed on-premises to create the VPN connection with the Azure virtual network gateway.
- Static Public IP address: the VPN device should have an external public IP address, and it should not be behind NAT.
I have already created most of the above resources in advance. Following are the links, which will help you to create most of those resources.
Now we are missing one important resource from Azure side. So let’s create it.
Create Local Network Gateway :
1. Log in to the Azure Portal and search for Local Network Gateway in the marketplace as shown in the following figure.
2. Create a new Local Network Gateway by clicking the +Add or Create New button. It will take us to the Create local network gateway page as shown in the following figure.
3. Provide the correct information for the on-premises VPN device as described below.
- Name: name for the local network gateway
- IP Address: public IP address of your VPN device. It must not be behind NAT.
- Address Space: our on-premises address ranges; we can add multiple ranges.
- Resource Group: create a new resource group or use the same one you were using
4. After verifying all the information, click the Create button to start creating the Local Network Gateway. We can see in the following figure that it has created our Local Network Gateway for our demo.
During Local Network Gateway creation, we provided our on-premises VPN device's static public IP and its address range. Now we will configure the Site-to-Site VPN connection in Azure, but we will not be able to test the connection due to some restrictions in our on-premises environment.
Configure Site-To-Site VPN Connection :
Now we have all the required resources to create a Site-to-Site VPN connection between our VPN device and the virtual network gateway. So let's create the Site-to-Site VPN connection.
Start by logging in to the Azure portal, search for virtual network gateways and open our ready Virtual Network Gateway (MSTechs_VNet_GW) as shown in the following figure.
In the above figure, we can see Connections under the Settings section. Go to the Connections page and from there click the +Add button to create a new connection as shown in the following figure.
In the wizard, fill in the relevant information and click OK as shown in the following figure.
As in the above figure, we have configured our Site-to-Site connection with the following information.
- Name: name of the connection; here it is "Azure-To-ManasOnPremise".
- Connection Type: type of the VPN; here it must be set to Site-to-Site (IPsec).
- Virtual Network Gateway: select the relevant virtual network gateway.
- Local Network Gateway: select the relevant local network gateway for your connection.
- Shared Key: the pre-shared key you are going to use for the VPN configuration; the same key must be entered on the on-premises VPN device.
Once the connection is created as shown in the above figure, we can see the connection status as shown in the following figure.
In the above figure, the status is still Connecting, as it is trying to establish the connection with the on-premises side. This is because we have one more step to go: we need to configure our on-premises VPN device to finalize the configuration. As I said earlier, we have some restrictions on configuring anything in our on-premises environment, so I am sharing the following information to configure the VPN device. The following information is from one of the Microsoft documents.
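The same Azure-side steps shown above in the portal (create the local network gateway, create the Site-to-Site connection, read back the status), done with the Az PowerShell module. This is an added example written for this article, not code from the original post or from Microsoft. The resource group, region, local network gateway name, on-premises IP and address ranges are placeholders; MSTechs_VNet_GW and Azure-To-ManasOnPremise are the names used above. It also generates the pre-shared key from the .NET cryptographic random number generator instead of a typed word, and looks up the gateway's public IP that the on-premises device will need.

```powershell
# Added example for this article (not the original post's or Microsoft's code).
# Requires the Az module with Connect-AzAccount already done.
$rg        = 'MSTechs_RG'                  # placeholder resource group
$location  = 'eastus'                      # placeholder region
$gwName    = 'MSTechs_VNet_GW'             # virtual network gateway from the article
$lngName   = 'MSTechs_OnPremise_LNG'       # placeholder local network gateway name
$connName  = 'Azure-To-ManasOnPremise'     # connection name from the article
$onPremIp  = '203.0.113.10'                # placeholder: VPN device public IP, not behind NAT
$onPremNet = @('192.168.10.0/24', '192.168.20.0/24')  # placeholder on-premises address ranges

# Pre-shared key from a CSPRNG: 24 random bytes rendered as 48 hex characters,
# well under Azure's 128-character limit for the shared key.
function New-StrongSharedKey {
    param([int]$Bytes = 24)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    ([System.BitConverter]::ToString($buf)) -replace '-', ''
}
$sharedKey = New-StrongSharedKey

# Step 1: the local network gateway represents the on-premises VPN device and its address space.
$lng = New-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

# Step 2: the Site-to-Site connection. ConnectionType 'IPsec' is the Az name for Site-to-Site.
$vng  = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$conn = New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg -Location $location `
          -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
          -ConnectionType IPsec -SharedKey $sharedKey

# Step 3: what the on-premises VPN device needs: the gateway's public IP and the same key.
$pipId = $vng.IpConfigurations[0].PublicIpAddress.Id
$pip   = Get-AzPublicIpAddress | Where-Object { $_.Id -eq $pipId }
Write-Host "Azure gateway public IP for the on-premises device: $($pip.IpAddress)"
# Hand $sharedKey to the device administrator out of band; do not write it to logs.

# Step 4: the status stays 'Connecting' until the on-premises device is configured,
# then changes to 'Connected'.
(Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg).ConnectionStatus
```

Creating the connection returns quickly; the status check is the part to repeat after the on-premises device has been configured with the gateway's public IP, the Azure VNet address space and the generated key.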
Configure your VPN device (From Microsoft document) :
Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:
- A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
- The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.
Download VPN device configuration scripts:
Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.
See the following links for additional configuration information:
- For information about compatible VPN devices, see VPN Devices.
- Before configuring your VPN device, check for any Known device compatibility issues for the VPN device that you want to use.
- For links to device configuration settings, see Validated VPN Devices. The device configuration links are provided on a best-effort basis. It's always best to check with your device manufacturer for the latest configuration information. The list shows the versions we have tested. If your OS is not on that list, it is still possible that the version is compatible. Check with your device manufacturer to verify that the OS version for your VPN device is compatible.
- For an overview of VPN device configuration, see Overview of 3rd party VPN device configurations.
- For information about editing device configuration samples, see Editing samples.
- For cryptographic requirements, see About cryptographic requirements and Azure VPN gateways.
- For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE parameters for Site-to-Site VPN gateway connections. This link shows information about IKE version, Diffie-Hellman Group, Authentication method, encryption and hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter information that you need to complete your configuration.
- For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections.
- To connect multiple policy-based VPN devices, see Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell.
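The IPsec/IKE parameters listed above (DH group, encryption and hashing algorithms, SA lifetime, PFS) can be pinned on the Azure side with a custom IPsec/IKE policy instead of accepting the gateway defaults. This is an added example written for this article, not code from the original post or from the Microsoft documents it links to. It reuses the placeholder resource group and the connection name from above, and assumes a route-based gateway with a non-Basic SKU (custom policies are not supported on the Basic SKU) and an on-premises device that supports the same cipher suite.

```powershell
# Added example for this article (not the original post's or Microsoft's code).
$rg       = 'MSTechs_RG'                 # placeholder resource group
$connName = 'Azure-To-ManasOnPremise'    # connection name from the article

# Weak legacy parameters that some older devices still propose (3DES, SHA-1, DH group 2, no PFS).
# Built here only so the contrast with the preferred policy is visible; it is not applied.
$legacy = New-AzIpsecPolicy -IkeEncryption DES3 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
            -IpsecEncryption DES3 -IpsecIntegrity SHA1 -PfsGroup None `
            -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

# Preferred: AES-256 with SHA-384 and ECP384 for IKEv2, AES-256-GCM for IPsec, PFS on,
# and a conservative SA lifetime. With a GCM cipher the IPsec integrity value must name
# the same GCM algorithm.
$strong = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup ECP384 `
            -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup ECP384 `
            -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Apply the policy to the existing Site-to-Site connection. Both peers must agree, so the
# on-premises device has to be configured with the same parameters or IKE negotiation fails.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $strong

# Read back what the gateway will now negotiate.
(Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg).IpsecPolicies |
    Format-List IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup, SaLifeTimeSeconds
```

Once a custom policy is set, the gateway proposes only that combination, so a mismatch shows up as the connection staying in Connecting; compare the read-back values against the device's IKE/IPsec proposal before looking elsewhere.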
I hope this article helps you to get basic information of configuring Site-to-Site connection. My next article of this series is Part 16 – Azure Virtual Network (VNet) peering .
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction; we will come up with more such articles.
Thanks for reading 🙂