Create a Site-to-Site connection in the Azure portal
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an
Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of
connection requires a VPN device located on-premises that has an externally facing public IP
address assigned to it. For more information about VPN gateways, see About VPN gateway.

Before you begin


Verify that you have met the following criteria before beginning your configuration:

- Make sure you have a compatible VPN device and someone who can configure it. For
more information about compatible VPN devices and device configuration, see About
VPN Devices.
- Verify that you have an externally facing public IPv4 address for your VPN device.
This IP address cannot be located behind a NAT.
- If you are unfamiliar with the IP address ranges located in your on-premises network
configuration, you need to coordinate with someone who can provide those details for
you. When you create this configuration, you must specify the IP address range
prefixes that Azure will route to your on-premises location. None of the subnets of
your on-premises network can overlap with the virtual network subnets that you want
to connect to.

Example values

The examples in this article use the following values. You can use these values to create a test
environment, or refer to them to better understand the examples in this article. For more
information about VPN Gateway settings in general, see About VPN Gateway Settings.

- VNet Name: TestVNet1
- Address Space: 10.1.0.0/16
- Subscription: The subscription you want to use
- Resource Group: TestRG1
- Location: East US
- Subnet: FrontEnd: 10.1.0.0/24, BackEnd: 10.1.1.0/24 (optional for this exercise)
- Gateway Subnet name: GatewaySubnet (this will auto-fill in the portal)
- Gateway Subnet address range: 10.1.255.0/27
- DNS Server: 8.8.8.8 - Optional. The IP address of your DNS server.
- Virtual Network Gateway Name: VNet1GW
- Public IP: VNet1GWIP
- VPN Type: Route-based
- Connection Type: Site-to-site (IPsec)
- Gateway Type: VPN
- Local Network Gateway Name: Site1
- Connection Name: VNet1toSite1
- Shared key: For this example, we use abc123. But, you can use whatever is
compatible with your VPN hardware. The important thing is that the values match on
both sides of the connection.

1. Create a virtual network


To create a VNet in the Resource Manager deployment model by using the Azure portal,
follow the steps below. Use the example values if you are using these steps as a tutorial. If
you are not doing these steps as a tutorial, be sure to replace the values with your own. For
more information about working with virtual networks, see the Virtual Network Overview.

Note

In order for this VNet to connect to an on-premises location, you need to coordinate with your
on-premises network administrator to carve out an IP address range that you can use
specifically for this virtual network. If a duplicate address range exists on both sides of the
VPN connection, traffic does not route the way you may expect it to. Additionally, if you
want to connect this VNet to another VNet, the address space cannot overlap with that of the
other VNet. Take care to plan your network configuration accordingly.

1. From a browser, navigate to the Azure portal and sign in with your Azure account.
2. Click Create a resource. In the Search the marketplace field, type 'virtual network'.
Locate Virtual network from the returned list and click to open the Virtual Network
page.
3. Near the bottom of the Virtual Network page, from the Select a deployment model
list, select Resource Manager, and then click Create. This opens the 'Create virtual
network' page.
4. On the Create virtual network page, configure the VNet settings. When you fill in
the fields, the red exclamation mark becomes a green check mark when the characters
entered in the field are valid.
o Name: Enter the name for your virtual network. In this example, we use
VNet1.
o Address space: Enter the address space. If you have multiple address spaces
to add, add your first address space. You can add additional address spaces
later, after creating the VNet. Make sure that the address space that you
specify does not overlap with the address space for your on-premises location.
o Subscription: Verify that the subscription listed is the correct one. You can
change subscriptions by using the drop-down.
o Resource group: Select an existing resource group, or create a new one by
typing a name for your new resource group. If you are creating a new group,
name the resource group according to your planned configuration values. For
more information about resource groups, visit Azure Resource Manager
Overview.
o Location: Select the location for your VNet. The location determines where
the resources that you deploy to this VNet will reside.
o Subnet: Add the first subnet name and subnet address range. You can add
additional subnets and the gateway subnet later, after creating this VNet.
5. Select Pin to dashboard if you want to be able to find your VNet easily on the
dashboard, and then click Create. After clicking Create, you will see a tile on your
dashboard that will reflect the progress of your VNet. The tile changes as the VNet is
being created.

2. Specify a DNS server


DNS is not required to create a Site-to-Site connection. However, if you want to have name
resolution for resources that are deployed to your virtual network, you should specify a DNS
server. This setting lets you specify the DNS server that you want to use for name resolution
for this virtual network. It does not create a DNS server. For more information about name
resolution, see Name Resolution for VMs and role instances.

1. On the Settings page for your virtual network, navigate to DNS Servers and click to
open the DNS servers page.

o DNS Servers: Select Custom.
o Add DNS server: Enter the IP address of the DNS server that you want to use
for name resolution.
2. When you are done adding DNS servers, click Save at the top of the page.

3. Create the gateway subnet


The virtual network gateway uses a specific subnet called the gateway subnet. The gateway
subnet is part of the virtual network IP address range that you specify when configuring your
virtual network. It contains the IP addresses that the virtual network gateway resources and
services use. The subnet must be named 'GatewaySubnet' in order for Azure to deploy the
gateway resources. You can't specify a different subnet to deploy the gateway resources to. If
you don't have a subnet named 'GatewaySubnet', creating your VPN gateway will
fail.

When you create the gateway subnet, you specify the number of IP addresses that the subnet
contains. The number of IP addresses needed depends on the VPN gateway configuration that
you want to create. Some configurations require more IP addresses than others. We
recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the
subnet is not contained within the address space for your virtual network, check your VNet
address range. You may not have enough IP addresses available in the address range you
created for your virtual network. For example, if your default subnet encompasses the entire
address range, there are no IP addresses left to create additional subnets. You can either
adjust your subnets within the existing address space to free up IP addresses, or specify an
additional address range and create the gateway subnet there.
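A pre-flight check for the addressing rules above (no on-premises prefix overlapping the VNet, every subnet contained in the address space, no subnets overlapping each other, and a subnet named exactly GatewaySubnet of /27 or /28), run against this article's example values. It is an added example, not part of the original article; the on-premises prefixes are constructed for the demonstration.

```python
from ipaddress import ip_network

# Example values from this tutorial.
VNET_ADDRESS_SPACE = ["10.1.0.0/16"]
VNET_SUBNETS = {
    "FrontEnd": "10.1.0.0/24",
    "BackEnd": "10.1.1.0/24",
    "GatewaySubnet": "10.1.255.0/27",
}
# Constructed on-premises prefixes (assumed for the example, not from the article).
ONPREM_PREFIXES = ["192.168.10.0/24", "192.168.20.0/24"]


def plan_issues(vnet_space, subnets, onprem_prefixes, gateway_max_prefixlen=28):
    """Return a list of addressing problems; an empty list means the plan is clean."""
    issues = []
    space = [ip_network(s) for s in vnet_space]
    onprem = [ip_network(p) for p in onprem_prefixes]
    subs = {name: ip_network(cidr) for name, cidr in subnets.items()}

    # 1. No on-premises prefix may overlap the VNet address space, or traffic
    #    will not route the way you expect once the tunnel is up.
    for p in onprem:
        for s in space:
            if p.overlaps(s):
                issues.append(f"on-premises prefix {p} overlaps VNet address space {s}")

    # 2. Every subnet must sit inside one of the VNet address ranges.
    for name, sub in subs.items():
        if not any(sub.subnet_of(s) for s in space):
            issues.append(f"subnet {name} {sub} is not contained in the VNet address space")

    # 3. Subnets must not overlap one another.
    names = list(subs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subs[a].overlaps(subs[b]):
                issues.append(f"subnets {a} {subs[a]} and {b} {subs[b]} overlap")

    # 4. The gateway subnet must be named exactly GatewaySubnet and, per the
    #    article's recommendation, be a /27 or /28 (a smaller block is flagged).
    gw = subs.get("GatewaySubnet")
    if gw is None:
        issues.append("no subnet named GatewaySubnet; the VPN gateway deployment will fail")
    elif gw.prefixlen > gateway_max_prefixlen:
        issues.append(f"GatewaySubnet {gw} is smaller than a /{gateway_max_prefixlen}")
    return issues


def free_blocks(vnet_space, subnets):
    """Return the unallocated CIDR blocks left in the VNet address space.

    An empty result reproduces the 'default subnet uses the whole range' case:
    there is nowhere left to carve out a GatewaySubnet.
    """
    free = [ip_network(s) for s in vnet_space]
    for sub in (ip_network(c) for c in subnets.values()):
        remaining = []
        for block in free:
            if sub.subnet_of(block):
                remaining.extend(block.address_exclude(sub))  # carve sub out of block
            elif not block.subnet_of(sub):
                remaining.append(block)  # untouched; blocks inside sub are dropped
        free = remaining
    return sorted(free)


if __name__ == "__main__":
    for line in plan_issues(VNET_ADDRESS_SPACE, VNET_SUBNETS, ONPREM_PREFIXES) or ["plan is clean"]:
        print(line)
    print("free:", ", ".join(str(b) for b in free_blocks(VNET_ADDRESS_SPACE, VNET_SUBNETS)))
```

Run it before clicking through the portal: an empty issue list and a non-empty free-block list mean the GatewaySubnet will fit and the on-premises ranges can be entered as-is in the local network gateway.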

1. In the portal, navigate to the virtual network for which you want to create a virtual
network gateway.
2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.
3. On the Subnets page, click +Gateway subnet at the top to open the Add subnet
page.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'.
The GatewaySubnet value is required in order for Azure to recognize the subnet as the
gateway subnet. Adjust the auto-filled Address range values to match your
configuration requirements.
5. To create the subnet, click OK at the bottom of the page.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to
the gateway subnet. Associating a network security group to this subnet may cause your VPN
gateway to stop functioning as expected. For more information about network security
groups, see What is a network security group?

4. Create the VPN gateway


1. On the left side of the portal page, click + and type 'Virtual Network Gateway' in
search. In Results, locate and click Virtual network gateway.
2. At the bottom of the 'Virtual network gateway' page, click Create. This opens the
Create virtual network gateway page.
3. On the Create virtual network gateway page, specify the values for your virtual
network gateway.
o Name: Name your gateway. This is not the same as naming a gateway subnet.
It's the name of the gateway object you are creating.
o Gateway type: Select VPN. VPN gateways use the virtual network gateway
type VPN.
o VPN type: Select the VPN type that is specified for your configuration. Most
configurations require a Route-based VPN type.
o SKU: Select the gateway SKU from the dropdown. The SKUs listed in the
dropdown depend on the VPN type you select. For more information about
gateway SKUs, see Gateway SKUs.
o Location: You may need to scroll to see Location. Adjust the Location field
to point to the location where your virtual network is located. If the location is
not pointing to the region where your virtual network resides, when you select
a virtual network in the next step, it will not appear in the drop-down list.
o Virtual network: Choose the virtual network to which you want to add this
gateway. Click Virtual network to open the 'Choose a virtual network' page.
Select the VNet. If you don't see your VNet, make sure the Location field is
pointing to the region in which your virtual network is located.
o Gateway subnet address range: You will only see this setting if you did not
previously create a gateway subnet for your virtual network. If you previously
created a valid gateway subnet, this setting will not appear.
o First IP configuration: The 'Choose public IP address' page creates a public
IP address object that gets associated to the VPN gateway. The public IP
address is dynamically assigned to this object when the VPN gateway is
created. VPN Gateway currently only supports Dynamic Public IP address
allocation. However, this does not mean that the IP address changes after it
has been assigned to your VPN gateway. The only time the Public IP address
changes is when the gateway is deleted and re-created. It doesn't change across
resizing, resetting, or other internal maintenance/upgrades of your VPN
gateway.
  - First, click Create gateway IP configuration to open the 'Choose
public IP address' page, then click +Create new to open the 'Create
public IP address' page.
  - Next, input a Name for your public IP address. Leave the SKU as
Basic unless there is a specific reason to change it to something else,
then click OK at the bottom of this page to save your changes.
4. Verify the settings. You can select Pin to dashboard at the bottom of the page if you
want your gateway to appear on the dashboard.
5. Click Create to begin creating the VPN gateway. The settings are validated and you'll
see the "Deploying Virtual network gateway" tile on the dashboard. Creating a
gateway can take up to 45 minutes. You may need to refresh your portal page to see
the completed status.

After the gateway is created, view the IP address that has been assigned to it by looking at the
virtual network in the portal. The gateway appears as a connected device. You can click the
connected device (your virtual network gateway) to view more information.

5. Create the local network gateway


The local network gateway typically refers to your on-premises location. You give the site a
name by which Azure can refer to it, then specify the IP address of the on-premises VPN
device to which you will create a connection. You also specify the IP address prefixes that
will be routed through the VPN gateway to the VPN device. The address prefixes you specify
are the prefixes located on your on-premises network. If your on-premises network changes
or you need to change the public IP address for the VPN device, you can easily update the
values later.

1. In the portal, click +Create a resource.
2. In the search box, type Local network gateway, then press Enter to search. This will
return a list of results. Click Local network gateway, then click the Create button to
open the Create local network gateway page.
3. On the Create local network gateway page, specify the values for your local
network gateway.
o Name: Specify a name for your local network gateway object.
o IP address: This is the public IP address of the VPN device that you want
Azure to connect to. Specify a valid public IP address. The IP address cannot
be behind NAT and has to be reachable by Azure. If you don't have the IP
address right now, you can use the values shown in the example, but you'll
need to go back and replace your placeholder IP address with the public IP
address of your VPN device. Otherwise, Azure will not be able to connect.
o Address Space refers to the address ranges for the network that this local
network represents. You can add multiple address space ranges. Make sure
that the ranges you specify here do not overlap with ranges of other networks
that you want to connect to. Azure will route the address range that you
specify to the on-premises VPN device IP address. Use your own values here
if you want to connect to your on-premises site, not the values shown in the
example.
o Configure BGP settings: Use only when configuring BGP. Otherwise, don't
select this.
o Subscription: Verify that the correct subscription is showing.
o Resource Group: Select the resource group that you want to use. You can
either create a new resource group, or select one that you have already created.
o Location: Select the location that this object will be created in. You may want
to select the same location that your VNet resides in, but you are not required
to do so.
4. When you have finished specifying the values, click the Create button at the bottom
of the page to create the local network gateway.

6. Configure your VPN device


Site-to-Site connections to an on-premises network require a VPN device. In this step, you
configure your VPN device. When configuring your VPN device, you need the following:

- A shared key. This is the same shared key that you specify when creating your
Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend
that you generate a more complex key to use.
- The Public IP address of your virtual network gateway. You can view the public IP
address by using the Azure portal, PowerShell, or CLI. To find the Public IP address
of your VPN gateway using the Azure portal, navigate to Virtual network gateways,
then click the name of your gateway.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device
configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

- For information about compatible VPN devices, see VPN Devices.
- Before configuring your VPN device, check for any Known device compatibility
issues for the VPN device that you want to use.
- For links to device configuration settings, see Validated VPN Devices. The device
configuration links are provided on a best-effort basis. It's always best to check with
your device manufacturer for the latest configuration information. The list shows the
versions we have tested. If your OS is not on that list, it is still possible that the
version is compatible. Check with your device manufacturer to verify that the OS version
of your VPN device is compatible.
- For an overview of VPN device configuration, see Overview of 3rd party VPN device
configurations.
- For information about editing device configuration samples, see Editing samples.
- For cryptographic requirements, see About cryptographic requirements and Azure
VPN gateways.
- For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE
parameters for Site-to-Site VPN gateway connections. This link shows information
about IKE version, Diffie-Hellman Group, Authentication method, encryption and
hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter
information that you need to complete your configuration.
- For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for S2S
VPN or VNet-to-VNet connections.
- To connect multiple policy-based VPN devices, see Connect Azure VPN gateways to
multiple on-premises policy-based VPN devices using PowerShell.

7. Create the VPN connection


Create the Site-to-Site VPN connection between your virtual network gateway and your on-
premises VPN device.

1. Navigate to and open the page for your virtual network gateway. There are multiple
ways to navigate. You can navigate to the gateway 'VNet1GW' by going to
TestVNet1 -> Overview -> Connected devices -> VNet1GW.
2. On the page for VNet1GW, click Connections. At the top of the Connections page,
click +Add to open the Add connection page.
3. On the Add connection page, configure the values for your connection.
o Name: Name your connection.
o Connection type: Select Site-to-site (IPsec).
o Virtual network gateway: The value is fixed because you are connecting
from this gateway.
o Local network gateway: Click Choose a local network gateway and select
the local network gateway that you want to use.
o Shared Key: The value here must match the value that you are using for your
local on-premises VPN device. The example uses 'abc123', but you can (and
should) use something more complex. The important thing is that the value
you specify here must be the same value that you specify when configuring
your VPN device.
o The remaining values for Subscription, Resource Group, and Location are
fixed.
4. Click OK to create your connection. You'll see Creating Connection flash on the
screen.
5. You can view the connection in the Connections page of the virtual network gateway.
The Status will go from Unknown to Connecting, and then to Succeeded.

8. Verify the VPN connection


In the Azure portal, you can view the connection status of a Resource Manager VPN
Gateway by navigating to the connection. The following steps show one way to navigate to
your connection and verify.

1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the
status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In
Essentials, you can view more information about your connection. The Status is
'Succeeded' and 'Connected' when you have made a successful connection.

To connect to a virtual machine


You can connect to a VM that is deployed to your VNet by creating a Remote Desktop
Connection to your VM. The best way to initially verify that you can connect to your VM is
to connect by using its private IP address, rather than computer name. That way, you are
testing to see if you can connect, not whether name resolution is configured properly.
1. Locate the private IP address. You can find the private IP address of a VM in multiple
ways. Below, we show the steps for the Azure portal and for PowerShell.
o Azure portal - Locate your virtual machine in the Azure portal. View the
properties for the VM. The private IP address is listed.
o PowerShell - Use the example to view a list of VMs and private IP addresses
from your resource groups. You don't need to modify this example before
using it.

Azure PowerShell

    # Collect every VM and every NIC that is attached to a VM.
    $VMs = Get-AzureRmVM
    $Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null

    foreach($Nic in $Nics)
    {
        # Match the NIC back to its VM by resource Id.
        $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
        # Private IP address and whether it is static or dynamic.
        $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
        $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
        Write-Output "$($VM.Name): $Prv,$Alloc"
    }

2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop
Connection" in the search box on the taskbar, then select Remote Desktop
Connection. You can also open Remote Desktop Connection using the 'mstsc'
command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click
"Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check
the following:

- Verify that your VPN connection is successful.
- Verify that you are connecting to the private IP address for the VM.
- If you can connect to the VM using the private IP address, but not the computer name,
verify that you have configured DNS properly. For more information about how name
resolution works for VMs, see Name Resolution for VMs.
- For more information about RDP connections, see Troubleshoot Remote Desktop
connections to a VM.

How to reset a VPN gateway


Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on
one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all
working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways.
For steps, see Reset a VPN gateway.

How to change a gateway SKU (resize a gateway)


For the steps to change a gateway SKU, see Gateway SKUs.

How to add an additional connection to a VPN gateway


You can add additional connections, provided that none of the address spaces overlap
between connections.

1. To add an additional connection, navigate to the VPN gateway, then click
Connections to open the Connections page.
2. Click +Add to add your connection. Adjust the connection type to reflect either
VNet-to-VNet (if connecting to another VNet gateway), or Site-to-site.
3. If you are connecting using Site-to-site and you have not already created a local
network gateway for the site you want to connect to, you can create a new one.
4. Specify the shared key that you want to use, then click OK to create the connection.
