- Understand what a site-to-site VPN connection is and when to use it.
- Identify the high-level components in an Azure site-to-site VPN deployment.
- Follow step-by-step Azure configuration and typical on‑premises settings to establish a working S2S VPN.
What is a site-to-site VPN?
A site-to-site VPN creates a secure, encrypted IP tunnel between two distinct networks—typically an on-premises datacenter and an Azure virtual network—over the public internet. Traffic that traverses this tunnel is encrypted and integrity-protected, enabling private communication across untrusted networks. Key scenarios- Hybrid cloud connectivity between on-premises datacenters and Azure VNets.
- Secure branch-to-branch connectivity over the internet.
- Encrypted IP-level connectivity where ExpressRoute is not required or available.
High-level technical overview
Site-to-site VPNs rely on standard IPsec/IKE protocols and specific Azure resources. Below is a compact reference for the principal components and behaviors.Azure S2S VPN: Step-by-step configuration (high level)
Below is a practical sequence for configuring an Azure site-to-site VPN. Each step includes typical Azure CLI commands as examples. Replace placeholders with your values (wrap them in backticks when used in scripts or docs).- Create a resource group (if you don’t have one):
- Create a virtual network and subnets (include a
GatewaySubnet):
- Create a public IP for the VPN gateway:
- Create the Virtual Network Gateway (this can take 20–45 minutes):
- Create a Local Network Gateway to represent your on-premises site:
- Create the S2S connection with a pre-shared key (PSK):
- For BGP-enabled connections, add the ASN/peer settings and set
--enable-bgp true. - A route-based VPN is the standard for Azure S2S; policy-based is limited in features.
On‑premises configuration checklist
Configure your on-prem VPN device to match the Azure gateway parameters:- Public IP: the device must have a stable public IP known to Azure.
- Pre-shared key: must match
sharedKeyused in the Azure Connection resource. - IKE version: use IKEv2 when possible.
- Encryption & integrity algorithms: ensure compatibility (e.g., AES256/SHA256).
- Tunnel type: route-based (virtual tunnel interfaces) if using Azure route-based gateways.
- Local network prefixes: configured to advertise/route the on-prem address ranges.
- BGP: if using BGP, configure ASN and peer IPs; ensure BGP timers and MTU are compatible.
Routing considerations
- Avoid overlapping IP address spaces between Azure VNets and on-prem networks.
- Choose static routes for simple topologies or BGP for dynamic route exchange and scale.
- When using BGP, ensure both sides have unique ASNs and compatible BGP neighbors.
Troubleshooting checklist
Configuring site-to-site VPNs is not strictly required for all certification exams, but understanding how the pieces fit together is valuable for real-world deployments and troubleshooting.
Do not use overlapping IP address ranges between Azure and on-premises networks—this is the most common cause of routing failures and inaccessible resources.
Links and references
- Azure Virtual Network Gateway documentation: https://learn.microsoft.com/azure/vpn-gateway/
- Azure VPN Gateway troubleshooting: https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-troubleshoot-azure-to-onprem
- IPsec/IKE overview: https://datatracker.ietf.org/doc/html/rfc7296