Skip to main content
Welcome to the module: Connecting Networks with Site-to-Site VPN Connections. This lesson explains what site-to-site (S2S) VPNs are, when to use them, and how to configure them end-to-end between an on‑premises network and an Azure virtual network. Learning objectives
  • Understand what a site-to-site VPN connection is and when to use it.
  • Identify the high-level components in an Azure site-to-site VPN deployment.
  • Follow step-by-step Azure configuration and typical on‑premises settings to establish a working S2S VPN.

What is a site-to-site VPN?

A site-to-site VPN creates a secure, encrypted IP tunnel between two distinct networks—typically an on-premises datacenter and an Azure virtual network—over the public internet. Traffic that traverses this tunnel is encrypted and integrity-protected, enabling private communication across untrusted networks. Key scenarios
  • Hybrid cloud connectivity between on-premises datacenters and Azure VNets.
  • Secure branch-to-branch connectivity over the internet.
  • Encrypted IP-level connectivity where ExpressRoute is not required or available.

High-level technical overview

Site-to-site VPNs rely on standard IPsec/IKE protocols and specific Azure resources. Below is a compact reference for the principal components and behaviors.

Azure S2S VPN: Step-by-step configuration (high level)

Below is a practical sequence for configuring an Azure site-to-site VPN. Each step includes typical Azure CLI commands as examples. Replace placeholders with your values (wrap them in backticks when used in scripts or docs).
  1. Create a resource group (if you don’t have one):
  1. Create a virtual network and subnets (include a GatewaySubnet):
  1. Create a public IP for the VPN gateway:
  1. Create the Virtual Network Gateway (this can take 20–45 minutes):
  1. Create a Local Network Gateway to represent your on-premises site:
  1. Create the S2S connection with a pre-shared key (PSK):
Notes:
  • For BGP-enabled connections, add the ASN/peer settings and set --enable-bgp true.
  • A route-based VPN is the standard for Azure S2S; policy-based is limited in features.

On‑premises configuration checklist

Configure your on-prem VPN device to match the Azure gateway parameters:
  • Public IP: the device must have a stable public IP known to Azure.
  • Pre-shared key: must match sharedKey used in the Azure Connection resource.
  • IKE version: use IKEv2 when possible.
  • Encryption & integrity algorithms: ensure compatibility (e.g., AES256/SHA256).
  • Tunnel type: route-based (virtual tunnel interfaces) if using Azure route-based gateways.
  • Local network prefixes: configured to advertise/route the on-prem address ranges.
  • BGP: if using BGP, configure ASN and peer IPs; ensure BGP timers and MTU are compatible.
Example on-prem parameter summary:

Routing considerations

  • Avoid overlapping IP address spaces between Azure VNets and on-prem networks.
  • Choose static routes for simple topologies or BGP for dynamic route exchange and scale.
  • When using BGP, ensure both sides have unique ASNs and compatible BGP neighbors.

Troubleshooting checklist

Configuring site-to-site VPNs is not strictly required for all certification exams, but understanding how the pieces fit together is valuable for real-world deployments and troubleshooting.
Do not use overlapping IP address ranges between Azure and on-premises networks—this is the most common cause of routing failures and inaccessible resources.

Use these resources as authoritative references when designing and troubleshooting Azure site-to-site VPNs.

Watch Video