In my previous post I explained how you can create a virtual network for an Azure site-to-site VPN. Today we will configure the Azure VPN and the local VPN.

Configure the Azure VPN

To configure the Azure VPN, you have to follow these steps:

  1. Navigate to More Services and search for Virtual network gateways.
  2. Once you open the Virtual network gateways blade, click Add.

    Virtual network gateways blade

  3. Then you have to specify the following:
    1. Name: The name of the virtual network gateway.
    2. Gateway type: You have two options (VPN or Express Route). In this scenario, I will select VPN.
    3. VPN Type: You have two options (Route based or Policy based). In this scenario, I will select Route based, as it is more flexible and powerful than policy based.
    4. SKU: There are multiple stock-keeping units (SKUs), and you need to select the SKU that would fulfill your needs, such as throughput, service-level agreements (SLAs), and so on. You can check the following link for more information about the differences between the gateway SKUs.
    5. Virtual Network: The virtual network to use for your workloads and applications on Azure that need to communicate with the on-premises environment.

      Creating a virtual network gateway

    6. First IP configuration: The public IP of the virtual network gateway. You can either create a new one or select an existing unused one.
    7. Subscription: The subscription to charge for the virtual network gateway.
    8. Location: The location for building the virtual network gateway.

      Completing the creation of the virtual network gateway

  4. After creating the virtual network gateway, you have to open it and copy its public IP address, as you will need it later.
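The same gateway build scripted with Az PowerShell, as an added example that is not part of the original post. It assumes the resource group, the virtual network and its GatewaySubnet from the previous post already exist, and that a Standard static public IP is acceptable for the chosen gateway SKU; every name below is a placeholder.

```powershell
# Added example (not from the original post): build the Azure virtual network gateway (steps 1-4).
# Assumes Connect-AzAccount has been run and the VNet with a GatewaySubnet already exists.
$rg       = 'rg-s2s-demo'      # placeholder resource group
$location = 'westeurope'       # placeholder location (step 8)
$vnetName = 'vnet-s2s-demo'    # placeholder, the VNet from the previous post (step 5)

# Step 6, "First IP configuration": a new public IP for the gateway.
# Assumption: Standard/static is valid for the SKU chosen below.
$gwPip = New-AzPublicIpAddress -Name 'vnetgw-pip' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# Bind the gateway to the GatewaySubnet of the existing virtual network.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
    -SubnetId $subnet.Id -PublicIpAddressId $gwPip.Id

# Steps 2-4: gateway type VPN, route based, SKU VpnGw1 (pick the SKU that meets your
# throughput and SLA needs). Provisioning a gateway takes tens of minutes.
New-AzVirtualNetworkGateway -Name 'vnetgw' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 4: record the gateway's public IP; RRAS needs it later as the IKEv2 destination.
$azureGwPip = (Get-AzPublicIpAddress -Name 'vnetgw-pip' -ResourceGroupName $rg).IpAddress
$azureGwPip
```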

Configure the local VPN

So far, we've configured the Azure VPN. Now we need to configure the local VPN; in this scenario, we use Routing and Remote Access Service (RRAS) as the local VPN.

To configure the local VPN, you have to follow the next steps:

  1. First, we recommend you have two network interface controllers (NICs) on the server that will act as the local VPN, with TCP/IPv4 enabled and TCP/IPv6 disabled.
  2. Make sure the NIC with the private IP address does not have a gateway assigned to it to ensure that the traffic to and from the internet will pass through the NIC with the public IP address.
  3. On the NIC with the public IP, open TCP/IPv4 configurations and click on Advanced. Then select WINS and Disable NetBIOS over TCP/IP.

    Disabling NetBIOS over TCP/IP

  4. Install the Remote Access role and select Direct Access and VPN as the role service.
  5. After installing it, navigate to Server Manager -> Tools -> Routing and Remote Access.
  6. Notice we haven't configured the server yet. Therefore, right-click it and select Configure and Enable Routing and Remote Access.

    Configuring Routing and Remote Access Service (RRAS)

  7. A new wizard will appear. Click Next.
  8. For its configuration select Secure connection between two private networks and click Next.

    Specify the RRAS configuration

  9. For demand-dial connections, select Yes and click Next.
  10. You then need either to specify a range of IP addresses for remote clients or, if you are using a DHCP server, let RRAS assign them automatically. Then click Next.
  11. Finally, click Finish on the summary page to complete the configurations.
  12. After that, navigate to the Azure portal again, go to More Services, and search for local network gateways.
  13. Select this, which will open a new blade. Click Add.

    Local network gateways blade

  14. This will take you to a new blade, where you have to specify the following:
    1. Name: The name of the local gateway.
    2. IP Address: The public IP address of your local network gateway.
    3. Address space: The range of IP addresses in your local environment.
    4. Subscription: The subscription to charge for this service.
    5. Resource Group: The resource group where this resource will be located.
    6. Location: The location for building this service.

      Creating a local network gateway

  15. After creating the local network gateway, select it, navigate to Connections, and click Add.

    Connections between the local network gateway and the virtual network gateway blade

  16. A new blade will appear where you have to specify the following:
    1. Name: The name of the connection between your local gateway and the Azure virtual network gateway.
    2. Virtual Network Gateway: Select the virtual network gateway created earlier.
    3. Shared key: The pre-shared key for the connection. It must be long and random (very strong) to avoid compromise, and it can be alphanumeric.

      Adding a connection between the local network gateway and the virtual network gateway

  17. You then have to navigate to your local environment again.
  18. When you left your local VPN gateway, you were finishing the RRAS configuration. After that configuration completes, a new wizard (the demand-dial interface wizard) appears. Continue by clicking Next.
  19. Enter a name for the local interface to use for the site-to-site VPN connection.
  20. Then, for the connection type, select the option to connect using virtual private networking (VPN).
  21. After that, select IKEv2 as the VPN Type.
  22. Remember the public IP address I asked you to keep? This is the perfect time to use it, as you have to enter it as the IP address in this step.
  23. Next, you have to specify the protocols and security, which you can leave as the defaults.
  24. Then you have to specify the static route to the Azure network gateway. Click Add, and a new wizard will appear where you have to enter the following:
    1. Destination: The address space of the Azure network created earlier.
    2. Network mask: The network mask of that address space.
    3. Metric: Specify an appropriate metric.

      Setting a static route between an on-premises site and Azure

  25. After configuring the static route, enter the dial-out credentials. You can set the user name as Azure and click Next.
  26. Finally, you can click Finish on the summary page.
  27. After creating the interface, right-click it and select its properties.

    Opening the properties of the network interface that connects the on-premises site and Azure

  28. Navigate to the Security tab, select Use preshared key for authentication, and enter the key used earlier for the connection between local network gateway and virtual network gateway.

    Setting the preshared key

  29. Now you can initiate the connection between your on-premises site and Azure by right-clicking the interface and choosing Connect.

    Initiating the connection between the on-premises site and Azure

After implementing the site-to-site VPN, you can use ping to check the connectivity between your on-premises site and Azure by pinging a VM on the virtual network created earlier. If the ping fails, make sure the local machine you are pinging the Azure VM from has a static route to the Azure virtual network. In this scenario, you can use the following command:

route -p ADD <address space of the virtual network> MASK <The mask set to the virtual network> <VPN Server IP> METRIC 100
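The Azure local network gateway and connection (steps 14 to 16) together with the RRAS demand-dial interface (steps 18 to 29), as an added PowerShell example that is not part of the original post. It assumes the virtual network gateway named 'vnetgw' from the first section exists, that the Az part runs on an admin workstation while the RemoteAccess part runs on the RRAS server (so the generated key must be carried to the server), and every address, prefix and name below is a placeholder.

```powershell
# Added example (not from the original post). Placeholders throughout.
$rg           = 'rg-s2s-demo'
$location     = 'westeurope'
$azureGwPip   = '<public IP copied from the virtual network gateway>'   # steps 4 and 22
$onPremPip    = '<public IP of the RRAS server>'                        # step 14.2
$onPremPrefix = '192.168.10.0/24'   # step 14.3, on-premises address space (placeholder)
$vnetPrefix   = '10.0.0.0/16'       # step 24.1, Azure address space (placeholder)

# Step 16.3: a 64-character alphanumeric pre-shared key from a CSPRNG. Rejection sampling
# (only bytes below 248 = 62*4 are used) keeps every character equally likely.
function New-AlphanumericPsk([int]$Length = 64) {
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = [byte[]]::new(1)
    $sb  = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $sb.ToString()
}
$psk = New-AlphanumericPsk

# Steps 14-16 (Azure side): describe the on-premises site, then create the IPsec connection.
$lng = New-AzLocalNetworkGateway -Name 'onprem-lng' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremPip -AddressPrefix @($onPremPrefix)
$gw  = Get-AzVirtualNetworkGateway -Name 'vnetgw' -ResourceGroupName $rg
New-AzVirtualNetworkGatewayConnection -Name 'onprem-to-azure' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk

# Steps 18-29 (run on the RRAS server): IKEv2 demand-dial interface, PSK authentication,
# and the static route to the Azure address space with metric 100 (format "prefix:metric").
Add-VpnS2SInterface -Name 'Azure' -Destination $azureGwPip -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $psk -IPv4Subnet @("${vnetPrefix}:100")
Connect-VpnS2SInterface -Name 'Azure'
Get-VpnS2SInterface -Name 'Azure' | Select-Object Name, ConnectionState   # expect Connected

# Cmdlet form of the page's route command for a client machine behind the RRAS server:
# New-NetRoute -DestinationPrefix $vnetPrefix -NextHop '<VPN server private IP>' `
#     -InterfaceAlias 'Ethernet' -RouteMetric 100
```

The same $psk value must be used on both sides; if the two halves run on different machines, move the key over a secure channel rather than pasting it into a plain-text note.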

If the connection to Azure fails when you try to connect, check your configuration on both sides again to see whether you implemented it accurately or misconfigured something.

© 4sysops 2006 - 2023