Azure VPN Gateway for Site to Site Connection


A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted tunnel carried within another network. I will explain what a VPN gateway is and how to deploy one in Azure.

Azure VPN gateways

A Virtual Network Gateway comes in two types:

  • VPN Gateway
  • ExpressRoute

ExpressRoute is the other gateway type; it is the most efficient and the most costly. If your organization uses Office 365 and wants to reduce traffic over the internet by sending that traffic over a dedicated connection to Azure, then ExpressRoute is the best choice. It is a service that provides a direct connection from your on-premises datacenter to the Microsoft cloud. One disadvantage is that its network communication is not encrypted.

I will focus on the VPN gateway only in this article.

If you want to set up any of the connections below, you need a VPN gateway:

  • Connect on-premises data centers to Azure virtual networks through a site-to-site connection.
  • Connect individual devices to Azure virtual networks through a point-to-site connection.
  • Connect Azure virtual networks to other Azure virtual networks through a network-to-network connection.

🏆 Pro Tip

You can deploy only one VPN gateway in each virtual network, but you can use one gateway to connect to multiple locations.

VPN Types

The main difference between these two types of VPNs is how the traffic to be encrypted is specified.

  • policy-based
  • route-based

Policy-based VPNs

Policy-based VPN gateways statically specify the IP addresses of the packets that should be encrypted through each tunnel.

  • Support for IKEv1 only.
  • Used for compatibility with legacy on-premises VPN devices.
  • The source and destination of the tunneled networks are declared in the policy and don’t need to be declared in routing tables.

Route-based VPNs

With route-based gateways, IPsec tunnels are modeled as a network interface or VTI (virtual tunnel interface). IP routing (static routes or dynamic routing protocols) decides across which of these tunnel interfaces each packet is sent.

Both types of VPN gateways (route-based and policy-based) in Azure use a pre-shared key as the only method of authentication. Both types also rely on Internet Key Exchange (IKE), in either version 1 or version 2, and Internet Protocol Security (IPsec). IKE is used to set up a security association (an agreement on the encryption parameters) between the two endpoints. This association is then handed to the IPsec suite, which encrypts and decrypts the data packets encapsulated in the VPN tunnel.

Components of VPN Gateway in Azure

You need the following six resources created and configured in order to set up a site-to-site connection with a VPN gateway:

  • VNet: Only one VPN gateway can be deployed in a single VNet. While creating the VNet, give it enough address space to accommodate future subnets.
  • GatewaySubnet: You need a dedicated subnet for the VPN gateway, and you must name it GatewaySubnet. You cannot use this subnet for any other service. Give it a /27 address mask so that you have enough IP addresses for future growth. Also remember that you may later want to put two VPN gateway instances in Active/Standby or Active/Active mode within this subnet for redundancy.
  • Virtual Network Gateway: Create a Virtual Network Gateway of type VPN. It routes traffic from on-premises to the Azure VNet and vice versa.
  • Public IP address: Create a dynamic public IP address resource. This address only changes if you delete and recreate the VPN gateway. The IP is internet facing, and your on-premises VPN device points to it.
  • Local Network Gateway: This represents the on-premises network's configuration. It includes the on-premises VPN device's public IPv4 address and the on-premises routable networks. The VPN gateway uses this information to route packets destined for on-premises networks through the IPsec tunnel.
  • Connection: Create a connection resource. It connects the VPN gateway with the on-premises VPN device's IPv4 address, and the VPN gateway with its own public IP address.
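The VNet, GatewaySubnet and Local Network Gateway in the list above together form an address plan, and the most common reason a site-to-site tunnel comes up but passes no traffic is an inconsistent plan (a GatewaySubnet that is too small or misnamed, a subnet outside the VNet, or an on-premises range that overlaps the VNet). The script below is an added example, not code from the original article: it checks such a plan offline with Python's standard ipaddress module before any az command is run. The prefixes in PLAN are constructed sample values I chose for illustration; the article does not give real ones.

```python
import ipaddress

# Constructed sample address plan (values are illustrative, not from the article).
# "on_prem" lists the routable networks that would be declared on the
# Local Network Gateway; "subnets" are the VNet subnets.
PLAN = {
    "vnet": "10.1.0.0/16",
    "subnets": {"Services": "10.1.1.0/24", "GatewaySubnet": "10.1.255.0/27"},
    "on_prem": ["192.168.0.0/16"],
}

MIN_GATEWAY_PREFIX = 27  # the article recommends at least a /27 for GatewaySubnet


def _parse(prefix, label, problems):
    """Parse a CIDR string; record a problem instead of raising on bad input."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.1.1.5/24
        return ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {prefix!r} is not a valid network: {exc}")
        return None


def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    vnet = _parse(plan["vnet"], "VNet", problems)
    subnets = {}
    for name, prefix in plan["subnets"].items():
        net = _parse(prefix, f"subnet {name}", problems)
        if net is not None:
            subnets[name] = net
    on_prem = [n for n in (_parse(p, "on-premises range", problems) for p in plan["on_prem"]) if n]
    if vnet is None:
        return problems  # nothing more can be checked without a valid VNet

    # Azure requires the gateway subnet to be named exactly "GatewaySubnet".
    gw = subnets.get("GatewaySubnet")
    if gw is None:
        problems.append("no subnet named exactly 'GatewaySubnet'")
    elif gw.prefixlen > MIN_GATEWAY_PREFIX:
        problems.append(f"GatewaySubnet {gw} is smaller than /{MIN_GATEWAY_PREFIX}")

    # Every subnet must sit inside the VNet address space.
    for name, net in subnets.items():
        if not net.subnet_of(vnet):
            problems.append(f"subnet {name} {net} is outside VNet {vnet}")

    # Subnets inside one VNet must not overlap each other.
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"subnets {a} and {b} overlap")

    # On-premises ranges that overlap the VNet cannot be routed over the tunnel.
    for site in on_prem:
        if site.overlaps(vnet):
            problems.append(f"on-premises range {site} overlaps VNet {vnet}")
    return problems


if __name__ == "__main__":
    issues = check_plan(PLAN)
    print("plan OK" if not issues else "\n".join(issues))
```

Run it against your own values before creating the VNet and Local Network Gateway; the same strings you validate here are what you pass to --address-prefixes on the VNet and subnet commands, so a plan that passes this check will not need the gateway to be deleted and recreated later to fix addressing.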

On-Premise resources

You need a physical VPN device and a public-facing IPv4 address in your data center to connect to Azure resources.

High Availability

Since all traffic has to go through the VPN gateway, you must think about what happens when something goes wrong. We have to plan for fault tolerance.

You can run the VPN gateway as two instances, either in Active/Standby mode or in Active/Active mode.

Active / Standby

If any planned maintenance or unplanned interruption affects the active instance, the standby gateway becomes active automatically within 90 seconds, without any human involvement. This is an excellent feature.

Active/ Active

In this mode you deploy two VPN gateway instances with two distinct public IP addresses. On-premises you then have two VPN devices, one connected to each instance. With this setup, traffic can be distributed across the two gateways.

Site to Site VPN Gateway Deployment

Our goal is to create these two sites and connect them using a VPN.

The first step is to create both sites in Azure.

Let’s create HQ-Network and Azure-VNet1 sites in Azure.

Create Azure VNet

While creating the VNet, we also create a Services subnet. You need the address prefixes for the VNet and the subnet prefixes for the Services subnet.

# The article does not give the address values; the angle-bracket tokens are
# placeholders to replace with the prefixes from your own address plan.
az network vnet create \
    --resource-group learn-a6e8a4cb-44d7-4c35-b40c-9a61faff22e0 \
    --name Azure-VNet-1 \
    --address-prefixes <vnet-address-space> \
    --subnet-name Services \
    --subnet-prefixes <services-subnet-prefix>

Create GatewaySubnet

We need the GatewaySubnet to be created, and for that we need its address prefix. GatewaySubnet lives inside Azure-VNet-1.

# <gateway-subnet-prefix> is a placeholder for a /27 (or larger) block inside
# the VNet address space; the article does not give the value.
az network vnet subnet create \
    --resource-group learn-a6e8a4cb-44d7-4c35-b40c-9a61faff22e0 \
    --vnet-name Azure-VNet-1 \
    --address-prefixes <gateway-subnet-prefix> \
    --name GatewaySubnet

Local Network Gateway representing the Head Quarter network

The Local Network Gateway (LNG) is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection.

The Local Network Gateway points to a gateway IP address, which is the public IP (PIP) address of the Head Quarter network. I will assign this IP address later, once I have created the PIP of HQ-Network.

# <hq-public-ip> is a placeholder for the public IPv4 address of the HQ-Network
# VPN device, which is created later in the article.
az network local-gateway create \
    --resource-group learn-a6e8a4cb-44d7-4c35-b40c-9a61faff22e0 \
    --gateway-ip-address <hq-public-ip> \
    --name LNG-HQ-Network

Similarly, go ahead and create the site for the Head Quarter network as well.

Verify Network Topology

Step 2: Create a site-to-site VPN gateway by using Azure CLI commands

We will create:

  • A VNet for the gateway
  • The VPN gateways
  • A public IP address
  • The connection

Here is the hands-on lab link.

Thanks for reading my article till the end. I hope you learned something special today. If you enjoyed this article, please share it with your friends, and if you have suggestions or thoughts to share with me, please write them in the comment box.

💖 Say 👋 to me!
Rupesh Tiwari
Founder of Fullstack Master