Azure Site-to-Site VPN configuration
This configuration is useful when you need to test an application deployed on a VM in Azure that connects to a VM located on-premises.
It is built as a site-to-site (S2S) IPsec VPN between an Azure Virtual Network Gateway and a Windows Server running Routing and Remote Access (RRAS) on-premises.
The configuration diagram and the steps needed to build it are shown below:
![](https://static.wixstatic.com/media/ee9d49_bcbc6ce87c41441dbcbf33496e0f97d0~mv2.png/v1/fill/w_49,h_20,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_bcbc6ce87c41441dbcbf33496e0f97d0~mv2.png)
Configuration steps:
1. Create a VNet that will hold your Azure VM and the Virtual Network Gateway.
1.1 Create a VNet and give it a name inside your resource group.
1.2 On the IP addresses tab, create the address space 10.1.0.0/16. It must contain both subnets created below (10.1.0.0/24 and 10.1.1.0/24); an address space of 10.0.0.0/16 would not, and the portal would reject the subnets.
1.3 Add a subnet 10.1.0.0/24 and name it FrontEnd. This subnet will hold the Azure VM.
![](https://static.wixstatic.com/media/ee9d49_16731ae0844c4625885b4c06e1fc6ede~mv2.png/v1/fill/w_49,h_15,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_16731ae0844c4625885b4c06e1fc6ede~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_4aeb444a5ba34268b35942133f864a62~mv2.png/v1/fill/w_49,h_18,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_4aeb444a5ba34268b35942133f864a62~mv2.png)
The private IP address Azure assigned to the VM is 10.1.0.4 (the first usable host address in FrontEnd; Azure reserves the first four addresses of every subnet).
Create a VM in Azure and make sure its network interface is placed in the FrontEnd subnet created above:
![](https://static.wixstatic.com/media/ee9d49_dd6e4e3721e14708a611c8f9b851e270~mv2.png/v1/fill/w_49,h_14,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_dd6e4e3721e14708a611c8f9b851e270~mv2.png)
The VM's Windows firewall is configured to allow inbound RDP (TCP 3389) and ICMP echo, which is needed for ping. Disabling the Windows firewall also works for a throw-away lab, but the better option is to keep it on and scope both rules to the on-premises address space. Apply the same idea to the network security group (NSG) on the VM's NIC or subnet: allow RDP and ICMP only from the on-premises prefix that will arrive through the tunnel, never from the Internet:
![](https://static.wixstatic.com/media/ee9d49_660ca4b76b2640169fdad74ce50f5ab0~mv2.png/v1/fill/w_49,h_19,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_660ca4b76b2640169fdad74ce50f5ab0~mv2.png)
2. Create the gateway subnet
2.1 Open the virtual network created above and add a subnet for the gateway: 10.1.1.0/24. Azure requires this subnet to be named GatewaySubnet (the portal's "Add gateway subnet" button names it for you). Microsoft recommends /27 or larger, so /24 is fine. Do not place VMs on it and do not attach an NSG to it; it is reserved for the gateway instances.
![](https://static.wixstatic.com/media/ee9d49_053d29f339ce4dcab2df65bca5166fe5~mv2.png/v1/fill/w_49,h_17,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_053d29f339ce4dcab2df65bca5166fe5~mv2.png)
3. Create the Virtual Network Gateway
3.1 Create a virtual network gateway named VNet1GW with the following settings (gateway type VPN; the VPN type must be route-based, since IKEv2 is not supported by policy-based gateways):
![](https://static.wixstatic.com/media/ee9d49_e2b7deeacb6a46dc96b14633bdefd924~mv2.png/v1/fill/w_49,h_24,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_e2b7deeacb6a46dc96b14633bdefd924~mv2.png)
3.2 Give a name for the public IP address as shown below:
![](https://static.wixstatic.com/media/ee9d49_675bfb9968b24682ad579c98a73d2580~mv2.png/v1/fill/w_88,h_71,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_675bfb9968b24682ad579c98a73d2580~mv2.png)
3.3 The deployment takes around 45 minutes to 1 hour to complete.
3.4 Open the virtual network gateway and note its public IP address and the gateway subnet it uses. The on-premises RRAS server will dial this public IP in step 5:
![](https://static.wixstatic.com/media/ee9d49_1cf24575a8cd40eca1a2e0291cfef91b~mv2.png/v1/fill/w_49,h_13,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_1cf24575a8cd40eca1a2e0291cfef91b~mv2.png)
4. Create the Local Network Gateway
4.1 Look up the external (public) IP address of your on-premises network, that is, the address the Internet sees for the router or host behind which the on-premises VM sits. Any public "what is my IP" service will show it.
4.2 Set that address as the IP address of the Local Network Gateway. If the on-premises VM is behind a home or office NAT router, this is the router's address. The tunnel still comes up because the RRAS side initiates the connection and IKEv2 traverses NAT over UDP 500/4500, but Azure cannot initiate towards the site unless the router forwards those ports, and if the router's address changes (dynamic IP) the Local Network Gateway must be updated.
4.3 Specify the address space of your local network (the subnet the on-premises VM is on), see below:
![](https://static.wixstatic.com/media/ee9d49_b37954e4f08e4b1daf5cd6083d987eaa~mv2.png/v1/fill/w_49,h_14,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_b37954e4f08e4b1daf5cd6083d987eaa~mv2.png)
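The Azure side of steps 1 to 4 can also be built with Az PowerShell. The following is an added example, not code from the original post; the resource group TestRG1, the region eastus, the NSG name FrontEnd-nsg, the local network gateway name Site1, the on-premises prefix 192.168.56.0/24 and the on-premises public IP 203.0.113.10 are placeholders to replace with your own values. It goes one step beyond the portal walk-through by attaching an NSG to FrontEnd that admits RDP and ICMP only from the on-premises prefix.

```powershell
# Added example (not from the original post): Az PowerShell equivalent of steps 1-4.
# Placeholders (not in the original): TestRG1, eastus, FrontEnd-nsg, Site1, 192.168.56.0/24,
# 203.0.113.10. Requires the Az module: Install-Module Az -Scope CurrentUser ; Connect-AzAccount
$rg  = 'TestRG1'
$loc = 'eastus'
$onPremPrefix   = '192.168.56.0/24'   # address space of the on-premises VM (step 4.3)
$onPremPublicIp = '203.0.113.10'      # external IP of the on-premises site (step 4.1)

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Step 1: VNet 10.1.0.0/16 with the FrontEnd subnet. Step 2: the gateway subnet.
# Azure requires the name "GatewaySubnet" for the subnet that hosts the VPN gateway.
$frontEnd = New-AzVirtualNetworkSubnetConfig -Name 'FrontEnd'      -AddressPrefix '10.1.0.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg -Location $loc `
            -AddressPrefix '10.1.0.0/16' -Subnet $frontEnd, $gwSubnet

# NSG for FrontEnd: RDP and ICMP are allowed only from the on-premises prefix (i.e. through the
# tunnel), never from the Internet. Everything else inbound stays blocked by the default rules.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-OnPrem' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $onPremPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '10.1.0.0/24' -DestinationPortRange 3389
$icmpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-ICMP-From-OnPrem' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Icmp `
    -SourceAddressPrefix $onPremPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '10.1.0.0/24' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -Name 'FrontEnd-nsg' -ResourceGroupName $rg -Location $loc `
            -SecurityRules $rdpRule, $icmpRule
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'FrontEnd' `
    -AddressPrefix '10.1.0.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork   # commit; GatewaySubnet deliberately gets no NSG

# Step 3: public IP + route-based VPN gateway (route-based is required for IKEv2).
# New-AzVirtualNetworkGateway blocks until the deployment finishes, which takes a long time.
$gwPip = New-AzPublicIpAddress -Name 'VNet1GWpip' -ResourceGroupName $rg -Location $loc `
            -AllocationMethod Static -Sku Standard
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig1' `
                -SubnetId $gwSubnetId -PublicIpAddressId $gwPip.Id
$gw = New-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg -Location $loc `
        -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 4: local network gateway = the on-premises site as Azure sees it.
$lng = New-AzLocalNetworkGateway -Name 'Site1' -ResourceGroupName $rg -Location $loc `
          -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefix

# The RRAS demand-dial interface (step 5) dials this address:
'Azure gateway public IP: ' + (Get-AzPublicIpAddress -Name 'VNet1GWpip' -ResourceGroupName $rg).IpAddress
```

The NSG rules use the on-premises prefix as source because packets arriving through the tunnel keep their original on-premises source addresses; a rule with source Internet or * would expose RDP on the VM's public IP, if it has one, which the lab does not need.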
5. Create the Routing and Remote Access VPN on the on-premises VM server
5.1 Create a virtual machine on your local computer.
5.2 Use a Windows Server ISO image from Microsoft (I used 2019).
5.3 Use a hypervisor to create the VM (I used Oracle VirtualBox). The VM's network adapter must sit on the address space you declared in the Local Network Gateway in step 4.3, for example a bridged adapter on your LAN.
![](https://static.wixstatic.com/media/ee9d49_6caee65d4d06471a84d6a5fdabcee056~mv2.png/v1/fill/w_49,h_20,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_6caee65d4d06471a84d6a5fdabcee056~mv2.png)
5.4 Add the Remote Access server role, see below:
![](https://static.wixstatic.com/media/ee9d49_e267ad3578244be6ba6082f45be04e42~mv2.png/v1/fill/w_49,h_26,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_e267ad3578244be6ba6082f45be04e42~mv2.png)
5.5 Configure Routing and Remote Access as shown below:
![](https://static.wixstatic.com/media/ee9d49_e1a210563ddf46d2b0cab43209aa6e21~mv2.png/v1/fill/w_86,h_49,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_e1a210563ddf46d2b0cab43209aa6e21~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_22c8eedef4244e97b6195f43b4a8ff84~mv2.png/v1/fill/w_49,h_23,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_22c8eedef4244e97b6195f43b4a8ff84~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_967386983cb04647a00c6c49c9fdc079~mv2.png/v1/fill/w_49,h_34,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_967386983cb04647a00c6c49c9fdc079~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_7da4041828ec4579a52843d0bc9b14ae~mv2.png/v1/fill/w_49,h_31,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_7da4041828ec4579a52843d0bc9b14ae~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_b56295cb730945649d2b68bc2aafebb2~mv2.png/v1/fill/w_46,h_39,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_b56295cb730945649d2b68bc2aafebb2~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_33edf197f37a4af59774c17e55016e4a~mv2.png/v1/fill/w_49,h_32,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_33edf197f37a4af59774c17e55016e4a~mv2.png)
Right-click Network Interfaces and create a new demand-dial interface, see below:
![](https://static.wixstatic.com/media/ee9d49_cde531934bd34d429f807119c837b934~mv2.png/v1/fill/w_76,h_51,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_cde531934bd34d429f807119c837b934~mv2.png)
Name the interface: Azure S2S
![](https://static.wixstatic.com/media/ee9d49_034b15a63cea4245a9d525b3ab391128~mv2.png/v1/fill/w_88,h_70,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_034b15a63cea4245a9d525b3ab391128~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_c2312c01031148abb6fe97d7336ed7f5~mv2.png/v1/fill/w_89,h_70,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_c2312c01031148abb6fe97d7336ed7f5~mv2.png)
Use the public IP address of the Virtual Network Gateway (noted in step 3.4) as the destination, see below:
![](https://static.wixstatic.com/media/ee9d49_46e73589dae24e73ac7f6a4564aa8c58~mv2.png/v1/fill/w_49,h_31,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_46e73589dae24e73ac7f6a4564aa8c58~mv2.png)
Keep the next screen at its defaults.
Add a static route for the subnet that contains the virtual machine in the cloud, see below:
The destination I used is 10.1.0.0 (the FrontEnd subnet, 10.1.0.0/24), not the value shown in the screenshot below:
![](https://static.wixstatic.com/media/ee9d49_684c2623c13a40d0870b4bfa571c4d42~mv2.png/v1/fill/w_48,h_36,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_684c2623c13a40d0870b4bfa571c4d42~mv2.png)
Keep the next window at its defaults.
Click Finish.
Right-click the Azure S2S network interface and choose Properties, see below:
![](https://static.wixstatic.com/media/ee9d49_dd47318f37b34637ae1489c292024079~mv2.png/v1/fill/w_65,h_81,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_dd47318f37b34637ae1489c292024079~mv2.png)
On the Security tab of the properties dialog, set a pre-shared key; the same value will be entered on the Azure side of the site-to-site connection in step 6.3. I used abc1234 for this lab. Outside a throw-away lab, use a long random key: the PSK is the only thing authenticating the two gateways to each other, and the Azure gateway's public IP is reachable by anyone on the Internet.
![](https://static.wixstatic.com/media/ee9d49_40b4e3cbf51d44c6a4f84603da11b794~mv2.png/v1/fill/w_66,h_81,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_40b4e3cbf51d44c6a4f84603da11b794~mv2.png)
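Steps 5.4 to 5.5 and the demand-dial interface can be done from PowerShell on the on-premises server instead of the RRAS console. The block below is an added example, not code from the original post. It assumes the Azure gateway public IP 20.0.0.5 as a placeholder for the value noted in step 3.4, generates a random pre-shared key instead of abc1234, and pins the IKE/IPsec proposals with a custom policy (AES-256/SHA-256/DH group 14 for IKE, AES-256 with SHA-256 and PFS 2048 for ESP); the Azure connection in step 6 must then be created with the same policy.

```powershell
# Added example (not from the original post): PowerShell equivalent of steps 5.4-5.5 and the
# demand-dial interface. Run on the on-premises Windows Server as an administrator.
# Placeholder (not in the original): the Azure gateway public IP 20.0.0.5; use the step 3.4 value.
$azureGatewayIp = '20.0.0.5'
$azureSubnet    = '10.1.0.0/24'   # FrontEnd subnet that holds the Azure VM

# 5.4 / 5.5: install the Remote Access role and configure RRAS for site-to-site VPN only.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null
Install-RemoteAccess -VpnType VpnS2S

# Pre-shared key: 32 random bytes, hex-encoded (64 printable ASCII characters, inside Azure's
# 1-128 character limit). A guessable PSK such as abc1234 lets anyone who can reach the gateway's
# public IP attempt IKE authentication against it.
function New-PreSharedKey {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}
$psk = New-PreSharedKey

# Demand-dial interface "Azure S2S": IKEv2, PSK authentication, static route to the Azure subnet
# (metric 100), persistent so RRAS redials after a drop. Destination is the Azure gateway IP.
Add-VpnS2SInterface -Name 'Azure S2S' -Destination $azureGatewayIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet "${azureSubnet}:100" -Persistent

# Pin the proposals instead of accepting whatever the defaults negotiate. The Azure connection
# must be created with the matching policy (step 6), otherwise the tunnel stays NotConnected.
Set-VpnS2SInterface -Name 'Azure S2S' -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048

# Show the key once so it can be entered on the Azure side (step 6.3); do not log it elsewhere.
Write-Host "Pre-shared key for the Azure connection: $psk"
Get-VpnS2SInterface -Name 'Azure S2S' |
    Format-List Name, Destination, Protocol, IPv4Subnet, AdminStatus, ConnectionState
```

The route metric in `-IPv4Subnet` is the "subnet:metric" form the RRAS cmdlets expect; it is the same static route the wizard asks for in the screenshot above.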
6. Create the site-to-site connection
6.1 Open Connections in the Azure Portal and create a new connection named VNet1toSite1, see below:
![](https://static.wixstatic.com/media/ee9d49_f7509eb9343e48e5b5d64fc7d38ac4fa~mv2.png/v1/fill/w_49,h_16,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_f7509eb9343e48e5b5d64fc7d38ac4fa~mv2.png)
6.2 Select Site-to-site (IPsec) as the connection type.
6.3 Choose the virtual network gateway and the local network gateway, and enter the same pre-shared key as on the RRAS interface (abc1234 in this lab). Azure does not report a key mismatch until the peer dials in, so enter it carefully.
6.4 Use the IKEv2 protocol, matching the demand-dial interface type on the RRAS server.
6.5 The other settings are as shown below:
![](https://static.wixstatic.com/media/ee9d49_8287a5e76d5648fca93a3aad4b377dbb~mv2.png/v1/fill/w_49,h_61,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_8287a5e76d5648fca93a3aad4b377dbb~mv2.png)
7. Test the configuration
On the on-premises VM, right-click the Azure S2S network interface and click "Connect".
![](https://static.wixstatic.com/media/ee9d49_8519261912784cc4a3a9ae18f4beb19c~mv2.png/v1/fill/w_49,h_31,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_8519261912784cc4a3a9ae18f4beb19c~mv2.png)
Once the state shows Connected, you can verify the connection status in the Azure Portal as well, see below:
![](https://static.wixstatic.com/media/ee9d49_c7d3407758674c9daf38fd8be33a40a8~mv2.png/v1/fill/w_49,h_17,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_c7d3407758674c9daf38fd8be33a40a8~mv2.png)
![](https://static.wixstatic.com/media/ee9d49_e4bc4ae6cfeb4ab3aff28be638fefdff~mv2.png/v1/fill/w_83,h_49,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_e4bc4ae6cfeb4ab3aff28be638fefdff~mv2.png)
You can now ping the on-premises VM from the Azure VM (opened over RDP), see below:
![](https://static.wixstatic.com/media/ee9d49_9f520c2ef7904dc4978d7ba8f97833d6~mv2.png/v1/fill/w_49,h_31,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_9f520c2ef7904dc4978d7ba8f97833d6~mv2.png)
And the reverse: ping the Azure VM from the on-premises VM (opened in VirtualBox), see below:
![](https://static.wixstatic.com/media/ee9d49_83794dcb98514768b3ffa83d5367450b~mv2.png/v1/fill/w_49,h_34,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/ee9d49_83794dcb98514768b3ffa83d5367450b~mv2.png)
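Steps 6 and 7 together, as an added example rather than code from the original post: the Azure part needs the Az module (run Connect-AzAccount first) and creates the connection with IKEv2, the PSK and an IPsec policy; the RRAS part runs on the on-premises server, dials the interface, waits for it to come up and checks reachability across the tunnel. The resource group TestRG1 and the local network gateway name Site1 are placeholders; the IPsec policy values match the custom policy a practitioner would set on the RRAS interface (AES-256/SHA-256/DH group 14 for IKE, AES-256 with SHA-256 and PFS 2048 for ESP) and must be changed on both sides together or on neither.

```powershell
# Added example (not from the original post): steps 6 and 7 in PowerShell.
# Placeholders (not in the original): resource group TestRG1, local network gateway Site1.
$rg = 'TestRG1'

# --- Azure side (step 6): connection object with IKEv2 and the PSK set on the RRAS interface.
$gw  = Get-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name 'Site1'   -ResourceGroupName $rg
# Read the key without echo so it does not land in the console history.
$secure = Read-Host -Prompt 'Pre-shared key (same value as on the RRAS interface)' -AsSecureString
$psk = [System.Net.NetworkCredential]::new('', $secure).Password   # the cmdlet needs plain text

# IKE/IPsec policy; it must mirror the RRAS custom policy or the status stays NotConnected.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
            -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
            -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection -Name 'VNet1toSite1' -ResourceGroupName $rg `
    -Location $gw.Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk -IpsecPolicies $policy | Out-Null
Remove-Variable psk, secure   # drop the key from the session once the connection exists

# --- On-premises side (step 7): dial the interface and wait for it to come up.
function Wait-S2SConnected {
    param([string]$Name = 'Azure S2S', [int]$TimeoutSeconds = 120)
    Connect-VpnS2SInterface -Name $Name
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $state = (Get-VpnS2SInterface -Name $Name).ConnectionState
        if ($state -eq 'Connected') { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}
if (-not (Wait-S2SConnected)) {
    throw 'Azure S2S did not reach Connected: check the PSK, the IKE/IPsec policy on both sides, and UDP 500/4500 egress from the site.'
}

# Azure's view of the same tunnel, plus byte counters that show traffic is actually flowing.
Get-AzVirtualNetworkGatewayConnection -Name 'VNet1toSite1' -ResourceGroupName $rg |
    Format-List ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred

# Reachability across the tunnel from the on-premises server to the Azure VM (ICMP echo, which
# the NSG and the Windows firewall rules from step 1 allow from the on-premises prefix).
Test-NetConnection -ComputerName 10.1.0.4 | Select-Object ComputerName, RemoteAddress, PingSucceeded
```

Run the same Test-NetConnection from the Azure VM towards the on-premises VM's address to confirm the reverse direction; if only one direction works, the usual cause is a host firewall on the target rather than the tunnel itself, since the byte counters in Azure will already be climbing.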