DEMO: Building a Site-to-Site VPN - Part Two
1h 5m

This course explores Azure Virtual Networks, how to create them, and how to connect them. It begins with a vNet overview, where you'll learn about basic Azure Virtual Network concepts and about some key best practices. We'll cover communications topics, filtering, routing, and integration, before working through a demo that shows you how to deploy a virtual network in Microsoft Azure.

After covering the basics of Azure Virtual Networks in the first half of this course, we'll use the second half to dive into VPNs, where you'll learn about site-to-site VPNs, point-to-site VPNs, ExpressRoute, and vNet peering. You'll also watch a demonstration from the Azure platform that shows you how to peer two vNets in Azure. 

If you have any feedback relating to this course, feel free to contact us at

Learning Objectives

  • Obtain a foundational understanding of Azure Virtual Networks including key concepts, best practices, communications, filtering, routing, and integration
  • Provision a virtual network
  • Understand what the Azure VPN Gateway is and what it does
  • Build a site-to-site VPN
  • Learn how to connect a single client computer to a virtual network using a point-to-site VPN gateway
  • Learn how to connect your on-premises network to Azure using ExpressRoute
  • Learn how to peer two Azure Virtual Networks

Intended Audience

This course is intended for anyone who wants to learn about Azure Virtual Networks, how to create them, and how to connect them.


To get the most out of this course, you should have a basic understanding of the Azure platform and networking in general.


Okay, welcome back. So our deployment has now completed, and we have the virtual network gateway deployed, and if we click on Go to resource here, we can see MyGateway is now deployed. We can see it's associated with the MyVNet virtual network, and we have a public IP address here of This gateway IP here, this public IP address, is what we will need when we configure the on-prem VPN device because the on-prem VPN device needs to know what the public IP is of the Azure site so it can communicate with it.

So now that we have MyGateway deployed, what we'll do here is we'll note this IP address, and I'll just copy this. I'm going to paste this over into Notepad here, and I'll drag this into my second screen. So now that we have our public IP for our virtual network gateway documented, what we'll do is we'll create a local network gateway.

Now, the local network gateway is the reference to the on-prem VPN device. So essentially, what we do is we deploy the virtual network gateway, which is MyGateway, and this gateway represents the Azure endpoint of the VPN connection. The local network gateway we're about to deploy represents the on-prem VPN device, the on-prem endpoint of the VPN connection.

Once we have the virtual network gateway and the local gateway configured, we then deploy a VPN connection, which connects the two, so let's go ahead and deploy our local network gateway, and we'll just search for it here in the marketplace. And we'll go ahead and create. Now, there's not as much to configure for the local network gateway. All we need to do is give the local network gateway a name, and then we need to provide the public IP address of our VPN device in the on-prem environment. We also need to add any additional address ranges that are behind that VPN device so that Azure knows that it's going to be able to talk to those networks, and then of course, we need to decide which subscription it's gonna go in and which resource group, along with the location.

So we're going to call our local gateway just OnPrem-Local, and I'm going to copy, I have the actual public IP of my on-prem VPN device here, and the on-prem address space for the on-prem network is So what this information is doing is telling Azure that the on-prem VPN device can be reached at this public IP, and this address space is the underlying network address range that we can access through the VPN. We're not going to do any BGP stuff, and we will deploy this into our vNetDemos resource group. We'll leave it in Central US since that's where everything else is, so we'll go ahead and create this local gateway, and we'll go back into our resource group here.

Now, the deployment of the local gateway takes far less time than the virtual gateway, and as you can see, it's already been deployed, so we'll refresh here, and we can see our OnPrem-Local. So now that I have the virtual network gateway, which represents the Azure endpoint, and the local gateway, which represents the on-prem VPN endpoint, what we can do is create the VPN connection between those two endpoints.

So we'll go ahead and go back to the Hamburger, create a resource, and we'll search for Connection. And we have Connection here, and we'll go ahead and create the connection. We have a couple of different options here for connection type. We can do a VNet-to-VNet, a Site-to-site, or an ExpressRoute. For this demonstration, we're working through the Site-to-site process, so we'll go ahead and click Site-to-site, and again, we'll deploy into our vNetDemos resource group, and we'll okay it.

Now, when we do that, this Settings page appears. Now, what this Settings page does is allow us to specify each of the endpoints of our virtual private network. We need to tell Azure what our virtual network gateway is and what the local network gateway is. This creates the connection between the two. So we'll go ahead and select our virtual network gateway and our local network gateway.

You can see here, it fills in the connection name automatically, and we're going to leave this connection name as it is, although you can change it if you want to.

Now, we also need to specify a shared key. Now, this shared key, whatever we add here, we need to save that because we're going to need to enter that same information into the on-prem VPN device, so that shared key matches both sides, the Azure side and the on-prem VPN device. If we hover over the icon here, we can see that this can be a mixture of numbers and letters, and it's used to establish that encryption for the connection, so what I'll do here is I'll create a shared key. And remember, we'll need this same shared key for our VPN device, and then we can select which protocol we wanna use, IKEv1 or v2.

IKEv2 will work for us, and since we're not using BGP, we do not need to enable it, so we'll go ahead and okay it. This will give me a summary, and we'll go ahead and okay it again. We can go back into vNetDemos here, and it only takes a few moments for the connection to be created, and we can see it's been created, and there's our connection. Now, as we can see here, we have an unknown status, and the status is unknown because we haven't configured the on-prem VPN device yet.

Now, as I mentioned earlier, configuring the VPN device, that process is going to be different, depending on the device itself, but what we can do here is we can download a configuration, and we can choose what device we're configuring on the other side, and this gives us some information that we can use to configure that VPN device.

In the first drop-down, we can select the vendor. For example, if we were configuring a Cisco device, say an ASA, we'd select that, and then we can select the firmware version, and then what we can do here is download that configuration. If we open this up, we can see we have all of the information we need to configure a Cisco ASA with a firmware of 9.8 or later, and then we would use this to configure the ASA, so let me close this, close this, and give me a few minutes. I will go over and configure my VPN device, and then what we'll do is we'll come back, and we'll see this status change to show Connected.

Okay, so I've configured my on-prem VPN device, and we can now see we have a Not Connected status. We'll give this a few minutes, and what should happen is this should show that we now have a status of Connected. So we'll give it a few moments here, and then we'll refresh. Go ahead and refresh here, and let's give it one more refresh here, and there you have it.

So the process we followed was actually pretty straightforward when you think about it. You first deploy a virtual network in Microsoft Azure. You then deploy a gateway subnet that is attached to that virtual network. Once you have your gateway subnet, you go ahead and you deploy your virtual network gateway in Azure, and that virtual network gateway represents the Azure endpoint of the VPN connection. Once you have your virtual network gateway deployed, you create your local gateway, which represents the on-prem VPN device. Once you have the local gateway configured, you then create the connection between the virtual network gateway and the local gateway. Once you have that set up, you can go ahead and download the configuration for whatever device it is you're using on-prem, and then you can go ahead and configure your on-prem device so that it can connect to Azure. You need to make sure that your shared key is the same in both Azure and in your on-prem VPN device. Once you configure the on-prem VPN device, you can come back and refresh, and you should see your VPN connection between your Azure virtual network and your on-prem network show Connected.
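The same build, scripted with the Azure CLI, as an added example that is not part of the course. It keeps the demo's resource names (MyVNet, MyGateway, OnPrem-Local, vNetDemos, Central US), generates a strong random shared key instead of typing one, validates the on-prem public IP before anything is deployed, and assumes the documented az flags shown; the 10.0.0.0/16, 192.168.0.0/24 and 203.0.113.10 values are constructed placeholders.

```shell
#!/bin/sh
# Added example: scripts the site-to-site build from the demo with the Azure CLI.
# DRY_RUN=1 (default) only prints each az command; DRY_RUN=0 executes it.
# Resource names follow the demo; the IPs and on-prem prefix are constructed placeholders.
set -eu

# 256-bit random pre-shared key as hex: letters and digits only, as the portal
# tooltip requires. Store it in a secret store; the on-prem device needs the same value.
gen_shared_key() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Accept only a dotted-quad IPv4 with every octet in 0-255 for the on-prem device.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s' "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# In dry-run mode print the command (the key included, so keep stdout private).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# deploy_s2s RESOURCE_GROUP LOCATION ONPREM_PUBLIC_IP ONPREM_PREFIX SHARED_KEY
deploy_s2s() {
  rg=$1 loc=$2 onprem_ip=$3 onprem_prefix=$4 psk=$5
  valid_ipv4 "$onprem_ip" || { echo "bad on-prem public IP: $onprem_ip" >&2; return 1; }
  # 1. virtual network plus the GatewaySubnet the gateway must be placed in
  run az network vnet create -g "$rg" -l "$loc" -n MyVNet --address-prefixes 10.0.0.0/16
  run az network vnet subnet create -g "$rg" --vnet-name MyVNet -n GatewaySubnet \
      --address-prefixes 10.0.255.0/27
  # 2. virtual network gateway: the Azure endpoint (the slow step in the demo)
  run az network public-ip create -g "$rg" -l "$loc" -n MyGateway-pip \
      --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$rg" -l "$loc" -n MyGateway --vnet MyVNet \
      --public-ip-address MyGateway-pip --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
  # 3. local network gateway: the on-prem VPN device and the ranges behind it
  run az network local-gateway create -g "$rg" -l "$loc" -n OnPrem-Local \
      --gateway-ip-address "$onprem_ip" --local-address-prefixes "$onprem_prefix"
  # 4. the connection: IKEv2, no BGP, same PSK that goes into the on-prem device
  run az network vpn-connection create -g "$rg" -l "$loc" -n MyGateway-to-OnPrem-Local \
      --vnet-gateway1 MyGateway --local-gateway2 OnPrem-Local --protocol IKEv2 \
      --enable-bgp false --shared-key "$psk"
  # 5. status goes Unknown -> NotConnected -> Connected once the device is configured
  run az network vpn-connection show -g "$rg" -n MyGateway-to-OnPrem-Local \
      --query connectionStatus -o tsv
}

# 203.0.113.10 is a documentation (TEST-NET-3) address standing in for a real device.
PSK=$(gen_shared_key)
deploy_s2s vNetDemos centralus 203.0.113.10 192.168.0.0/24 "$PSK"
```

Re-run only the final `show` command after the on-prem device is configured; the status will read NotConnected until IKE negotiation succeeds and Connected after it.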

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.