Connecting Networks with a Site-to-Site VPN
Start course
1h 26m

This course covers how to implement Azure network security. Through a combination of both theory and practical demonstrations, you will learn how to create and configure a range of Azure services designed to keep your network secure.

This includes topics such as virtual network connectivity, the Azure Front Door Service, NSG configuration, Azure firewall configuration, and application security groups. The course then moves on to the configuration of remote access management via just-in-time access and tools that are used to configure baselines.

We’d love to get your feedback on this course, so please give it a rating when you’re finished. If you have any queries or suggestions, please contact us at

Learning Objectives

  • Understand how to implement Azure network security
  • Learn about the various Azure services and methodologies available to secure your network

Intended Audience

This course is intended for IT professionals who are interested in earning Azure certification and for those who work with Microsoft Azure on a daily basis.


To get the most from this course, you should have at least a basic understanding of Azure network resources such as virtual networks, Azure firewalls, and network security groups.



Hello everyone! And welcome back. In this demonstration, I'm going to walk you through the process of creating a route-based site-to-site VPN connection. What we're going to do here is connect my vNet-Azure virtual network to my on-prem network, using a route-based site-to-site VPN.

In my on-prem network, I have a public-facing VPN device with an IP address of On my VPN device, I've configured a pre-shared key. I'll use that same pre-shared key when I setup the VPN in Azure here.

To begin the VPN setup, I need to deploy a virtual network gateway in Azure. This virtual network gateway will serve as the Azure endpoint, so to speak, of the VPN connection. However, before I create a virtual network gateway, I need to create a gateway subnet within the vNet-azure virtual network.

The gateway subnet doesn't have to be large, since it's only going to host a couple of VPN-related resources that Azure automatically deploys under the covers when creating the virtual network gateway. These resources that Azure deploys cannot be seen, nor can they be managed by me. Because they're used by the Azure platform itself to create the VPN connection. 

To kick things off, let's go ahead and create our gateway subnet. Now, like I mentioned, this subnet can be very small. Only a handful of available IPs are necessary, so we're going to use a /27 range. It's important to note that the gateway subnet that I define must fall within the network address space that's defined for the actual vNet. And I should also point out that it can't overlap any other subnets within my virtual network.

Now, since my virtual network address space for this vNet is, and I already have a subnet of, what I'm going to use is for my gateway subnet.

So, let's go ahead and create the gateway subnet by clicking the plus Gateway subnet link here at the top. You'll notice my gateway subnet is automatically named GatewaySubnet, and I can't change this. This name tells Azure to recognize the subnet as my gateway subnet. So, let me just configure the address range here so it reflects my chosen range of I can leave the rest of the settings here at their defaults and we'll go ahead and click OK here. But before I do that, I do wanna mention, you never ever want to assign a network security group to your gateway subnet. Just keep that in mind. So we'll go ahead and click OK here.

So we now have the gateway subnet deployed. With my gateway subnet deployed, I can begin the deployment of my virtual network gateway. I should point out that the creation of the gateway can take upwards of 45 minutes to complete, so what I'll do here is show you how to create it. And then we'll then cut away and come back once it's deployed.

The virtual network gateway that I deploy here is going to use this gateway subnet that I provisioned. So, let's get this virtual network gateway deployed. In the portal here, what I'm going to do, on the left side, is create a resource here. And then I'll search for Virtual Network Gateway. And then from the search results here, I'll click virtual network gateway. And then from this Virtual network gateway blade, I have to click Create here to begin the process. And what this does is open the virtual network gateway blade. And then from this blade, I need to fill in the values for my gateway.

I'm going to call my gateway GW-Azure. And what I'm going to is deploy into my VPNDemo resource group. However, you'll see here I can't select a resource group until I select a virtual network. And that's because it needs to be in the same resource group. So what we'll do here, is we'll select the region where my vNet-Azure virtual network is. And it's in East US 2. And then what we'll do, is we'll filter on our networks, and select vNet-Azure. And then we can see here the resource group is derived from the virtual networks resource group.

Now, as I mentioned earlier, I'm going to create a route-based VPN. You see we have two options here. If I hover over here on this icon, I can see that this option allows me to choose a route-based VPN if I plan to use point-to-site, inter-virtual network, or multiple site-to-site connections. If I was going to create a VPN to coexist with an ExpressRoute gateway or if I need to use IKEv2, I could also use a route-based gateway. A Policy-based VPN supports only IKEv1.

For this VPNDemo here, I'm going to create a route-based VPN. And what we're going to do is deploy a Basic SKU here. Now hovering over Generation here, we can see that we can choose a generation of VPN gateway. Now that being said, Basic and the VPN GW1 SKUs are always supported on Generation1 only. So that's all we're going to leave it at here.

Now down here, I need to either create a new public IP for my gateway or use an existing one. Now for this demo, I'm going to create a new public IP. This public IP is going to be the IP that my on-prem VPN device is going to communicate with. So we'll go ahead and create a new one here. And we'll call it PublicIP-GWAzure. Now I can only enable active-active mode when I use one of the more advanced SKUs, so I don't have the option available to me here. That said, I would really only enable active-active mode if I was creating an active-active gateway configuration. And I'm not doing anything with BGP in this demo, so I'll leave BGP ASN disabled as well. Now if I hover over the icon for BGP here, I can see that BGP ASN can only be configured with route-based VPN gateways that are supported on SKUs of VPN GW1, 2, or 3, so it wouldn't even be supported for my basic SKU anyway.

So at this point, I need to click Review and Create here to run validation. Now after the validation passes, and I can see it in the green bar here, I can click Create here to deploy my gateway. Now, this can take up to 45 minutes to complete, so what I'll do here is pause the video and then we'll return when it's completed.

Okay, welcome back. Now that the virtual network gateway has been created, I need to create an endpoint in Azure that represents the on-prem VPN device. To do this, I need to create what's called a local network gateway.

To create the local network gateway, I need to click create a resource up top here. And I'll go ahead and search the marketplace for Local network gateway. And from the list of results here, I'll select it. And then we'll create it.

Now when this Create local network gateway page opens, I'm going to give my gateway a name. I'm going to call it GW-OnPrem. And then what I need to do is provide the public IP address of the on-prem VPN device. Now, in this exercise, the public IP of my on-prem VPN device is

Now, in this address space field here, I need to tell Azure what network address ranges that this local network represents. Now, I can add multiple address space ranges here, but for this exercise, I'm simply going to add, which is the only address range for my on-prem network.

Now what Azure will do is route traffic to the address range through the on-prem VPN device IP address. I only have to configure the BGP settings here if I'm using BGP. Since we aren't doing that here, I'll leave this option alone.

I also have to specify the subscription and resource group where I'm deploying these resources. And the location here is the same as Region in other settings. So what I need to do is choose where I want my local gateway to be created. So what I do is I'll select my VPNDemo resource group here. And it'll go in the East US 2. So at this point, I can create my local gateway here by clicking Create at the bottom. And let me go back into my resource group here for my VPNDemo. And we'll wait for our local gateway to complete deployment here, which takes a few minutes. It's not as long as the virtual network gateway.

Alright, so now that I have my gateway subnet, my virtual network gateway, and my local network gateway created, at this point, I need to configure my on-prem VPN device and create the actual VPN connection between the on-prem environment and my Azure network.

To configure my on-prem VPN device, regardless of what type it is, I need to specify the shared key that the Azure virtual network gateway and that on-prem device are going to use to establish connectivity. I also need the Public IP address of my virtual network gateway in Azure.

To get this public IP address via the portal, I can just browse to my virtual network gateway here, and then identify the public IP address. So let's go back to our VPNDemo resource group here.

Now, to configure the VPN device, I'm going to need to download a configuration script for that device. Now before I get that configuration script, I need to create the site-to-site VPN connection between the virtual network gateway and my on-prem device. To do this, I need to open the page for my virtual network gateway. And then from here, I can go to Connections under Settings. We can see we have no current connections. But what I'm going to do here, at the top, I'm going to click Add button here. And then from here, I can configure the values for my connection.

Now I have to give my connection a name and I need to choose a connection type here. So we'll just call this Azure-OnPrem. Now, I can't change the Virtual network gateway because I'm connecting from this gateway. And then my connection type is going to be site-to-site. Now, from here, I need to choose the local network gateway. And this is the one that I created. This local gateway represents the on-prem VPN device. And then the shared key here is the shared key value that I used to configure my VPN device. They need to match. So I'll type this in here.

We can leave our IKE set to IKEv2. And then we can go ahead and click OK. I can see my new connection here. And the status will switch from things like Unknown to Connecting to Successful to Connected, depending on the status of the connection. What I can do here is click on my connection here to see more details.

Now, at this point, I need to download the configuration script for whatever on-prem VPN device I'm using. Now, to do this, I can click the Download Configuration link at the top and then from here I can specify my on-prem device. So let's assume we're using a Cisco ASA. And we can download the configuration.

Now, when I download my script, it comes down as a text file. After downloading it, what I need to do is open it and then search for the keyword "REPLACE" within this text file. And then what I need to do is provide any parameters that need to be added to my script. So if we do Edit, Find, excuse me, Find, Replace. We can see different information regarding our specific device. And then we would fill this information in as necessary. And then what I could do is save my script and use it to configure my on-prem VPN device so that it can connect.

Now I'm not going to get into the configuration of the on-prem device because that process is different for every device, and frankly, Microsoft really doesn't care that you know how to configure a Cisco VPN device. Suffice it to say though, once I've taken this script and configured my on-prem VPN device, I can then verify my VPN connection. So let me hop away here. And I'll go ahead and configure my VPN device. Give me a moment. And then we'll come back and we'll check our connection.

So my on-prem VPN is now configured. And since I'm already on the Connection page here, what I'll see here normally is that my connection is showing Connecting. After a few moments, this will go to Succeeded and then to Connected. So let's give it a few moments here. And as you can see now, we now show a successful connection. So at this point, you now know how to create a route-based site-to-site VPN in Microsoft Azure.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.