Creating a Site-to-Site VPN
Start course

Organizations use site-to-site VPNs and ExpressRoute to connect on-premises networks to Azure. As an organization grows, so does the complexity of implementing and managing connectivity between the cloud and on-premises locations.

In this course, we review Azure Virtual Wide Area Network (WAN). Azure Virtual WAN creates a hub-and-spoke topology that provides a single interface for managing branch connectivity, user access, and connectivity between VNets. We also cover how Azure Virtual WAN hubs connect with other network resources to create a full mesh topology that serves as a backbone of a hybrid network.

Learning Objectives

  • Design an Azure Virtual WAN architecture
  • Understand the SKUs and related features of a Virtual WAN
  • Create a Virtual WAN hub
  • Create a network virtual appliance (NVA) in a virtual hub
  • Configure virtual hub routing
  • Understand connection units and scale units

Intended Audience

  • System or network administrators with responsibilities for connecting an on-premises network to Azure
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam


  • A basic understanding of networking, routing, and VPN concepts
  • An Azure subscription (sign up for a free trial at if you don’t have a subscription)

Next, we'll add the site-to-site VPN connection between the Virtua WAN Hub and the on-premises location in West Europe. Once that's established, we'll test connectivity between the computers in the West Europe and East US VNet. Let's go to the Virtual WAN in the Azure portal to get started. The computer in West Europe represents an on-premises network. It has the Routing and Remote Access Service installed. That's used to establish a local connection to the VPN. We'll go to the West Europe Hub and create a VPN Site to site. Here, we have the option to create a VPN Gateway in the West European Hub. We can't change the AS Number, set the Scale Units to 1. We'll go over Scale Units shortly.

We have two options for the routing preference, over the Microsoft Network or Internet. With routing over the Microsoft network, traffic will route on the Microsoft private network until the final hop closest to the ISP. Internet routing is cost optimized by passing traffic to the internet, minimizing the amount of traffic passed over the Microsoft Network. Select Microsoft Network and click Create. Creating the gateway can take up to 30 minutes or longer. At this point, we'll pause the video and come back once it's finished. The gateway is finished. From the West Europe Hub, we'll go to VPN Site to site. Create a new VPN Site. Think of this site as a representation of the on-premises location. This is where we place data about the site we're connecting to the Virtual Hub. Select the Region, West Europe for this example. Give it a name, WEuropeRRAS. And in Device vendor, we'll enter Windows. 

Next, add the private IP address space of the remote site. This is how the Virtual WAN will determine where to route traffic. In this example, the IP address is If there are multiple IP blocks at this location, we could enter each in a new line. Go to Links. We can provide multiple links to customer equipment in each gateway. This will provide high availability. Enter the information that corresponds with the remote site. We'll give it the name of WestEurope. Link speed will be 50. This number represents megabits per second. Add the carrier name. This example is in Azure, so that's what we'll use. Provide the IP address or fully qualified name of the remote endpoint. For this example, that'll be the public IP address of the Routing and Remote Access Server. If there's a BGP address and a Link ASN, add that. Otherwise, go to Review and Create. Once validated, click Create.

After that's finished, we'll go back to The Virtual WAN and we can view the site under VPN Sites. Next, we need to connect this site to the West Europe Hub. We'll go to Hubs, and select the West Europe Hub. Go to VPN Site to site. If the Hub association filter is on, remove it. Here's our site showing it's not connected. Select the site and click Connect VPN site. Enter a preshared key. This is used to authenticate both ends of the VPN connection. You can enter one, or leave it blank and Azure will create one for you. Leave the rest as is and click Connect. Notice the gateway is being updated. It may take up to 30 minutes for that to complete updating. We'll pause here and come back once it's finished updating those changes.

Once finished, the provisioning status changes to Succeeded. Connectivity status shows Not connected, however. we need to download the VPN configuration next to identify the Azure VPN Gateway public IP address. This is used to configure the on-premises equipment. We'll download the VPN config. Open the file. This is all the configuration information related to the VPN. There are two public IP addresses for Instance0 and Instance1. The two instances are for high availability. We're not configuring high availability in this example, we just need the one IP address for Instance0. Copy that IP address, it's needed for the next step. Let's move on to the computer in the West Europe region to configure the remote VPN endpoint.

Here we are on the computer in West Europe. This represents an on-premises location that we connect with a site-to-site VPN. For this example, the Windows Routing and Remote Access Service is used as the VPN endpoint. In a production environment, this could be any number of VPN endpoints or devices. We'll start by creating a new dial-on-demand interface. We'll give it a name, AzureWEuropeVWAN, for this example. We'll leave the Connection Type to a virtual private network. For the VPN Type, select IKEv2. For the Destination Address, this is where we add the IP address we got from the config file, the IP address for Instance0. Leave Protocol and Security, and go to Next.

For Static Routes for Remote Networks, go to Add. Here, we'll add the IP block for the East US VNet, And /16 equals a Network Mask of 255-255-0-0. For the metric, we'll use 100. Click OK. Next, leave Dialog Credentials blank, Next, and Finish. Now we have the new interface. Let's open up that interface. Go to Security, and here, select Use preshared key. Here, we add the preshared key that we used to configure the Connect VPN site in Azure. Click OK. And now, from this machine in the 10.200 network, let's try to ping the VM at And you can see we got a timeout, but then it completed successfully. Because it's a demand-dial interface, we have to generate traffic before the connection is established. But now, we should be able to run it again without any timeouts. And if we go back to Routing and Remote Access Service, do a refresh, we can see the connection status is now connected.

Let's go back to the Virtual network. If we go to the West Europe Hub, VPN Site to site, our Connectivity status now shows Connected. And if you happen to be following along, it can take a couple minutes before this updates to Connected. Our East US and West Europe sites are now connected. We've successfully created a Virtual WAN and added a virtual hub in West Europe and East US. We connected the West US Hub to a VNet and added a site-to-site VPN connection to the West Europe Hub. Thanks for joining me in this lecture, I look forward to seeing you in the next.

About the Author

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.