How VPNs Work


Configure active-active S2S VPN connections with Azure VPN Gateways
The sections below cover three related tasks: exporting the network configuration file to obtain the exact resource names the PowerShell cmdlets expect, removing a gateway IP configuration to disable active-active mode, and building an active-active configuration that starts with a single on-premises VPN device (the diagram shown below). For more information about working with virtual networks, see the Virtual Network Overview. Pay particular attention to any subnets that may overlap with other networks; overlapping address space is the most common reason a connection comes up but traffic does not flow.

Authentication of S2S VPN

Create a Site-to-Site connection using the Azure portal (classic)

Configure the settings, and then click OK to save them. You must create a gateway subnet for your VPN gateway. Select the optional gateway configuration checkbox so that the 'Optional gateway configuration' page appears; if you don't select the checkbox, you won't see the page on which the gateway subnet is configured. On the Gateway Configuration page, click Subnet - Configure required settings to open the Add subnet page.

On the Add subnet page, add the gateway subnet. The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. Although a gateway subnet can be as small as /29, specify a larger subnet (/28 or /27) that includes more addresses; a larger gateway subnet leaves enough IP addresses to accommodate possible future configurations such as active-active mode, which needs a second gateway IP configuration. Select the gateway Size. This is the gateway SKU that you use to create your virtual network gateway.

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the values from the gateway you created (the gateway's public IP address and the shared key set in a later step). For more information, see Download VPN device configuration scripts. The device configuration links are provided on a best-effort basis.

It's always best to check with your device manufacturer for the latest configuration information. The list shows the versions we have tested. If your OS version is not on that list, it may still be compatible. For information about editing device configuration samples, see Editing samples. In the next step, you set the shared key and create the connection. The key you set must be the same key that was used in your VPN device configuration.

Currently, this step is not available in the Azure portal. Open your PowerShell console with elevated rights and connect to your account. When working with PowerShell and the classic deployment model, the names of resources shown in the portal are sometimes not the names that Azure expects to see when using PowerShell. The following steps help you export the network configuration file to obtain the exact values for the names. Create a directory on your computer and then export the network configuration file to that directory.

In this example, the network configuration file is exported to C: Open the network configuration file with an XML editor and check the values for 'LocalNetworkSite name' and 'VirtualNetworkSite name'. Modify the example to reflect the values that you need. When specifying a name that contains spaces, use single quotation marks around the value.

Set the shared key and create the connection. The '-SharedKey' is a value that you generate and specify. The example uses 'abc', but you should generate a long random key (from a cryptographic random source, not a word or a short string) and keep it out of scripts and shell history. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device. The following steps show one way to navigate to your connection and verify it.
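The classic-deployment procedure above (connect, export the network configuration file, read the exact site names, set the shared key) as one script. This is an added example, not code from the original page or from Microsoft's documentation; it uses the legacy Service Management 'Azure' module rather than 'Az', and the subscription name, export path and the choice of the first site of each kind are assumptions to replace with your own values.

```powershell
# Added example (not from the original page). Requires the legacy 'Azure'
# (Service Management) module; the classic cmdlets are not in the 'Az' module.

# Connect and select the subscription that owns the classic virtual network.
Add-AzureAccount
Select-AzureSubscription -SubscriptionName 'Subscription 1'    # assumed name

# Export the network configuration file. The names in it are the ones the
# classic cmdlets expect, which can differ from what the portal displays.
$exportDir  = 'C:\AzureNet'                                    # assumed path
$exportFile = Join-Path $exportDir 'NetworkConfig.xml'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
Get-AzureVNetConfig -ExportToFile $exportFile | Out-Null

# Read the exact 'VirtualNetworkSite name' and 'LocalNetworkSite name' values
# from the file instead of retyping them (dot navigation ignores the namespace).
[xml]$netcfg = Get-Content -Path $exportFile
$vnetSites  = $netcfg.NetworkConfiguration.VirtualNetworkConfiguration.VirtualNetworkSites.VirtualNetworkSite
$localSites = $netcfg.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite
$vnetSites  | Select-Object name, Location
$localSites | Select-Object name

# Assumed: use the first site of each kind. Names with spaces are fine here
# because they are passed as variables, not typed on the command line.
$vnetName  = $vnetSites[0].name
$localName = $localSites[0].name

# Generate the IPsec pre-shared key from a CSPRNG instead of using 'abc'.
# 32 random bytes as 64 hex characters stays within the gateway's length and
# printable-ASCII limits and avoids characters some devices mishandle.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$sharedKey = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Set the key for this local site. The identical value must be configured on
# the on-premises device; hand it over through a secrets store, not by e-mail.
Set-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $localName -SharedKey $sharedKey

# Check the tunnel state once the device side is configured.
Get-AzureVNetConnection -VNetName $vnetName |
    Select-Object LocalNetworkSiteName, ConnectivityState, LastConnectionEstablished
```

If the site name the portal shows differs from what `Get-AzureVNetConfig` exported, the exported name is the one to use; a mismatch produces a "resource not found" error rather than a silently wrong key.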

On the Site-to-site VPN connections blade, view the information about your site. To view more information about the connection, click the name of the connection to open the Site-to-site VPN Connection blade. If you are having trouble connecting, see the Troubleshoot section of the table of contents in the left pane. If the tunnel still won't establish after the device configuration and shared key have been checked, resetting the gateway can help; for steps, see Reset a VPN gateway.

The gateway subnet must be named GatewaySubnet; if you name it something else, your gateway creation fails. Request two public IP addresses to be allocated to the gateway you will create for your VNet. You'll also define the subnet and IP configurations required. Create the virtual network gateway for TestVNet1. Creating a gateway can take 45 minutes or more to complete. Note the two public IP addresses assigned to the gateway; this information is needed when you set up your on-premises VPN devices connecting to the active-active gateway.

The gateway is shown in the diagram below with all addresses. Once the gateway is created, you can use it to establish active-active cross-premises or VNet-to-VNet connections. The following sections walk through the steps to complete the exercise. To establish a cross-premises connection, you need to create a Local Network Gateway to represent your on-premises VPN device, and a Connection to connect the Azure VPN gateway with the local network gateway.

In this example, the Azure VPN gateway is in active-active mode. Before proceeding, please make sure you have completed Part 1 of this exercise. This exercise will continue to build the configuration shown in the diagram. Be sure to replace the values with the ones that you want to use for your configuration. Before you continue, please make sure you are still connected to Subscription 1.

Create the resource group if it is not yet created. The BGP configuration section of your on-premises VPN device needs the Azure gateway's ASN and its BGP peering addresses (one per gateway instance in active-active mode), together with your own ASN and peering address. The connection should be established after a few minutes, and the BGP peering session will start once the IPsec connection is established.

This example so far has configured only one on-premises VPN device, resulting in the diagram shown below. To add a second device, create a second local network gateway and connection. The gateway IP address, address prefix, and BGP peering address for the second local network gateway must not overlap with those of the previous local network gateway for the same on-premises network; Azure treats them as two distinct peers.
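The Resource Manager steps above (gateway subnet, two public IPs, active-active gateway with BGP, then one local network gateway and connection per on-premises device) as one Az PowerShell script. This is an added example, not code from the original page or from Microsoft's documentation. The resource group, location, gateway and device names, address ranges, ASNs, on-premises public IPs and BGP peering addresses, and the SKU are assumptions; the cmdlet names and parameters are the Az.Network ones.

```powershell
# Added example (not from the original page). Requires the 'Az' module.
Connect-AzAccount
Set-AzContext -Subscription 'Subscription 1'                    # assumed name

$RG = 'TestRG1'; $Location = 'East US'; $VNetName = 'TestVNet1' # RG/location assumed
$GWName = 'VNet1GW'                                              # assumed
New-AzResourceGroup -Name $RG -Location $Location -ErrorAction SilentlyContinue | Out-Null

# VNet with the mandatory gateway subnet. The name 'GatewaySubnet' is required.
$fe  = New-AzVirtualNetworkSubnetConfig -Name 'FrontEnd'      -AddressPrefix '10.11.0.0/24'
$gws = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.11.255.0/27'
New-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location `
    -AddressPrefix '10.11.0.0/16' -Subnet $fe, $gws | Out-Null
$vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Active-active needs one public IP and one IP configuration per instance.
$ipconfs = foreach ($i in 1, 2) {
    $pip = New-AzPublicIpAddress -Name "$GWName-pip$i" -ResourceGroupName $RG `
        -Location $Location -AllocationMethod Static -Sku Standard
    New-AzVirtualNetworkGatewayIpConfig -Name "$GWName-ipconf$i" -Subnet $subnet -PublicIpAddress $pip
}

# Create the gateway (45 minutes or more). The Basic SKU supports neither BGP
# nor active-active, so a VpnGw SKU is used. ASN 65010 is assumed.
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $ipconfs -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2 `
    -Asn 65010 -EnableBgp $true -EnableActiveActiveFeature | Out-Null
$gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG

# Values the on-premises devices need: both public IPs, the Azure ASN and both
# BGP peering addresses (one per instance).
Get-AzPublicIpAddress -ResourceGroupName $RG | Where-Object Name -like "$GWName-pip*" |
    Select-Object Name, IpAddress
$gw.BgpSettings | Select-Object Asn, BgpPeeringAddress

# One local network gateway per on-premises device (assumed addresses). With BGP,
# -AddressPrefix carries only the device's BGP peer /32; LAN routes arrive via BGP.
$devices = @(
    @{ Name = 'Site1Device1'; Ip = '203.0.113.10'; Peer = '10.52.255.253' }
    @{ Name = 'Site1Device2'; Ip = '203.0.113.20'; Peer = '10.52.255.254' }
)
# The two local network gateways must not share a device IP or a peering address.
if (@($devices.Ip | Select-Object -Unique).Count -ne $devices.Count -or
    @($devices.Peer | Select-Object -Unique).Count -ne $devices.Count) {
    throw 'Each on-premises device needs a distinct public IP and BGP peering address.'
}

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($d in $devices) {
    # A separate CSPRNG-generated pre-shared key per device; record it in a
    # secrets store and configure the same value on that device.
    $bytes = New-Object byte[] 32; $rng.GetBytes($bytes)
    $psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

    $lng = New-AzLocalNetworkGateway -Name $d.Name -ResourceGroupName $RG -Location $Location `
        -GatewayIpAddress $d.Ip -AddressPrefix "$($d.Peer)/32" -Asn 65050 -BgpPeeringAddress $d.Peer
    New-AzVirtualNetworkGatewayConnection -Name "$GWName-to-$($d.Name)" -ResourceGroupName $RG `
        -Location $Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -SharedKey $psk -EnableBgp $true | Out-Null
}

# IPsec first, then BGP: a connection that shows Connected with no BGP peer
# in Connected state points at the device's BGP settings, not the tunnel.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $RG | Select-Object Name, ConnectionStatus
Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName
```

Because the gateway is active-active, each on-premises device should be configured with tunnels to both gateway public IPs and BGP sessions to both peering addresses; otherwise a failover of one Azure instance takes that device's connectivity with it.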

Once the connection tunnels are established, you will have two redundant VPN devices and tunnels connecting your on-premises network and Azure. The instructions below continue from the previous steps. It is important to make sure that the IP address space of the new virtual network, TestVNet2, does not overlap with any of your VNet ranges or with the on-premises ranges.

In this example, both virtual networks and both gateways belong to the same subscription, so you can complete this step in the same PowerShell session. After completing these steps, the connection will be established in a few minutes, and the BGP peering session will be up once the VNet-to-VNet connection is completed with dual redundancy.
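The VNet-to-VNet step above, assuming the TestVNet1 and TestVNet2 gateways already exist in 'Subscription 1' with BGP enabled. This is an added example, not code from the original page or from Microsoft's documentation; the resource group and gateway names and the second location are assumptions. It also carries out the overlap check the text asks for on the two VNets' actual address prefixes before creating the connection pair.

```powershell
# Added example (not from the original page). Requires the 'Az' module and an
# existing context on 'Subscription 1'.
$RG1 = 'TestRG1'; $GW1 = 'VNet1GW'; $Location1 = 'East US'   # assumed
$RG2 = 'TestRG2'; $GW2 = 'VNet2GW'; $Location2 = 'West US'   # assumed

# True when two IPv4 CIDR prefixes share any address: compare both network
# addresses under the shorter of the two masks.
function Test-CidrOverlap {
    param([string]$CidrA, [string]$CidrB)
    $parse = {
        param([string]$cidr)
        $ip, $len = $cidr.Split('/')
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                                  # network to host order
        $addr = [BitConverter]::ToUInt32($b, 0)
        $mask = [uint32](([int64]0xFFFFFFFF -shl (32 - [int]$len)) -band 0xFFFFFFFF)
        [pscustomobject]@{ Net = [uint32]($addr -band $mask); Mask = $mask }
    }
    $a = & $parse $CidrA
    $b = & $parse $CidrB
    $m = [Math]::Min($a.Mask, $b.Mask)                        # smaller mask = shorter prefix
    return (($a.Net -band $m) -eq ($b.Net -band $m))
}

$vnet1 = Get-AzVirtualNetwork -Name 'TestVNet1' -ResourceGroupName $RG1
$vnet2 = Get-AzVirtualNetwork -Name 'TestVNet2' -ResourceGroupName $RG2
foreach ($p1 in $vnet1.AddressSpace.AddressPrefixes) {
    foreach ($p2 in $vnet2.AddressSpace.AddressPrefixes) {
        if (Test-CidrOverlap $p1 $p2) { throw "TestVNet2 prefix $p2 overlaps TestVNet1 prefix $p1" }
    }
}

$gw1 = Get-AzVirtualNetworkGateway -Name $GW1 -ResourceGroupName $RG1
$gw2 = Get-AzVirtualNetworkGateway -Name $GW2 -ResourceGroupName $RG2

# One CSPRNG-generated pre-shared key, identical on both connections.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32; $rng.GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# A VNet-to-VNet link is two connection resources, one in each direction. With
# both gateways active-active, Azure builds the full mesh of tunnels itself.
New-AzVirtualNetworkGatewayConnection -Name 'VNet1toVNet2' -ResourceGroupName $RG1 -Location $Location1 `
    -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 -ConnectionType Vnet2Vnet `
    -SharedKey $psk -EnableBgp $true | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'VNet2toVNet1' -ResourceGroupName $RG2 -Location $Location2 `
    -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 -ConnectionType Vnet2Vnet `
    -SharedKey $psk -EnableBgp $true | Out-Null

# Both directions should report Connected, and each gateway should list the
# other's peering addresses as BGP peers.
Get-AzVirtualNetworkGatewayConnection -Name 'VNet1toVNet2' -ResourceGroupName $RG1 | Select-Object Name, ConnectionStatus
Get-AzVirtualNetworkGatewayConnection -Name 'VNet2toVNet1' -ResourceGroupName $RG2 | Select-Object Name, ConnectionStatus
Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $RG1 -VirtualNetworkGatewayName $GW1
Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $RG2 -VirtualNetworkGatewayName $GW2
```

The overlap check runs before any resource is created on purpose: once two VNets with overlapping space are peered over BGP, Azure accepts the configuration and the failure shows up only as unreachable hosts.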

This section helps you change an existing Azure VPN gateway from active-standby to active-active mode, or vice versa. The following example converts an active-standby gateway into an active-active gateway. When you change an active-standby gateway to active-active, you create another public IP address, then add a second Gateway IP configuration.

Replace the following parameters used in the examples with the settings that you require for your own configuration, then declare these variables. In this step, you create the second public IP address and gateway IP configuration, enable active-active mode, and update the gateway. To go the other way, remove the second gateway IP configuration and then disable active-active mode.
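The conversion described above in both directions, as an added Az PowerShell example that is not code from the original page or from Microsoft's documentation. The gateway name, resource group, location, VNet name and the names chosen for the second public IP and IP configuration are assumptions; the cmdlets (Add-AzVirtualNetworkGatewayIpConfig, Remove-AzVirtualNetworkGatewayIpConfig, Set-AzVirtualNetworkGateway with -EnableActiveActiveFeature / -DisableActiveActiveFeature) are the Az.Network ones.

```powershell
# Added example (not from the original page). Requires the 'Az' module.
$RG = 'TestRG1'; $GWName = 'VNet1GW'; $Location = 'East US'   # assumed
$VNetName = 'TestVNet1'
$GWIPName2 = "$GWName-pip2"; $GWIPconfName2 = "$GWName-ipconf2"  # assumed names

# Active-standby -> active-active: add a second public IP and IP configuration
# on the same GatewaySubnet, then switch the feature on. The gateway is
# updated in place; existing connections stay configured.
function Enable-ActiveActiveGateway {
    $gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
    if ($gw.ActiveActive) { Write-Warning "$GWName is already active-active"; return $gw }
    if ($gw.Sku.Name -eq 'Basic') { throw 'The Basic SKU does not support active-active; resize first.' }

    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    $pip2   = New-AzPublicIpAddress -Name $GWIPName2 -ResourceGroupName $RG -Location $Location `
                  -AllocationMethod Static -Sku Standard
    Add-AzVirtualNetworkGatewayIpConfig -VirtualNetworkGateway $gw -Name $GWIPconfName2 `
        -Subnet $subnet -PublicIpAddress $pip2 | Out-Null
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -EnableActiveActiveFeature | Out-Null
    Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
}

# Active-active -> active-standby: remove the second IP configuration first,
# then switch the feature off. Tunnels that terminated on the removed
# instance's public IP go away, so on-premises devices must be updated.
function Disable-ActiveActiveGateway {
    $gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
    if (-not $gw.ActiveActive) { Write-Warning "$GWName is already active-standby"; return $gw }
    Remove-AzVirtualNetworkGatewayIpConfig -VirtualNetworkGateway $gw -Name $GWIPconfName2 | Out-Null
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -DisableActiveActiveFeature | Out-Null
    Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
}

$gw = Enable-ActiveActiveGateway

# The new instance has its own public IP and BGP peering address. Every
# on-premises device and peer VNet must be told about both, otherwise the
# second instance carries no tunnels and the "redundancy" is nominal.
Get-AzPublicIpAddress -ResourceGroupName $RG | Where-Object Name -like "$GWName-pip*" |
    Select-Object Name, IpAddress
$gw.BgpSettings | Select-Object Asn, BgpPeeringAddress
```

Run `Disable-ActiveActiveGateway` instead of `Enable-ActiveActiveGateway` for the reverse conversion; in both directions the update takes as long as a gateway resize and should be scheduled as a maintenance window, since tunnels are re-established.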

