Latest Posts

S2S VPN Between Azure VPN Gateway and On Prem Firewall

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This post is to record some configurations during setup.

  • Create a virtual network
  • Create a VPN gateway
  • Create a local network gateway
  • Create a VPN connection
  • Verify the connection


The following cross-premises virtual network gateway connections are supported:
  • Site-to-site: VPN connection over IPsec (IKE v1 and IKE v2). This type of connection requires a VPN device or RRAS. For more information, see Site-to-site.
  • Point-to-site: VPN connection over SSTP (Secure Socket Tunneling Protocol) or IKE v2. This connection doesn't require a VPN device. For more information, see Point-to-site.
  • VNet-to-VNet: This type of connection is the same as a site-to-site configuration. VNet to VNet is a VPN connection over IPsec (IKE v1 and IKE v2). It doesn't require a VPN device. For more information, see VNet-to-VNet.
  • Multi-Site: This is a variation of a site-to-site configuration that allows you to connect multiple on-premises sites to a virtual network. For more information, see Multi-Site.
  • ExpressRoute: ExpressRoute is a private connection to Azure from your WAN, not a VPN connection over the public Internet. For more information, see the ExpressRoute Technical Overview and the ExpressRoute FAQ.


  • An Azure account with an active subscription. If you don't have one, create one for free.
  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.


1. Create a virtual network (VNet)

2. Create a VPN gatewa

The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

3. Create a local network gateway

The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

4. Configure your VPN device

Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following values:

  • A shared key. This is the same shared key that you specify when creating your site-to-site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, go to Virtual network gateways, then select the name of your gateway.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

5. Create VPN connections

Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.

6. Verify the VPN connection

In the Azure portal, you can view the connection status of a VPN gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.
  2. Select to your virtual network gateway.
  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.


If you're having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.

  • Verify that you're connecting to the private IP address for the VM.

  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.

  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

S2S configurations can be customized in a variety of ways. For more information, see the following articles:

One S2S Example

Virtual Network Gateway

Local Network Gateway 

Connection Configuration:

No comments