What is an S2S VPN?
A Site-to-Site VPN (S2S VPN) is a type of IPsec VPN connection that securely connects two networks (sites) over the public internet. Typically it links your on-premises network (e.g., a physical office, data center, or Proxmox-hosted Linux box) with your Azure virtual network (VNet) or another cloud network.
Simple Example:
| Location | Network | IP Range |
|---|---|---|
| On-prem (Office) | Router + Firewall | 192.168.1.0/24 |
| Azure VNet | Virtual network | 10.0.0.0/16 |
With S2S VPN:
A VM in Azure can talk to your on-prem file server at 192.168.1.10
Your on-prem server can talk to a VM in Azure at 10.0.0.4
All traffic is encrypted using IPsec/IKE protocols.
In the example below, I'm going to simulate the on-premises environment in Azure. The resource details are listed below for reference.
Create 1 On-Prem VNet
Name: onpremvnet
Address Range: 172.0.0.0/16
Within an on-premises VNet, create a Gateway Subnet
Subnet Name: GatewaySubnet
Address Range: 172.0.1.0/27
Create 1 Hub VNet
Name: hubvnet
Address Range: 10.100.0.0/16
Within HubVnet, create a Gateway Subnet
Subnet Name: GatewaySubnet
Address Range: 10.100.1.0/27
Create 2 Spoke VNets
Spoke VNet 1: 10.200.0.0/16
Location: Central India
VNet Peering
Peer both Spoke VNets with the Hub VNet
Create 2 VNet Gateways
VNet Gateway 1: In on-premises vnet
VNet Gateway 2: In hubvnet
Create 2 Local Network Gateways
Local Network Gateway 1: Represents Azure hub on the on-prem side
Local Network Gateway 2: Represents on-prem on the Azure hub side
Create 2 VPN Connections
Connection 1: From onpremvnet → hubvnet
Connection 2: From hubvnet → onpremvnet
Step 1:
Create a Resource Group for hub, spoke, and on-prem as shown in the screenshot below.
Step 2:
Create a VNet in each of the resource groups we have already created. Please refer to the screenshot below for reference.
Don’t forget: you need to create three VNets, one for each resource group. You can create both spoke VNets in a single spoke resource group.
Step 3:
Create a Virtual Network Gateway and a Local Network Gateway for the on-prem VNet and the hub VNet, as shown in the screenshot below.
You can choose any VPN gateway SKU based on your requirements. For this experiment, I’m going to use VpnGw1. Also, disable active-active mode for the sake of the lab.
Local Network Gateway Creation on ONPREM
The local network gateway is a specific object deployed to Azure that represents your on-premises location (the site) for routing purposes.
We have created the on-prem virtual network gateway on the on-prem VNet, so you must enter its public IP address when creating the local network gateway.
In the address space field, I used the full range of the hub/spoke network, so I entered 10.0.0.0/8. You can also enter a specific hub network address range, such as 10.100.0.0/16.
For the sake of the lab, leave the BGP settings as they are.
Please repeat the same step for the hub network as well.
Step 4:
Create a connection profile between the on-prem network and the Azure hub network, and vice versa (bidirectional), then check the connection status.
You need to establish the connection from the hub to the on-prem network, as shown in the screenshot below. Repeat the same step for on-prem to hub.
Please keep in mind that when you create a connection between the on-prem network and the hub, you need to set a shared key. Just enter a combination of letters and numbers. You’ll also need to use the same value when creating the connection on the other side.
As you can see in the screenshot below, the connection has been successfully established between both networks.
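Before clicking through Steps 1 to 4, it helps to sanity-check the address plan and the shared key, because the two things that most often leave an S2S connection "connected" but unusable are overlapping address spaces and a local network gateway that does not cover the remote ranges you actually want to reach. The script below is an added example, not code from the post: it encodes the lab's own ranges (172.0.0.0/16, 10.100.0.0/16, 10.200.0.0/16, the two /27 GatewaySubnets, and the 10.0.0.0/8 and 172.0.0.0/16 local network gateway prefixes), checks them with Python's standard ipaddress module, and generates a random alphanumeric shared key so the value entered on both connection objects is strong rather than hand-typed. The variable names and the "/27 or larger" recommendation for the GatewaySubnet are this example's assumptions; the Azure portal itself is not driven from here.

```python
import hmac
import ipaddress
import secrets
import string
from itertools import combinations

# Address plan copied from the post. The "on-prem" side is itself a VNet
# because the post simulates the office inside Azure.
VNETS = {
    "onpremvnet": "172.0.0.0/16",
    "hubvnet": "10.100.0.0/16",
    "spokevnet1": "10.200.0.0/16",
}
# One GatewaySubnet per VNet that hosts a virtual network gateway.
GATEWAY_SUBNETS = {
    "onpremvnet": "172.0.1.0/27",
    "hubvnet": "10.100.1.0/27",
}
# Local network gateway address spaces: the remote prefixes each side will
# send into the tunnel. Constant names are assumptions for this example.
LNG_ONPREM_SIDE = ["10.0.0.0/8"]    # represents hub + spokes, as in the post
LNG_HUB_SIDE = ["172.0.0.0/16"]     # represents on-prem


def _net(value):
    """Accept a prefix string or an ip_network and return an ip_network."""
    return ipaddress.ip_network(str(value))


def find_overlaps(vnets):
    """Return name pairs whose address spaces overlap.

    Overlapping ranges at the two ends of an S2S tunnel cannot be routed
    unambiguously, so this list must be empty before any gateway is built."""
    return [(a, b) for a, b in combinations(sorted(vnets), 2)
            if _net(vnets[a]).overlaps(_net(vnets[b]))]


def check_gateway_subnet(vnet, subnet):
    """Problems with a GatewaySubnet: it must sit inside its VNet and be
    /27 or larger (the size assumed here as the recommended minimum)."""
    vnet, subnet = _net(vnet), _net(subnet)
    problems = []
    if not subnet.subnet_of(vnet):
        problems.append(f"{subnet} is not inside {vnet}")
    if subnet.prefixlen > 27:
        problems.append(f"{subnet} is smaller than /27")
    return problems


def uncovered_remotes(lng_prefixes, remote_vnets):
    """Remote VNet ranges that no local network gateway prefix covers.

    Traffic to an uncovered range is never sent into the tunnel, which is
    why the post's 10.0.0.0/8 entry also reaches the spoke VNet."""
    prefixes = [_net(p) for p in lng_prefixes]
    return [str(_net(r)) for r in remote_vnets
            if not any(_net(r).subnet_of(p) for p in prefixes)]


def generate_shared_key(length=32):
    """Random letters-and-digits pre-shared key from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keys_match(key_a, key_b):
    """Both connection objects must carry the identical key; compare in
    constant time so a mismatch does not leak where the strings differ."""
    return hmac.compare_digest(key_a.encode(), key_b.encode())


def validate_lab():
    """Run every check against the post's address plan and return a report."""
    report = {"overlaps": find_overlaps(VNETS), "gateway_subnets": {}}
    for name, gw in GATEWAY_SUBNETS.items():
        report["gateway_subnets"][name] = check_gateway_subnet(VNETS[name], gw)
    report["uncovered_from_onprem"] = uncovered_remotes(
        LNG_ONPREM_SIDE, [VNETS["hubvnet"], VNETS["spokevnet1"]])
    report["uncovered_from_hub"] = uncovered_remotes(
        LNG_HUB_SIDE, [VNETS["onpremvnet"]])
    return report


if __name__ == "__main__":
    print(validate_lab())
    print("shared key to paste into both connections:", generate_shared_key())
```

Run it once before Step 3; every list in the report should be empty for the post's plan. If you replace the 10.0.0.0/8 local network gateway entry with just 10.100.0.0/16, the report lists 10.200.0.0/16 as uncovered from on-prem, which is exactly the spoke range the jump host in the next part will live in.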
The next step is to create a jump host in the spoke VNet to check the connection.
Click the link below to complete the remaining setup
https://dev.to/rajeshwaranm/site-to-site-vpn-check-the-connection-using-the-jump-host-4h27