Creating Site-to-Site VPN Connections
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Creating Site-to-Site VPN Connections: A Comprehensive Guide
Introduction: Bridging On-Premises and Cloud Environments
In the modern landscape of hybrid infrastructure, the ability to securely connect an on-premises data center or office network to a cloud provider is a foundational requirement. A Site-to-Site (S2S) VPN serves as a secure tunnel that enables communication between your local network and a Virtual Network (VNet) in the cloud over the public internet. By utilizing IPsec/IKE (Internet Key Exchange) protocols, an S2S VPN ensures that data transmitted between your physical office and your virtual cloud assets remains encrypted and private.
Understanding how to configure these connections is vital for any network administrator or cloud engineer. Whether you are migrating workloads, extending your Active Directory environment, or simply providing your application servers with access to on-premises databases, the S2S VPN is often the first, most cost-effective solution deployed. Unlike a Point-to-Site VPN, which connects individual computers to the network, a Site-to-Site VPN connects two distinct network gateways, making it ideal for connecting entire branches or data centers to your cloud infrastructure.
This lesson explores the architectural components, configuration steps, best practices, and troubleshooting methodologies required to build and maintain high-performing Site-to-Site VPNs. By the end of this module, you will have the knowledge to design secure, resilient connectivity models that bridge the gap between your local hardware and your cloud-based resources.
Understanding the Architecture of an S2S VPN
To successfully implement a Site-to-Site VPN, you must first understand the logical components involved in the connection. An S2S VPN is not merely a "switch" you turn on; it is a collaborative effort between your on-premises hardware and the cloud provider’s virtual gateway.
The Virtual Network Gateway (VNet Gateway)
The Virtual Network Gateway is the software-based appliance that resides within your cloud Virtual Network. It acts as the endpoint for the VPN tunnel on the cloud side. This gateway is responsible for routing traffic, performing encryption and decryption, and managing the IPsec policies that dictate how data is exchanged. You must select a "Gateway SKU" (Stock Keeping Unit) when creating this, which determines the performance throughput and the number of concurrent connections the gateway can support.
The Local Network Gateway (LNG)
The Local Network Gateway acts as a logical representation of your on-premises network. You provide the cloud provider with the public IP address of your physical office router and the address space (IP prefixes) that exists behind that router. By defining this in the cloud, you are essentially telling the cloud gateway where to send traffic that is destined for your office.
The Connection Resource
The "Connection" is the link between the Virtual Network Gateway and the Local Network Gateway. It contains the shared key (pre-shared key) that both sides use to authenticate the tunnel. Without a matching shared key, the connection will fail to initialize. This resource also tracks the state of the tunnel and provides metrics regarding the amount of data transferred.
Callout: Site-to-Site vs. Point-to-Site It is common for newcomers to confuse Site-to-Site (S2S) and Point-to-Site (P2S) VPNs. An S2S VPN is persistent and connects two network subnets, allowing any device in your office to talk to any device in the cloud without needing individual VPN software. A P2S VPN is designed for individual users working remotely, requiring each laptop to install a VPN client. S2S is for infrastructure-to-infrastructure connectivity, while P2S is for user-to-infrastructure connectivity.
Pre-requisites and Network Planning
Before touching the cloud console or your on-premises router, you must perform careful network planning. A common failure point in VPN configuration is IP address overlap.
Addressing Schemes
Your cloud VNet and your on-premises network must have non-overlapping IP address spaces. If your office uses the 10.0.0.0/16 range and your cloud VNet also uses 10.0.0.0/16, routing will fail because the gateway will not know whether to send traffic to the local network or the cloud network. Always map out your IP ranges beforehand to ensure complete isolation between your networks.
Public IP Requirements
Your on-premises VPN device must have a static, public-facing IPv4 address. While some routers can handle dynamic IPs with specialized configuration, the reliability of an S2S VPN is significantly higher with a static IP. You must ensure that this public IP is not hidden behind a restrictive NAT (Network Address Translation) that blocks ESP (Encapsulating Security Payload) packets or UDP ports 500 and 4500.
Supported Devices
Not all hardware routers are compatible with every cloud provider's VPN gateway. Most providers support standard IPsec/IKEv2 protocols, which are widely implemented by major vendors like Cisco, Juniper, Fortinet, and Palo Alto. Always verify that your specific device model is on the vendor’s "validated" list to avoid compatibility headaches.
Step-by-Step Configuration Workflow
Configuring an S2S VPN involves three primary phases: creating the cloud-side gateway, defining the local network representation, and establishing the connection.
Phase 1: Creating the Virtual Network Gateway
- Navigate to your cloud portal and select "Virtual Network Gateways."
- Choose the Region that matches your Virtual Network.
- Select the Gateway Type (VPN) and the VPN Type (Route-based is highly recommended over Policy-based for modern configurations).
- Select the SKU (e.g., VpnGw1 for standard workloads).
- Create a new Public IP address for the gateway. This is the endpoint that your on-premises router will point to.
Phase 2: Creating the Local Network Gateway
- Navigate to "Local Network Gateways."
- Enter the public IP address of your on-premises router.
- Input the address prefixes of your local network (e.g.,
192.168.1.0/24). This tells the cloud gateway exactly which traffic should be sent through the tunnel.
Phase 3: Establishing the Connection
- Go to your Virtual Network Gateway resource.
- Select "Connections" and click "Add."
- Choose "Site-to-Site (IPsec)" as the connection type.
- Select the Local Network Gateway you created in Phase 2.
- Enter a "Shared Key." This is a long, complex string that acts as your password. Ensure both the cloud and your on-premises router are configured with this exact key.
Tip: Security Best Practice Never use simple passwords for your Shared Key. Use a randomly generated string of at least 32 characters, including numbers, uppercase letters, and special characters. Since this key is the only thing preventing unauthorized access to your VPN tunnel, treating it with the same level of security as a root password is essential.
Configuring the On-Premises Device
Once the cloud side is ready, you must configure your physical router. Most cloud providers offer downloadable configuration scripts for common hardware vendors.
Using Configuration Scripts
These scripts provide the necessary IPsec policies, transform sets, and tunnel interfaces. When applying these, pay close attention to:
- IKE Phase 1 and Phase 2 settings: These must match the cloud provider’s requirements exactly. If the cloud expects AES-256 and you configure AES-128, the tunnel will not come up.
- Dead Peer Detection (DPD): Enable this to ensure the tunnel automatically restarts if the connection drops.
- Access Control Lists (ACLs): Ensure your firewall rules allow traffic between the local subnet and the cloud subnet.
Example Configuration Snippet (Generic IPsec)
While syntax varies by vendor, a typical IPsec configuration on a router involves defining the peer address and the encryption parameters:
# Define the crypto map
crypto ikev2 proposal PROPOSAL-CLOUD
encryption aes-cbc-256
integrity sha256
group 14
# Define the connection to the cloud gateway
crypto ikev2 profile PROFILE-CLOUD
match identity remote address 13.x.x.x
authentication local pre-share
authentication remote pre-share
keyring local KEYRING-CLOUD
# Apply the map to the interface
interface GigabitEthernet0/1
crypto map MAP-CLOUD
Note: The above is a simplified example. Always refer to your specific router vendor documentation for the exact command syntax for IKEv2 tunnels.
Troubleshooting Common Issues
Even with careful planning, VPNs often face initialization challenges. Here is how to diagnose the most common problems.
The "Tunnel Down" State
The most common issue is a mismatch in the IPsec parameters. Check the following:
- Shared Key: Is there a hidden space or character difference? Re-type both sides to be sure.
- IKE Version: Ensure both sides are using the same version (IKEv2 is modern and preferred).
- Phase 1/Phase 2 Proposals: Ensure the encryption (AES/3DES), hashing (SHA/MD5), and Diffie-Hellman groups match exactly on both ends.
Traffic Not Flowing
If the tunnel is "Connected" but you cannot ping a virtual machine in the cloud, check your routing tables and security groups:
- Route Tables: Does your cloud subnet have a route that directs traffic to the VNet Gateway?
- Network Security Groups (NSGs): Have you explicitly allowed the local IP range in your cloud firewall rules?
- On-Premises Firewalls: Does your local hardware have a policy that permits traffic destined for the cloud address space?
Warning: Asymmetric Routing Asymmetric routing occurs when traffic leaves via one path and returns via another. This can cause firewalls to drop packets because they see a return packet for a connection they didn't see initiate. Ensure your network path is symmetric, especially if you have redundant VPN connections.
Advanced Configurations: BGP and Redundancy
For production environments, a single VPN tunnel is often insufficient. You need to consider high availability and dynamic routing.
Border Gateway Protocol (BGP)
BGP is a routing protocol that allows your on-premises router and your cloud gateway to "talk" to each other about network changes. Instead of manually updating static routes, BGP automatically updates the routing tables on both sides when a network segment is added or removed. This is highly recommended for complex environments.
Redundant VPN Connections
You can configure a second VPN tunnel to provide failover. If the primary tunnel goes down, the secondary tunnel takes over automatically. To do this, you create two Virtual Network Gateways or use an Active-Active gateway configuration. This ensures that your business-critical applications remain accessible even if one internet service provider or one VPN tunnel experiences an outage.
Comparison of VPN Gateway SKUs
| Feature | Basic SKU | Standard SKU | High Performance SKU |
|---|---|---|---|
| Max Throughput | 100 Mbps | 650 Mbps | 1 Gbps+ |
| BGP Support | No | Yes | Yes |
| Tunnel Count | 1 | 10 | 30+ |
| Use Case | Dev/Test | Small Production | Large Enterprise |
Best Practices for Long-Term Management
Managing S2S VPNs is an ongoing task. Security policies and network requirements change, and your configuration must adapt.
Regular Audits
Periodically review your VPN connections. Are there tunnels that are no longer in use? Are there old, insecure encryption protocols (like DES or 3DES) still enabled? Disable any unused tunnels to reduce the attack surface of your cloud environment.
Monitoring and Alerting
Set up alerts for "Tunnel Disconnected" events. Most cloud providers offer built-in monitoring tools that can send an email or push notification to your team if the VPN tunnel status changes from "Connected" to "Disconnected." Do not wait for a user to report that they cannot access a database; know about the failure before they do.
Documentation
Document the IP ranges, the shared keys (stored securely in a password manager), and the specific hardware router models used at each site. In a disaster recovery scenario, having this information readily available can mean the difference between a 30-minute recovery and a 5-hour outage.
Common Questions (FAQ)
Q: Why is my VPN tunnel showing "Connected" but I can't reach any resources?
A: This usually points to a routing or firewall issue. Check the Network Security Groups (NSGs) in the cloud to ensure the traffic is permitted, and check your on-premises firewall to ensure it isn't blocking the return traffic.
Q: Can I connect multiple sites to the same VNet?
A: Yes. You can connect multiple Local Network Gateways to a single Virtual Network Gateway. This allows multiple branch offices to connect to the same central cloud hub.
Q: Does an S2S VPN encrypt all traffic?
A: Yes, an IPsec VPN encrypts all data sent between the two gateways. However, it does not encrypt traffic within your internal network unless you have additional layers of security (like TLS for application traffic).
Q: Should I use Route-based or Policy-based VPNs?
A: Always use Route-based VPNs for modern deployments. They are more flexible, support BGP, and are significantly easier to manage as your network grows. Policy-based VPNs are considered legacy and should be avoided unless you have specific hardware limitations.
Key Takeaways
- Preparation is Critical: Always perform a complete IP address audit before starting to prevent overlapping address spaces, which is the most common cause of routing failures.
- Infrastructure Representation: Understand that an S2S VPN requires three distinct components: the Virtual Network Gateway (cloud-side), the Local Network Gateway (on-premises representation), and the Connection resource.
- Security Standards: Always use strong, randomly generated pre-shared keys and modern encryption standards like IKEv2 and AES-256 to ensure data privacy.
- Dynamic Routing: For production environments, utilize BGP to automate routing updates and ensure that your network infrastructure can adapt to changes without manual intervention.
- Resilience Matters: Never rely on a single tunnel for critical business applications. Implement redundant tunnels and monitor their status continuously to ensure high availability.
- Troubleshooting Mindset: When a tunnel fails, always start by verifying the IPsec policy match on both sides, then move to firewall/NSG rules, and finally investigate routing table entries.
- Maintenance: Treat your VPN configuration as a living part of your infrastructure. Audit it regularly, update documentation, and keep your router firmware patched to ensure both performance and security.
Creating a Site-to-Site VPN is a straightforward process once the underlying concepts of routing, encryption, and gateway communication are mastered. By following the structured approach outlined in this lesson, you can build a reliable, secure, and scalable bridge between your local operations and your cloud-based digital transformation.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons