Azure Site-to-Site VPN

Azure Site-to-Site VPN — Detailed Resource-by-Resource Creation

This guide explains how each Azure resource is created, what it does, where it sits in the topology, and how all the components connect in Microsoft Azure.

On-Prem Network (192.168.1.0/24)
        |
   [Firewall/VPN Device]
        |
   Public IP: 1.2.3.4
        |
================ INTERNET =================
        |
   Azure VPN Gateway (Public IP)
        |
   GatewaySubnet
        |
   Azure VNet (10.0.0.0/16)
        |
 ┌──────────────┬──────────────┐
 |              |              |
AppSubnet    DBSubnet      WebSubnet
10.0.1.0/24 10.0.2.0/24 10.0.3.0/24


๐Ÿ—️ STEP 1 — CREATE RESOURCE GROUP

Field            Value
Resource Group   RG-Network-Prod
Region           Central India


📌 Why first?

Every Azure resource must belong to a resource group.


🧱 STEP 2 — CREATE VIRTUAL NETWORK (VNet)

📌 What it is

The VNet is the private Azure network.

Equivalent to:

  • Corporate network
  • Data center network

🔧 Portal Steps

Go to:

Virtual Networks
→ Create


Field    Example
Name     Prod-VNet
Region   Central India


IP Address Tab

Address Space (example): 10.0.0.0/16

Meaning:

  • Entire VNet range
  • Supports many subnets


📌 Why /16?

Leaves room for many subnets to be carved out later.


STEP 3 — CREATE SUBNETS

Subnet          Purpose
WebSubnet       Web servers
AppSubnet       APIs
DBSubnet        Databases
GatewaySubnet   VPN gateway


๐ŸŒ STEP 4 — CREATE GATEWAYSUBNET (VERY IMPORTANT)


๐Ÿ“Œ What it is

Special subnet used ONLY for:

  • VPN Gateway
  • ExpressRoute Gateway

Field   Value
Name    GatewaySubnet
Range   10.0.255.0/27


📌 Why /27?

The gateway runs as multiple instances that each need an address in this subnet, so it needs more than a handful of IPs.


⚠️ NEVER place:

  • VMs
  • Firewalls
  • Apps

inside GatewaySubnet.


๐ŸŒ STEP 5 — CREATE PUBLIC IP FOR VPN GATEWAY


๐Ÿ“Œ What it is

Azure VPN Gateway needs public internet visibility.


🔧 Portal Steps

Go to:

Public IP Addresses
→ Create

Field        Value
Name         VPNGW-PIP
SKU          Standard
Assignment   Static


📌 Why Static?

The on-prem device is configured with this address as its remote peer, so the VPN endpoint's IP must never change.


🛰️ STEP 6 — CREATE VIRTUAL NETWORK GATEWAY


📌 What it is

This is the actual Azure VPN appliance managed by Microsoft.

It:

  • Terminates VPN tunnels
  • Encrypts traffic
  • Routes packets into VNet

🔧 Portal Steps

Go to:

Virtual Network Gateway
→ Create

Field          Value
Name           Prod-VPNGW
Gateway Type   VPN
VPN Type       Route-based
SKU            VpnGw1
Generation     Gen2
VNet           Prod-VNet
Public IP      VPNGW-PIP

📌 Route-based vs Policy-based

Route-based (recommended)

Decides which traffic enters the tunnel by routing (any-to-any traffic selectors) rather than by fixed policy rules.

Supports:

  • BGP
  • Modern VPNs
  • Better scalability

📌 Deployment Time

Usually:

30–45 minutes

๐Ÿข STEP 7 — CREATE LOCAL NETWORK GATEWAY


๐Ÿ“Œ What it represents

Represents ON-PREMISES network in Azure.

🔧 Portal Steps

Go to:

Local Network Gateway
→ Create

Field           Example
Name            HQ-OnPrem
Public IP       1.2.3.4
Address Space   192.168.1.0/24

📌 Meaning

Tells Azure:

  • Where the on-prem VPN device is (its public IP)
  • Which network sits behind it

🔐 STEP 8 — CREATE VPN CONNECTION

📌 What it is

Binds the virtual network gateway to the local network gateway and defines the IPsec tunnel between them.


🔧 Portal Steps

Go to:

Connections
→ Add

Field                   Value
Connection Type         Site-to-site (IPsec)
VNet Gateway            Prod-VPNGW
Local Network Gateway   HQ-OnPrem
Shared Key (PSK)        MySecret123


📌 What PSK is

Shared secret, configured identically on both ends, used for:

  • Authentication of the two peers
  • Establishing the encrypted tunnel
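Before clicking through Steps 1–8, the address plan can be sanity-checked offline. The following Python is an added example, not part of the original post: it checks the plan above (VNet, workload subnets, GatewaySubnet and on-prem range) against the rules stated in these steps, plus the requirement that the on-prem range and the VNet do not overlap.

```python
import ipaddress

GATEWAY_MIN_PREFIX = 27  # GatewaySubnet must be /27 or larger (prefix length <= 27)


def validate_plan(vnet, subnets, gateway_subnet, onprem_spaces):
    """Return a list of problems with the plan; an empty list means it is consistent.
    subnets is {name: cidr}; onprem_spaces are the Local Network Gateway address spaces."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    nets["GatewaySubnet"] = ipaddress.ip_network(gateway_subnet)

    # Every subnet must be carved out of the VNet address space.
    for name, net in nets.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} {net} is outside the VNet {vnet_net}")

    # Subnets within one VNet may not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # The gateway instances each need an address, so /27 or larger is required.
    gw = nets["GatewaySubnet"]
    if gw.prefixlen > GATEWAY_MIN_PREFIX:
        problems.append(f"GatewaySubnet {gw} is smaller than /{GATEWAY_MIN_PREFIX}")

    # On-prem ranges must not overlap the VNet, or traffic cannot be routed unambiguously.
    for space in onprem_spaces:
        onprem = ipaddress.ip_network(space)
        if onprem.overlaps(vnet_net):
            problems.append(f"on-prem {onprem} overlaps the VNet {vnet_net}")
    return problems


# The plan used in the walkthrough above.
PLAN = dict(
    vnet="10.0.0.0/16",
    subnets={"AppSubnet": "10.0.1.0/24", "DBSubnet": "10.0.2.0/24", "WebSubnet": "10.0.3.0/24"},
    gateway_subnet="10.0.255.0/27",
    onprem_spaces=["192.168.1.0/24"],
)

if __name__ == "__main__":
    for line in validate_plan(**PLAN) or ["address plan OK"]:
        print(line)
```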

🔥 STEP 9 — CONFIGURE ON-PREM VPN DEVICE


📌 What happens here

Configure:

  • Firewall/router
  • VPN tunnel
  • IPsec policies

Example Devices

  • Cisco ASA
  • Palo Alto
  • Fortinet
  • pfSense

Here is a realistic, commonly used example of a Site-to-Site VPN between a branch-office FortiGate and Microsoft Azure.

This is essentially what you will see in many production environments.

🔥 Example Scenario (Very Common in Companies)

Side                    Details
On-prem branch office   FortiGate firewall
Azure VNet              10.20.0.0/16
Office LAN              192.168.10.0/24
Azure VPN Gateway IP    52.172.45.10
Pre-shared key          Forti@2026Secure!


⚙️ STEP-BY-STEP (REALISTIC CONFIG)

STEP 1 — Create VPN Tunnel

On FortiGate:


VPN → IPsec Tunnels → Create New → Custom

Tunnel name: AZURE-S2S


STEP 2 — Set Azure Public IP

Remote Gateway: Static IP
IP Address: 52.172.45.10

This is the Azure VPN Gateway public IP.


STEP 3 — Set Authentication

Authentication Method: Pre-shared Key
Key: Forti@2026Secure!

This must match Azure exactly.

STEP 4 — Configure IKE (Internet Key Exchange) Phase 1 (MOST COMMON STANDARD)

This is what 80% of companies use:


Setting          Value
IKE Version      IKEv2
Encryption       AES256
Authentication   SHA256
DH Group         14
Lifetime         28800

STEP 5 — Configure IPsec Phase 2


Setting          Value
Local Subnet     192.168.10.0/24
Remote Subnet    10.20.0.0/16
Encryption       AES256
Authentication   SHA256
PFS              Enabled
DH Group         14
Lifetime         3600
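When a tunnel does not come up, mismatched Phase 1/Phase 2 proposals are a common cause. As an added example (not from the original post), this Python compares the two FortiGate tables above with the policy Azure holds for the connection, translating Azure's group names (DHGroup14, PFS2048) to FortiGate's DH group numbers; the Azure policy dict is a constructed sample keyed with the property names of an Azure connection's IPsec/IKE policy.

```python
# FortiGate numbers DH groups; Azure names them. Only the groups needed here are mapped.
AZURE_DH_GROUP = {"DHGroup2": 2, "DHGroup14": 14, "DHGroup24": 24}
AZURE_PFS_GROUP = {"None": None, "PFS2": 2, "PFS2048": 14, "PFS24": 24}

# Phase 1 and Phase 2 tables exactly as configured on the FortiGate above.
FORTIGATE_PHASE1 = {"IKE Version": "IKEv2", "Encryption": "AES256",
                    "Authentication": "SHA256", "DH Group": 14, "Lifetime": 28800}
FORTIGATE_PHASE2 = {"Local Subnet": "192.168.10.0/24", "Remote Subnet": "10.20.0.0/16",
                    "Encryption": "AES256", "Authentication": "SHA256",
                    "PFS": "Enabled", "DH Group": 14, "Lifetime": 3600}

# Constructed sample of the Azure side, keyed by the connection's IPsec/IKE policy property names.
AZURE_POLICY = {"ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
                "dhGroup": "DHGroup14", "ipsecEncryption": "AES256",
                "ipsecIntegrity": "SHA256", "pfsGroup": "PFS2048",
                "saLifeTimeSeconds": 3600}


def normalise_fortigate(phase1, phase2):
    """Flatten the two FortiGate phase tables into one comparable record."""
    return {
        "ike_encryption": phase1["Encryption"],
        "ike_integrity": phase1["Authentication"],
        "dh_group": phase1["DH Group"],
        "ipsec_encryption": phase2["Encryption"],
        "ipsec_integrity": phase2["Authentication"],
        # PFS disabled on the FortiGate means no Phase 2 DH group at all.
        "pfs_group": phase2["DH Group"] if phase2["PFS"] == "Enabled" else None,
        "ipsec_lifetime": phase2["Lifetime"],
    }


def normalise_azure(policy):
    """Translate the Azure policy into the same record shape as the FortiGate."""
    return {
        "ike_encryption": policy["ikeEncryption"],
        "ike_integrity": policy["ikeIntegrity"],
        "dh_group": AZURE_DH_GROUP[policy["dhGroup"]],
        "ipsec_encryption": policy["ipsecEncryption"],
        "ipsec_integrity": policy["ipsecIntegrity"],
        "pfs_group": AZURE_PFS_GROUP[policy["pfsGroup"]],
        "ipsec_lifetime": policy["saLifeTimeSeconds"],
    }


def mismatches(fortigate, azure):
    """Return {setting: (fortigate_value, azure_value)} for every disagreement."""
    return {k: (fortigate[k], azure[k]) for k in fortigate if fortigate[k] != azure[k]}


if __name__ == "__main__":
    fgt = normalise_fortigate(FORTIGATE_PHASE1, FORTIGATE_PHASE2)
    print(mismatches(fgt, normalise_azure(AZURE_POLICY)) or "proposals match on both ends")
```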

STEP 6 — Create Routes (VERY IMPORTANT)

Network → Static Routes → Create New

Field         Value
Destination   10.20.0.0/16
Gateway       IPsec tunnel (AZURE-S2S)

STEP 7 — Firewall Policies

LAN → Azure

  • Source: 192.168.10.0/24
  • Destination: 10.20.0.0/16
  • NAT: ❌ Disabled
  • Service: ALL
  • Action: ACCEPT

Azure → LAN

  • Source: 10.20.0.0/16
  • Destination: 192.168.10.0/24
  • NAT: ❌ Disabled
  • Action: ACCEPT

STEP 8 — Bring Tunnel UP

VPN → IPsec Monitor → Bring Up

Expected status:

Tunnel: UP
