Tutorial: Create a Cross-Premises Virtual Network for Site-to-Site Connectivity
This tutorial walks you through the steps to create an example cross-premises virtual network with a site-to-site connection. If you want to create a point-to-site VPN by using certificates and a VPN client, see Configure a Point-to-Site VPN in the Management Portal.
This tutorial assumes you have no prior experience using Azure. It's meant to help you become familiar with the steps required to create a cross-premises virtual network. If you're looking for design scenarios and advanced information about Virtual Network, see the Azure Virtual Network Overview.
After completing this tutorial, you will have an example cross-premises virtual network where Azure services and virtual machines can be deployed.
Note that the example configuration settings used in this tutorial are not customized for your organization's network. If you configure the virtual network and the site-to-site connection using the example configuration settings described in this topic, it will not work. To configure a cross-premises virtual network that does work, you must work with your IT department and network administrator to obtain the correct settings. For more information, see the Prerequisites section of this topic.
For information about adding a virtual machine and extending your on-premises Active Directory to Azure Virtual Network, see the following:
For guidelines about deploying AD DS on Azure Virtual Machines, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines.
For additional Virtual Network configuration procedures and settings, see Azure Virtual Network Configuration Tasks.
In this tutorial you will learn:
If you are using this tutorial to configure a working cross-premises virtual network that is customized for your organization, you need the following:
The private IPv4 address spaces (in CIDR notation) for the virtual network and its subnets.
The name and IP address of an on-premises DNS server.
A VPN device with a public IPv4 address. You'll need the IP address in order to complete the wizard. The VPN device cannot be located behind a network address translator (NAT) and must meet the minimum device standards. See About VPN Devices for Virtual Network for more information.
Note: You can use Routing and Remote Access Service (RRAS) in Windows Server as part of your VPN solution. However, this tutorial doesn't walk you through the RRAS configuration steps. For RRAS configuration information, see Routing and Remote Access Service templates.
Experience configuring a router for an IPsec tunnel mode connection, or someone who can help you with this step.
The set of address spaces (in CIDR notation) that summarize the reachable locations of your on-premises network (also known as your local network).
Create a Virtual Network
Start the gateway and gather information for your network administrator
Configure your VPN device
To create an example virtual network that connects to a company network:
Log in to the Azure Management Portal.
In the lower left-hand corner of the screen, click New. In the navigation pane, click Networks, and then click Virtual Network. Click Custom Create to begin the configuration wizard.
On the Virtual Network Details page, enter the following information, and then click the next arrow on the lower right. For more information about the settings on the details page, see the Virtual Network Details section in About Configuring a Virtual Network using the Management Portal.
- NAME: Name your virtual network. For the example in this tutorial, type YourVirtualNetwork.
- REGION: From the drop-down list, select the desired region. Your virtual network will be created at the Azure datacenter located in the specified region.
On the DNS Servers and VPN Connectivity page, enter the following information, and then click the forward arrow on the lower right.
It's possible to select both Point-To-Site and Site-To-Site configurations on this page concurrently. For the purposes of this tutorial, we will configure only Site-To-Site. For more information about the settings on this page, see the DNS Servers and VPN Connectivity page in About Configuring a Virtual Network using the Management Portal.
- DNS SERVERS: Enter the DNS server name and IP address that you want to use for name resolution. Typically this would be a DNS server that you use for on-premises name resolution. This setting does not create a DNS server. For the example in this tutorial, type YourDNS for the name and 10.1.0.4 for the IP address.
- Configure Point-To-Site VPN: Leave this field blank.
- Configure Site-To-Site VPN: Select the checkbox.
- LOCAL NETWORK: Select Specify a New Local Network from the drop-down list.
On the Site-To-Site Connectivity page, enter the information below, and then click the checkmark in the lower right of the page. For more information about the settings on this page, see the Site-to-Site Connectivity page section in About Configuring a Virtual Network using the Management Portal.
- NAME: For the example in this tutorial, type YourCorpHQ.
- VPN DEVICE IP ADDRESS: Enter the public IP address of your VPN device. If you don't have this information, you'll need to obtain it before moving forward with the next steps in the wizard. Note that your VPN device cannot be behind a NAT. For more information about VPN devices, see About VPN Devices for Virtual Network.
- ADDRESS SPACE: For the example in this tutorial, type 10.1.0.0/16.
- Add address space: This tutorial does not require additional address space.
On the Virtual Network Address Spaces page, enter the information below, and then click the checkmark on the lower right to configure your network.
Address space must be a private address range, specified in CIDR notation from the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 address spaces (as specified by RFC 1918). For more information about the settings on this page, see Virtual Network Address Spaces page in About Configuring a Virtual Network using the Management Portal.
- Address Space: For the example in this tutorial, click CIDR in the upper right corner, then enter the following:
  - Starting IP: 10.4.0.0
  - CIDR: /16
- Add subnet: For the example in this tutorial, enter the following:
  - Rename Subnet-1 to FrontEndSubnet with the starting IP 10.4.2.0/24.
  - Add a subnet called BackEndSubnet with the starting IP 10.4.3.0/24.
  - Add a subnet called ADDNSSubnet with the starting IP 10.4.4.0/24.
  - Add a gateway subnet with the starting IP 10.4.1.0/24.
- For the example in this tutorial, verify that you now have three subnets and a gateway subnet created, and then click the checkmark on the lower right to create your virtual network.
After you click the checkmark, Azure begins creating your virtual network. When your virtual network has been created, you will see Created listed under Status on the networks page in the Management Portal.
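The address plan entered in the wizard above can be checked for consistency before it is typed into the portal. The following Python check is an added example, not part of the original tutorial or any Microsoft tooling; `validate_plan`, the dictionary key `Gateway`, and the VPN device address 203.0.113.10 (a documentation address) are assumptions, and the no-overlap test between the virtual network and the local network is a routing requirement the tutorial does not state explicitly.

```python
import ipaddress

# RFC 1918 private ranges, as listed for the Virtual Network Address Spaces page.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_plan(vnet, subnets, local_nets, vpn_device_ip):
    """Return a list of problems in a site-to-site address plan (empty if none)."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    # The virtual network address space must be private.
    if not any(vnet_net.subnet_of(block) for block in RFC1918):
        problems.append(f"{vnet} is not inside an RFC 1918 range")
    # Overlapping on-premises and Azure ranges cannot be routed over the tunnel.
    for local in map(ipaddress.ip_network, local_nets):
        if vnet_net.overlaps(local):
            problems.append(f"{vnet} overlaps local network {local}")
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    # Every subnet, including the gateway subnet, must sit inside the address space.
    for name, net in parsed.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} {net} is outside {vnet}")
    # Subnets must not overlap each other.
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} overlaps {b}")
    # The VPN device needs a public IPv4 address and cannot be behind a NAT.
    device = ipaddress.ip_address(vpn_device_ip)
    if any(device in block for block in RFC1918):
        problems.append(f"VPN device {vpn_device_ip} is private, so it is behind a NAT")
    return problems


# Values from the tutorial's example configuration.
TUTORIAL_VNET = "10.4.0.0/16"
TUTORIAL_SUBNETS = {"FrontEndSubnet": "10.4.2.0/24", "BackEndSubnet": "10.4.3.0/24",
                    "ADDNSSubnet": "10.4.4.0/24", "Gateway": "10.4.1.0/24"}
TUTORIAL_LOCAL = ["10.1.0.0/16"]
SAMPLE_VPN_DEVICE_IP = "203.0.113.10"  # constructed placeholder, not from the tutorial

if __name__ == "__main__":
    found = validate_plan(TUTORIAL_VNET, TUTORIAL_SUBNETS, TUTORIAL_LOCAL,
                          SAMPLE_VPN_DEVICE_IP)
    for line in found or ["address plan is consistent"]:
        print(line)
```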
After creating your Azure Virtual Network, use the following procedure to configure the virtual network gateway in order to create your site-to-site VPN. This procedure requires that you have a VPN device that meets the minimum requirements. For more information about VPN devices and device configuration, see About VPN Devices for Virtual Network.
To start the gateway:
When your virtual network has been created, the networks page will show Created as the status for your virtual network.
In the NAME column, click YourVirtualNetwork (for the example created in this tutorial) to open the dashboard.
Click DASHBOARD at the top of the page. On the Dashboard page, on the bottom of the page, click CREATE GATEWAY. Select either Dynamic Routing or Static Routing for the type of Gateway that you want to create.
Note that if you want to use this virtual network for point-to-site connections in addition to site-to-site, you must select Dynamic Routing as the gateway type. Before creating the gateway, verify that your VPN device will support the gateway type that you want to create. See About VPN Devices for Virtual Network. When the system prompts you to confirm that you want the gateway created, click YES.
When the gateway creation starts, you will see a message letting you know that the gateway has been started.
It may take up to 15 minutes for the gateway to be created.
After the gateway has been created, you'll need to gather the following information that will be used to configure the VPN device.
- Gateway IP address
- Shared key
- VPN device configuration script template
The next steps walk you through this process.
To locate the Gateway IP Address: The Gateway IP address is located on the virtual network DASHBOARD page.
To acquire the Shared Key: The shared key is located on the virtual network DASHBOARD page. Click Manage Key at the bottom of the screen, and then copy the key displayed in the dialog box. You will need this key to configure the IPsec tunnel on your company's VPN device.
To download the VPN device configuration script template: On the dashboard, click Download VPN Device Script.
On the Download a VPN Device Configuration Script dialog box, select the vendor, platform, and operating system for your company's VPN device. Click the checkmark button and save the file.
If you don't see your VPN device in the drop-down list, see About VPN Devices for Virtual Network in the MSDN library for additional script templates.
Because each VPN device is different, this is only a high-level procedure. This procedure should be done by your network administrator.
You can get the VPN configuration script from the Management Portal or from About VPN Devices for Virtual Network, which also explains routing types and the devices that are compatible with the routing configuration that you select to use.
For additional information about configuring a virtual network gateway, see Configure the Virtual Network Gateway in the Management Portal and consult your VPN device documentation.
This procedure assumes the following:
The person configuring the VPN device is proficient at configuring the device that has been selected. Due to the number of devices that are compatible with virtual network and the configurations that are specific to each device family, these steps do not walk through device configuration at a granular level. Therefore, it's important that the person configuring the device is familiar with the device and its configuration settings.
The device that you have selected to use is compatible with virtual network. Check here for device compatibility.
To configure the VPN device:
Modify the VPN configuration script. You will configure the following:
a. Security policies
b. Incoming tunnel
c. Outgoing tunnel
Run the modified VPN configuration script to configure your VPN device.
Test your connection by running one of the following commands:
| | Cisco ASA | Cisco ISR/ASR | Juniper SSG/ISG | Juniper SRX/J |
|---|---|---|---|---|
| Check main mode SAs | show crypto isakmp sa | show crypto isakmp sa | get ike cookie | show security ike security-association |
| Check quick mode SAs | show crypto ipsec sa | show crypto ipsec sa | get sa | show security ipsec security-association |
To extend your on-premises Active Directory to the virtual network you just created, continue with the following tutorials:
If you want to export your virtual network settings to a network configuration file in order to back up your configuration or to use it as a template, see Export Virtual Network Settings to a Network Configuration File.