Design a site-to-site VPN connection, including high availability

2.1 Site-to-Site (S2S) VPN Connectivity

📘Microsoft Azure Networking Solutions (AZ-700)

1. What is a Site-to-Site VPN?

A Site-to-Site (S2S) VPN is a secure, encrypted connection between two networks over the Internet.

  • One network is typically your on-premises network (like your office network).
  • The other network is your Azure Virtual Network (VNet).

Think of it as creating a private tunnel over the public internet, so both networks can communicate securely.

Key Points for the Exam:

  • S2S VPNs are used for branch offices, on-premises networks, or other cloud networks.
  • Data sent through the VPN is encrypted using IPsec/IKE protocols.

2. Components of a Site-to-Site VPN in Azure

To create a S2S VPN, you need these components:

ComponentPurpose
Azure Virtual Network (VNet)Your private network in Azure where resources like VMs exist.
Virtual Network GatewayConnects your Azure VNet to the VPN. It’s the “VPN device” in Azure.
Local Network GatewayRepresents your on-premises network in Azure. You provide your public IP and address ranges.
VPN Device / Firewall (On-Prem)Your on-premises device (router/firewall) that supports IPsec/IKE VPN.
IPsec/IKE VPN TunnelSecure encrypted connection over the internet.

3. Steps to Design a Site-to-Site VPN Connection

When designing a S2S VPN in Azure, follow these steps:

Step 1: Plan your IP addressing

  • Decide which IP ranges (subnets) in Azure and on-premises will communicate.
  • Make sure no overlapping IP addresses exist; otherwise, traffic cannot route properly.

Step 2: Create a Virtual Network Gateway

  • Choose gateway type: VPN.
  • Choose VPN type: Route-based (recommended for most scenarios).
  • SKU selection: This determines performance, throughput, and high availability.

Common SKUs:

  • Basic
  • VpnGw1, VpnGw2, VpnGw3 (higher numbers = higher throughput & more tunnels)

Tip for exams: Know that route-based gateways are generally used for S2S VPNs in Azure.

Step 3: Create a Local Network Gateway

  • Enter the public IP address of your on-premises VPN device.
  • Enter the address ranges of your on-premises network (so Azure knows where to send traffic).

Step 4: Create the VPN Connection

  • Connect the Virtual Network Gateway to the Local Network Gateway.
  • Specify the shared key (pre-shared key / PSK). This is used to encrypt traffic.

Optional: Configure IKE/IPsec policies if you have specific security requirements (like encryption algorithms, hashing algorithms, etc.)

4. High Availability (HA) Considerations

High Availability ensures your VPN connection stays online even if one component fails.

Azure Side HA

  • Azure VPN gateways have active-active or active-standby configurations.
  • Active-active: Both VPN tunnels are used simultaneously.
  • Active-standby: One tunnel is primary; the other is backup.

On-Premises Side HA

  • You can configure redundant VPN devices (two firewalls or routers) for failover.
  • Each device can establish a VPN tunnel to Azure.

Tunnels for HA

  • Two tunnels per VPN connection are recommended for high availability.
  • Each tunnel can connect to different IP addresses if using active-active.

Exam Tip: Azure supports up to 10 S2S tunnels per VPN gateway (depending on SKU).

5. Monitoring and Troubleshooting

Once deployed, you need to monitor and maintain the VPN:

  • Check tunnel status in Azure Portal.
  • Use Azure Network Watcher for diagnostics and logging.
  • Check on-premises device logs to ensure tunnels are up.

Tip: If a tunnel fails, Azure automatically tries the secondary tunnel if configured for HA.

6. Key Exam Takeaways

When designing a S2S VPN for the AZ-700 exam, remember:

  1. S2S VPN is for secure network-to-network connectivity over the internet.
  2. Route-based VPN is the default/recommended type.
  3. Use Virtual Network Gateway and Local Network Gateway to connect Azure and on-premises networks.
  4. High availability is achieved using active-active VPN gateway and redundant tunnels.
  5. Plan IP ranges carefully to avoid overlaps.
  6. Tunnels are encrypted using IPsec/IKE.
  7. Monitoring via Azure Network Watcher is essential for uptime.

Quick Visual Flow (Simplified)

[On-Premises Network] --IPsec/IKE--> [VPN Device / Firewall]
           |
           v
[Public Internet]
           |
           v
[Azure Virtual Network Gateway] --> [Azure VNet]
  • For HA, you’ll have two tunnels connecting both networks.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by