Create and configure a local network gateway

2.1 Site-to-Site (S2S) VPN Connectivity

📘 Microsoft Azure Networking Solutions (AZ-700)


What is a Local Network Gateway?

A Local Network Gateway (LNG) is an Azure resource that represents the on-premises network (or another cloud network) inside Azure.

Azure needs a way to understand:

  • Where the remote network is
  • How to reach it
  • What IP address ranges exist on that remote side

The Local Network Gateway provides this information.

In short:
Local Network Gateway = Azure’s definition of the remote network

Without a Local Network Gateway, Azure cannot create a Site-to-Site VPN connection.


Why is a Local Network Gateway Required for S2S VPN?

In a Site-to-Site VPN:

  • One side is Azure
  • The other side is on-premises or another cloud network

Azure must know:

  1. The public IP address of the remote VPN device
  2. The private IP address ranges that exist on the remote network

This information is stored in the Local Network Gateway.


Key Components of a Local Network Gateway

For the AZ-700 exam, you must clearly understand each configuration item.


1. Name

  • A logical name for the Local Network Gateway
  • Used only for identification in Azure
  • No impact on connectivity

Example format:

lng-onprem
lng-branch1

2. Endpoint (Important Exam Area)

The endpoint defines how Azure identifies the remote VPN device.

There are two options:

a. IP Address

  • Most commonly used
  • You enter the public IPv4 address of the remote VPN device
  • Required for traditional Site-to-Site VPN

Exam note:
If the remote VPN device has a static public IP, use this option.


b. Fully Qualified Domain Name (FQDN)

  • Used when the remote VPN device:
    • Has a dynamic public IP
    • Or the IP may change
  • Azure resolves the FQDN to an IP address

Exam note:
FQDN support is useful for environments where the public IP is not fixed.


3. Address Space (Very Important)

The address space defines:

  • The private IP ranges that exist in the remote network

These IP ranges:

  • Are used by Azure to:
    • Route traffic correctly
    • Avoid IP conflicts
  • Must not overlap with Azure VNet address space

Example formats:

10.0.0.0/16
192.168.1.0/24

Exam rules:

  • You can add multiple address spaces
  • Overlapping IP ranges will cause routing issues
  • Azure uses this list to decide which traffic should go through the VPN

4. Location

  • The Azure region where the Local Network Gateway is created
  • It does not need to match the VNet Gateway region
  • Used only for Azure resource placement

5. BGP Settings (Optional but Exam-Relevant)

If Border Gateway Protocol (BGP) is used, additional settings are required.

BGP Fields:

a. ASN (Autonomous System Number)

  • Identifies the remote network in BGP routing
  • Must match the ASN configured on the remote VPN device

b. BGP Peer IP Address

  • The IP address used for BGP communication
  • Must be reachable through the VPN tunnel

Exam note:

  • BGP is optional
  • Used for dynamic routing
  • Useful when routes change frequently

How Local Network Gateway Works in S2S VPN

The Local Network Gateway does not create a VPN tunnel by itself.

The full flow is:

  1. Create Virtual Network (VNet)
  2. Create Virtual Network Gateway
  3. Create Local Network Gateway
  4. Create a VPN Connection
    • This connection links:
      • Virtual Network Gateway
      • Local Network Gateway

Only after step 4 does the VPN tunnel become active.


Local Network Gateway vs Virtual Network Gateway

Feature            Local Network Gateway    Virtual Network Gateway
Represents         Remote network           Azure network
Stores IP ranges   Yes (remote side)        No
Creates tunnel     No                       Yes
Used in S2S        Yes                      Yes
Used alone         No                       No

Exam tip:
These two gateways work together, not independently.


Common Configuration Mistakes (Exam Traps)

Be aware of these common issues:

1. Overlapping IP Address Spaces

  • Azure will not route traffic correctly
  • Exam questions often test this

2. Incorrect Public IP Address

  • VPN tunnel will fail to connect
  • Must match the remote VPN device

3. Missing Address Spaces

  • Traffic will not reach the remote network
  • Azure only routes traffic to defined ranges

4. BGP Mismatch

  • ASN mismatch causes routing failure
  • BGP Peer IP must be correct
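As an added example (not from these notes and not Microsoft's code): a Python pre-flight check that catches the address-space, endpoint and BGP mistakes listed above before the Local Network Gateway is created, then builds the matching Azure CLI command. The IP ranges, ASN 65010 and resource group name are constructed placeholders; the flag names are those of `az network local-gateway create`, and 65515 is the ASN Azure reserves for its own VPN gateways.

```python
import ipaddress

# Constructed example (not Microsoft's code): pre-flight checks for a planned Local Network Gateway.
AZURE_VPN_GATEWAY_DEFAULT_ASN = 65515  # reserved by Azure for its own VPN gateways
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def check_local_network_gateway(gateway_ip, address_prefixes, vnet_prefixes, asn=None, bgp_peer_ip=None):
    """Return the list of problems found (an empty list means the LNG definition is consistent)."""
    problems = []
    # Endpoint: the remote VPN device's public IPv4 address (an RFC 1918 address is a classic mistake)
    try:
        ip = ipaddress.IPv4Address(gateway_ip)
        if any(ip in net for net in NON_PUBLIC_V4):
            problems.append(f"endpoint {gateway_ip} is not a public IPv4 address")
    except ipaddress.AddressValueError:
        problems.append(f"endpoint {gateway_ip!r} is not a valid IPv4 address")
    # Address space: strict=True rejects prefixes with host bits set, e.g. 192.168.1.5/24
    remote = []
    for prefix in address_prefixes:
        try:
            remote.append(ipaddress.ip_network(prefix, strict=True))
        except ValueError:
            problems.append(f"address space {prefix!r} is not a valid CIDR prefix")
    if not remote and asn is None:
        problems.append("no address spaces and no BGP: Azure will send no traffic through the tunnel")
    # Overlap with the Azure VNet address space (exam trap 1): Azure cannot route these correctly
    vnets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    for r in remote:
        problems += [f"remote range {r} overlaps Azure VNet range {v}" for v in vnets if r.overlaps(v)]
    # BGP: ASN and peer IP go together, and the ASN must not collide with Azure's own gateway ASN
    if (asn is None) != (bgp_peer_ip is None):
        problems.append("BGP needs both an ASN and a BGP peer IP address")
    if asn is not None and not 1 <= asn <= 4294967295:
        problems.append(f"ASN {asn} is outside the valid range")
    elif asn == AZURE_VPN_GATEWAY_DEFAULT_ASN:
        problems.append(f"ASN {asn} is reserved for the Azure VPN gateway itself")
    return problems


def az_create_command(resource_group, name, location, gateway_ip, address_prefixes, asn=None, bgp_peer_ip=None):
    """Build the argv for 'az network local-gateway create' (flag names as in the Azure CLI)."""
    cmd = ["az", "network", "local-gateway", "create", "--resource-group", resource_group,
           "--name", name, "--location", location, "--gateway-ip-address", gateway_ip,
           "--local-address-prefixes", *address_prefixes]
    if asn is not None:
        cmd += ["--asn", str(asn), "--bgp-peering-address", bgp_peer_ip]
    return cmd
```

Run the check first and only build the command when it returns an empty list; the same check is worth repeating whenever the remote address spaces or BGP settings are later modified.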

When to Modify a Local Network Gateway

You may need to update it when:

  • New subnets are added on the remote network
  • Public IP of the remote VPN device changes
  • BGP configuration changes

Exam note:
Updating address spaces does not require recreating the VPN tunnel, but it may cause brief connectivity impact.


Exam-Focused Summary

For AZ-700, remember:

  • Local Network Gateway represents the remote network
  • Required for Site-to-Site VPN
  • Contains:
    • Remote public IP or FQDN
    • Remote private address spaces
    • Optional BGP settings
  • Does not create VPN tunnels
  • Must be connected to a Virtual Network Gateway
  • Address spaces must not overlap with Azure VNets