Which components are necessary to configure an AWS site-to-site VPN connection successfully
Tutorial: Create a site-to-site VPN connection in the Azure portal
Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial shows you how to use the Azure portal to create a site-to-site VPN gateway connection from your on-premises network to the VNet. You can also create this configuration using Azure PowerShell or Azure CLI.
In this tutorial, you learn how to:
Prerequisites
Create a virtual network
In this section, you'll create a virtual network (VNet) using the following values:
Note: When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.
Create a VPN gateway
In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

About the gateway subnet
The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28. If you see an error that specifies that the address space overlaps with a subnet, or that the subnet isn't contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.

Create the gateway
Create a virtual network gateway (VPN gateway) using the following values:
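The two address-planning rules above (no duplicate ranges on either side of the tunnel, and a gateway subnet that fits inside the VNet address space without colliding with existing subnets) are easy to check before touching the portal. The following is an added example, not code from the tutorial or from Azure itself; it uses only the standard-library ipaddress module, and every prefix in it is a constructed sample value. It also applies the rule stated later under "Add another connection": the prefixes declared for different sites on one gateway must not overlap each other.

```python
"""Address-plan checks for a site-to-site VPN design.

Added example, not code from the Azure tutorial. It applies the tutorial's rules
with the standard-library ipaddress module: no overlap between the VNet, the
on-premises prefixes, a peer VNet, or any two sites; a GatewaySubnet that sits
inside the VNet address space, avoids existing subnets, and is a /27 or /28.
All prefixes below are constructed sample values.
"""
import ipaddress
from itertools import combinations


def _nets(prefixes):
    """Parse CIDR strings; strict=False tolerates host bits set in the input."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def overlapping_pairs(prefixes_a, prefixes_b):
    """Every (a, b) where a prefix of one side overlaps a prefix of the other.

    Non-empty output means traffic would route unexpectedly over the tunnel.
    """
    return [(str(a), str(b)) for a in _nets(prefixes_a)
            for b in _nets(prefixes_b) if a.overlaps(b)]


def check_gateway_subnet(vnet_space, existing_subnets, gateway_subnet):
    """Problems with a proposed GatewaySubnet; an empty list means it is acceptable."""
    problems = []
    gw = ipaddress.ip_network(gateway_subnet, strict=False)
    if not any(gw.subnet_of(space) for space in _nets(vnet_space)):
        problems.append(f"{gw} is not contained within the VNet address space")
    for existing in _nets(existing_subnets):
        if gw.overlaps(existing):
            problems.append(f"{gw} overlaps existing subnet {existing}")
    if gw.prefixlen not in (27, 28):
        problems.append(f"{gw} is a /{gw.prefixlen}; a /27 or /28 is recommended")
    return problems


def free_gateway_subnet(vnet_space, existing_subnets, prefixlen=27):
    """First /prefixlen block inside the VNet space untouched by existing subnets.

    Returns None when the space is fully consumed, which is exactly the case the
    tutorial describes (the default subnet spans the whole address range).
    """
    taken = _nets(existing_subnets)
    for space in _nets(vnet_space):
        if space.prefixlen > prefixlen:
            continue  # this address range is too small to hold a block of that size
        for candidate in space.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                return str(candidate)
    return None


def conflicting_sites(sites):
    """For several local network gateways on one VPN gateway: pairs of site names
    whose declared prefixes overlap each other, which the tutorial forbids."""
    return [(x, y) for (x, px), (y, py) in combinations(sites.items(), 2)
            if overlapping_pairs(px, py)]


# Constructed sample plan (hypothetical values, not from the tutorial)
VNET_SPACE = ["10.1.0.0/16"]
EXISTING_SUBNETS = ["10.1.0.0/24"]          # e.g. a front-end subnet
GATEWAY_SUBNET = "10.1.255.0/27"
SITES = {
    "Site1": ["10.2.0.0/24"],
    "Site2": ["10.2.0.0/16"],               # overlaps Site1 and must be fixed
}
PEER_VNET_SPACE = ["10.3.0.0/16"]


def report():
    """Run every check against the sample plan and return the findings."""
    all_site_prefixes = [p for prefixes in SITES.values() for p in prefixes]
    return {
        "gateway_subnet_problems": check_gateway_subnet(VNET_SPACE, EXISTING_SUBNETS, GATEWAY_SUBNET),
        "vnet_vs_sites": overlapping_pairs(VNET_SPACE, all_site_prefixes),
        "vnet_vs_peer": overlapping_pairs(VNET_SPACE, PEER_VNET_SPACE),
        "site_conflicts": conflicting_sites(SITES),
    }


if __name__ == "__main__":
    for name, finding in report().items():
        print(f"{name}: {finding or 'ok'}")
```

Run it before creating the gateway and again before adding each new local network gateway; the only finding the sample plan produces is the Site1/Site2 overlap, and free_gateway_subnet is the helper to reach for when the portal reports that the gateway subnet is not contained in the address space.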
You can see the deployment status on the Overview page for your gateway. A gateway can take up to 45 minutes to fully create and deploy. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.
Important: When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected. For more information about network security groups, see What is a network security group?.

View the public IP address
You can view the gateway public IP address on the Overview page for your gateway.
To see additional information about the public IP address object, select the name/IP address link next to Public IP address.

Create a local network gateway
The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later. Create a local network gateway using the following values:
Configure your VPN device
Site-to-site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following values:
To download VPN device configuration scripts: Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts. See the following links for additional configuration information:
Create VPN connections
Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device. Create a connection using the following values:
To configure additional connection settings (optional)
You can configure additional settings for your connection, if necessary. Otherwise, skip this section and leave the defaults in place.
Verify the VPN connection
In the Azure portal, you can view the connection status of a VPN gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.
Connect to a virtual machine
You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you're testing to see if you can connect, not whether name resolution is configured properly.
Troubleshoot a connection
If you're having trouble connecting to a virtual machine over your VPN connection, check the following:
Optional steps

Resize a gateway SKU
There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we'll resize the SKU. For more information, see Gateway settings - resizing and changing SKUs.
Reset a gateway
Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more site-to-site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but aren't able to establish IPsec tunnels with the Azure VPN gateways.
Add another connection
You can create a connection to multiple on-premises sites from the same VPN gateway. If you want to configure multiple connections, the address spaces can't overlap between any of the connections.
Additional configuration considerations
S2S configurations can be customized in a variety of ways. For more information, see the following articles:
Clean up resources
If you're not going to continue to use this application or go to the next tutorial, delete these resources using the following steps:
Next steps
Once you've configured an S2S connection, you can add a P2S connection to the same gateway.

Which components are required to build a site
Site-to-Site VPN components: virtual private gateway, transit gateway, customer gateway device, customer gateway.

What is required for site
In order to set up an internet-based site-to-site VPN between two sites, a VPN gateway (router, firewall, VPN concentrator, or security appliance) such as the Cisco Adaptive Security Appliance (ASA) is required at both sites.
Which is the connection point on the AWS side for site
On the AWS side of the Site-to-Site VPN connection, a virtual private gateway or transit gateway provides two VPN endpoints (tunnels) for automatic failover.
Which network security protocol is used with AWS site
Amazon supports Internet Protocol security (IPsec) VPN connections. IPsec is a protocol suite for securing IP communications by authenticating and encrypting each IP packet in a data stream. Each Site-to-Site VPN connection consists of two encrypted IPsec VPN tunnels that link AWS and your network.