Design 19: Site-to-Site VPN

Summary

This design connects your On-Premises network to Azure using an encrypted Site-to-Site (S2S) VPN.

Topology: The VPN Gateway sits in the Hub VNet. All Spoke VNets use this gateway to communicate with On-Premises. This design details the configuration of that connection.

1. Key Design Decisions (ADR)

ADR-01: Gateway Placement

  • Decision: Place VPN Gateway in the Hub.
  • Rationale: Avoids paying for a gateway in every spoke. Centralizes security logging.

ADR-02: VPN Type

  • Decision: Route-Based VPN.
  • Rationale: Required for IKEv2 and coexistence with ExpressRoute.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  On-Premises |           |        HUB VNet          |           |  SPOKE VNet  |
|  Router      |           |       (10.0.0.0/16)      |           | (10.1.0.0/16)|
| (192.168.1.1)|<--------->|   [VPN Gateway]          |<--------->|  [Workload]  |
|              |   IPsec   |   (10.0.0.4)             |  Peering  |              |
+--------------+  Tunnel   +--------------------------+           +--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | GatewaySubnet         |                                           |
|   | (10.0.0.0/24)         |                                           |
|   | [Local Network Gw]    | (Represents On-Prem IP)                   |
|   | [Virtual Network Gw]--|--(Connection)---> IPsec Tunnel            |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-spoke (10.1.0.0/16)                                  |
|   +-----------------------+                                           |
|   | VM: vm-workload       |                                           |
|   | (Routes 192.168.x.x   |                                           |
|   |  to Virtual Gw)       |                                           |
|   +-----------------------+                                           |
+---------------|-------------------------------------------------------+
                |
                | (Config Replication)
                v
+-----------------------------------------------------------------------+
| SECONDARY REGION (West US) - DR Site                                  |
|                                                                       |
|   +-----------------------+                                           |
|   | VPN Gateway (Standby) |                                           |
|   | (Not Connected)       |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • Local Network Gateway (LNG): An Azure resource that tells the VPN Gateway *where* to connect (On-Prem Public IP) and *what* subnets exist on-prem (192.168.1.0/24).
  • Connection: The logical link binding the VPN Gateway to the LNG.

5. Strategy: High Availability (HA)

  • Active-Standby: Default. One instance active, one standby.
  • Active-Active: (Optional) Deploy two active instances for higher throughput and SLA.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Cold Standby.
  • Process:

* Deploy a VPN Gateway in West US Hub.

* Either leave it disconnected (to save cost and complexity), or keep it connected but advertise its routes with a higher BGP cost so that the East US gateway stays the preferred path.

* In a disaster, repoint the On-Prem router at the West US gateway's public IP.

7. Strategy: Backup

  • Config: Backup the Shared Key (PSK) and Router Config scripts.

8. Strategy: Security

  • Encryption: AES-256 encryption over the Internet.
  • Firewall: On-Prem firewall must allow UDP 500 (IKE) and UDP 4500 (IPsec NAT-T) to and from the gateway's public IP.

9. Well-Architected Framework Analysis

  • Reliability: High. 99.9% SLA.
  • Security: High. Encrypted tunnel.
  • Cost Optimization: High. Shared resource.
  • Operational Excellence: Medium. Troubleshooting VPN logs can be complex.
  • Performance Efficiency: Medium. Limited by Internet bandwidth (max 1 Gbps for VpnGw1).

10. Detailed Traffic Flow

1. Spoke VM: Sends packet to 192.168.1.5 (On-Prem Server).

2. Peering: Packet routes to the Hub Gateway (the spoke peering has "Use Remote Gateway" enabled and the hub peering allows gateway transit).

3. Gateway: Encrypts packet. Wraps in IPsec. Sends to On-Prem Public IP.

4. Internet: Packet traverses public internet.

5. On-Prem Router: Decrypts packet. Forwards to Server.

11. Runbook: Deployment Guide (Azure Portal)
Phase 1: Prerequisites (Hub)

1. Ensure vnet-hub exists (Design 5).

2. Ensure GatewaySubnet exists in vnet-hub.

Phase 2: Create Local Network Gateway (Represents On-Prem)

1. Search: "Local network gateways" -> + Create.

2. Name: lng-office.

3. Resource Group: rg-hub-prod.

4. Region: East US.

5. IP address: Enter your *Office Public IP* (e.g., 203.0.113.5).

* *Note: The LNG needs a static public IP for the office; with a dynamic IP the address recorded here goes stale and this step cannot be completed reliably.*

6. Address Space: Enter your *Office Local Subnet* (e.g., 192.168.1.0/24).

7. Create.

Phase 3: Create VPN Gateway

1. Search: "Virtual network gateways" -> + Create.

2. Name: vpngw-hub.

3. Region: East US.

4. Gateway type: VPN.

5. VPN type: Route-based.

6. SKU: VpnGw1.

7. Virtual network: vnet-hub.

8. Public IP address: Create new pip-vpngw.

9. Create.

* *Warning: This takes 45 minutes.*

Phase 4: Create Connection

1. Go to vpngw-hub -> Connections -> + Add.

2. Name: Hub-to-Office.

3. Connection type: Site-to-site (IPsec).

4. Local network gateway: Select lng-office.

5. Shared key (PSK): Enter a strong shared secret (e.g., Secret123! is only a placeholder; in practice use a long, randomly generated value and store it in a secret store).

6. IKE Protocol: IKEv2.

7. Create.

Phase 5: Configure On-Prem Router

1. Go to the Connection Hub-to-Office.

2. Download configuration (Top bar).

3. Device vendor: Select yours (e.g., Cisco, Ubiquiti, Generic).

4. Download.

5. Apply: Open the text file and apply the config to your local router.

Phase 6: Verify

1. Go to Connection. Status should change from Connecting to Connected.

2. Ping: From an Azure VM (10.0.x.x), ping an On-Prem Server (192.168.1.x).

3. It should reply.
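The runbook above is written for the Azure Portal. The script below is an added example (not part of the original design page) that performs Phases 2, 3, 4 and 6 with the Azure CLI and also applies the two points from section 8: the PSK is generated and checked rather than typed, and AES-256 is pinned for both IKE and IPsec. Resource names (rg-hub-prod, vnet-hub, lng-office, vpngw-hub, pip-vpngw, Hub-to-Office) and the 192.168.1.0/24 prefix come from the page; 203.0.113.5 is the page's placeholder office IP and must be replaced. The `generate_psk` and `psk_is_strong` helpers, the Standard-SKU public IP and the specific IPsec policy values are this example's own assumptions, and Phase 5 (router configuration) remains a router-side step.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the Portal runbook (Phases 2-4, 6)
# plus the PSK and AES-256 points from section 8. Not the page's own script.
set -eu

RG="rg-hub-prod"
LOCATION="eastus"
HUB_VNET="vnet-hub"
LNG_NAME="lng-office"
GW_NAME="vpngw-hub"
PIP_NAME="pip-vpngw"
CONN_NAME="Hub-to-Office"
OFFICE_PUBLIC_IP="${OFFICE_PUBLIC_IP:-203.0.113.5}"   # placeholder from the page; replace
OFFICE_PREFIX="192.168.1.0/24"

# Generate a 48-character hex pre-shared key from a CSPRNG instead of a
# human-chosen value (assumed helper; openssl with /dev/urandom fallback).
generate_psk() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 24
  else
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
  fi
}

# Minimum PSK policy (assumed): at least 32 characters, printable ASCII only,
# which is also the character set Azure accepts for shared keys.
psk_is_strong() {
  psk="$1"
  [ "${#psk}" -ge 32 ] || return 1
  if printf '%s' "$psk" | LC_ALL=C grep -q '[^ -~]'; then
    return 1
  fi
  return 0
}

deploy() {
  # Phase 2: Local Network Gateway = the on-prem side (public IP + local prefixes)
  az network local-gateway create \
    --resource-group "$RG" --name "$LNG_NAME" --location "$LOCATION" \
    --gateway-ip-address "$OFFICE_PUBLIC_IP" \
    --local-address-prefixes "$OFFICE_PREFIX"

  # Phase 3: public IP and a route-based VpnGw1 gateway in vnet-hub's GatewaySubnet
  az network public-ip create \
    --resource-group "$RG" --name "$PIP_NAME" --location "$LOCATION" \
    --sku Standard --allocation-method Static

  az network vnet-gateway create \
    --resource-group "$RG" --name "$GW_NAME" --location "$LOCATION" \
    --vnet "$HUB_VNET" --public-ip-addresses "$PIP_NAME" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
  # This step takes roughly the 45 minutes noted in Phase 3.

  # Phase 4: the Connection binding the gateway to the LNG with the PSK.
  # Route-based gateways negotiate IKEv2 by default.
  PSK="$(generate_psk)"
  psk_is_strong "$PSK" || { echo "generated PSK failed policy" >&2; return 1; }
  az network vpn-connection create \
    --resource-group "$RG" --name "$CONN_NAME" --location "$LOCATION" \
    --vnet-gateway1 "$GW_NAME" --local-gateway2 "$LNG_NAME" \
    --shared-key "$PSK"
  # Store $PSK in Key Vault afterwards (section 7 backup); do not echo it to logs.

  # Section 8: pin AES-256 for IKE and IPsec instead of accepting the defaults.
  az network vpn-connection ipsec-policy add \
    --resource-group "$RG" --connection-name "$CONN_NAME" \
    --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
    --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-max-size 102400000
}

# Phase 6: print the connection status; expect "Connected" once the router is configured.
verify() {
  az network vpn-connection show \
    --resource-group "$RG" --name "$CONN_NAME" \
    --query connectionStatus --output tsv
}

case "${1:-}" in
  deploy) deploy ;;
  verify) verify ;;
  *) ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run it with `deploy` to create the resources and `verify` to print the connection status; with no argument it only defines the functions. The shared key is generated rather than typed, checked against the minimum policy before use, and passed to the CLI once; it should then live in Key Vault, not in the script or a ticket.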