Azure - Site-to-Site IPSEC


In order to establish Site-To-Site IPSEC VPN connection between Azure and Perimeter 81 please follow the steps below:


1. Create Gateway subnet

a. In the portal, navigate to the virtual network for which you want to create a virtual network gateway
b. In the Settings section of your VNet page, click Subnets to expand the Subnets page
c. On the Subnets page, click "+Gateway subnet" at the top to open the "Add subnet" page
d. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'
e. Adjust the auto-filled Address range values to match your configuration requirements


2. Create Virtual Network Gateway

a. On the left side of the portal page, click + and type 'Virtual Network Gateway' in search
b. Locate and click Virtual network gateway
c. On the Create virtual network gateway page, specify the values for your virtual network gateway

  • Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the
    gateway object you are creating.
  • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN
  • VPN type: Select VPN
  • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the
    VPN type you select
  • Location: You may need to scroll to see Location. Adjust the Location field to point to the location
    where your virtual network is located. For example, West US. If the location is not pointing to the
    region where your virtual network resides, when you select a virtual network in the next step, it will
    not appear in the drop-down list
  • Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual
    network to open the 'Choose a virtual network' page. Select the VNet. If you don't see your VNet,
    make sure the Location field is pointing to the region in which your virtual network is located
  • Gateway subnet address range: You will only see this setting if you did not previously create a
    gateway subnet for your virtual network. If you previously created a valid gateway subnet, this
    setting will not appear
  • Public IP address: This setting specifies the public IP address object that gets associated to the
    VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created.
  • Leave Configure BGP ASN deselected
  • Click Create to begin creating the VPN gateway
    It can take up to 45 minutes to complete the task.

3. Create Local Network Gateway

a. In the portal, click +Create a resource
b. In the search box, type Local network gateway, then press Enter to search. This will return a list of
results. Click Local network gateway, then click the Create button to open the Create local network
gateway page
c. On the Create local network gateway page, specify the values for your local network gateway

  • Name: Specify a name for your local network gateway object.
  • IP address: This is the public IP address of the VPN device that you want Azure to connect to.
    Specify a valid public IP address. If you don't have the IP address right now, you can use the values
    shown in the example, but you'll need to go back and replace your placeholder IP address with the
    public IP address of your VPN device. Otherwise, Azure will not be able to connect.
  • Address Space refers to the address ranges for the network that this local network represents. You
    can add multiple address space ranges. Make sure that the ranges you specify here do not overlap
    with ranges of other networks that you want to connect to
  • Subscription: Verify that the correct subscription is showing.
  • Resource Group: Select the resource group that you want to use. You can either create a new
    resource group, or select one that you have already created.
  • Location: Select the location that this object will be created in. You may want to select the same
    location that your VNet resides in, but you are not required to do so
d. When you have finished specifying the values, click the Create button at the bottom of the page to
create the local network gateway

4. Create the IPSEC tunnel connection

a. Navigate to and open the page for your virtual network gateway. There are multiple ways to
navigate. You can navigate to the gateway 'VNet1GW' by going to YourVNet -> Overview ->
Connected devices -> YourVNetGW
b. On the page for VNet1GW, click Connections. At the top of the Connections page, click +Add to
open the Add connection page
c. On the Add connection page, configure the values for your connection

  • Name: Name your connection.
  • Connection type: Select Site-to-site (IPsec).
  • Virtual network gateway: The value is fixed because you are connecting from this gateway.
  • Local network gateway: Click Choose a local network gateway and select the local network
    gateway that you want to use.
  • Shared Key: the value here must match the value that you are using for your local on-premises
    VPN device
  • The remaining values for Subscription, Resource Group, and Location are fixed
  • Click OK to create your connection. You'll see Creating Connection flash on the screen

5. Perimeter 81 Settings

a. Go to the Gateway in your network from which you want to create the tunnel to Azure
b. Click on the 3 dots and press "Add Tunnel"
c. Name - Set a name for the Tunnel
d. Shared Secret - Enter the same Shared Secret you set in Azure
e. "Public IP" and "Remote ID" - Enter the public IP address of the Azure "Virtual network gateway"
f. In "Perimeter 81 Gateway Proposal Subnets" choose "Any" or a specific subnet
g. In "Remote Gateway Proposal Subnets" enter your Azure VNet subnet
h. Advanced Settings:

  • IKE Version - V2
  • IKE Lifetime - 8h
  • Tunnel Lifetime - 1h
  • Dead Peer Detection Delay - 10s
  • Dead Peer Detection Timeout - 30s
  • Encryption (Phase 1) - aes256
  • Integrity (Phase 1) - sha1
  • Diffie-Hellman Groups (Phase 1) - 2
  • Encryption (Phase 2) - aes256
  • Integrity (Phase 2) - sha1
  • Diffie-Hellman Groups (Phase 2) - 2

i. Press "Add Tunnel"

6. Verify the VPN connection

  1. In Azure click "All Resources"
  2. Click on "Virtual network gateway"
  3. Go to "Connections"
  4. Click on your connection
  5. In Overview check that the "Status" is "Connected"
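The Azure side of the procedure above (gateway subnet, virtual network gateway, local network gateway, the site-to-site connection and the status check) scripted with the Az PowerShell module, added here as an example; it is not part of the original article and not Perimeter 81 tooling. Resource names, address ranges, the peer IP and the pre-shared key are constructed placeholders, and the IPsec policy pins Azure to the same proposal the guide configures on the Perimeter 81 tunnel.

```powershell
# Added example, not from the original article. Requires the Az module and a prior Connect-AzAccount.
$RG       = 'rg-vpn-demo'          # existing resource group (placeholder)
$Location = 'westus'
$VNetName = 'VNet1'                # existing VNet (placeholder)
$P81Ip    = '203.0.113.10'         # Perimeter 81 gateway public IP (placeholder)
$P81Nets  = @('10.100.0.0/16')     # address space behind Perimeter 81 (placeholder)
$Psk      = Read-Host -Prompt 'Shared key' -AsSecureString   # prompt instead of hard-coding the PSK
$PskPlain = [System.Net.NetworkCredential]::new('', $Psk).Password

# Gateway subnet: the name must be exactly 'GatewaySubnet'; a /27 leaves room for later SKU changes.
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27' -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Virtual network gateway (type VPN, route-based). This call blocks until provisioning finishes,
# which can take up to 45 minutes. A Standard-SKU static public IP is used for the gateway.
$pip   = New-AzPublicIpAddress -Name 'VNet1GWIP' -ResourceGroupName $RG -Location $Location `
           -AllocationMethod Static -Sku Standard
$ipCfg = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw    = New-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $RG -Location $Location `
           -IpConfigurations $ipCfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway: the Perimeter 81 peer (its public IP and the networks it represents).
$lng = New-AzLocalNetworkGateway -Name 'P81-LNG' -ResourceGroupName $RG -Location $Location `
         -GatewayIpAddress $P81Ip -AddressPrefix $P81Nets

# IPsec/IKE policy mirroring the Advanced Settings of the Perimeter 81 tunnel, so both peers offer
# the same proposal. Azure's IKE (Phase 1) SA lifetime is fixed at 28800 s, i.e. the 8h above;
# SALifeTimeSeconds is the Phase 2 (tunnel) lifetime, 1h. SHA1 and DH group 2 are the guide's
# choices; Azure also accepts stronger values (e.g. SHA256, DHGroup14/PFS2048) if both sides agree.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
            -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS2 `
            -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

# Site-to-site connection. The shared key must match the Shared Secret entered on the Perimeter 81 tunnel.
$conn = New-AzVirtualNetworkGatewayConnection -Name 'VNet1-to-P81' -ResourceGroupName $RG -Location $Location `
          -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
          -SharedKey $PskPlain -IpsecPolicies $policy

# Verify: ConnectionStatus becomes 'Connected' once the Perimeter 81 tunnel is added and IKE completes.
Get-AzVirtualNetworkGatewayConnection -Name 'VNet1-to-P81' -ResourceGroupName $RG |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```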