Configure a VNet-to-VNet VPN gateway connection by using the Azure portal

This article helps you connect virtual networks (VNets) by using the VNet-to-VNet connection type using the Azure portal. The virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active Directory tenant. This type of configuration creates a connection between two virtual network gateways. This article doesn't apply to VNet peering. For VNet peering, see the Virtual Network peering article.

VNet to VNet diagram.

You can create this configuration using various tools, depending on the deployment model of your VNet. The steps in this article apply to the Azure Resource Manager deployment model and the Azure portal. To switch to a different deployment model or deployment method article, use the dropdown.

About connecting VNets

The following sections describe the different ways to connect virtual networks.

VNet-to-VNet

Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.

When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you update the address space for one VNet, the other VNet automatically routes to the updated address space. It's typically faster and easier to create a VNet-to-VNet connection than a Site-to-Site connection. However, the local network gateway isn't visible in this configuration.

  • If you know you want to specify additional address spaces for the local network gateway, or plan to add additional connections later and need to adjust the local network gateway, you should create the configuration using the Site-to-Site steps.
  • The VNet-to-VNet connection doesn't include Point-to-Site client pool address space. If you need transitive routing for Point-to-Site clients, then create a Site-to-Site connection between the virtual network gateways, or use VNet peering.

Site-to-Site (IPsec)

If you're working with a complicated network configuration, you may prefer to connect your VNets by using a Site-to-Site connection instead. When you follow the Site-to-Site IPsec steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. These steps allow you to specify additional address spaces for the local network gateway to route traffic. If the address space for a VNet changes, you must manually update the corresponding local network gateway.

VNet peering

You can also connect your VNets by using VNet peering.

Why create a VNet-to-VNet connection?

You may want to connect virtual networks by using a VNet-to-VNet connection for the following reasons:

Cross region geo-redundancy and geo-presence

  • You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
  • With Azure Traffic Manager and Azure Load Balancer, you can set up highly available workload with geo-redundancy across multiple Azure regions. For example, you can set up SQL Server Always On availability groups across multiple Azure regions.

Regional multi-tier applications with isolation or administrative boundaries

  • Within the same region, you can set up multi-tier applications with multiple virtual networks that are connected together because of isolation or administrative requirements.

VNet-to-VNet communication can be combined with multi-site configurations. These configurations lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the following diagram:

VNet connections diagram.

This article shows you how to connect VNets by using the VNet-to-VNet connection type. When you follow these steps as an exercise, you can use the following example settings values. In the example, the virtual networks are in the same subscription, but in different resource groups. If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead. For more information about VNet-to-VNet connections, see VNet-to-VNet FAQ.

Example settings

Values for VNet1:

  • Virtual network settings

    • Name: VNet1
    • Address space: 10.1.0.0/16
    • Subscription: Select the subscription you want to use.
    • Resource group: TestRG1
    • Location: East US
    • Subnet
      • Name: FrontEnd
      • Address range: 10.1.0.0/24
  • Virtual network gateway settings

    • Name: VNet1GW
    • Resource group: East US
    • Generation: Generation 2
    • Gateway type: Select VPN.
    • VPN type: Select Route-based.
    • SKU: VpnGw2
    • Virtual network: VNet1
    • Gateway subnet address range: 10.1.255.0/27
    • Public IP address: Create new
    • Public IP address name: VNet1GWpip
  • Connection

    • Name: VNet1toVNet4
    • Shared key: You can create the shared key yourself. When you create the connection between the VNets, the values must match. For this exercise, use abc123.

Values for VNet4:

  • Virtual network settings

    • Name: VNet4
    • Address space: 10.41.0.0/16
    • Subscription: Select the subscription you want to use.
    • Resource group: TestRG4
    • Location: West US
    • Subnet
    • Name: FrontEnd
    • Address range: 10.41.0.0/24
  • Virtual network gateway settings

    • Name: VNet4GW
    • Resource group: West US
    • Generation: Generation 2
    • Gateway type: Select VPN.
    • VPN type: Select Route-based.
    • SKU: VpnGw2
    • Virtual network: VNet4
    • Gateway subnet address range: 10.41.255.0/27
    • Public IP address: Create new
    • Public IP address name: VNet4GWpip
  • Connection

    • Name: VNet4toVNet1
    • Shared key: You can create the shared key yourself. When you create the connection between the VNets, the values must match. For this exercise, use abc123.

Create and configure VNet1

If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks. Your connection won't work properly if you have overlapping subnets.

To create a virtual network

Note

When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.

  1. Sign in to the Azure portal.

  2. In Search resources, service, and docs (G+/), type virtual network. Select Virtual network from the Marketplace results to open the Virtual network page.

    Screenshot shows the Azure portal Search bar results and selecting Virtual Network from Marketplace.

  3. On the Virtual network page, select Create. This opens the Create virtual network page.

  4. On the Basics tab, configure the VNet settings for Project details and Instance details. You'll see a green check mark when the values you enter are validated. The values shown in the example can be adjusted according to the settings that you require.

    Screenshot shows the Basics tab.

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or select Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  5. Select IP Addresses to advance to the IP Addresses tab. On the IP Addresses tab, configure the settings. The values shown in the example can be adjusted according to the settings that you require.

    Screenshot shows the IP Addresses tab.

    • IPv4 address space: By default, an address space is automatically created. You can select the address space and adjust it to reflect your own values. You can also add more address spaces by selecting the box below the existing address space and specifying the values for the additional address space.
    • + Add subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings, then select Add at the bottom of the page to add the values.
      • Subnet name: In this example, we named the subnet "FrontEnd".
      • Subnet address range: The address range for this subnet.
  6. Select Security to advance to the Security tab. At this time, leave the default values.

    • BastionHost: Disable
    • DDoS Protection Standard: Disable
    • Firewall: Disable
  7. Select Review + create to validate the virtual network settings.

  8. After the settings have been validated, select Create to create the virtual network.

Create the VNet1 gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. If you're creating this configuration as an exercise, see the Example settings.

The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet isn't contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.

To create a virtual network gateway

  1. In Search resources, services, and docs (G+/) type virtual network gateway. Locate Virtual network gateway in the Marketplace search results and select it to open the Create virtual network gateway page.

    Screenshot of Search field.

  2. On the Basics tab, fill in the values for Project details and Instance details.

    Screenshot of Instance fields.

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.
    • Name: Name your gateway. Naming your gateway not the same as naming a gateway subnet. It's the name of the gateway object you're creating.
    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU you want to use from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. Make sure to select a SKU that supports the features you want to use. For more information about gateway SKUs, see Gateway SKUs.
    • Generation: Select the generation you want to use. For more information, see Gateway SKUs.
    • Virtual network: From the dropdown, select the virtual network to which you want to add this gateway. If you can't see the VNet for which you want to create a gateway, make sure you selected the correct subscription and region in the previous settings.
    • Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This allows enough IP addresses for future changes, such as adding an ExpressRoute gateway. We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Select Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.
  1. Specify in the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Screenshot of public IP address field.

    • Public IP address type: In most cases, you want to use the Basic Public IP address type. If you don't see this field on the portal page, you may have selected a gateway SKU that pre-selects this value for you.
    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Public IP address SKU: This field is controlled by the Public IP Address Type setting.
    • Assignment: VPN gateway supports only Dynamic.
    • Enable active-active mode: Only select Enable active-active mode if you're creating an active-active gateway configuration. Otherwise, leave this setting Disabled.
    • Leave Configure BGP as Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this value can be changed.
  2. Select Review + create to run validation.

  3. Once validation passes, select Create to deploy the VPN gateway.

You can see the deployment status on the Overview page for your gateway. A gateway can take 45 minutes or more to fully create and deploy. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN and Express Route gateways) to stop functioning as expected. For more information about network security groups, see What is a network security group?.

Create and configure VNet4

After you've configured VNet1, create VNet4 and the VNet4 gateway by repeating the previous steps and replacing the values with VNet4 values. You don't need to wait until the virtual network gateway for VNet1 has finished creating before you configure VNet4. If you're using your own values, make sure the address spaces don't overlap with any of the VNets to which you want to connect.

Configure the VNet1 gateway connection

When the virtual network gateways for both VNet1 and VNet4 have completed, you can create your virtual network gateway connections. In this section, you create a connection from VNet1 to VNet4. VNets in the same subscription can be connected using the portal, even if they are in different resource groups. However, if your VNets are in different subscriptions, you must use PowerShell to make the connections.

  1. In the portal, go to your virtual network gateway. For example, VNet1GW.

  2. On the virtual network gateway page, go to Connections. Select +Add.

    Screenshot showing the connections page.

  3. On the Add connection page, fill in the connection values.

    Screenshot showing the Add Connection page.

    • Name: Enter a name for your connection. For example, VNet1toVNet4.

    • Connection type: Select VNet-to-VNet from the drop-down.

    • First virtual network gateway: This field value is automatically filled in because you're creating this connection from the specified virtual network gateway.

    • Second virtual network gateway: This field is the virtual network gateway of the VNet that you want to create a connection to. Select Choose another virtual network gateway to open the Choose virtual network gateway page.

      Screenshot showing Choose a virtual network gateway page with another gateway selected.

      • View the virtual network gateways that are listed on this page. Notice that only virtual network gateways that are in your subscription are listed. If you want to connect to a virtual network gateway that isn't in your subscription, use the PowerShell.

      • Select the virtual network gateway to which you want to connect.

    • Shared key (PSK): In this field, enter a shared key for your connection. You can generate or create this key yourself. In a site-to-site connection, the key you use is the same for your on-premises device and your virtual network gateway connection. The concept is similar here, except that rather than connecting to a VPN device, you're connecting to another virtual network gateway.

  4. Select OK to save your changes.

Configure the VNet4 gateway connection

Next, create a connection from VNet4 to VNet1. In the portal, locate the virtual network gateway associated with VNet4. Follow the steps from the previous section, replacing the values to create a connection from VNet4 to VNet1. Make sure that you use the same shared key.

Verify your connections

  1. Locate the virtual network gateway in the Azure portal.

  2. On the Virtual network gateway page, select Connections to view the Connections page for the virtual network gateway. After the connection is established, you'll see the Status values change to Connected.

    Screenshot showing the Connections page to verify the connections.

  3. Under the Name column, select one of the connections to view more information. When data begins flowing, you'll see values for Data in and Data out.

    Screenshot shows a resource group with values for Data in and Data out.

Add additional connections

If you want to add additional connections, navigate to the virtual network gateway from which you want to create the connection, then select Connections. You can create another VNet-to-VNet connection, or create an IPsec Site-to-Site connection to an on-premises location. Be sure to adjust the Connection type to match the type of connection you want to create. Before you create additional connections, verify that the address space for your virtual network doesn't overlap with any of the address spaces you want to connect to. For steps to create a Site-to-Site connection, see Create a Site-to-Site connection.

VNet-to-VNet FAQ

See the VPN Gateway FAQ for VNet-to-VNet frequently asked questions.

Next steps

  • For information about how you can limit network traffic to resources in a virtual network, see Network Security.

  • For information about how Azure routes traffic between Azure, on-premises, and Internet resources, see Virtual network traffic routing.