Today I will be writing about creating a Site to Site (S2S) Virtual Private Network from your Azure virtual network to your on-premises network without the need to use a dedicated VPN hardware device.
Requirements:
-
active Azure subscription
-
Azure Resource Group
-
Azure virtual network
-
on-premises VM to install Windows Server 2019
-
proper firewall settings.
-
some networking knowledge
We will start by logging on to https://portal.azure.com.
You can use an existing resource group if you already have networks and VMs in it or create a new resource group.
I will create a new one :

After creating the resource group I will go and create a Virtual Network. Go to + Create a resource and search for Virtual Network like below:

Then press Create:

Give the virtual network a meaningful name, choose the resource group and region in which to deploy, then click Next: IP Addresses

Create an IP address space that will be different from your on-premises space:
Create a subnet by pressing Add subnet to which you want your resources (VMs) to connect and to which on premise traffic will be routed.
Define the subnet name and address space:

Then press Add:

Click on Next: Security:

Leave settings as default, and click Review+Create. Make sure Validation passed, then click on Create

Wait for the deployment to finish:

Click Go to resource:

Click Subnets

Then click on the + Gateway subnet. You can use the defaults or customize the gateway network (this will be used by the VPN gateway) based on your needs:

Click OK and wait for the subnet to be added:

The next step is to create the Virtual Network Gateway which is our VPN gateway actually. We will deploy a new one from the Marketplace.
Click on + Create a resource and type in the search box virtual network, then select Virtual Network Gateway:
Then press Create:

Select the subscription, the resource group, give it a meaningful name, select the region (make sure it is the same as the virtual network), the Gateway type is VPN and the VPN type is Route Based. Select the SKU based on your bandwidth needs, the Generation and virtual network (the one we just created). Create a new Public IP address as this will be our connection point for the VPN. If you want to create an active-active VPN with BGP you can configured that also ( I will write another article on that). Then click Review + create:

Make sure Validation passed, then click on Create

Be patient (this will take around 20-30 minutes) and Wait for the deployment to finish:

Then click Go to resource

Check that is was created and that it has a public IP assigned:

The next step is to create a Local Network Gateway. To do this go to + Create a resource and search for local network gateway (this will be the definition for the on premise gateway) and click on it:

Click Create

Give the Local Network Gateway a meaningful name, your public IP address for your on-premise device or RRAS server, select the on premise address range that you want to route to Azure:

Click Create and wait for the deployment to finish:

Then click Go to resource

The next step is to create the VPN connection. For this we need to go to Connections and click + Add

Give it a meaningful name, select the Virtual Network Gateway we created earlier and the Local Network Gateway, add a passphrase for the share key and leave the protocol as IKEv2, then click OK

Wait for the connection to get created

This finished the Azure part of the configuration.
Now we will need to configure our on premises RRAS server. For this I have created a VM, installed Windows Server 2019 on it and now we will install the needed roles on it, then configure the connection. For the routing to work correctly we will need to give the VM 2 network adapters – 1 connected to the external or DMZ network and the 2nd connected to our internal network.
Below are the configured NICs:

Now let’s install the RRAS role. Go to Server manager – Manage – Add Roles and Features. Select Role-Based or feature-based installation.

Select the server

Select the Remote Access role

On features click next, then on the Remote Access click next. On Role Services select DirectAccess and VPN (RAS), then click on Add Features

Click Next

On the Web Server Role (IIS) click next, same on role services

Click Install

Wait for the installation to finish.

After the installation has finished click Close, then open the Routing and Remote Access console

Right Click the server name and then click on Configure and Enable Routing and Remote Access

Click Next

Select Secure connection between two private networks

Select Yes

If you have a DHCP server in your environment select Automatically. Else select From a specified range of addresses and define the range. I will select Automatically, then click Next

Click Finish and wait for the configuration to finish.

On the new wizard for the Demand Dial click next

Give the connection a meaningful name and click Next

Select Connect using virtual private networking (VPN)

For the protocol select IKEv2 (same as we select on the Azure side), click Next

Go to the VPN gateway on azure and get the Public IP of the VPN gateway.

Enter the Public IP of the gateway

Make sure Route IP Packets on this interface is selected and click Next

On the Static Router click Add

Add the address space you defined on the Azure Virtual Network and on the Subnet you defined for your VMs, add a low metric, then click OK

It should look like this, click Next

On the credentials page put just Azure, click Next

Click Finish

After the configuration has been finished expand it then go to Network Interfaces

Right click Azure S2S, select Properties

Go to Security, select Use preshared key for authentication and add the key that was configured on the Azure VPN gateway, then click OK

Right click the connection and select connect

And he now have a VPN connection to our Azure VNET

Now we need to add the route to our VNET in the configuration. Go to IPv4, right click Static Routes and select New static route

Add the address space of your Azure subnet, selecting a low metric, click OK

I have quickly deployed a test VM on my subnet and tried to ping it from my RAS gateway machine:

Plus I can now RDP on the internal interface so no need for public RDP:

This is how you deploy a site to site VPN from on premise to Azure for without the need for expensive hardware.
Thank you for reading it all up.
In a future article I will show you how to be able to use a VPN with a dynamic IP address with minimal downtime.