VNET to VNET VPN Connection


Prerequisites:
This blog is intended for readers who are familiar with Azure and its services.
I started my project by implementing a VPN between VNETs so that resources within the subnets of the respective VNETs can communicate seamlessly.
AIM
My first objective is getting hold of the concepts relating to VPN, which can be vnet-to-vnet (V2V), site-to-site (S2S) & point-to-site (P2S).
I relied on Virtual Network Gateway only to achieve the above task.
MY LAB
I configured two VNETs with subnets as per the configurations below:

VNET1: mrt-vnet (10.0.0.0/16)

| Subnet | Name | Address Space |
| --- | --- | --- |
| Frontend Subnet | mrt-front-subnet | 10.0.0.0/24 |
| Back Subnet | mrt-back-subnet | 10.0.2.0/24 |
| Gateway Subnet | GatewaySubnet | 10.0.255.0/27 |

VNET2: sz-vnet (192.168.0.0/16)

| Subnet | Name | Address Space |
| --- | --- | --- |
| Frontend Subnet | web-subnet | 192.168.1.0/24 |
| Back Subnet | db-subnet | 192.168.2.0/24 |
| Gateway Subnet | GatewaySubnet | 192.168.0.224/27 |
NOTE: A Gateway Subnet is essential in each VNET in order to configure the Virtual Network Gateway.
The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. Never deploy anything else (for example, more VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to which it should deploy the virtual network gateway VMs and services. While it's possible to create a gateway subnet as small as /29 (applicable to the Basic SKU only), all other SKUs require a gateway subnet of size /27 or larger (/27, /26, /25 etc.). You might want to create a gateway subnet larger than /27 so that the subnet has enough IP addresses to accommodate possible future configurations.
Once the VNETs were configured, I built VMs within the subnets, assigning them dynamic private IP addresses as per my diagram plan.
NOTE: As a shortcut, I built only one VM in each subnet.
NOTE: By default, an NSG is attached to every subnet, with the usual management ports (22, 3389) open.
Finally, Virtual Network Gateways are setup.
To establish a successful V2V VPN, it's essential that each VNET has a Virtual Network Gateway configured.
Configuration
| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant | Supported Number of VMs in the Virtual Network |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No | 200 |
| Generation1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | No | 450 |
| Generation1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | No | 1300 |
| Generation1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No | 4000 |
| Generation1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes | 1000 |
| Generation1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes | 2000 |
| Generation1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes | 5000 |
NOTE: For my LAB purpose, I relied on VpnGw1 to perform my activity.
NOTE: VpnGw1AZ, VpnGw2AZ & VpnGw3AZ SKUs are featured with Availability Zones.
AZ brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.
Once the Virtual Network Gateways are configured, it's essential to create a Connection.
Configuration
Under Instance details, configure the following settings:
* Connection type: Select VNet-to-VNet (IPsec).
* Name: Name your connection.
* Region: Select the region for this connection.
* Establish bidirectional connectivity: set to Enabled. Azure will automatically create the reverse connection, so both virtual networks will be able to communicate with each other without additional manual configuration. In this case, it is between the VPN gateways "mrt-gateway" and "sz-gateway".
NOTE: Make sure the region set for the Connection is the same as that of the Virtual Network Gateway; if it differs, the portal throws an error.
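A pre-flight check for the lab plan above, written in Python as an added example (it is not part of the original post and not Azure tooling). It encodes the rules this post relies on: the gateway subnet must be named GatewaySubnet and be /27 or larger (/29 is allowed only for the Basic SKU), every subnet must sit inside its VNET's address space, the two VNETs' address spaces must not overlap, and the Connection must be created in the same region as the gateway. The region names are assumed; the post does not name one.

```python
import ipaddress

# Constructed lab definitions, copied from the tables above. Regions are assumed
# placeholders (the post names none); the Connection must match the gateway's region.
MRT_VNET = {
    "name": "mrt-vnet", "address_space": "10.0.0.0/16", "region": "eastus",
    "subnets": [("mrt-front-subnet", "10.0.0.0/24"),
                ("mrt-back-subnet", "10.0.2.0/24"),
                ("GatewaySubnet", "10.0.255.0/27")],
}
SZ_VNET = {
    "name": "sz-vnet", "address_space": "192.168.0.0/16", "region": "eastus",
    "subnets": [("web-subnet", "192.168.1.0/24"),
                ("db-subnet", "192.168.2.0/24"),
                ("GatewaySubnet", "192.168.0.224/27")],
}

def max_gateway_prefixlen(sku):
    """Basic SKU accepts a /29 gateway subnet; every other SKU needs /27 or larger."""
    return 29 if sku == "Basic" else 27

def check_vnet(vnet, sku="VpnGw1"):
    """Return the problems that would stop a VPN gateway being deployed into this VNET."""
    problems = []
    space = ipaddress.ip_network(vnet["address_space"])
    nets = [(name, ipaddress.ip_network(prefix)) for name, prefix in vnet["subnets"]]
    if not any(name == "GatewaySubnet" for name, _ in nets):
        problems.append(f"{vnet['name']}: no subnet named GatewaySubnet")
    for i, (name, net) in enumerate(nets):
        if not net.subnet_of(space):
            problems.append(f"{vnet['name']}/{name}: {net} is outside {space}")
        if name == "GatewaySubnet" and net.prefixlen > max_gateway_prefixlen(sku):
            problems.append(f"{vnet['name']}/GatewaySubnet: /{net.prefixlen} too small for {sku}")
        for other_name, other in nets[i + 1:]:  # subnets inside one VNET must not collide
            if net.overlaps(other):
                problems.append(f"{vnet['name']}: {name} overlaps {other_name}")
    return problems

def check_v2v(vnet1, vnet2, connection_region, sku="VpnGw1"):
    """Pre-flight for a VNet-to-VNet Connection created on vnet1's gateway."""
    problems = check_vnet(vnet1, sku) + check_vnet(vnet2, sku)
    a = ipaddress.ip_network(vnet1["address_space"])
    b = ipaddress.ip_network(vnet2["address_space"])
    if a.overlaps(b):  # routing between the two VNETs needs disjoint address spaces
        problems.append(f"address spaces {a} and {b} overlap")
    if connection_region != vnet1["region"]:
        problems.append(f"connection region {connection_region} != gateway region {vnet1['region']}")
    return problems
```

Calling `check_v2v(MRT_VNET, SZ_VNET, "eastus")` on the lab plan returns an empty list; shrinking a GatewaySubnet to /28 under VpnGw1 or picking a different Connection region reports the error before the portal does.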
NOTE:
Written by Pratul
A passionate L1 Server Engineer with a growing focus on DevOps practices. With experience in server administration, troubleshooting and infrastructure management, I am skilled at optimizing workflows through automation and CI/CD pipelines. Currently working with cloud platforms like AWS & Azure, virtualization technologies, and configuration management tools. Committed to enhancing efficiency and productivity. Through this blog, I will be sharing hands-on insights, tutorials, and practical tips aimed at helping fellow professionals in server engineering and DevOps.