Bird
Raised Fist0
Azurecloud~10 mins

VPN Gateway for hybrid connectivity in Azure - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Sometimes your cloud and your office network need to talk securely. A VPN Gateway creates a safe tunnel between them so they can share data without risks.
When you want your office computers to access cloud resources securely.
When you have apps running partly in the cloud and partly on your own servers and they need to connect.
When you want to extend your company network to the cloud without exposing it to the internet.
When you need to connect multiple office locations to the same cloud network.
When you want to protect data moving between your cloud and on-premises systems.
Config File - vpn-gateway-template.json
vpn-gateway-template.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworkGatewayName": {
      "type": "string",
      "defaultValue": "myVpnGateway"
    },
    "publicIpAddressName": {
      "type": "string",
      "defaultValue": "myVpnGatewayPublicIP"
    },
    "location": {
      "type": "string",
      "defaultValue": "eastus"
    },
    "virtualNetworkId": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-05-01",
      "name": "[parameters('publicIpAddressName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Basic"
      },
      "properties": {
        "publicIPAllocationMethod": "Dynamic"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworkGateways",
      "apiVersion": "2021-05-01",
      "name": "[parameters('virtualNetworkGatewayName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddressName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "vnetGatewayConfig",
            "properties": {
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddressName'))]"
              },
              "subnet": {
                "id": "[concat(parameters('virtualNetworkId'), '/subnets/GatewaySubnet')]"
              }
            }
          }
        ],
        "gatewayType": "Vpn",
        "vpnType": "RouteBased",
        "enableBgp": false,
        "activeActive": false,
        "sku": {
          "name": "VpnGw1",
          "tier": "VpnGw1"
        }
      }
    }
  ]
}

This template creates a VPN Gateway in Azure.

  • publicIPAddresses: Creates a public IP for the gateway to be reachable.
  • virtualNetworkGateways: Defines the VPN Gateway with its IP config and links it to the virtual network's GatewaySubnet.
  • parameters: Allow you to set names, location, and the virtual network ID where the gateway will be deployed.
Commands
Create a virtual network with a special subnet named GatewaySubnet, which is required for the VPN Gateway.
Terminal
az network vnet create --resource-group myResourceGroup --name myVnet --address-prefix 10.0.0.0/16 --subnet-name GatewaySubnet --subnet-prefix 10.0.255.0/27 --location eastus
Expected OutputExpected
{ "newVNet": { "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] }, "location": "eastus", "name": "myVnet", "resourceGroup": "myResourceGroup", "subnets": [ { "addressPrefix": "10.0.255.0/27", "name": "GatewaySubnet" } ] } }
--subnet-name - Defines the subnet name; must be 'GatewaySubnet' for VPN Gateway.
--subnet-prefix - Sets the IP range for the GatewaySubnet.
Deploy the VPN Gateway using the ARM template, linking it to the virtual network created earlier.
Terminal
az deployment group create --resource-group myResourceGroup --template-file vpn-gateway-template.json --parameters virtualNetworkId=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet
Expected OutputExpected
{ "properties": { "provisioningState": "Succeeded" }, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/myVpnGateway", "name": "myVpnGateway", "type": "Microsoft.Network/virtualNetworkGateways" }
--template-file - Specifies the ARM template file to deploy.
--parameters - Passes parameters to the template, here the virtual network ID.
Create a VPN connection between the Azure VPN Gateway and your on-premises local gateway using a shared key for security.
Terminal
az network vpn-connection create --resource-group myResourceGroup --name myVpnConnection --vnet-gateway1 myVpnGateway --local-gateway2 myLocalGateway --shared-key MySharedKey123
Expected OutputExpected
{ "connectionStatus": "Connecting", "egressBytesTransferred": 0, "ingressBytesTransferred": 0, "name": "myVpnConnection", "resourceGroup": "myResourceGroup", "type": "Microsoft.Network/connections" }
--vnet-gateway1 - Specifies the Azure VPN Gateway name.
--local-gateway2 - Specifies the on-premises local gateway name.
--shared-key - Sets the shared secret key for the VPN tunnel.
Check the status of the VPN connection to confirm it is established and working.
Terminal
az network vpn-connection show --resource-group myResourceGroup --name myVpnConnection
Expected OutputExpected
{ "connectionStatus": "Connected", "egressBytesTransferred": 12345, "ingressBytesTransferred": 67890, "name": "myVpnConnection", "resourceGroup": "myResourceGroup", "type": "Microsoft.Network/connections" }
Key Concept

If you remember nothing else from this pattern, remember: the VPN Gateway creates a secure tunnel between your cloud network and your on-premises network using a special subnet called GatewaySubnet.

Common Mistakes
Not creating the GatewaySubnet in the virtual network before deploying the VPN Gateway.
The VPN Gateway requires a subnet named GatewaySubnet; without it, deployment fails.
Always create a GatewaySubnet with the correct IP range in your virtual network before deploying the VPN Gateway.
Using a public IP address that is not dynamic or not linked properly to the VPN Gateway.
The VPN Gateway needs a public IP address resource with dynamic allocation to function correctly.
Create a public IP address resource with dynamic allocation and link it to the VPN Gateway's IP configuration.
Not verifying the VPN connection status after creation.
Without checking, you might miss connection issues and think the tunnel is ready when it is not.
Use the command to show the VPN connection status and confirm it is 'Connected'.
Summary
Create a virtual network with a GatewaySubnet to host the VPN Gateway.
Deploy the VPN Gateway using an ARM template that includes a public IP and links to the GatewaySubnet.
Create a VPN connection between the Azure VPN Gateway and your on-premises gateway using a shared key.
Check the VPN connection status to ensure the secure tunnel is active.

Practice

(1/5)
1. What is the primary purpose of an Azure VPN Gateway in hybrid connectivity?
easy
A. To manage Azure Active Directory users
B. To securely connect an Azure virtual network with an on-premises network
C. To provide public internet access to Azure resources
D. To host web applications in Azure

Solution

  1. Step 1: Understand VPN Gateway role

    An Azure VPN Gateway creates a secure tunnel between Azure and on-premises networks.

  2. Step 2: Identify correct purpose

    Among the options, only connecting Azure virtual network with on-premises securely matches the VPN Gateway's role.

  3. Final Answer:

    To securely connect an Azure virtual network with an on-premises network -> Option B

  4. Quick Check:

    VPN Gateway = Secure hybrid connection [OK]
Hint: VPN Gateway links cloud and local networks securely [OK]
Common Mistakes:
  • Confusing VPN Gateway with web hosting services
  • Thinking VPN Gateway manages user identities
  • Assuming VPN Gateway provides public internet access
2. Which subnet name must you use when creating a VPN Gateway in an Azure virtual network?
easy
A. PublicSubnet
B. VPNSubnet
C. Subnet1
D. GatewaySubnet

Solution

  1. Step 1: Recall required subnet for VPN Gateway

    Azure requires a subnet named exactly 'GatewaySubnet' for VPN Gateway deployment.

  2. Step 2: Verify option correctness

    Only 'GatewaySubnet' matches the required name; others are invalid for VPN Gateway.

  3. Final Answer:

    GatewaySubnet -> Option D

  4. Quick Check:

    VPN Gateway subnet = GatewaySubnet [OK]
Hint: Always name VPN Gateway subnet as GatewaySubnet [OK]
Common Mistakes:
  • Using generic subnet names instead of GatewaySubnet
  • Confusing VPNSubnet with GatewaySubnet
  • Not creating a dedicated subnet for VPN Gateway
3. Given this Azure CLI command snippet to create a VPN Gateway: 
az network vnet-gateway create --name MyVpnGateway --public-ip-address MyPublicIP --resource-group MyResourceGroup --vnet MyVNet --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
What VPN type is being used here?
medium
A. RouteBased
B. PointToSite
C. ExpressRoute
D. PolicyBased

Solution

  1. Step 1: Analyze the command parameters

    The parameter '--vpn-type RouteBased' explicitly sets the VPN type to RouteBased.

  2. Step 2: Confirm VPN type meaning

    RouteBased VPN supports flexible connections and is commonly used for hybrid networks.

  3. Final Answer:

    RouteBased -> Option A

  4. Quick Check:

    --vpn-type RouteBased means RouteBased VPN [OK]
Hint: Look for --vpn-type parameter to identify VPN type [OK]
Common Mistakes:
  • Confusing PolicyBased with RouteBased
  • Assuming ExpressRoute is a VPN type
  • Mixing PointToSite with Site-to-Site VPN types
4. You deployed a VPN Gateway but the connection to your on-premises network fails. Which of these is a likely misconfiguration?
medium
A. The virtual network has too many subnets
B. The VPN Gateway SKU is set to Basic for high throughput needs
C. The GatewaySubnet is missing or incorrectly named
D. The public IP address is assigned to a VM instead of the VPN Gateway

Solution

  1. Step 1: Check subnet configuration

    VPN Gateway requires a correctly named GatewaySubnet; missing or wrong name causes failure.

  2. Step 2: Evaluate other options

    Too many subnets is not a direct cause; SKU Basic may limit performance but not cause failure; public IP must be assigned to VPN Gateway, not VM.

  3. Final Answer:

    The GatewaySubnet is missing or incorrectly named -> Option C

  4. Quick Check:

    GatewaySubnet misconfiguration causes VPN failure [OK]
Hint: Verify GatewaySubnet exists and is named correctly [OK]
Common Mistakes:
  • Ignoring GatewaySubnet naming requirements
  • Assigning public IP to wrong resource
  • Assuming SKU affects connection establishment
5. You want to set up a hybrid network with Azure using a VPN Gateway. Your on-premises network uses static routing. Which VPN type should you choose for maximum flexibility and why?
hard
A. RouteBased, because it supports both static and dynamic routing
B. PolicyBased, because it supports static routing only
C. ExpressRoute, because it is faster than VPN
D. PointToSite, because it supports multiple clients

Solution

  1. Step 1: Understand VPN types and routing

    PolicyBased VPN supports only static routing; RouteBased supports static and dynamic routing.

  2. Step 2: Match VPN type to flexibility needs

    RouteBased VPN is more flexible and recommended for hybrid networks with static or dynamic routing.

  3. Step 3: Exclude other options

    ExpressRoute is a different service, not a VPN type; PointToSite is for individual client connections, not site-to-site.

  4. Final Answer:

    RouteBased, because it supports both static and dynamic routing -> Option A

  5. Quick Check:

    RouteBased VPN = flexible routing support [OK]
Hint: Choose RouteBased VPN for static and dynamic routing support [OK]
Common Mistakes:
  • Choosing PolicyBased for flexibility
  • Confusing ExpressRoute with VPN Gateway
  • Using PointToSite for site-to-site connectivity