Creating a secure connection between Azure virtual networks using a VNet-to-VNet VPN gateway
Task Details
If you have resources deployed in different resource groups across multiple regions and need a secure connectivity solution that doesn't rely on internet-facing endpoints, you can deploy VPN gateways in the rg_eastus and rg_westus resource groups and configure gateway connections between VNet1 and VNet2. By creating virtual networks in both resource groups and establishing VPN gateways, you can ensure secure connectivity between the two networks.
Create VNet1 in rg_eastus with a non-overlapping address space and a default subnet.
Create VNet2 in rg_westus with a non-overlapping address space and a default subnet.
Add a GatewaySubnet to both VNet1 and VNet2.
Create a Virtual Network Gateway in rg_eastus for VNet1 (use VPN type: route-based).
Create a Virtual Network Gateway in rg_westus for VNet2 (use VPN type: route-based).
Wait for both VPN gateways to complete deployment (may take 20–45 minutes).
Create a connection from the VNet1 gateway to the VNet2 gateway using a shared key.
Create a connection from the VNet2 gateway to the VNet1 gateway using the same shared key.
Verify that the connection status for both is "Connected".
Test cross-VNet communication by pinging or accessing resources across VNets.
Architecture Diagram

Steps
1. Create a virtual network named VNet1 in the East US region, using your selected subscription and resource group. Within the virtual network, create a subnet whose purpose is Virtual network gateway.
In the Azure portal, navigate to "Virtual networks" > "+ Create". Configure Project details (Subscription, rg_eastus Resource group) and Instance details (Name: vnet1, Region: East US). Define IP addresses and subnets, then create.
2. In the IP addresses tab, change the address space to 10.1.0.0.
Click the default subnet to modify it, then set Subnet purpose to Virtual network gateway; this automatically renames the subnet to GatewaySubnet.
Review the settings and click Review + create.
3. Create a VPN gateway in the East US region using the virtual network that contains the subnet named Virtual network gateway. Ensure that the gateway subnet is properly configured before deployment.
From the Azure portal, search for "VPN Gateway", select Hybrid connectivity, then click "Set up VPN Gateway" under the VPN Gateway section.
4. Create a Virtual Network Gateway in the East US region, using the rg_eastus resource group. Fill in the required parameters as follows, then click the "Review + create" button to proceed.
Project details:
- Confirm your Subscription.
- Note the Resource group (e.g., rg_eastus).
Instance details:
- Enter a Name for the gateway (e.g., VPNgateway_east).
- Select the Region (e.g., East US).
- Choose Gateway type as VPN.
- Select the SKU (e.g., VpnGw2).
- Choose Generation (e.g., Generation2).
- Ensure Enable Advanced Connectivity is Disabled.
- Select your Virtual network (e.g., vnet1).
- Confirm the Subnet (e.g., GatewaySubnet (10.1.0.0/24)).
Public IP address:
- Choose Create new.
- Enter the Public IP address name (e.g., gw_east_ip).
- Keep Public IP address SKU as Standard.
- Ensure Assignment is Dynamic.
- Ensure Enable active-active mode is Disabled.
SECOND PUBLIC IP ADDRESS:
- Choose Create new.
- Enter the Public IP address name (e.g., gw_east_ip2).
- Keep Public IP address SKU as Standard.
Note: Public IP address needs to be configured on a Virtual Network Gateway if you intend to enable Active-Active mode.
5. You should have the following resources in rg_eastus resource group installed:
6. Create a virtual network in the West US region with a subnet named Virtual network gateway.
Note: The steps are identical to those used when creating the virtual network in the East US region (steps 1 and 2).
7. In the IP addresses tab, change the address space to 10.22.0.0.
Click the default subnet to modify it, then set Subnet purpose to Virtual network gateway; this automatically renames the subnet to GatewaySubnet.
Review the settings and click Review + create.
8. Create a Virtual Network Gateway in the West US region, using the rg_westus resource group.
From the Azure portal, search for "VPN Gateway", select Hybrid connectivity, then click "Set up VPN Gateway" under the VPN Gateway section (follow step 3).
On the "Create virtual network gateway" page:
Project details:
- Confirm your Subscription.
- Note the Resource group (e.g., rg_westus).
Instance details:
- Enter a Name for the gateway (e.g., VPNgateway_west).
- Select the Region (e.g., West US).
- Choose Gateway type as VPN.
- Select the SKU (e.g., VpnGw2).
- Choose Generation (e.g., Generation2).
- Ensure Enable Advanced Connectivity is Enabled.
- Select your Virtual network (e.g., Vnet2).
- Confirm the Subnet (e.g., GatewaySubnet (10.22.0.0/24)).
Public IP address:
- Choose Create new.
- Enter the Public IP address name (e.g., gw_west_ip).
- Keep Public IP address SKU as Standard.
- Ensure Assignment is Static.
- Set Enable active-active mode to Enabled.
SECOND PUBLIC IP ADDRESS:
- Choose Create new.
- Enter the Public IP address name (e.g., gw_west_ip2).
- Keep Public IP address SKU as Standard.
Note: Public IP address needs to be configured on a Virtual Network Gateway if you intend to enable Active-Active mode.
After filling in the parameters above, click the "Review + create" button to continue.
9. You should have the following resources in rg_westus resource group installed:
10. Set up gateway connections on each virtual network to complete the VPN configuration.
From your Virtual Network Gateway "VPNgateway_east", select Connections under "Settings" in the left menu.
On the Connections page, click + Add.
11. Configure the connection on the East VPN gateway "VPNgateway_east" using the following settings:
On the "Create connection" page:
- Select your Resource group (e.g., rg_eastus).
- Set Connection type to VNet-to-VNet.
- Enter a Name (e.g., east-to-west-vpn).
Then click the "Next: Settings" button.
12. On the "Settings" tab of the "Create connection" page:
- Select VPNgateway_east as the First virtual network gateway.
- Select VPNgateway_west as the Second virtual network gateway.
- Choose Shared Key(PSK) as the Authentication Method.
- Enter your shared key in the Shared Key(PSK) field (e.g., VPNkey).
Click the "Review + Create" button.
Note: The Shared Key (pre-shared key or PSK) functions like a password used by the VNets to authenticate and establish a secure connection. You can specify your own custom PSK during configuration.
13. Configure the connection on the West VPN gateway "VPNgateway_west" using the following settings:
On the "Create connection" page:
- Select your Resource group (e.g., rg_westus).
- Set Connection type to VNet-to-VNet.
- Enter a Name (e.g., west-to-east-vpn).
Then click the "Next: Settings" button.
14. On the "Settings" tab of the "Create connection" page:
- Select VPNgateway_west as the First virtual network gateway.
- Select VPNgateway_east as the Second virtual network gateway.
- Choose Shared Key (PSK) as the Authentication Method.
- Enter your shared key in the Shared Key (PSK) field (e.g., VPNkey).
Click the "Review + Create" button.
Note: The Shared Key (pre-shared key or PSK) functions like a password used by the VNets to authenticate and establish a secure connection. You can specify your own custom PSK during configuration.
15. On both the East and West VPN gateways, after approximately 10-15 minutes, you may need to refresh the page to see the connection status as 'Connected'. This confirms that the VNet-to-VNet VPN tunnel has been successfully established in both directions, enabling secure communication between the virtual networks.
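Steps 3 to 15 above as an Azure CLI script, added here as an example and not part of the original guide. It assumes /16 address spaces (the guide states only 10.1.0.0 and 10.22.0.0), that the VNets and their GatewaySubnets from steps 1, 2, 6 and 7 already exist, builds both gateways without active-active mode, and generates a random PSK instead of the placeholder VPNkey; the cidr_overlap preflight runs locally without any Azure access.

```shell
#!/usr/bin/env bash
# Added example (not the guide author's script): deploy the East/West VPN gateways
# and both connection legs with the Azure CLI after a local address-space preflight.
# Assumed: /16 address spaces, VNets and GatewaySubnets already created, no active-active.
set -eu

ip2int() {  # dotted quad -> integer
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# cidr_overlap A/n B/m: succeeds if the two ranges share at least one address
cidr_overlap() {
  a_len=${1#*/}; b_len=${2#*/}
  a_lo=$(( $(ip2int "${1%/*}") & ((0xFFFFFFFF << (32 - a_len)) & 0xFFFFFFFF) ))
  b_lo=$(( $(ip2int "${2%/*}") & ((0xFFFFFFFF << (32 - b_len)) & 0xFFFFFFFF) ))
  a_hi=$(( a_lo + (1 << (32 - a_len)) - 1 ))
  b_hi=$(( b_lo + (1 << (32 - b_len)) - 1 ))
  [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}
# A random 256-bit PSK replaces the guide's placeholder "VPNkey"
new_psk() { openssl rand -base64 32; }

deploy() {
  if cidr_overlap 10.1.0.0/16 10.22.0.0/16; then echo "address spaces overlap"; exit 1; fi
  psk=$(new_psk)
  for side in "eastus rg_eastus vnet1 VPNgateway_east gw_east_ip" \
              "westus rg_westus vnet2 VPNgateway_west gw_west_ip"; do
    set -- $side   # region rg vnet gateway public-ip
    az network public-ip create -g "$2" -n "$5" -l "$1" --sku Standard --allocation-method Static -o none
    az network vnet-gateway create -g "$2" -n "$4" -l "$1" --vnet "$3" --public-ip-address "$5" \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 --generation Generation2 -o none
  done
  # Gateways live in different resource groups, so reference them by resource ID
  east=$(az network vnet-gateway show -g rg_eastus -n VPNgateway_east --query id -o tsv)
  west=$(az network vnet-gateway show -g rg_westus -n VPNgateway_west --query id -o tsv)
  az network vpn-connection create -g rg_eastus -n east-to-west-vpn \
    --vnet-gateway1 "$east" --vnet-gateway2 "$west" --shared-key "$psk" -o none
  az network vpn-connection create -g rg_westus -n west-to-east-vpn \
    --vnet-gateway1 "$west" --vnet-gateway2 "$east" --shared-key "$psk" -o none
  for c in "rg_eastus east-to-west-vpn" "rg_westus west-to-east-vpn"; do
    set -- $c   # both legs should report Connected once the tunnel is up (step 15)
    az network vpn-connection show -g "$1" -n "$2" --query connectionStatus -o tsv
  done
}

if [ "${1:-}" = deploy ]; then deploy; fi
```

Run it as `./vnet2vnet.sh deploy` after `az login`; the gateway creation calls block until each gateway has finished deploying, which matches the 20 to 45 minute wait in the task list.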


Note:
The deployment steps for VNet-to-VNet and Site-to-Site VPN connections in Azure are almost identical. In both cases, you:
- Create a Virtual Network Gateway on each side.
- Define a Local Network Gateway to represent the remote network.
- Configure a shared key (PSK) for authentication.
- Establish a VPN connection.
The key difference lies in the connection type:
- VNet-to-VNet → use VNet2VNet (both sides are Azure VNets).
- Site-to-Site → use IPsec (one side is Azure, the other is an on-premises VPN device).
In short: same process, different connection type.
Alternative Connectivity Option:
While this guide focused on configuring a secure VNet-to-VNet VPN connection, Azure also offers VNet peering as an alternative method for connecting virtual networks. VNet peering provides faster, lower-latency connectivity over the Azure backbone without the encryption overhead of a VPN. It can be more cost-effective when both VNets are in the same region and encryption is not required. However, peering and VPN should not be configured simultaneously between the same VNets. If your scenario prioritizes performance over encryption, consider replacing the VPN connection with VNet peering rather than combining the two.
Send us a message if you’d like us to create a dedicated step-by-step guide for VNet peering.
Conclusion
Once a VNet-to-VNet connection is successfully established, you can securely connect resources across different Azure regions or resource groups without relying on public internet endpoints. This setup allows virtual machines, databases, and services in separate VNets to communicate privately using their internal IP addresses. It enables scenarios such as cross-region application architectures, centralized management of services like DNS or Active Directory, and secure backup or disaster recovery strategies. From a security perspective, the traffic between VNets is encrypted through IPsec tunnels, ensuring data confidentiality and integrity in transit. Additionally, by applying network security groups (NSGs) and route tables, you can maintain fine-grained control over the traffic flow between regions, aligning with zero-trust and least-privilege network design principles. This approach not only enhances security but also supports scalable, resilient cloud infrastructures.
Written by Kirill.A - Azure & Cybersecurity Consultant at AntusNet