Create a S2S VPN connection using RRAS 2016 between Azure and an on-premise network

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet.

Also it exists two others possibilities to connect a cloud environnement with an on-prem one which are P2S (Point-to-site) and ExpressRoute.

P2S establish a connection between Azure and an individual computer using the SSTP protocol with certificate. This is a practical solution when you only need few people to connect to your environnement in Azure.

ExpressRoute is the top notch connection and is a private connection that does not go over internet. It offers offers more reliability, faster bandwidth speeds, lower latencies and higher security.


Lets starts with the configuration in Azure.

Create a VNET in Azure

Go to the portal, search Virtual Networks in the service and click Add

Select a name for your virtual network.

Address space : – The complete range of IP that define your virtual network.

Subnet : FrontEnd – A logical partition that define your virtual network.

Address range for the subnet : – The range of IP that define your subnet.

Keep the other options as is.


Create the VPN Gateway

Go the portal and select Virtual Network Gateways in the services and click Add

Create a name

Gateway type / VPN Type : Keep the default options

SKU : Select Basic

Virtual network : Select your Vnet previously created

Public IP address : Create new and assign a name



The VPN gateway must be in the same region as the VNET and only one VPN gateway is possible per VNET.

Create the local network gateway

In the portal, search local network gateways service, click Add and set a name

Create a new one and set a name

IP Address : This is the public IP of the on-premise. This IP cannot be behind a NAT.

Address space : Those are the ranges of IP that is defined in the on-premise and that need to be accessible

Keep the other options as is.

Complete the VPN gateway configuration

Return to the Virtual network gateways service

Select the VPN Gateway, click Connections, click Add and set a name

Connection type : Site-to-Site IPSEC

Local Network Gateway :  Select the one previously created

Shared key : Define a key

Keep the other options as is.



Configure the RRAS 2016 server (on-premise)

Im using a Vmware workstation for the test purpose with one NIC.

This NIC is in NAT with my host computer so i dont have to configure anything network wise and my network is in the range with automatic DHCP.

Install the necessary tool on the server

In Server Manager, click Add Roles and Features 

Image result for remote access role vpn 2016

Once installed, start the wizard and select VPN Only


Click on the Network Interfaces and New Demand-dial interface

Set a name for the interface

Select connect using a Virtual private Networking (VPN)

Select IKE V2

Set the host name IP : This is the Public IP of the VPN gateway in Azure

Keep Route IP Packets on the interface options

Static Route : This represent the range of IP previously created in Azure


Once completed, select the demand-dial interface and click Properties

Set the pre-shared key that you previously set in the Azure VPN Gateway.


All you have to do is to connect 🙂

5You can return to Azure and see that you have connectivity.


Test from Azure to on-premise and from on-premise to Azure

I use a simple telnet on port 3389 on both machines to test if the network is correctly interconnected. Beforehand, be sure 3389 is correctly opened on both machines.

From the VM in Azure that is under the same Vnet as the VPN Gateway

telnet 3389

From a local machine on-premise the VM Azure.

telnet 3389

To see the route table  : route print -4

Troubleshoot to connect the VPN Gateway

If it doesnt work, there is few options to validate if the configuration is properly working. First is to determine if the vpn gateway in Azure is “really” reachable.

I encountered few issues to make mine works and here are what i used.


The tunnel use the port 4500 and 500 by UDP. You cannot use a simple telnet to validate if the port is reachable due to the fact that UDP is unreliable and the sender wont have any validation if the transmission of packets has been successful.

In NMAP, run :  nmap -T4 -A -v IP OF THE VPN GATEWAY

Test it outside and from the RRAS server in case you would have messed up with a static route that you could have previously set on the RRAS server.

If you have an unreachable VPN as i encountered, you can reset it from Azure and retry the nmap again.


There is also a health probe to validate if the VPN is healthy. Replace the IP address with your public IP.


Primary Instance: GatewayTenantWorker_IN_0 GatewayTenantVersion: X.X.X.X OSVersion: Windows Server 2012 R2 Datacenter




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s