articles/azure-vmware/configure-site-to-site-vpn-gateway.md
8 additions & 8 deletions
@@ -3,7 +3,7 @@ title: Configure a site-to-site VPN in vWAN for Azure VMware Solution
3
3
description: Learn how to establish a VPN (IPsec IKEv1 and IKEv2) site-to-site tunnel into Azure VMware Solutions.
4
4
ms.topic: how-to
5
5
ms.service: azure-vmware
6
-
ms.date: 2/27/2024
6
+
ms.date: 2/2/2026
7
7
ms.custom:
8
8
- engagement-fy23
9
9
- sfi-image-nochange
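Review bot: The `description` context line in this hunk says "Azure VMware Solutions", while the title shown in the hunk header uses "Azure VMware Solution". Since the metadata block is already being touched for the `ms.date` bump, align the description with the title's product name in the same change.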
@@ -25,7 +25,7 @@ You must have a public-facing IP address terminating on an on-premises VPN devic
25
25
26
26
## Create a virtual hub
27
27
28
-
A virtual hub is a virtual network that is created and used by Azure Virtual WAN. It's the core of your Virtual WAN network in a region. It can contain gateways for site-to-site and ExpressRoute.
28
+
A virtual hub is a virtual network that is created and used by Azure Virtual WAN. It's the core of your Virtual WAN network in a region. It can contain gateways for site-to-site and ExpressRoute.
29
29
30
30
>[!TIP]
31
31
>You can also [create a gateway in an existing hub](../virtual-wan/virtual-wan-expressroute-portal.md#existinghub).
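Review bot: The removed and added "A virtual hub is a virtual network..." lines read identically here, so this appears to be a whitespace-only change, most likely trailing whitespace. Please confirm that is intended and say so in the commit message, so the no-op is not mistaken for an edit that failed to apply.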
@@ -57,14 +57,14 @@ A virtual hub is a virtual network that is created and used by Azure Virtual WAN
57
57
***Private address space** - The CIDR IP address space located on your on-premises site. Traffic destined for this address space is routed to your local site. The CIDR block is only required if you [BGP](../vpn-gateway/bgp-howto.md) isn't enabled for the site.
58
58
59
59
>[!NOTE]
60
-
>If you edit the address space after creating the site (for example, add an additional address space) it can take 8-10 minutes to update the effective routes while the components are recreated.
60
+
>If you edit the address space (adding an additional address space) after creating the site , it can take 8-10 minutes to update the effective routes while the components are recreated.
61
61
62
62
1. Select **Links** to add information about the physical links at the branch. If you have a Virtual WAN partner CPE device, check with them to see if this information gets exchanged with Azure as a part of the branch information upload set up from their systems.
63
63
64
64
Specifying link and provider names allow you to distinguish between any number of gateways that can eventually be created as part of the hub. [BGP](../vpn-gateway/vpn-gateway-bgp-overview.md) and autonomous system number (ASN) must be unique inside your organization. BGP ensures that both Azure VMware Solution and the on-premises servers advertise their routes across the tunnel. If disabled, the subnets that need to be advertised must be manually maintained. If subnets are missed, HCX fails to form the service mesh.
65
65
66
66
>[!IMPORTANT]
67
-
>By default, Azure assigns a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the Azure VPN gateway. The custom Azure APIPA BGP address is needed when your onpremises VPN devices use an APIPA address (169.254.0.1 to 169.254.255.254) as the BGP IP. Azure VPN Gateway will choose the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP. If the local network gateway uses a regular IP address (not APIPA), Azure VPN Gateway will revert to the private IP address from the GatewaySubnet range.
67
+
>By default, Azure assigns a private IP address from the GatewaySubnet prefix range automatically as the Azure BGP IP address on the Azure VPN gateway. The custom Azure APIPA BGP address is needed when on-premises VPN devices use an APIPA address (169.254.0.1 to 169.254.255.254) as the BGP IP. Azure VPN Gateway chooses the custom APIPA address if the corresponding local network gateway resource (on-premises network) has an APIPA address as the BGP peer IP. If the local network gateway uses a regular IP address (not APIPA), Azure VPN Gateway reverts to the private IP address from the GatewaySubnet range.
68
68
69
69
:::image type="content" source="../../includes/media/virtual-wan-tutorial-site-include/site-links.png" alt-text="Screenshot showing the Create VPN site page with the Links tab open." lightbox="../../includes/media/virtual-wan-tutorial-site-include/site-links.png":::
70
70
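Review bot: The rewritten NOTE line has a stray space before the comma ("after creating the site , it can take") and, by dropping "for example", now reads as if adding an address space is the only edit that triggers the 8-10 minute route update. Suggest "If you edit the address space after creating the site (for example, by adding another address space), it can take 8-10 minutes to update the effective routes". The unchanged context in this hunk also has "only required if you [BGP] ... isn't enabled" with a stray "you", and "Specifying link and provider names allow" where the verb should be "allows"; both could be fixed in the same pass.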
@@ -77,15 +77,15 @@ A virtual hub is a virtual network that is created and used by Azure Virtual WAN
>This is an optional step and applies only to policy-based VPNs.
80
+
>This optional step only applies to policy-based VPNs.
81
81
82
-
[Policy-based VPN setups](../virtual-wan/virtual-wan-custom-ipsec-portal.md) require on-premises and Azure VMware Solution networks to be specified, including the hub ranges. These ranges specify the encryption domain of the policy-based VPN tunnel on-premises endpoint. The Azure VMware Solution side only requires the policy-based traffic selector indicator to be enabled.
82
+
[Policy-based VPN setups](../virtual-wan/virtual-wan-custom-ipsec-portal.md) require on-premises and Azure VMware Solution networks to be specified, including the hub ranges. These ranges specify the encryption domain of the policy-based VPN tunnel on-premises endpoint. The Azure VMware Solution side only requires the policy-based traffic selector indicator to be enabled.
83
83
84
84
1. In the Azure portal, go to your Virtual WAN hub site and, under **Connectivity**, select **VPN (Site to site)**.
85
85
86
86
2. Select the VPN Site for which you want to set up a custom IPsec policy.
87
87
88
-
3. Select your VPN site name, select **More** (...) at the far right, and then select **Edit VPN Connection**.
88
+
3. Select your VPN site name, select **More (...)** at the far right, and then select **Edit VPN Connection**.
89
89
90
90
:::image type="content" source="../virtual-wan/media/virtual-wan-custom-ipsec-portal/contextmenu.png" alt-text="Screenshot showing the context menu for an existing VPN site." lightbox="../virtual-wan/media/virtual-wan-custom-ipsec-portal/contextmenu.png":::
91
91
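Review bot: In the new NOTE text, "This optional step only applies to policy-based VPNs" puts "only" before the verb; "applies only to policy-based VPNs", as the removed line had it, is less ambiguous about what is being restricted. The "[Policy-based VPN setups]" paragraph also shows as removed and re-added with no visible difference, so confirm that it is a whitespace cleanup and nothing else.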
@@ -116,7 +116,7 @@ A virtual hub is a virtual network that is created and used by Azure Virtual WAN
116
116
>[!TIP]
117
117
>If you don't have a previously defined key, you can leave this field blank. A key is generated for you automatically.
118
118
119
-
:::image type="content" source="../../includes/media/virtual-wan-tutorial-connect-vpn-site-include/connect.png" alt-text="Screenshot that shows the Connected Sites pane for Virtual HUB ready for a Pre-shared key and associated settings. ":::
119
+
:::image type="content" source="../../includes/media/virtual-wan-tutorial-connect-vpn-site-include/connect.png" alt-text="Screenshot that shows the Connected Sites pane for Virtual HUB ready for a Preshared key and associated settings. ":::
120
120
121
121
1. If you're deploying a firewall in the hub and it's the next hop, set the **Propagate Default Route** option to **Enable**.
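Review bot: The alt text on the changed image line still ends with a trailing space inside the quotes ("associated settings. ") and keeps "Virtual HUB" in capitals; both can be cleaned up together with the "Pre-shared" to "Preshared" spelling change. If the spelling is being normalized, check that the portal field label and any other mentions in the article use the same form.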