Azure is rapidly gaining market share in the cloud space. Clients are migrating on-prem infrastructure to Azure more than ever. Despite public cloud gaining popularity, there will always be a need to have on-prem infrastructure for various reasons.One example would be to have your compute in the public cloud and your data on your private network, or to connect your employees to your public cloud infrastructure. This blog is about creating a secure connection between your Azure virtual network and your on-prem physical network.

To achieve that, we need a compatible VPN device on our physical network, which in my lab is pfSense running on dedicated appliance connected to the internet. pfSense will connect to Azure virtual network over an IPsec/IKE (IKEv2 in my case) VPN tunnel.

so lets get started ….

Azure Infrastructure

We will begin by creating the required infrastructure in Azure. I created a virtual network vnet1 with address space and one subnet called default with address space in Australia East location. I will also be creating an additional Gateway subnet ( in this network. For this exercise, I will also create a virtual network gateway in the same location as the network of SKU type VpnGw1 and Generation 1. The VPN gateway will associate to the gateway subnet created earlier we will also create a basic  dynamic public ip address for this demo. It can take about 20 minutes for the VPN gateway to provision.

Once the VPN gateway is created, note down the public IP address.

Next, we will be creating a local network gateway. This refers to the on-premises location which is my Lab. Give it a name and an ip address, which will be the same as the pfSense WAN interface ip. Next, in the Address Space enter the address ranges for the network that this local network represents. In my case it is which is the address space of my lab. The Location will be the same as the location of the virtual network and VPN gateway.

Once this is done, go to the VPN gateway and connections menu. Here, we will add a connection to the on-premise VPN. Click on the add connection button and select the connection type as Site-to-Site (IPSec). Virtual network gateway will be preselected so select the local network gateway as the one that we created above. Enter a long and random shared key. This key has to be entered on both the peers (Azure VPN gateway and pfSense). 

Once the connection is created, we move on to pfSense.

Configure pfSense

Now our Azure infrastructure is created, we move on to configuring IPsec tunnel on pfSense. To do this, go to VPN > IPsec menu. IPsec is configured in 2 phases. New IPsec tunnel is defined in phase 1 and the parameters for traffic encryption are defined in phase 2.

Click the “Add P1” button tp configure the tunnel. Here we will update the Key Exchange version to IKEv2. Enter the public IP address of the VPN gateway in the Remote Gateway field and select Authentication Method as Mutual PSK. Enter the preshared key that was used above when creating the connection in Azure gateway.

Save and Apply Changes.

Now configure the Phase 2 by going to the Add P2 button just below the phase 1. Enter the subnet of your Azure virtual network that you wish to make accessible from your on-premise in the Remote Network  field. Save and Apply Changes.

Once this is done, go to Status > IPSec and check the status of the tunnel. It should be connected to Azure VPN gateway.

Thank you for stopping by……

Categories: Azure


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *