When it comes to Microsoft Azure certification exams, the new model emphasizes job roles. For example, passing the AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam earns you the Microsoft Certified: Azure Network Engineer Associate certification, so the cert validates skills in implementing and configuring network-focused Azure services.
In this post, I’ll show you how to set up a site-to-site (S2S) VPN gateway, which is then used to connect Azure networks and on-prem networks to create a hybrid environment. This is something I cover in more detail in my AZ-700 Microsoft Azure Network Engineer Associate course (along with my co-author Matt Ulassien) here at A Cloud Guru and Pluralsight. Please join us in learning to get even more knowledge about Azure networking technologies!
How hard is the AZ-700 exam?
Before we get started, I want to give you a rundown of what’s covered in the AZ-700 exam.
The domains featured in the AZ-700 exam are as follows (most recently updated by Microsoft on November 23, 2021):
- Design, implement, and manage hybrid networking (10 – 15%)
  - Example: Create VPNs to connect our on-prem and Azure environments
- Design and implement core networking infrastructure (20 – 25%)
  - Example: Create virtual networks for our resources in Azure
- Design and implement routing (25 – 30%)
  - Example: Direct all traffic through a firewall
- Secure and monitor networks (15 – 20%)
  - Example: Use Azure Firewall to secure networks and Network Watcher to troubleshoot our networks
- Design and implement private access to Azure Services (10 – 15%)
  - Example: Use private endpoints to give non-Azure services an endpoint in our Azure Virtual Networks
So is the AZ-700 exam hard? Well, nothing is easy, but all of these domains are covered in our cert prep course. So we’ve got your back.
Creating a site-to-site (S2S) VPN gateway in Azure
Now that we’ve seen which domains are covered in the official AZ-700 exam, let’s walk through the steps of setting up an S2S VPN between our Azure Virtual Network (VNet) and our on-prem network for a hybrid environment.
1. Getting our ducks in a row
First, we need to complete the following prerequisites:
- Have an Azure subscription (I recommend using our Azure Cloud Sandbox to emulate this component).
- Have a compatible VPN device (Hint: You can use two VNets, one to act as the Azure network and the other to emulate your on-prem network—I cover this in a demonstration in the course.)
- Have a public IP for your VPN device (preferably static assignment)
- Know your private IP space that you want to connect into Azure and ensure there is no IP overlapping between on-prem and Azure.
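The last prerequisite (no overlap between the on-prem range and the Azure VNet range) and the gateway subnet recommendation in step 2 can both be checked before touching the portal. The script below is an added example, not part of the original post; it uses only POSIX sh arithmetic, needs no Azure access, and the prefixes it checks (the post's 10.0.0.0/16 and 10.0.255.0/27, plus a constructed on-prem range 192.168.1.0/24) are sample values.

```shell
#!/bin/sh
# Added example (not from the post): offline checks that the on-prem private range
# does not overlap the Azure VNet range, and that the planned gateway subnet sits
# inside the VNet and is /27 or larger. Sample prefixes below are constructed.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/n" -> "first_address last_address" as integers.
cidr_bounds() {
  cb_ip=${1%/*}; cb_bits=${1#*/}
  cb_n=$(ip_to_int "$cb_ip")
  cb_mask=$(( (4294967295 << (32 - cb_bits)) & 4294967295 ))
  cb_start=$(( cb_n & cb_mask ))
  cb_end=$(( cb_start | (~cb_mask & 4294967295) ))
  echo "$cb_start $cb_end"
}

# Succeeds (exit 0) when the two prefixes share at least one address.
cidr_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Succeeds when prefix $1 lies entirely inside prefix $2.
cidr_within() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# Gateway subnet must be inside the VNet and /27 or larger (the post recommends /27).
gateway_subnet_ok() {
  gs_bits=${1#*/}
  [ "$gs_bits" -le 27 ] && cidr_within "$1" "$2"
}

# Run both checks for one plan: VNet range, gateway subnet, on-prem range.
check_address_plan() {
  plan_vnet=$1; plan_gw=$2; plan_onprem=$3; plan_rc=0
  if cidr_overlap "$plan_vnet" "$plan_onprem"; then
    echo "FAIL: on-prem $plan_onprem overlaps Azure VNet $plan_vnet (routing over the S2S will break)"
    plan_rc=1
  else
    echo "OK: on-prem $plan_onprem does not overlap Azure VNet $plan_vnet"
  fi
  if gateway_subnet_ok "$plan_gw" "$plan_vnet"; then
    echo "OK: gateway subnet $plan_gw is inside $plan_vnet and is /27 or larger"
  else
    echo "FAIL: gateway subnet $plan_gw must be inside $plan_vnet and be /27 or larger"
    plan_rc=1
  fi
  return $plan_rc
}

# Constructed sample plan: the post's example VNet and gateway subnet, placeholder on-prem range.
check_address_plan "10.0.0.0/16" "10.0.255.0/27" "192.168.1.0/24"
```

Swap the three arguments of the final call for your own ranges; a non-zero exit means at least one check failed, so the script can gate a pipeline step.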
2. Creating our S2S VPN setup
Next, we can begin creating our S2S VPN setup by following these steps:
- Sign into the Azure portal. (This is always step 1!)
- Get the region and private IP space of our Azure VNet. (Create the VNet if it does not already exist, using the defaults.)
  - Example region: East US
  - Example IP space: 10.0.0.0/16
- Create a VNet gateway using the following, along with the default config options:
  - Example region: East US (This must match the VNet region.)
  - Gateway type: VPN
  - VPN type: Route-based
  - SKU: VpnGw2
  - Generation: Generation 2
  - Virtual network: InsertYourVNetName
  - Gateway subnet address range: 10.0.255.0/27 (/27 is the recommended CIDR for the gateway subnet. The VNet gateway uses this subnet to terminate our S2S connection on the Azure side.)
  - Public IP address: Create new
  - Public IP address name: InsertYourPublicIPName
- Create a local network gateway. (This represents the on-prem VPN device.)
  - IP address: YourOnPremVPNPublicIP
  - Address space: YourOnPremisePrivateIPRange
  - Region: East US (This must match the VNet gateway region.)
- Create a VPN connection from the VNet gateway resource.
  - Connection type: Site-to-site
  - Select the local network gateway and the virtual network gateway
  - Specify a pre-shared key
  - IKE protocol: Select IKEv2
- Configure the on-prem VPN device. This step depends on your VPN device. (I recommend checking whether an existing configuration script from Microsoft suits your needs.)
3. Checking our connection
Now that we’ve created our S2S VPN from Azure to on-prem, we can confirm it from the Azure portal: navigate to our VNet gateway, open its Connections blade, and check that the status of our connection is “Connected”.
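For readers who would rather script the portal steps in section 2 and the status check in section 3, here is the same build-out with the Azure CLI. This is an added example and not the post's or the course's code: every resource name, the on-prem public IP (203.0.113.10, from a documentation range) and the on-prem prefix are placeholders, the pre-shared key is read from the VPN_SHARED_KEY environment variable rather than written into the script, and nothing is created unless AZURE_S2S_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the post): S2S VPN build-out with the Azure CLI, then the
# connection status check. Names, IPs and prefixes below are placeholders.
set -eu

RG="${RG:-rg-s2s-demo}"                                 # placeholder resource group
LOCATION="${LOCATION:-eastus}"                          # East US, as in the post
VNET="${VNET:-vnet-hub}"                                # stands in for InsertYourVNetName
VNET_PREFIX="${VNET_PREFIX:-10.0.0.0/16}"
GW_SUBNET_PREFIX="${GW_SUBNET_PREFIX:-10.0.255.0/27}"   # /27 as recommended
PIP="${PIP:-pip-vpngw}"                                 # stands in for InsertYourPublicIPName
GW="${GW:-vpngw-hub}"
LGW="${LGW:-lgw-onprem}"
ONPREM_PUBLIC_IP="${ONPREM_PUBLIC_IP:-203.0.113.10}"    # placeholder: YourOnPremVPNPublicIP
ONPREM_PREFIX="${ONPREM_PREFIX:-192.168.1.0/24}"        # placeholder: YourOnPremisePrivateIPRange
CONN="${CONN:-conn-s2s-onprem}"

# VNet, the GatewaySubnet (that name is fixed by Azure), a static public IP and the
# route-based VpnGw2 Generation2 gateway. Gateway creation is slow, so it is started
# with --no-wait and awaited just before the connection is created.
create_azure_side() {
  az group create -n "$RG" -l "$LOCATION" -o none
  az network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" --address-prefixes "$VNET_PREFIX" -o none
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes "$GW_SUBNET_PREFIX" -o none
  az network public-ip create -g "$RG" -n "$PIP" -l "$LOCATION" --sku Standard --allocation-method Static -o none
  az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" --vnet "$VNET" --public-ip-addresses "$PIP" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 --vpn-gateway-generation Generation2 --no-wait
}

# Local network gateway: the on-prem device's public IP and its private range.
create_local_gateway() {
  az network local-gateway create -g "$RG" -n "$LGW" -l "$LOCATION" \
    --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_PREFIX" -o none
}

# Site-to-site connection over IKEv2 with the pre-shared key from the environment.
create_connection() {
  az network vnet-gateway wait -g "$RG" -n "$GW" --created
  az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
    --vnet-gateway1 "$GW" --local-gateway2 "$LGW" \
    --shared-key "$VPN_SHARED_KEY" --connection-protocol IKEv2 -o none
}

# The same status the portal shows under the gateway's Connections blade.
connection_status() {
  az network vpn-connection show -g "$RG" -n "$CONN" --query connectionStatus -o tsv
}

# Pure helper (testable without Azure): only "Connected" counts as up; "Connecting",
# "NotConnected" and "Unknown" all mean the on-prem side still needs attention.
connection_is_up() {
  [ "$1" = "Connected" ]
}

main() {
  : "${VPN_SHARED_KEY:?set VPN_SHARED_KEY to the pre-shared key configured on the on-prem device}"
  create_azure_side
  create_local_gateway
  create_connection
  status=$(connection_status)
  if connection_is_up "$status"; then
    echo "S2S connection $CONN is Connected"
  else
    echo "S2S connection $CONN is '$status'; finish configuring the on-prem device and re-check" >&2
    return 1
  fi
}

# Dry by default: only create resources when explicitly asked to.
if [ "${AZURE_S2S_APPLY:-0}" = 1 ]; then main; else echo "Set AZURE_S2S_APPLY=1 to create the resources" >&2; fi
```

Run it as `AZURE_S2S_APPLY=1 VPN_SHARED_KEY='...' sh s2s.sh` after `az login`; a freshly created connection usually reports "Connecting" or "NotConnected" until the on-prem device has been configured, so re-run `connection_status` rather than treating the first result as final.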
Alright, so this seemed easy enough! Joking! Nothing in Azure is ever viewed as easy—and it shouldn’t be because these are valuable skills that translate into high-paying roles in technology.
If you want to learn more about how to connect our on-prem networks with Azure, or even just use Azure Network technologies, make sure to check out our AZ-700 course and use it to prepare for the AZ-700 exam so that you can validate your skills in the job marketplace. Thanks for joining me in this blog post, and for now keep being awesome gurus!