Creating an Azure S2S VPN

You need two network connections: one connection to the public Internet, which will connect to Azure (this connection should be configured with the default gateway) and a second connection that will connect to your internal network (this connection doesn't have a default gateway). Note that because the internal NIC doesn't have a default gateway, you'll need to add routes for other local subnets to enable traffic flow.

When you create the gateway in Azure, ensure that you select the dynamic gateway type and wait for the gateway to be created before continuing.

Once the gateway is created in Azure, use the Download VPN Device Script option and select the RRAS option. Waiting for the gateway to be completed allows all the values in the PowerShell code to be populated, including the Azure IP address and the connection key.

Run the downloaded PowerShell code (which might require a reboot after enabling RRAS; this is called out in the script).

To check on the connection status, use the Get-VpnS2SInterface PowerShell cmdlet, which should show Connected. Note that the Azure portal might take a few minutes to update.

If your Azure on-premises gateway isn't the default gateway for your network, you'll need to update the routing tables on OS instances that need to communicate to Azure via the gateway; for example:

Route add -p 10.0.19.0 mask 255.255.255.0 10.0.16.25

where 10.0.19.0/24 is the Azure subnet and 10.0.16.25 is the local IP address of the Azure VPN gateway on your network.