Welcome to the final installment of our series addressing the deprecation of direct internet access for Azure Virtual Machines (VMs). Throughout this journey, we’ve explored several robust solutions to maintain and secure outbound internet connectivity:
- Part 1: Implemented a NAT Gateway for scalable and simplified outbound connectivity.
- Part 2: Deployed an Azure Firewall to enhance security and control over network traffic.
- Part 3: Leveraged Network Virtual Appliances (NVAs) for advanced networking capabilities.
- Part 4: Used Azure Load Balancer with Outbound Rules as a method to provide outbound internet traffic.
In this final part, we explore a solution that uses a VPN Gateway connected to an on-premises environment and leverages a default site configuration to send traffic back to on-premises for internet access.
Introduction
Modern enterprise connectivity is shifting. Today’s organisations are leaving behind the legacy of direct internet access on Azure VMs in favor of more secure, manageable, and scalable models. In this installment, we detail how to implement an Azure VPN Gateway using a Site-to-Site VPN approach—and equip you with the tools to configure a “default site” that streamlines your routing. Whether you prefer a hands-on GUI approach via the Azure Portal, an automated deployment using Bicep, or fine-tuning with PowerShell, this guide covers all bases. We’ve also included a diagram (in Mermaid) to visualize the network path as your traffic journeys from Azure, through the VPN Gateway, into your on-premises network, and finally out to the internet.
Prerequisites
Before you begin, ensure you have the following:
- Resource Group: A dedicated container for your Azure resources.
- Virtual Network (VNet) & Gateway Subnet: Your VNet should contain an appropriately sized gateway subnet.
- Public IP Address: Provisioned and associated with the VPN Gateway.
- Access Tools:
  - Azure Portal: For GUI-based deployment.
  - Bicep: For Infrastructure-as-Code deployments.
  - PowerShell (Az Module): For post-deployment configuration adjustments.
Deployment Options
In this guide, we’ll walk through three deployment methods:
- Azure Portal Deployment – A visual, step-by-step process.
- Bicep Template Deployment – Automated infrastructure-as-code for repeatable builds.
- PowerShell Configuration – Post-deployment tweaks to set the default site property.
Azure Portal Deployment
The Azure Portal provides an intuitive process to deploy your VPN Gateway. Follow these steps:
1. Sign In and Prepare:
   - Log into the Azure Portal.
   - Confirm that your Resource Group, Virtual Network, and Gateway Subnet are in place.
   - Create a Public IP Address resource if it isn't already available.
2. Create the Virtual Network Gateway:
   - Click Create a resource and search for Virtual network gateway.
   - In the Basics tab, provide:
     - Subscription and Resource Group: Select your existing group.
     - Name: For example, `MyVpnGateway`.
     - Region: Ensure it matches your VNet's region.
     - Gateway Type: Choose VPN.
     - VPN Type: Select Route-based.
     - SKU: Pick an option such as `VpnGw1`.
3. Configure Networking:
   - Under Virtual Network, select your preconfigured VNet.
   - Confirm the correct Gateway Subnet appears.
   - Associate the Public IP Address you prepared.
4. Set the Default Site:
   - If provided in the deployment wizard, specify the default site name (e.g., `DefaultSite`).
   - If the option is missing from the GUI, you can adjust it later using PowerShell (see below).
5. Review and Create:
   - Review all settings and click Create.
   - After creation, validate the gateway's connectivity using Azure Monitor or Network Watcher.
Bicep Template Deployment
For those seeking repeatable, automated deployments, the following Bicep template provisions an Azure VPN Gateway with the default site property configured.
Save the content below as `deployVpnGateway.bicep`:

To deploy via the Azure CLI:

1. Sign in:

   ```bash
   az login
   ```

2. Run the deployment command:

   ```bash
   az deployment group create \
     --resource-group MyResourceGroup \
     --template-file deployVpnGateway.bicep
   ```

Monitor the output to confirm the VPN Gateway and the default site have been established correctly.
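As an added example (not the article's own `deployVpnGateway.bicep`, and not Microsoft's), the Bicep below shows the three pieces the default-site pattern relies on: a local network gateway describing the on-premises side, a route-based VPN gateway whose `gatewayDefaultSite` points at it, and the user-defined route that hands `0.0.0.0/0` to the gateway, which Azure forced tunneling needs on each workload subnet and which the article's steps do not cover. The parameters `vnetName`, `publicIpName`, `onPremVpnDeviceIp` and `onPremAddressPrefixes`, and the route table name `rt-forced-tunnel`, are assumptions; the gateway and site names come from the article.

```bicep
param location string = resourceGroup().location
param vnetName string                // existing VNet that already contains 'GatewaySubnet'
param publicIpName string            // existing public IP prepared for the gateway
param onPremVpnDeviceIp string       // placeholder: public IP of the on-premises VPN device
param onPremAddressPrefixes array    // placeholder: on-premises ranges reachable over the tunnel

// The "default site" is a local network gateway, i.e. the on-premises side of the S2S tunnel.
resource defaultSite 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'DefaultSite'
  location: location
  properties: {
    gatewayIpAddress: onPremVpnDeviceIp
    localNetworkAddressSpace: { addressPrefixes: onPremAddressPrefixes }
  }
}

resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-05-01' = {
  name: 'MyVpnGateway'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'   // forced tunneling via a default site requires a route-based gateway
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'GatewaySubnet') }
          publicIPAddress: { id: resourceId('Microsoft.Network/publicIPAddresses', publicIpName) }
        }
      }
    ]
    // Traffic with no more specific route (including internet-bound) is sent to this site.
    gatewayDefaultSite: { id: defaultSite.id }
  }
}

// Workload subnets also need a UDR that sends 0.0.0.0/0 to the VPN gateway; associate this
// table with every subnet whose VMs should reach the internet through on-premises.
resource forcedTunnelRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-forced-tunnel'
  location: location
  properties: {
    routes: [
      { name: 'default-to-onprem', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualNetworkGateway' } }
    ]
  }
}
```

Without the route table association, VMs in a subnet keep Azure's system default route and the default site alone does not redirect their internet-bound traffic.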
PowerShell Configuration for the Default Site
If you didn’t set the default site during deployment (or need to modify it), the following PowerShell commands let you update the VPN Gateway configuration.
1. Establish Your Variables:

   ```powershell
   $resourceGroupName = "MyResourceGroup"
   $gatewayName       = "MyVpnGateway"
   $defaultSiteName   = "DefaultSite"   # name of the local network gateway representing on-premises
   ```

2. Retrieve and Update the Gateway:

   ```powershell
   # Retrieve the existing VPN Gateway
   $gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroupName -Name $gatewayName

   # The default site is a local network gateway resource, not a plain name
   $localGateway = Get-AzLocalNetworkGateway -ResourceGroupName $resourceGroupName -Name $defaultSiteName

   # Set the default site; this cmdlet applies the change to the gateway
   Set-AzVirtualNetworkGatewayDefaultSite -VirtualNetworkGateway $gateway -GatewayDefaultSite $localGateway
   ```

3. Verify the Change:

   ```powershell
   Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroupName -Name $gatewayName |
       Select-Object Name, @{ Name = 'DefaultSite'; Expression = { $_.GatewayDefaultSite.Id } }
   ```

This confirms that the gateway now references your on-premises site as its default site, so traffic without a more specific route follows that default path, simplifying your routing configuration.
Network Traffic Flow
To capture the journey of your traffic—from Azure workloads, through the VPN Gateway (configured with your default site), into your on-premises network, and finally out to the internet—consider the following Mermaid diagram:
```mermaid
graph LR
    A[Azure Workload]
    B["VPN Gateway (Default Site)"]
    C[On-Premises Network]
    D[Internet]
    A -->|Outbound Traffic| B
    B -->|Routes to| C
    C --> D
```
This diagram illustrates the complete network path: traffic leaves an Azure workload, is routed through the VPN Gateway configured with a default site, traverses your on-premises network, and ultimately exits to the internet.
Final Thoughts
Transitioning from direct Azure VM internet access to a centralized connectivity model via a VPN Gateway is not merely a technical upgrade—it’s a strategic evolution. By deploying an Azure VPN Gateway with a comprehensive Site-to-Site VPN configuration and a default site, you enhance security and simplify network management in a scalable manner. Whether you deploy via the Azure Portal, automate with Bicep, or fine-tune via PowerShell, you’re laying the foundation for a resilient and future-proof infrastructure.
Have you faced challenges during your migration journey? Let’s discuss best practices, performance tuning, and monitoring enhancements as we continue navigating the complexities of modern cloud connectivity.