Site-to-site (S2S) VPN Gateway between Azure and On-Premises A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. On-Prem Network Azure VNet S2S VPN Tunnel IPsec IKE (IKEv1 or IKEv2) Subnet(s) Firewall VPN GW VPN GW Firewall Subnet(s) On-Prem Configuration Required VPN device configuration script On-Prem VPN GW & Firewall Setup Guidance A compatible VPN device is needed on-prem to create the VPN connection with Azure. A qualified IT Pro/Network engineer to configure the on-prem VPN Gateway (GW) and Firewall changes. An external facing public IPv4 address for the on-prem VPN device that is not located behind a NAT. Azure VPN uses PSK (Pre-Shared Key) authentication that must be shared between the two VPN GWs. A generic configuration file will be generated by the Azure VPN GW to provide details for the on-prem VPN GW setup. The IT Pro/Network engineer must specify the IP address range prefixes that Azure will route to the on-prem location. None of the subnets of the on-prem network can over lap with the virtual network subnets that are connected to on Azure.  IP Address Block Reserved for Azure 10.64.0.0 - 10.67.0.0/14   Netmask 255.252.0.0   Usable Networks 1024 at /24  Azure Gateway SKUs by tunnel, connection, and throughput 1

Azure S2S & P2S VPN Gateways Co-exist with Azure ExpressRoute On-Prem Network HQ Azure VNet PIP PIP ExpressRoute On-Prem WAN Edge ExpressRoute GW Private WAN connectivity PIP PIP S2S VPN Tunnel On-Prem VPN GW VPN GW On-Prem Network Site2 Subnet(s) PIP S2S VPN Tunnel On-Prem VPN GW P2S SSTP Tunnel VPN Client P2S IKEv2 Tunnel VPN Client https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways 2