SALES: 1-800-867-1380

Configure a Virtual Network Gateway in the Management Portal

Updated: April 14, 2015

A virtual network gateway is required to create a secure cross-premises connection. After creating your virtual network, use the following steps to configure the virtual network gateway and gather the information you’ll need to configure your VPN device.

  1. Start the virtual network gateway

  2. Gather information for your VPN device configuration

  3. Configure your VPN Device

  4. Verify your Local Network ranges and Gateway IP address

  1. On the Networks page, verify that the status column for your virtual network is Created.

  2. In the Name column, click the name of your virtual network.

  3. On the Dashboard page, notice that this VNet doesn’t have a gateway configured yet. You’ll see this status as you go through the steps to configure your gateway.

    Gateway Not Created
  4. At the bottom of the page, click Create Gateway. You can select either Static Routing or Dynamic Routing.

    The routing type you select depends on a number of factors. For example, what your VPN device will support and whether you need to support point-to-site connections. Check About VPN Devices for Virtual Network Connectivity to verify the routing type that you need. Once the gateway has been created, you can’t change between gateway types without deleting and re-creating the gateway. When the system prompts you to confirm that you want the gateway created, click Yes.

    Gateway Type

  5. When your gateway is creating, notice the gateway graphic on the page changes to yellow and says Creating Gateway. It may take up to 15 minutes for the gateway to create. You’ll have to wait until the gateway is complete before you can move forward with other configuration settings.

    Gateway Creating
  6. When the gateway changes to Connecting, you can gather the information you’ll need for your VPN device.

    Gateway Connecting

After the gateway has been created, gather information for your VPN device configuration. This information is located on the Dashboard page for your virtual network:

  1. Gateway IP address - The IP address can be found on the Dashboard page. You won’t be able to see it until after your gateway has finished creating.

  2. Shared key - Click Manage Key at the bottom of the screen. Click the icon next to the key in order to copy it to your clipboard, and then paste and save the key.

    Manage Key
  3. VPN Configuration Script Template - On the Dashboard page, under quick glance, click Download VPN Device Script. On the Download VPN Device Config Script dialog box, select the vendor, platform, and operating system for your company’s VPN device. Click the checkmark button and save the file. If you don’t see your VPN device in the drop-down list, see About VPN Devices for Virtual Network Connectivity in the MSDN library for additional script templates. If you will be using RRAS as your VPN device, see Configure a Site-to-Site VPN using Windows Server 2012 Routing and Remote Access Service (RRAS) for more information about using the PowerShell script.

    This is also a good time to make sure that you’ve created the right Gateway Type (Dynamic or Static Routing).

    VPN Device Template

After completing the previous steps, you or your network administrator will need configure the VPN device in order to create the connection. See About VPN Devices for Virtual Network Connectivity for more information about VPN devices.

After the VPN device has been configured, you can view your updated connection information on the Dashboard page for your VNet.

You can also run one of the following commands to test your connection:


  Cisco ASA Cisco ISR/ASR Juniper SSG/ISG Juniper SRX/J

Check main mode SAs

show crypto isakmp sa

show crypto isakmp sa

get ike cookie

show security ike security-association

Check quick mode SAs

show crypto ipsec sa

show crypto ipsec sa

get sa

show security ipsec security-association

For gateway to connect properly, the IP address for your VPN device must be correctly configured for the Local Network that you specified for your cross-premises configuration. Typically, this is configured during the site-to-site configuration process. However, if you previously used this local network with a different device, or the IP address has changed for this local network, you’ll want to edit the settings to specify the correct Gateway IP address.

  1. To verify your gateway IP address, click Networks on the left portal pane and then select Local Networks at the top of the page. You’ll see the VPN Gateway Address for each local network that you have created. To edit the IP address, select the VNet and click Edit at the bottom of the page.

  2. On the Specify your local network details page, edit the IP address, and then click the next arrow at the bottom of the page.

  3. On the Specify the address space page, click the checkmark on the lower right to save your settings.

For the correct traffic to flow through the gateway to your on-premises location, you’ll need to verify that you have listed each IP address range that you want to include in your local network configuration. Depending on the network configuration of your on-premises location, this can be a somewhat large task because each range must be listed in your Azure Local Networks configuration. Traffic that is bound for an IP address that is contained within the ranges listed will then be sent through the virtual network gateway. The IP address ranges that you list do not have to be private ranges, although you will want to verify that your on-premises configuration is able to receive the inbound traffic.

To add or edit the ranges for a Local Network, follow the procedure below.

  1. To edit the IP address ranges for a local network, click Networks on the left portal pane and then select Local Networks at the top of the page. In the portal, the easiest way to view the ranges that you’ve listed is on the Edit page. To see your ranges, select the VNet and click Edit at the bottom of the page.

  2. On the Specify your local network details page, don’t make any changes. Click the next arrow at the bottom of the page.

  3. On the Specify the address space page, make your network address space changes. Then click the checkmark to save your configuration.

You can view your gateway and gateway traffic from your Virtual Network Dashboard page.

On the Dashboard page you can view the following:

  • The amount of data that is flowing through your gateway, both data in and data out.

  • The names of the DNS servers that are specified for your virtual network.

  • The connection between your gateway and your VPN device.

  • The shared key that is used to configure your gateway connection to your VPN device.

See Also

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft