Step 1: Create a VPN Gateway in Microsoft Azure

The Azure S2S IPsec tunnel is sourced from the VPN Gateway. If you have already deployed a VPN Gateway in your Azure environment, you can skip this section.

  1. In the Azure admin portal, navigate to your resource group and click Create.
  2. Search the marketplace for Virtual network, then click Create.
  3. Configure the virtual network.
    • Basics: Select the Subscription and Resource group with the resources that you want to make available via the S2S VPN tunnel.

    • IP addresses: Configure a virtual network address with the IPv4 and IPv6 addresses and subnets you need. This example uses the range 192.168.0.0/16.

    • Review the configuration and click Create. Azure will deploy the virtual network and update the dashboard when deployment is complete.

  4. Create the gateway subnet.
    1. Navigate to Go to resource > Settings > Subnets.
    2. Click + Subnet and configure the following:
      1. Subnet purpose: Virtual Network Gateway.
      2. Enable Include an IPv4 address space (it is enabled by default).
      3. IPv4 address range will default to the address space you configured when you created the virtual network. This example uses the range 192.168.0.0/16.
      4. Starting address: This example uses 192.168.255.0.
      5. Size: This example uses /27 (32 addresses).
      6. Click Add.
  5. Create the virtual network gateway.
    1. Navigate to Overview > Resource group (click the name of your resource group) > + Create.
    2. Search the marketplace for Virtual network gateway, then click Create.
  6. Configure the virtual network gateway.
    1. SKU: VpnGw2AZ. For more information, see About gateway SKUs.
    2. Generation: Generation2.
    3. Virtual network: Select the virtual network you created in the previous step.
    4. Public IP address: Create new.
      1. Public IP address name: Enter a descriptive name for the primary IP address.
      2. Enable active-active mode: Enabled.
    5. Second public IP address: Create new.
      1. Public IP address name: Enter a descriptive name for the second IP address.
      2. Configure BGP: Enabled.
      3. Autonomous system number (ASN): Enter an ASN that is not in use by your other branches and that is not reserved by Azure or IANA. For more information, see Microsoft Azure documentation on BGP and routing. This example uses ASN 64515.
      4. You do not need to enter custom Azure APIPA BGP IP addresses.
    • Review the configuration, then click Create. Azure will deploy the virtual network gateway and update the dashboard with the two public IP address resources when deployment is complete.

    • To review your configuration after deployment is complete, navigate to Settings > Properties.
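
A pre-flight check of the addressing and ASN values chosen in this step, added here as an example; it is not part of the original procedure or of any Azure tooling. The function names are hypothetical, and the reserved-ASN values are an assumption taken from Microsoft's VPN Gateway BGP documentation that should be confirmed against the current version.

```python
import ipaddress

# Assumption: reserved values as listed in Microsoft's VPN Gateway BGP
# documentation; confirm against the current documentation before use.
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}
IANA_RESERVED_ASNS = {23456, 4294967295}
IANA_RESERVED_RANGES = [(64496, 64511), (65535, 65551)]


def asn_problems(asn, asns_in_use=()):
    """Return the reasons an ASN cannot be used for the gateway (empty = OK)."""
    problems = []
    if asn in AZURE_RESERVED_ASNS:
        problems.append(f"ASN {asn} is reserved by Azure")
    if asn in IANA_RESERVED_ASNS or any(
        low <= asn <= high for low, high in IANA_RESERVED_RANGES
    ):
        problems.append(f"ASN {asn} is reserved by IANA")
    if asn in asns_in_use:
        problems.append(f"ASN {asn} is already in use by another branch")
    return problems


def gateway_subnet_problems(vnet_cidr, starting_address, prefix_length):
    """Return the reasons a gateway subnet is invalid for the VNet (empty = OK)."""
    vnet = ipaddress.ip_network(vnet_cidr)
    try:
        # Strict parsing rejects a starting address that is not on a subnet boundary.
        subnet = ipaddress.ip_network(f"{starting_address}/{prefix_length}")
    except ValueError as exc:
        return [f"invalid gateway subnet: {exc}"]
    if not subnet.subnet_of(vnet):
        return [f"{subnet} is outside the virtual network range {vnet}"]
    return []


if __name__ == "__main__":
    # Values from this page's example.
    print(gateway_subnet_problems("192.168.0.0/16", "192.168.255.0", 27))
    print(asn_problems(64515))
    # Constructed counter-example: 65515 differs by one digit and is Azure-reserved.
    print(asn_problems(65515))
```

The page's example ASN 64515 passes, while the similar-looking 65515 is rejected as Azure-reserved, so a single mistyped digit in the ASN field is worth catching before deployment.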