Sad Tux - Windows bias detected
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Detected Bias Types
  • windows_tools
  • windows_first
Summary
The documentation page demonstrates a mild Windows bias. In the prerequisites, Windows Server's RRAS is the only on-premises VPN appliance called out by name, with a direct link to its documentation, while no Linux-based VPN solutions (such as strongSwan, Libreswan, or OpenSwan) are mentioned or linked. Additionally, the Windows tool is mentioned before the general statement about device agnosticism, and before any Linux alternatives. However, the rest of the documentation is largely cross-platform, with Azure Portal, PowerShell, and CLI instructions, and explicit links to mounting instructions for Windows, macOS, and Linux. There are no PowerShell-heavy or missing Linux example issues in the Azure resource configuration steps.
Recommendations
  • In the prerequisites section, add explicit mention of popular Linux-based VPN solutions (e.g., strongSwan, Libreswan, OpenSwan) as supported on-premises VPN appliances, and provide links to their configuration guides.
  • Where Windows RRAS is mentioned, add a parallel sentence and link for Linux VPN solutions, e.g., 'If you don't have an existing network appliance, you can use strongSwan on Linux. See [strongSwan documentation](https://wiki.strongswan.org/) for configuration guidance.'
  • Consider including a brief example or reference for obtaining the public IP address of the Azure VPN gateway using Azure CLI, not just PowerShell, in the 'Configure on-premises network appliance' section.
  • Ensure that any references to on-premises configuration are balanced between Windows and Linux, especially in sections where specific tools or roles are named.

Scan History

Date              Scan   Status       Result
2026-01-22 01:38  #286   completed    Biased
2026-01-14 00:00  #250   in_progress  Biased
2026-01-13 00:00  #246   completed    Biased
2026-01-11 00:00  #240   completed    Biased
2026-01-10 00:00  #237   completed    Biased
2026-01-09 00:34  #234   completed    Biased
2026-01-08 00:53  #231   completed    Biased
2025-08-19 00:01  #85    completed    Clean
2025-07-13 21:37  #48    completed    Biased
2025-07-12 23:44  #41    cancelled    Biased

Flagged Code Snippets

1. If you want to add a new virtual network and gateway subnet, run the following script. If you have an existing virtual network that you want to use, then skip this step and proceed to step 3. Be sure to replace `<your-subscription-id>`, `<resource-group>`, and `<storage-account-name>` with your own values. If desired, provide your own values for `$location` and `$vnetName`. The `-AddressPrefix` parameter defines the IP address blocks for the virtual network and the subnet, so replace those with your respective values.

   
1. To allow traffic only from specific virtual networks, use the `Update-AzStorageAccountNetworkRuleSet` command and set the `-DefaultAction` parameter to Deny.

   
[!INCLUDE [Configure VPN device](../../../includes/vpn-gateway-configure-vpn-device-rm-include.md)]

## Create the site-to-site connection

To complete the deployment of an S2S VPN, you must create a connection between your on-premises network appliance (represented by the local network gateway resource) and the Azure virtual network gateway. To do this, follow these steps.

# [Portal](#tab/azure-portal)

1. Navigate to the virtual network gateway you created. In the table of contents for the virtual network gateway, select **Settings > Connections**, and then select **+ Add**.

1. On the **Basics** tab, fill in the values for **Project details** and **Instance details**.

   :::image type="content" source="media/storage-files-configure-s2s-vpn/create-connection-basics.png" alt-text="Screenshot showing how to create a site to site VPN connection using the Azure portal.":::

   - **Subscription**: The desired Azure subscription.
   - **Resource group**: The desired resource group.
   - **Connection type**: Because this is an S2S connection, select **Site-to-site (IPsec)** from the drop-down list.
   - **Name**: The name of the connection. A virtual network gateway can host multiple connections, so choose a name that's helpful for your management and that will distinguish this particular connection.
   - **Region**: The region you selected for the virtual network gateway and the storage account.

1. On the **Settings** tab, supply the following information.

   :::image type="content" source="media/storage-files-configure-s2s-vpn/create-connection-settings.png" alt-text="Screenshot showing how to configure the settings for a site to site VPN connection using the Azure portal.":::

   - **Virtual network gateway**: Select the virtual network gateway you created.
   - **Local network gateway**: Select the local network gateway you created.
   - **Shared key (PSK)**: A string of letters and numbers that both ends use to authenticate each other when the IPsec connection is established. The same shared key must be used in both the virtual network and local network gateways. If your gateway device doesn't provide one, you can generate one here and provide it to your device.
   - **IKE protocol**: Depending on your VPN device, select IKEv1 for policy-based VPN or IKEv2 for route-based VPN. To learn more about the two types of VPN gateways, see [About policy-based and route-based VPN gateways](../../vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps.md#about).
   - **Use Azure Private IP Address**: Checking this option allows you to use Azure private IPs to establish an IPsec VPN connection. Support for private IPs must be set on the VPN gateway for this option to work. It's only supported on AZ Gateway SKUs.
   - **Enable BGP**: Leave unchecked unless your organization specifically requires this setting.
   - **Enable Custom BGP Addresses**: Leave unchecked unless your organization specifically requires this setting.
   - **FastPath**: FastPath is designed to improve the datapath performance between your on-premises network and your virtual network. [Learn more](https://aka.ms/erfastpath).
   - **IPsec / IKE policy**: The IPsec / IKE policy that will be negotiated for the connection. Leave **Default** selected unless your organization requires a custom policy. [Learn more](../../vpn-gateway/vpn-gateway-about-compliance-crypto.md).
   - **Use policy based traffic selector**: Leave disabled unless you need to configure the Azure VPN gateway to connect to a policy-based VPN firewall on premises. If you enable this field, you must ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you would need to specify the following traffic selectors:
     - 10.1.0.0/16 <====> 192.168.0.0/16
     - 10.1.0.0/16 <====> 172.16.0.0/16
     - 10.2.0.0/16 <====> 192.168.0.0/16
     - 10.2.0.0/16 <====> 172.16.0.0/16
   - **DPD timeout in seconds**: Dead Peer Detection Timeout of the connection in seconds. The recommended and default value for this property is 45 seconds.
   - **Connection mode**: Connection mode is used to decide which gateway can initiate the connection. When this value is set to:
     - **Default**: Both Azure and the on-premises VPN gateway can initiate the connection.
     - **ResponderOnly**: Azure VPN gateway will never initiate the connection. The on-premises VPN gateway must initiate the connection.
     - **InitiatorOnly**: Azure VPN gateway will initiate the connection and reject any connection attempts from the on-premises VPN gateway.

1. Select **Review + create** to run validation. Once validation passes, select **Create** to create the connection. You can verify the connection has been made successfully through the virtual network gateway's **Connections** page.

# [Azure PowerShell](#tab/azure-powershell)

Run the following commands to create the site-to-site VPN connection between your virtual network gateway and your on-premises device. Be sure to replace the values with your own. The shared key must match the value you used for your VPN device configuration. The `-ConnectionType` for site-to-site VPN is **IPsec**.

For more options, see the documentation for the [New-AzVirtualNetworkGatewayConnection](/powershell/module/az.network/new-azvirtualnetworkgatewayconnection) cmdlet.

1. Set the variables.

   
   You can also choose to include other features like [Border Gateway Protocol (BGP)](../../vpn-gateway/vpn-gateway-bgp-overview.md) and [Active-Active](../../vpn-gateway/vpn-gateway-highlyavailable.md). See the documentation for the [New-AzVirtualNetworkGateway](/powershell/module/az.network/new-azvirtualnetworkgateway) cmdlet. If you do require BGP, the default ASN is 65515, although this value can be changed.

1. Creating a gateway can take 45 minutes or more, depending on the gateway SKU you specified. You can view the VPN gateway using the [Get-AzVirtualNetworkGateway](/powershell/module/az.network/Get-azVirtualNetworkGateway) cmdlet.
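The following Azure PowerShell script is an added example and is not the page's own code. It creates the site-to-site connection with the same settings the portal steps describe (IPsec connection type, IKEv2, the 45-second DPD default and the Default connection mode), reads the pre-shared key from an environment variable instead of hard-coding it, and then polls the connection status. The resource names in angle brackets and the `S2S_SHARED_KEY` variable name are placeholders chosen for this example.

```powershell
# Added example (not the page's own script): create a site-to-site IPsec
# connection between an existing virtual network gateway and an existing
# local network gateway. Values in angle brackets are placeholders.
$resourceGroup    = "<resource-group>"
$vnetGatewayName  = "<virtual-network-gateway-name>"
$localGatewayName = "<local-network-gateway-name>"
$connectionName   = "<connection-name>"

# Read the pre-shared key from the environment so it is not committed to a
# script or left in shell history. S2S_SHARED_KEY is an assumed variable name.
$sharedKey = $env:S2S_SHARED_KEY
if ([string]::IsNullOrWhiteSpace($sharedKey)) {
    throw "Set S2S_SHARED_KEY to the pre-shared key configured on the on-premises device."
}

# Look up the two gateway resources created in the earlier steps.
$vnetGateway  = Get-AzVirtualNetworkGateway -Name $vnetGatewayName -ResourceGroupName $resourceGroup
$localGateway = Get-AzLocalNetworkGateway   -Name $localGatewayName -ResourceGroupName $resourceGroup

# -ConnectionType IPsec is site-to-site. IKEv2 is the route-based choice,
# 45 seconds is the default DPD timeout, and Default lets either side
# initiate, matching the portal fields described above. The connection is
# placed in the same region as the virtual network gateway.
$connection = New-AzVirtualNetworkGatewayConnection `
    -Name $connectionName `
    -ResourceGroupName $resourceGroup `
    -Location $vnetGateway.Location `
    -VirtualNetworkGateway1 $vnetGateway `
    -LocalNetworkGateway2 $localGateway `
    -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 `
    -SharedKey $sharedKey `
    -DpdTimeoutSeconds 45 `
    -ConnectionMode Default

# The resource is returned immediately; the tunnel only comes up once the
# on-premises device is configured. Poll ConnectionStatus to confirm.
$status = (Get-AzVirtualNetworkGatewayConnection -Name $connectionName `
               -ResourceGroupName $resourceGroup).ConnectionStatus
Write-Output "Connection '$connectionName' status: $status"
```

Until the on-premises device is configured, the status typically reads as not connected; rerunning the last two lines after the device is configured shows whether the IKE negotiation succeeded. If the shared key or the IKE version differs between the two sides, the connection stays down, which is the first thing to check.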

   
---

### Create a local network gateway for your on-premises gateway

A local network gateway is an Azure resource that represents your on-premises network appliance. It's deployed alongside your storage account, virtual network, and virtual network gateway, but doesn't need to be in the same resource group or subscription as the storage account. To create a local network gateway, follow these steps.

# [Portal](#tab/azure-portal)

1. In the search box at the top of the Azure portal, search for and select *local network gateways*. The **Local network gateways** page should appear. At the top of the page, select **+ Create**.

1. On the **Basics** tab, fill in the values for **Project details** and **Instance details**.

   :::image type="content" source="media/storage-files-configure-s2s-vpn/create-local-network-gateway.png" alt-text="Screenshot showing how to create a local network gateway using the Azure portal.":::

   - **Subscription**: The desired Azure subscription. This doesn't need to match the subscription used for the virtual network gateway or the storage account.
   - **Resource group**: The desired resource group. This doesn't need to match the resource group used for the virtual network gateway or the storage account.
   - **Region**: The Azure region the local network gateway resource should be created in. This should match the region you selected for the virtual network gateway and the storage account.
   - **Name**: The name of the Azure resource for the local network gateway. This name may be any name you find useful for your management.
   - **Endpoint**: Leave **IP address** selected.
   - **IP address**: The public IP address of your local gateway on-premises.
   - **Address space**: The address range or ranges for the network this local network gateway represents. For example: 192.168.0.0/16. If you add multiple address space ranges, make sure that the ranges you specify don't overlap with ranges of other networks that you want to connect to. If you plan to use this local network gateway in a BGP-enabled connection, then the minimum prefix you need to declare is the host address of your BGP Peer IP address on your VPN device.

1. If your organization requires BGP, select the **Advanced** tab to configure BGP settings. To learn more, see [About BGP with Azure VPN Gateway](../../vpn-gateway/vpn-gateway-bgp-overview.md).

1. Select **Review + create** to run validation. Once validation passes, select **Create** to create the local network gateway.

# [Azure PowerShell](#tab/azure-powershell)

Run the following command to create a new local network gateway. Replace `<resource-group>` with your own value.

The `-AddressPrefix` parameter specifies the address range or ranges for the network this local network gateway represents. If you add multiple address space ranges, make sure that the ranges you specify don't overlap with ranges of other networks that you want to connect to.
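Both the **Address space** field and `-AddressPrefix` require that the on-premises ranges not overlap the networks you connect to, and the connection settings above list the traffic-selector pairs a policy-based device needs. The script below is an added example, not the page's own command: it validates the prefixes for overlap with plain arithmetic (IPv4 only), creates the local network gateway only when the check passes, and enumerates the selector pairs. The function names, the sample prefixes (taken from the connection step's example) and the values in angle brackets are assumptions of this example.

```powershell
# Added example (not the page's own script). Validates that on-premises and
# virtual network prefixes do not overlap, creates the local network gateway,
# and lists the traffic-selector pairs. IPv4 only; angle-bracket values are
# placeholders.

function ConvertTo-IPv4Integer ([string]$Ip) {
    # Dotted-quad -> unsigned integer, using arithmetic rather than
    # PowerShell's signed bitwise operators.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "$Ip is not an IPv4 address" }
    [uint64]$value = 0
    foreach ($b in $bytes) { $value = ($value * [uint64]256) + [uint64]$b }
    return $value
}

function Get-PrefixRange ([string]$Cidr) {
    # First and last address covered by a CIDR prefix.
    $ip, $lenText = $Cidr.Split('/')
    $len = [int]$lenText
    if ($len -lt 0 -or $len -gt 32) { throw "Invalid prefix length in $Cidr" }
    [uint64]$size  = [math]::Pow(2, 32 - $len)
    [uint64]$start = [math]::Floor((ConvertTo-IPv4Integer $ip) / $size) * $size
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - [uint64]1 }
}

function Test-PrefixOverlap ([string]$A, [string]$B) {
    $ra = Get-PrefixRange $A
    $rb = Get-PrefixRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Get-OverlappingPrefixes ([string[]]$OnPremPrefixes, [string[]]$VNetPrefixes) {
    foreach ($o in $OnPremPrefixes) {
        foreach ($v in $VNetPrefixes) {
            if (Test-PrefixOverlap $o $v) { [pscustomobject]@{ OnPrem = $o; VNet = $v } }
        }
    }
}

function Get-TrafficSelectorPairs ([string[]]$OnPremPrefixes, [string[]]$VNetPrefixes) {
    # With "Use policy based traffic selector" enabled, every on-premises
    # prefix must be paired with every virtual network prefix.
    foreach ($o in $OnPremPrefixes) { foreach ($v in $VNetPrefixes) { "$o <====> $v" } }
}

# Constructed sample input, using the prefixes quoted in the connection steps.
$onPremPrefixes = @('10.1.0.0/16', '10.2.0.0/16')
$vnetPrefixes   = @('192.168.0.0/16', '172.16.0.0/16')

$conflicts = @(Get-OverlappingPrefixes $onPremPrefixes $vnetPrefixes)
if ($conflicts.Count -gt 0) {
    $conflicts | ForEach-Object { Write-Warning "Overlap: $($_.OnPrem) and $($_.VNet)" }
    throw "Resolve overlapping address spaces before creating the local network gateway."
}

# Prefixes are disjoint, so create the local network gateway; -AddressPrefix
# accepts the whole list.
New-AzLocalNetworkGateway `
    -Name "<local-network-gateway-name>" `
    -ResourceGroupName "<resource-group>" `
    -Location "<location>" `
    -GatewayIpAddress "<on-premises-public-ip>" `
    -AddressPrefix $onPremPrefixes

Get-TrafficSelectorPairs $onPremPrefixes $vnetPrefixes
```

With the sample prefixes the overlap check passes and the script prints the same four selector pairs the connection step enumerates. Adding a prefix such as `192.168.10.0/24` to the on-premises list would instead produce a warning for the `192.168.0.0/16` virtual network range and stop before any resource is created, which is cheaper than discovering the routing conflict after the tunnel is up.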

---

## Configure on-premises network appliance

The specific steps to configure your on-premises network appliance depend on the network appliance your organization has selected.

When configuring your network appliance, you'll need the following items:

* **A shared key.** This is the same shared key that you specify when creating your site-to-site VPN connection. In our examples, we use a basic shared key such as 'abc123'. We recommend generating a more complex key that complies with your organization's security requirements.
* **The public IP address of your virtual network gateway.** To find the public IP address of your virtual network gateway using PowerShell, run the following command. In this example, `mypublicip` is the name of the public IP address resource that you created in an earlier step.
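As an added example (not the page's own command), the snippet below covers both items in this list: it generates a shared key from the operating system's cryptographic random number generator instead of a memorable string like 'abc123', keeps it out of the console, and then retrieves the gateway's public IP address. `mypublicip` is the public IP resource name the page uses; `<resource-group>`, the function name and the `S2S_SHARED_KEY` variable are assumptions of this example.

```powershell
# Added example (not the page's own command): generate a high-entropy shared
# key and look up the virtual network gateway's public IP address.

function New-S2SSharedKey {
    # 32 bytes from the OS CSPRNG, hex-encoded to 64 printable ASCII
    # characters, which stays within the 128-character limit for the key and
    # avoids symbols that some VPN devices reject.
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [System.BitConverter]::ToString($bytes).Replace('-', '')
}

# Keep the key in the current session's environment (S2S_SHARED_KEY is an
# assumed name) rather than printing it; pass $env:S2S_SHARED_KEY to
# -SharedKey when creating the connection and to the on-premises device.
$env:S2S_SHARED_KEY = New-S2SSharedKey

# 'mypublicip' is the public IP resource from the earlier step.
$publicIp = Get-AzPublicIpAddress -Name "mypublicip" -ResourceGroupName "<resource-group>"
Write-Output "Configure the on-premises device to peer with $($publicIp.IpAddress)"
```

A 32-byte random key gives 256 bits of entropy, so the IKE pre-shared-key authentication cannot be brute-forced offline even if an attacker captures the negotiation; a short dictionary word offers no such protection. Storing the key in a secret manager rather than a session variable is the next step for production use.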