Azure VPN: VPN configuration example (Azure site-to-site VPN connection)

This page provides more specific values for configuring a VPN connection between Skytap and an Azure VPN. It contains sample VPN configuration parameters to enter on the Skytap VPN page, as well as the configuration values to enter in your Azure account.

For general information about the configuration process for each side of the VPN connection, first see:


Sample VPN configuration

In the Azure portal:

  1. Follow the instructions at Create a Site-to-Site connection in the Azure portal.

    • During the Create the VPN gateway step, select VPN type: Route-based.
    • During the Create the local network gateway step, use the following values:

      • IP address: Enter the static public IP address that is (or will be) associated with your Skytap VPN. This is either automatically assigned when you click Create VPN in Skytap, or you can manually select from the available static public IP addresses in your Skytap account.
      • Address space: Enter the subnet range for the IP addresses you want to access in your Skytap account. This value must match the Skytap subnet range defined in your Skytap VPN configuration.
    • In the Configure your VPN device step, note the public IP address of your virtual network gateway.
  2. Download a VPN device configuration script. For example, select one of the Juniper device files.

Skytap VPN configuration

Parameters to enter on your Skytap VPN page:

Parameter Name

Value to enter


Name for your Skytap VPN

Example: azure-east-us-vpn

Remote Peer IP

Enter the public IP address of the VPN gateway in your Azure account.


N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).

Example: US-East-2

Skytap peer IP

An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to.


This value is entered in the IP address field of the local network gateway in your Azure account.

Skytap subnet

This is the range of VM IP addresses in Skytap that sends and receives traffic through this VPN. This can’t overlap with the included remote subnets defined below.

This must match the value in the Address space field of the local network gateway in your Azure account.

You can specify the default route ( for either the remote subnet or the local subnet. You can’t use for both local and remote subnets.

Apply NAT for Connected Networks




Phase 1 Encryption Algorithm

aes 256

Phase 1 Hash Algorithm


Phase 1 pre-shared Key


This must match the pre-shared key in the Azure VPN connection.

Phase 1 SA lifetime


Phase 1 DH group

modp2048 (14)

Phase 2 encryption algorithm

aes 256

Phase 2 authentication algorithm


Phase 2 perfect forward secrecy (PFS)


Phase 2 SA lifetime


SA policy level


Specify maximum segment size


Maximum segment size


Dead peer detection


Included remote subnets

Enter the IP addresses and subnets on your Azure virtual network that will send and receive traffic through this VPN.


You can specify the default route ( for either the remote subnet or the local subnet. You can’t use for both local and remote subnets.

Excluded remote subnets

Subset of IP addresses and subnets on the Azure virtual network that should be excluded from using the VPN tunnel. This is used only to define exclusions for VPN traffic from larger included remote subnets (defined above).



If the VPN appears to not be working, try the following:

  • Verify that you have a strong pre-shared key and that it’s correctly entered in both Skytap and Azure.
  • Verify that the VPN settings in both Skytap and Azure match the recommended settings above.
  • If you changed any settings in Skytap or Azure, the Azure VPN gateway won’t use the changed settings until you reset it. For instructions, see Reset a VPN Gateway.
  • In some cases, the Skytap VPN test will show failures for a correctly configured VPN. Try connecting directly from a Skytap VM to an Azure VM.

    Make sure both of the VMs are connected to networks attached to the VPN.