This document describes how to configure Site2Cloud IPsec tunnels between an Aviatrix Gateway and an Azure Virtual Network Gateway (VNG).

Configuration Workflow

Before you begin, ensure you have the latest Controller software.
  1. In Aviatrix CoPilot, go to Cloud Fabric > Gateways > Specialty Gateways tab. From the + Gateway dropdown menu, select Other, then create a gateway.
  2. In the Azure portal, go to the Virtual network gateways page. Fill in the following information to create a new Virtual Network Gateway:
    • Name: Enter a name for the Azure VPN gateway (for example, Azure-VPN-GW).
    • Gateway type: VPN
    • VPN type: Policy-based
    • SKU: Basic
    • Location: Select a desired location.
    • Virtual network: Select a desired VNet.
  3. Once the virtual network gateway is provisioned, record its Public IP address.
  4. In Aviatrix CoPilot, create a Static Policy-Based (Unmapped) external connection.
  5. Once the Site2Cloud connection is created, locate the same connection on the External Connections (S2C) page.
  6. Click the vertical ellipsis icon and select Download Configuration.
  7. The Download Configuration dialog displays. Select the following values for each specific field:
    • Vendor: Generic
    • Platform: Generic
    • Software: Vendor Independent
  8. Click Download.
  9. Collect the following information from the downloaded configuration template:
    • Pre-Shared Key from #1 Internet Key Exchange Configuration
    • Aviatrix Gateway Public IP from #3 Tunnel Interface Configuration
    • Cloud Network(s) from the Subnets section of #3 Tunnel Interface Configuration
  10. In the Azure portal, go to the Local network gateways page. Enter the following information to create a local network gateway:
    • Name: Enter a local gateway name (e.g. AVX-GW)
    • IP address: Enter the Aviatrix Gateway’s public IP collected at Step 9
    • Address space: Enter the “Cloud Network” CIDR collected at Step 9
    • Configure BGP settings: Unmark this checkbox
  11. In the Azure portal, go to the Virtual network gateways page and select the gateway created at Step 2.
  12. Select Connections from Settings. Enter the following information to create a connection:
    • Name: Enter a VPN connection name (e.g. Azure-AVX-S2C)
    • Connection type: Select Site-to-site (IPsec)
    • Virtual network gateway: Select the VPN gateway created at Step 2
    • Local network gateway: Select the local gateway created at Step 10
    • Shared key (PSK): Enter the pre-shared key collected at Step 9
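
A pre-flight check for the three values collected from the downloaded configuration template, run before they are entered in the Azure portal. This is an added example, not part of the Aviatrix documentation. The function name and sample values are constructed, and the overlap check assumes that an unmapped connection applies no NAT, so the Cloud Network CIDRs must not overlap the Azure VNet address space.

```python
import ipaddress

# Ranges that can never be the gateway's public IP (RFC 1918, CGNAT, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def check_s2c_inputs(gateway_ip, cloud_networks, azure_vnet_cidrs, psk):
    """Return a list of problems; an empty list means the values can be entered."""
    problems = []
    # Local network gateway "IP address": the Aviatrix Gateway's public IPv4.
    try:
        ip = ipaddress.ip_address(gateway_ip.strip())
        if ip.version != 4 or any(ip in n for n in NON_PUBLIC):
            problems.append(f"gateway IP {ip} is not a public IPv4 address")
    except ValueError:
        problems.append(f"gateway IP {gateway_ip!r} is not an IP address")
    # Local network gateway "Address space": each Cloud Network CIDR.
    vnets = [ipaddress.ip_network(c) for c in azure_vnet_cidrs]
    for cidr in cloud_networks:
        try:
            net = ipaddress.ip_network(cidr.strip())  # strict: rejects host bits
        except ValueError as exc:
            problems.append(f"cloud network {cidr!r}: {exc}")
            continue
        # Assumption: no NAT on an unmapped connection, so ranges must be disjoint.
        for vnet in vnets:
            if net.version == vnet.version and net.overlaps(vnet):
                problems.append(f"cloud network {net} overlaps Azure VNet {vnet}")
    # Connection "Shared key (PSK)": catch copy/paste damage; never print the key.
    if not psk:
        problems.append("pre-shared key is empty")
    elif psk != psk.strip():
        problems.append("pre-shared key has leading or trailing whitespace")
    elif not (psk.isascii() and psk.isprintable()):
        problems.append("pre-shared key has non-printable or non-ASCII characters")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration template.
    for problem in check_s2c_inputs(
            gateway_ip="10.10.0.4",                         # private IP by mistake
            cloud_networks=["10.20.1.0/24", "10.10.0.1/16"],
            azure_vnet_cidrs=["10.20.0.0/16"],
            psk="Constructed-Example-PSK\n"):               # pasted with a newline
        print("PROBLEM:", problem)
```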

Troubleshooting

To check a tunnel state, go to the Networking > Connectivity > External Connections (S2C) tab. There should be a green dot next to the name of the external connection. To troubleshoot a tunnel state, go to Diagnostics > Diagnostic Tools > Connectivity Diagnostics.