How to Set Up a Site-to-Site VPN with Azure | Basic VPN Gateway + Ubiquiti


If you want to connect your on-prem network to Azure without breaking the bank, this guide is for you. In this tutorial and accompanying video, we’ll walk through how to build a site-to-site VPN between Azure and your local network using the Azure Basic VPN Gateway and a Ubiquiti Cloud Gateway Max.

The Azure Basic VPN Gateway is the most cost-effective option for dev and test environments. This blog post is based on a full video walkthrough that explains every step—from initial planning to final connection testing. While we’re using Ubiquiti gear in the demo, the setup applies to most IPSec-based VPN devices.

The Basic VPN Gateway SKU is an inexpensive option, but it is limited in terms of performance and configuration options. Also, it can’t be deployed via the Azure portal—it must be deployed with PowerShell or the Azure CLI.

Gateway SKUs by Tunnel, Connection, and Throughput

The following steps show how to use a script that automates subnet creation, IP address provisioning, and gateway setup. Afterward, we’ll configure the Azure side of the IPSec tunnel and complete the setup by connecting and testing the VPN with the Ubiquiti Cloud Gateway. Refer to your vendor’s documentation for specific instructions on configuring the on-premises VPN Gateway.

A link to the PowerShell script is located below.

Step 1: Deploy the Basic VPN Gateway

The first step in deploying the Basic VPN Gateway is to gather the prerequisite information, including:

  • The existing virtual network name
  • The existing virtual network resource group name
  • An IP range for the gateway subnet
  • The name for the new Azure Basic VPN Gateway

The IP range must be a minimum of /29 for the Basic VPN Gateway SKU (/27 for all other VPN Gateways) and not overlap with existing subnets in the virtual network. A larger IP address block is recommended to accommodate future configuration changes.
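A pre-flight check for the two range rules above (at least /29, no overlap with existing subnets), as an added example that is not part of the author's script. The VNet name, resource group and proposed prefix are placeholders; the check that the range falls inside the VNet's address space is an addition, since Azure requires that of any subnet.

```powershell
# Added example: pre-flight check for the gateway subnet range.
$VnetName      = 'vnet-lab'        # placeholder: existing virtual network
$VnetRg        = 'rg-network'      # placeholder: its resource group
$GatewayPrefix = '10.0.255.0/27'   # placeholder: proposed GatewaySubnet range

function ConvertTo-CidrRange {
    # Turn an IPv4 CIDR string into numeric start/end addresses.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $len = $Cidr -split '/'
    [long]$addr = 0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) {
        $addr = $addr * 256 + $b
    }
    [long]$size  = [math]::Pow(2, 32 - [int]$len)
    [long]$start = $addr - ($addr % $size)   # align to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; PrefixLength = [int]$len; Start = $start; End = $start + $size - 1 }
}

$gw = ConvertTo-CidrRange $GatewayPrefix
if ($gw.PrefixLength -gt 29) {
    throw "$GatewayPrefix is smaller than /29, the minimum for the Basic SKU."
}

$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $VnetRg -ErrorAction Stop

# The range has to sit inside one of the VNet's IPv4 address spaces.
$spaces = $vnet.AddressSpace.AddressPrefixes | Where-Object { $_ -notmatch ':' } |
    ForEach-Object { ConvertTo-CidrRange $_ }
if (-not ($spaces | Where-Object { $gw.Start -ge $_.Start -and $gw.End -le $_.End })) {
    throw "$GatewayPrefix is outside the address space of $VnetName."
}

# It must not overlap any subnet that already exists.
foreach ($subnet in $vnet.Subnets) {
    if ($subnet.Name -eq 'GatewaySubnet') { throw 'A GatewaySubnet already exists in this VNet.' }
    foreach ($prefix in $subnet.AddressPrefix) {
        if ($prefix -match ':') { continue }   # skip IPv6 prefixes
        $r = ConvertTo-CidrRange $prefix
        if ($gw.Start -le $r.End -and $r.Start -le $gw.End) {
            throw "$GatewayPrefix overlaps subnet '$($subnet.Name)' ($prefix)."
        }
    }
}
"$GatewayPrefix is usable for GatewaySubnet in $VnetName."
```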

Once the necessary information is collected, run the PowerShell script available in the link below to deploy the gateway subnet, standard public IP, and Basic VPN gateway. The script will create a new subnet named “GatewaySubnet”. The name “GatewaySubnet” is required and cannot be changed. Also, ensure that you are logged in with an account that has authorization to create resources in the specified resource group.

The PowerShell script uses the Azure Standard IP SKU by default. Some subscriptions do not support deploying a Basic VPN SKU with an Azure Standard IP. Use the “-standardIP $false” option to deploy with a basic IP address instead. It may be necessary to remove the newly created VPN gateways, IP address, and gateway subnet before rerunning the script.

Step 2: Create the Local Network Gateway

In Azure, the Local Network Gateway represents the opposite end of a VPN Connection. It defines what the Azure gateway connects to and which IP address ranges are available on that network. The following information is required to create a local network gateway:

  • IP address or FQDN of the local gateway
  • Address spaces available on the local network
  • Name for the new Local Network Gateway

To create a local network gateway, search for “Hybrid Connectivity” in the Azure portal. Then, open VPN gateway > Local Network Gateways.

Supply the required information to create the new Local Network Gateway. If the local gateway has a dynamic IP address, such as in a home lab, use a Dynamic DNS hostname to minimize downtime caused by IP address changes.

Step 3: Configure the VPN Connection

A VPN Connection defines the settings of the tunnel, including the Azure gateway, local gateway, and encryption settings. Create a new VPN connection from Hybrid Connectivity > VPN Connections.

Under Basics, set the connection type to Site-to-Site (IPsec) and provide a name and region.

Go to Settings. Select the previously created Azure Virtual Network Gateway and local network gateway. Leave the Authentication Method set to Shared Key, and add a key value. This value authenticates the tunnel and is required when configuring the local gateway. Leave the rest as default and create the VPN Connection. Advanced settings cannot be customized when using a Basic VPN Gateway.

Step 4: Configure the On-Prem VPN Device

Once the VPN Connection is created, open the connection (you may need to remove filters in Hybrid Connectivity > VPN Connections to see the new VPN Connection) and select “Download configuration” from the top of the Overview page. Follow the wizard to select your device vendor, family, and firmware version. If you don’t see your on-premises device listed, select the “Generic Samples” option.

The downloaded file contains configuration options for your device or, if your device isn’t listed, the information needed to configure the connection.

Step 5: Verify the VPN Connection

Once configured, traffic between your networks should flow securely. You can test connectivity from your on-prem device and check the VPN status in the Azure portal. The tunnel may take a few minutes to fully establish, and Azure may briefly display the connection as ‘Unknown’ or ‘Not Connected.’ Refresh or click into the VPN connection to confirm it’s active.
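Steps 2, 3 and 5 can also be done with Az PowerShell instead of the portal. The following is an added example, not part of the author's script; every name and address in it is a placeholder, and it generates the shared key from the system random number generator rather than using a typed value.

```powershell
# Added example: Steps 2, 3 and 5 with Az PowerShell. All names and addresses
# below are placeholders.
$Rg        = 'rg-network'          # resource group of the Basic VPN gateway
$GwName    = 'vgw-basic-lab'       # gateway deployed in Step 1
$LngName   = 'lng-onprem'
$ConnName  = 'cn-azure-to-onprem'
$OnPremIp  = '203.0.113.10'        # public IP of the on-prem device (documentation range)
$OnPremNet = @('192.168.10.0/24')  # address spaces behind the on-prem device

$vgw = Get-AzVirtualNetworkGateway -Name $GwName -ResourceGroupName $Rg -ErrorAction Stop

# Step 2: the local network gateway describes the on-premises end.
$lng = New-AzLocalNetworkGateway -Name $LngName -ResourceGroupName $Rg `
    -Location $vgw.Location -GatewayIpAddress $OnPremIp -AddressPrefix $OnPremNet

# Generate a 256-bit shared key from the system CSPRNG instead of typing one.
# Hex encoding keeps the key to plain alphanumeric characters.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes); $rng.Dispose()
$psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# Step 3: site-to-site (IPsec) connection with the default settings.
New-AzVirtualNetworkGatewayConnection -Name $ConnName -ResourceGroupName $Rg `
    -Location $vgw.Location -VirtualNetworkGateway1 $vgw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk | Out-Null

# Step 4 happens on the on-premises device, using the key held in $psk.
# Step 5: once the device is configured, poll the status for up to 10 minutes.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $conn = Get-AzVirtualNetworkGatewayConnection -Name $ConnName -ResourceGroupName $Rg
    '{0:T}  {1}' -f (Get-Date), $conn.ConnectionStatus
} until ($conn.ConnectionStatus -eq 'Connected' -or (Get-Date) -gt $deadline)

# Byte counters above zero indicate traffic is crossing the tunnel.
$conn | Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```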

And that’s it! You now have a working site-to-site VPN tunnel between your Azure VNet and on-premises network using the Basic VPN Gateway. This setup is ideal for dev or lab environments where cost is a factor, and can serve as a model for more advanced configurations. The Basic VPN Gateway SKU is not recommended for production workloads, however.

For the full video walkthrough, including PowerShell deployment and hands-on configuration, be sure to check out the original video on YouTube.

New-azBasicVPNGateway.ps1 Script
https://github.com/tsrob50/CiraltosTools/tree/main/Networking

Basic Public IP SKU and Standard IP Information
https://learn.microsoft.com/en-us/azure/vpn-gateway/basic-public-ip-migrate-about?WT.mc_id=AZ-MVP-5004159#can-i-create-a-basic-sku-vpn-gateway-with-a-basic-sku-public-ip-address-after-march-31-2025

Basic VPN Gateway Current Support
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq?WT.mc_id=AZ-MVP-5004159#is-the-vpn-gateway-basic-sku-also-retiring

Mapping old SKUs to new SKUs
https://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-sku-consolidation?WT.mc_id=AZ-MVP-5004159#mapping-old-skus-to-new-skus

