Configure a Site-to-Site VPN for Azure Files

Here’s a concise, GitBook-optimized summary of the article.

1. Overview

You can mount Azure file shares from your on‑premises network over a Site-to-Site (S2S) VPN so traffic does not traverse the open internet. Use Azure VPN Gateway (deployed in the same region as your virtual network) to create the S2S VPN. This guide shows the end‑to‑end steps to configure the S2S VPN and validate mounting Azure Files from on‑premises.

2. Applies to

Storage accounts with Azure Files (SMB and NFS support depending on SKU/tiers). See the original article’s compatibility table for exact management model, billing model, media tier, redundancy, and SMB/NFS support.

3. Prerequisites

  • An Azure file share inside a storage account.

  • An on‑premises VPN device or server compatible with Azure VPN Gateway (RRAS on Windows Server can be used).

  • Familiarity with Azure Files networking options is recommended.

4. Main steps (high level)

  1. Add a virtual network (VNet) to the storage account

    • Configure storage account Networking to “Enabled from selected virtual networks and IP addresses”.

    • Add existing or create a new VNet (must be in same region as storage account).

    • Ensure a GatewaySubnet exists on the VNet.

    • Enable the Microsoft.Storage service endpoint on the subnet and add a storage network rule for the subnet.

  2. Deploy a virtual network gateway (VPN Gateway)

    • Create a Public IP for the gateway.

    • Deploy a Virtual Network Gateway in the same region and VNet; choose an appropriate SKU (avoid Basic if you need IKEv2/route‑based).

    • Deployment can take ~45 minutes.

  3. Create a local network gateway (represents your on‑premises network)

    • Provide your on‑premises public IP and address spaces.

    • Optionally configure BGP if required.

  4. Configure the on‑premises VPN appliance

    • Use the gateway’s public IP and a shared key (PSK) that you define.

    • Use vendor‑specific configuration templates or documentation for exact IPsec/IKE settings and crypto parameters.

  5. Create the site‑to‑site connection

    • Create a VPN connection between the Azure Virtual Network Gateway and the Local Network Gateway.

    • Set the shared key (must match on both ends), choose IKEv1 for policy‑based or IKEv2 for route‑based, and adjust other options (DPD timeout, connection mode, IPsec/IKE policy) as needed.

    • Verify the connection status becomes “Connected”.

  6. Mount and validate Azure file share

    • Mount the Azure file share from on‑premises over the VPN using OS‑specific instructions (Windows, macOS, Linux SMB/NFS).
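The Azure-side part of steps 1–5 (storage network rule, GatewaySubnet and service endpoint, VPN gateway, local network gateway, connection) as one added Azure PowerShell example. This is not code from the Microsoft article; it assumes the Az module is installed, an existing resource group, VNet and storage account, and uses placeholder names, a placeholder workload subnet called `default`, and an RFC 5737 documentation address for the on‑premises public IP. Step 4 (the on‑premises appliance) is vendor specific and only receives the generated PSK.

```powershell
# Placeholder values (constructed for this example, not from the article)
$rg         = 'rg-files-vpn'
$location   = 'eastus'              # gateway, VNet and storage account must share a region
$vnetName   = 'vnet-files'
$workSubnet = 'default'             # existing workload subnet in the VNet (assumption)
$saName     = 'stfilesexample'      # storage account; must be globally unique
$onPremIp   = '203.0.113.10'        # on-prem VPN device public IP (documentation range)
$onPremCidr = '10.10.0.0/16'        # on-prem address space reachable over the tunnel

# Generate a strong pre-shared key from a CSPRNG (base64 is within Azure's printable-ASCII limit)
function New-SharedKey {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

Connect-AzAccount | Out-Null

# Step 1: GatewaySubnet (name must be exactly "GatewaySubnet") and Microsoft.Storage endpoint
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27' `
        -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workSubnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workSubnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workSubnet

# Deny by default ("selected virtual networks and IP addresses"), then allow only this subnet
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# Step 2: public IP and route-based, Generation2 VPN gateway (takes ~45 minutes)
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-vpngw' -Location $location `
    -AllocationMethod Static -Sku Standard
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet'
$ipconf   = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-files' -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2

# Step 3: local network gateway describing the on-prem side (BGP left off; enable only if needed)
$lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Name 'lng-onprem' -Location $location `
    -GatewayIpAddress $onPremIp -AddressPrefix $onPremCidr

# Step 4 is done on the on-prem device with $pip.IpAddress and the PSK below.
$psk = New-SharedKey

# Step 5: IKEv2 site-to-site connection; the same PSK must be set on the on-prem device
New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'cn-onprem' -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk -DpdTimeoutInSeconds 45 | Out-Null

Write-Host "Gateway public IP: $($pip.IpAddress)"
Write-Host "Hand the PSK to the on-prem device out of band; do not log it."
```

The PSK is generated once and printed to nothing but the operator's session; store it in a secrets manager rather than in the script, and use `-ConnectionProtocol IKEv1` only if the on‑premises device is policy‑based.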

5. Key configuration details and recommendations

  • Gateway and virtual network must be in the same region.

  • Gateway SKU determines supported features, tunnels and performance. Prefer Generation2 SKUs for new deployments.

  • Create a GatewaySubnet named exactly "GatewaySubnet".

  • Enable Microsoft.Storage service endpoint on the subnet (this can take up to 15 minutes).

  • Use a strong shared key (PSK) for the VPN connection.

  • Only enable BGP/custom options if your design requires them.

6. Validation and troubleshooting

  • Verify VPN gateway public IP from Azure resources.

  • Check connection resource in Azure Portal or via CLI/PowerShell; the status should show Connected.

  • If using policy‑based devices, ensure traffic selectors match and include all combinations of on‑prem and Azure subnet prefixes.
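A validation pass for the three checks above plus the step‑6 mount, as an added Azure PowerShell example that is not part of the article. It assumes the Az module, the same placeholder resource names as a typical deployment (`rg-files-vpn`, `cn-onprem`, `pip-vpngw`), a share name placeholder, and that the mount commands run on an on‑premises Windows host whose traffic to the storage endpoint is routed through the tunnel.

```powershell
# Placeholder names (constructed for this example)
$rg        = 'rg-files-vpn'
$connName  = 'cn-onprem'
$pipName   = 'pip-vpngw'
$saName    = 'stfilesexample'
$shareName = 'share1'

Connect-AzAccount | Out-Null

# 1. Gateway public IP, as seen from the Azure resource (compare with the on-prem device config)
$gwIp = (Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName).IpAddress
Write-Host "VPN gateway public IP: $gwIp"

# 2. Connection status must be "Connected"; byte counters show whether traffic actually flows
$cn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name $connName
Write-Host "Status: $($cn.ConnectionStatus)  in=$($cn.IngressBytesTransferred)  out=$($cn.EgressBytesTransferred)"
if ($cn.ConnectionStatus -ne 'Connected') {
    throw "Connection is $($cn.ConnectionStatus); check PSK, IKE version and (for policy-based devices) traffic selectors."
}

# 3. From the on-prem host: SMB (TCP 445) must reach the file endpoint before a mount can work
$fqdn = "$saName.file.core.windows.net"
$tnc  = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP 445 to $fqdn failed; verify routing into the tunnel and on-prem firewall rules."
}

# Step 6: mount the share with the storage account key (retrieve it at run time, never hard-code it)
$key  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $saName)[0].Value
$cred = New-Object System.Management.Automation.PSCredential(
    "Azure\$saName", (ConvertTo-SecureString $key -AsPlainText -Force))
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fqdn\$shareName" -Credential $cred -Persist | Out-Null
Get-ChildItem Z:\ | Select-Object -First 5
```

Run the first two checks from any host with Az access and the last two from the on‑premises machine that will use the share; a "Connected" status with zero ingress/egress bytes usually points at routing or traffic‑selector mismatches rather than at the tunnel itself.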

7. Useful links (from the article)

  • Azure VPN Gateway overview and device compatibility

  • IPsec/IKE parameters and custom policies

  • Mounting instructions: Windows, macOS, Linux (SMB/NFS)

  • Azure Files networking overview
