Creating a Site-to-Site connection

Creating a Site-to-Site VPN connection is not a very straightforward process, because you need to configure both sides (Azure and on-premises). However, I'll do my best to simplify it. Since both sides need configuration, you may wonder what exactly has to be done on each. On-premises, you need a VPN device that acts as a gateway for your environment: traffic from your local network goes through it, over an IPsec tunnel, to an Azure virtual network gateway, and from there into the Azure virtual network.

So, before getting our hands dirty with configuring the Site-to-Site VPN connection, you need to consider the following points:

Without further ado, let's configure a Site-to-Site VPN connection:

  1. First off, make sure you have a VM or a physical server available that can act as the local VPN device once RRAS is installed on it.
  2. Make sure the VM/physical server has two NICs: one for internal communication, with a private IP address from your local network, and one for communication with the Azure virtual network gateway, with a public IP address assigned to it.
    • The NIC used for internal communication must not have a default gateway configured, so that traffic bound for Azure is routed via the NIC with the public IP address.
    • On the NIC with the public IP address, uncheck every binding except Internet Protocol Version 4 (TCP/IPv4), which is where you enter the public IP address statically. This leaves nothing but IPv4 exposed on the internet-facing interface.
    • Disable IPv6 on both NICs by unchecking Internet Protocol Version 6 (TCP/IPv6) in the NIC properties.
    • Disable NetBIOS over TCP/IP. You can do so by navigating to the TCP/IPv4 properties, clicking Advanced, opening the WINS tab, and selecting Disable NetBIOS over TCP/IP. This matters most on the NIC with the public IP address, since NetBIOS should never be reachable from the internet.
  3. Now you can install RRAS: add the Remote Access role, and make sure to select the DirectAccess and VPN (RAS) role service during the installation (the Routing role service is what provides the demand-dial interfaces used later, so select it as well).
  4. Navigate back to the Azure portal and create a virtual network with the address spaces and subnets according to what you have planned, and don't forget the gateway subnet (it must be named GatewaySubnet) that will be used by the virtual network gateway.
  5. Then, create a virtual network gateway of gateway type VPN and assign the virtual network you created earlier to it. Choose the route-based VPN type: the RRAS side will use IKEv2, and Azure policy-based gateways only support IKEv1.
  6. Then, search for local network gateway. A local network gateway represents your local network in Azure (the public IP address of your VPN device and the address space behind it), and it is what the Azure gateway connects to, as shown in the following screenshot:
Figure 4.20: Searching for local network gateways
  7. Once its blade opens, all the local network gateways created so far are listed, as shown in the following screenshot:
Figure 4.21: Local network gateways blade
  8. Click on Add, and a new blade will pop up where you have to specify the following:
    • Name: The name of the local network gateway
    • IP address: The public IP address of the RRAS server (the local VPN device)
    • Address space: The address space(s) of your local network that should be reachable from Azure
    • Subscription: The subscription that will be charged for this service
    • Resource group: The resource group in which the local network gateway will exist
    • Location: The Azure region of the local network gateway
Figure 4.22: Configure the local network gateway
  9. Click on Create, and wait until the local network gateway is created.
  10. Navigate to the virtual network gateway you created, then click on Connections, as shown in the following screenshot:
Figure 4.23: Local network gateway connections
  11. Click on Add, and a new blade will pop up where you have to specify the following:
    • Name: The name of the connection
    • Connection type: Site-to-site (IPsec)
    • Virtual network gateway: The virtual network gateway that you created for this purpose
    • Local network gateway: The local network gateway you created in the previous steps
    • Shared key (PSK): The pre-shared key that both gateways use to authenticate the IKEv2 tunnel to each other. Use a long random value rather than a memorable phrase, treat it as a secret, and keep it at hand because you have to enter the same value on the RRAS server later:
Figure 4.24: Adding a connection between the local network gateway and virtual network gateway
  12. Click on OK, and the connection will be added.
  13. Once the connection is added, navigate back to the RRAS server and open the Routing and Remote Access console, as shown in the following screenshot:
Figure 4.25: Routing and Remote Access console
  14. Right-click on Network Interfaces and click on New Demand-dial Interface..., as shown in the following screenshot:
Figure 4.26: Create New Demand-dial Interface
  15. A new wizard will appear with a welcome screen, so click on Next, as shown in the following screenshot:
Figure 4.27: Welcome screen for creating demand-dial interface
  16. On the next screen, you have to specify a name for the interface, as shown in the following screenshot:
Figure 4.28: Specify an interface name
  17. On the next screen, you have to specify the Connection Type, which is VPN in our scenario, as shown in the following screenshot:
Figure 4.29: Specify the connection type
  18. On the next screen, you have to select the VPN Type, which is IKEv2 in our scenario, as shown in the following screenshot:
Figure 4.30: Specify the VPN type
  19. On the next screen, you have to enter the public IP address of the virtual network gateway. You can get it from the Overview of the virtual network gateway in the Azure portal.
  20. On the next screen, you can select transports and security options for this connection. Leave them at the default, which keeps Route IP packets on this interface selected, as shown in the following screenshot:
Figure 4.31: Select transports and security options for the connection
  21. On the next screen, you have to create a static route for each address space of the Azure virtual network by adding them, as shown in the following screenshot. Without these routes, RRAS has no reason to send Azure-bound traffic into the tunnel:
Figure 4.32: Create a static route to Azure virtual network address spaces
  22. On the next screen, you can specify the dial-out credentials. It's okay to enter the User name only: the wizard requires a user name, but the connection will authenticate with the pre-shared key, so these credentials are not used, as shown in the following screenshot:
Figure 4.33: Specify the dial-out credentials
  23. Finally, all you need to do is click on Finish, as shown in the following screenshot:
Figure 4.34: Finishing the demand-dial interface creation
  24. Once the interface is created, right-click on it and select Properties, as shown in the following screenshot:
Figure 4.35: Viewing the properties of the network interface
  25. Navigate to the Security tab. Under Authentication, select Use preshared key for authentication and enter the shared key that you specified earlier when creating the connection between the local network gateway and the virtual network gateway. The two values must match exactly, or IKE authentication will fail, as shown in the following screenshot:
Figure 4.36: Setting the authentication type
  26. Click OK, right-click on the network interface, and select Connect to initiate the connection between your environment and Azure, as shown in the following screenshot:
Figure 4.37: Initiate the connection between Azure and the local network
  27. Now, you can connect to any VM located on the virtual network you have built in Azure by its private IP address. To confirm the tunnel is up from both sides, check that the interface shows Connected in the Routing and Remote Access console and that the connection's Status in the Azure portal also reads Connected; remember that any network security group on the Azure subnet still has to allow traffic from your on-premises address space.
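The same procedure, scripted end to end with Azure PowerShell (the Az module) on the Azure side and the RemoteAccess module on the RRAS server. This is an added example and not code from the book; every resource name, address range, adapter name and public IP address below is an assumption (the public IPs are RFC 5737 documentation addresses), so replace them with your own plan. It differs from the portal steps in one respect worth copying: the pre-shared key is generated with a CSPRNG rather than typed in.

```powershell
# ===== Part 1: Azure side. Run from any machine with the Az module after Connect-AzAccount. =====
$rg             = 'rg-s2s-demo'        # assumed resource group name
$location       = 'westeurope'         # assumed region
$vnetCidr       = '10.1.0.0/16'        # assumed Azure address space
$onPremCidr     = '192.168.10.0/24'    # assumed on-premises address space behind the RRAS server
$onPremPublicIp = '203.0.113.10'       # assumed public IP of the RRAS server (documentation address)

# Generate the PSK with a CSPRNG: 32 random bytes, hex-encoded = 64 printable ASCII
# characters, which is within the 128-character limit Azure imposes on shared keys.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = ($keyBytes | ForEach-Object { $_.ToString('x2') }) -join ''

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Virtual network with a workload subnet plus the mandatory GatewaySubnet (step 4)
$subnets = @(
    New-AzVirtualNetworkSubnetConfig -Name 'workload'      -AddressPrefix '10.1.1.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
)
$vnet = New-AzVirtualNetwork -Name 'vnet-s2s' -ResourceGroupName $rg -Location $location `
    -AddressPrefix $vnetCidr -Subnet $subnets

# Public IP and IP configuration for the virtual network gateway (step 5)
$gwPip = New-AzPublicIpAddress -Name 'pip-vng-s2s' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$gwSubnet   = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'vng-ipconfig' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $gwPip.Id

# Route-based gateway: required for IKEv2, which RRAS will use. Provisioning takes 30+ minutes.
$vng = New-AzVirtualNetworkGateway -Name 'vng-s2s' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway: the on-premises side as Azure sees it (steps 6-9)
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremCidr

# Site-to-Site IPsec connection between the two gateways, authenticated with the PSK (steps 10-12)
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# Two values the RRAS side needs. Hand the PSK over out of band (password manager), not by e-mail.
$azureGatewayIp = (Get-AzPublicIpAddress -Name 'pip-vng-s2s' -ResourceGroupName $rg).IpAddress
"Azure gateway public IP: $azureGatewayIp"
"Pre-shared key         : $psk"

# ===== Part 2: on-premises side. Run elevated on the Windows Server that becomes the RRAS gateway. =====
$externalNic    = 'Ethernet-WAN'     # assumed name of the NIC holding the public IP
$internalNic    = 'Ethernet-LAN'     # assumed name of the NIC on the local network
$azureGatewayIp = '198.51.100.20'    # assumed; use the value printed by Part 1 (documentation address)
$vnetCidr       = '10.1.0.0/16'      # same Azure address space as in Part 1
$plainPsk       = Read-Host 'Pre-shared key from Part 1'   # prompted, so it never sits in the script

# NIC preparation (step 2): no default gateway on the internal NIC, IPv6 off on both,
# and nothing but IPv4 bound on the internet-facing NIC.
Remove-NetRoute -InterfaceAlias $internalNic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
foreach ($nic in $externalNic, $internalNic) { Disable-NetAdapterBinding -Name $nic -ComponentID 'ms_tcpip6' }
Get-NetAdapterBinding -Name $externalNic |
    Where-Object { $_.Enabled -and $_.ComponentID -ne 'ms_tcpip' } |
    Disable-NetAdapterBinding

# Install RRAS with the DirectAccess and VPN (RAS) and Routing role services, configured for S2S (step 3)
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null
Install-RemoteAccess -VpnType VpnS2S

# Demand-dial IKEv2 interface to the Azure gateway, PSK-only authentication, with a static route
# to the VNet in "<prefix>:<metric>" form (steps 14-25). -Persistent keeps the tunnel up rather
# than dialing it on demand.
Add-VpnS2SInterface -Name 'Azure-S2S' -Destination $azureGatewayIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $plainPsk -IPv4Subnet "${vnetCidr}:100" -Persistent -Passthru
$plainPsk = $null

# Bring the tunnel up and verify (step 26). In Azure, ConnectionStatus of the connection should
# also read Connected: (Get-AzVirtualNetworkGatewayConnection -Name cn-onprem -ResourceGroupName $rg).ConnectionStatus
Connect-VpnS2SInterface -Name 'Azure-S2S'
(Get-VpnS2SInterface -Name 'Azure-S2S').ConnectionState
```

Part 1 and Part 2 run on different machines, which is why the gateway IP and the PSK are carried across by hand. If the tunnel stays in a Connecting state, the usual causes are a PSK mismatch between the two sides, UDP 500/4500 and ESP being blocked in front of the RRAS server, or the on-premises address space in the local network gateway not matching what the internal NIC actually serves.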