This diagram explains how a Site-to-Site IPsec VPN securely connects an on-premises network to an Azure Virtual Network (VNet).

In the first stage, called IKEv2 negotiation, both VPN gateways exchange information, authenticate each other, and agree on encryption, integrity, and key exchange parameters. Using the Diffie-Hellman process, they generate shared secret keys without sending those keys across the Internet. Once authentication is successful, an IKE Security Association (IKE SA) is established to securely manage the VPN connection.

Next, an IPsec Child Security Association (Child SA) is created, which forms the encrypted tunnel used to carry application traffic. When a server in the on-premises network sends data to an Azure VM, the original packet is encrypted using IPsec ESP, encapsulated with the public IP addresses of both VPN gateways, and transmitted securely over the Internet. Upon reaching Azure, the VPN Gateway validates, decrypts, and restores the original packet before forwarding it to the destination VM.

This process allows applications such as HTTPS, SQL, SMB, RDP, and APIs to communicate securely between private networks while keeping data protected from unauthorized access. The VPN tunnel is continuously monitored using Dead Peer Detection (DPD) to ensure both endpoints remain reachable, and encryption keys are automatically renewed before they expire to maintain security and uninterrupted connectivity.
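The data-path stage above (ESP tunnel-mode encapsulation, validation on the receiving gateway, and restoration of the original packet) can be modelled in code. The following is an added example written for this page, not Azure's or any IPsec stack's code: keys, SPI, gateway addresses and the inner packet are constructed values, and an HMAC-based keystream stands in for the AES transform Azure actually negotiates so that the example runs with the Python standard library only. It also shows the anti-replay window that a receiving gateway enforces, which the diagram does not draw.

```python
import hashlib, hmac, ipaddress, os, struct

# Constructed demo keys; in a real tunnel the IKEv2 DH exchange derives them per Child SA.
ENC_KEY, AUTH_KEY, SPI, WINDOW = b"\x11" * 32, b"\x22" * 32, 0x0001A2B3, 64

def keystream(key, iv, n):
    # HMAC-SHA256 in counter mode is a stand-in PRF so the example needs no third-party
    # library; it is NOT an IPsec transform (Azure negotiates AES-GCM or AES-CBC).
    blocks = (hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(inner_pkt, seq, src_gw, dst_gw):
    """Tunnel mode: encrypt the whole inner packet, prepend SPI+sequence number, append an
    ICV over header+ciphertext, then wrap it in an outer gateway-to-gateway header."""
    iv = os.urandom(8)                       # fresh per packet; must never repeat under a key
    ct = bytes(a ^ b for a, b in zip(inner_pkt, keystream(ENC_KEY, iv, len(inner_pkt))))
    esp = struct.pack(">II", SPI, seq) + iv + ct
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:16]
    outer = ipaddress.ip_address(src_gw).packed + ipaddress.ip_address(dst_gw).packed
    return outer + esp + icv

class EspReceiver:
    """Receiving gateway: verify the ICV first, enforce the anti-replay window, then decrypt."""
    def __init__(self):
        self.highest_seq, self.bitmap = 0, 0   # bit d of bitmap: seq (highest_seq - d) seen

    def _replay_ok(self, seq):
        if seq > self.highest_seq:              # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.highest_seq)) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        d = self.highest_seq - seq
        if d >= WINDOW or (self.bitmap >> d) & 1:  # too old, or already received
            return False
        self.bitmap |= 1 << d
        return True

    def decapsulate(self, wire):
        esp, icv = wire[8:-16], wire[-16:]      # outer header is 8 bytes in this model
        expect = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expect, icv):
            raise ValueError("ICV mismatch: forged or corrupted packet dropped")
        spi, seq = struct.unpack(">II", esp[:8])
        if spi != SPI or not self._replay_ok(seq):
            raise ValueError("unknown SPI or replayed sequence number")
        iv, ct = esp[8:16], esp[16:]
        return bytes(a ^ b for a, b in zip(ct, keystream(ENC_KEY, iv, len(ct))))

# Constructed inner packet: private src/dst (simplified header) plus an application payload.
INNER = (ipaddress.ip_address("10.0.1.5").packed + ipaddress.ip_address("10.1.0.4").packed
         + b"GET /api HTTP/1.1")
```

The outer header carries only the two gateway public addresses; the private addresses and the application payload travel inside the ciphertext, which is why tampering or replaying a captured packet is rejected before any decryption happens.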













