Overview
This article describes the scope of services and support available when requesting assistance to implement a site-to-site VPN with your Managed Cloud PaaS 2.0 deployment.
Azure Services
Sitecore will deploy the Azure Services required to implement a site-to-site VPN while provisioning your Hub Environment.
Note: The Primary Hub will be deployed simultaneously as your first Sitecore Environment. The Primary Hub is common to both your Production and non-production Environments (spokes). An additional Disaster Recovery (DR) Hub will be provided within the secondary Azure region for customers who have purchased DR services in combination with PaaS 2.0.
It is recommended to review the following KB articles for further details relating to the Azure Services included in your Hub Environment.
- Sitecore Managed Cloud Standard - PaaS 2.0. Topologies and tiers for Sitecore XP 10.3.1 and higher
- Sitecore Managed Cloud Premium - PaaS 2.0. Topologies and tiers for Sitecore XP 10.3.1 and higher
High-Level VPN Implementation Process
Creating a site-to-site VPN connection in Azure involves several steps within the Azure Infrastructure hosted by Sitecore and on your on-premises network. Sitecore will not assume responsibility for any on-premises components or services. Implementation of the site-to-site VPN will require input from the Customer IT team.
The steps provided within this knowledge base article are intended to guide the VPN pairing process. The steps needed to establish the VPN connection may vary depending on your VPN and on-premises Network properties and configuration.
Site-to-Site VPN RACI
The charts on the following pages use the coding system outlined below:
- R = Responsible: Those who do the work to achieve the task.
- A = Accountable: The one ultimately answerable for the correct and thorough completion of the deliverable or task and the one who delegates the work to those responsible.
- C = Consulted: Those whose opinions are sought (i.e. subject matter experts) and with whom there is two-way communication.
- I = Informed: Those kept up-to-date on progress, often only on completing the task or deliverable.
High-Level S2S VPN Implementation Steps
| RACI Description | Customer/Partner | Sitecore |
| Create Virtual Network * | C, I | R, A |
| Create VPN Gateway ** | C, I | R, A |
| Create Local Network Gateway *** | C, I | R, A |
| Configure your VPN Device | R, A | C, I |
Note: Sitecore will not assume responsibility for any on-premises components or services. Implementation of the Site-to-Site VPN will require input from the Customer IT team.
* All Virtual Networks will be created by Sitecore during the initial Sitecore Environment provisioning process (spoke).
** The VPN Gateway will be created by Sitecore during the initial Hub Environment provisioning process (Hub). - Sitecore currently supports route-based VPN Gateways only.
*** The Local Network Gateway will be provisioned by Sitecore at the request of the customer to establish a Site-to-Site connection.
PaaS 2.0 Networking and VPN Implementation RACI
| Sitecore Hub Environment – Provisioning | Customer/Partner | Sitecore |
|
Deploy Sitecore Hub Environment
|
C, I | R, A |
| Sitecore Hub Environment – Networking | ||
| Deploy Azure Virtual Network in Hub Environment | C, I | R, A |
| Create and Configure Hub Subnet Group | C, I | R, A |
| Deploy Azure Network Security Group (NSG) in Hub Environment | C, I | R, A |
| Deploy Azure VPN Gateway | C, I | R, A |
| Assign Public IP Address(s) | C, I | R, A |
| Deploy Azure Local Network Gateway | C, I | R, A |
| Configure Azure Local Network Gateway (Site-to-Site Connection) | R, A | R, A |
| Sitecore Spoke Environment – Networking | ||
|
Deploy Sitecore Spoke Environment
|
C, I | R, A |
| Sitecore Spoke Environment – Networking | ||
| Deploy Azure Virtual Network for Sitecore Spoke Environment | C, I | R, A |
| Create and Configure Spoke Subnet Group | C, I | R, A |
| Deploy Azure Network Security Group (NSG) in Spoke Environment(s) | C, I | R, A |
| VNet Peering | ||
| Configure VNet Peering between the Hub and Spoke Environment(s) | C, I | R, A |
| VPN Configuration – Sitecore | ||
| Create a Shared Key | R, A | C, I |
| Assign Public IP of VNet Gateway | C, I | R, A |
| All on-premises VPN and Network Configuration | R, A | C, I |
| All on-premises VPN and Network Monitoring and Maintenance | R, A | C, I |
Azure Infrastructure
- Sitecore will deploy your Primary Hub Environment.
- The Sitecore Primary Hub provides the following core Azure Services
- Virtual Networks
- Subnets
- Public IP Address
- VPN Gateway
- Local Network Gateway
- Establish VPN Connection
- The Sitecore Primary Hub includes VNet Peering to your Production and non-production Environments (Spokes) – See below for further details.
On-Premises Infrastructure
- A customer is responsible for all on-premises Infrastructure.
- VPN Device Configuration
- Configure your on-premises VPN device using settings matching those defined in Azure.
- Import shared keys and set IPSEC policies.
- Route Configuration
- Configure routes to direct traffic for Azure resources to the VPN tunnel.
- Test Connectivity
- Ensure the VPN Tunnel is up.
- Test to ensure resources on both sides of the VPN tunnel can communicate.
VPN Tunnel Validation
- Azure Portal:
- Check the status of the VPN connection in the Azure Portal.
- Logs and Monitoring:
- Review logs and metrics on Azure and the on-premises VPN device to ensure a stable connection.
- Data Transfer:
- Test data transfer between the Azure VNet and your on-premises network.
Note: The steps described within this article should be repeated within the disaster recovery environment (subject to additional purchase and customer agreement)
Sitecore – Hub and Spoke Virtual Network Peering
Each Spoke has its own Virtual Network, Each Virtual Network contains multiple Subnets, and each Subnet has an attached Network Security Group to control authorized access and prevent any unauthorized access to Azure Services. Sitecore Managed Cloud implements VNet Peering from each Spoke to the Hub Network to allow the Spoke to communicate with the shared services such as the Hub’s VPN Gateway.
Review KB1003100 for further details related to the PaaS 2.0 Network Architecture and Subnet allocations within Managed Cloud.
Microsoft Documentation
Refer to the following links provided by Microsoft for a definitive guide to implementing a site-to-site Virtual Private Network (VPN) on the Microsoft Azure platform:
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal#CreateConnection