VPN Connection to Azure

The Oracle Cloud Infrastructure (OCI) Site-to-Site VPN service offers a secure IPSec connection between your on-premises network and a virtual cloud network (VCN). You can also use Site-to-Site VPN to connect OCI resources to other cloud service providers.

This topic provides a best practices configuration for an IPSec VPN tunnel between OCI and Microsoft Azure using the OCI Site-to-Site VPN service and the Azure IPSec VPN service.

Note

This document assumes you have already provisioned a Virtual Cloud Network (VCN) and Dynamic Routing Gateway (DRG) as well as configured all VCN Route Tables and Security Lists required for this scenario and all equivalents in Azure.

Considerations specific to Microsoft Azure

IKE Version: An IPSec VPN connection between OCI and Microsoft Azure must use IKE version 2 for interoperability.

Routing Type: This scenario uses Border Gateway Protocol (BGP) to exchange routes between Azure and OCI. BGP is preferred for Site-to-Site VPN whenever possible. Optionally, static routing can also be used between Azure and OCI.

Perfect Forward Secrecy: With perfect forward secrecy (PFS), a fresh Diffie-Hellman exchange generates new keys in phase 2 and at each phase 2 rekey, instead of reusing the key derived during phase 1. Both VPN peers must be configured with the same PFS group for phase 2. By default, Azure (groups 1, 2, 14, and 24 for IKEv2 only) and OCI (group 5) have a PFS mismatch. The OCI side PFS group can be modified to match your CPE.
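The two interoperability checks above (IKEv2 on both sides, a common phase 2 PFS group) can be modelled before touching either console. The following is an added example, not code from OCI or Azure documentation; the peer group sets are the defaults quoted on this page, the modulus sizes are the standard MODP sizes for those DH groups, and the assumption that OCI offers IKEv1 and IKEv2 until the tunnel is pinned to IKEv2 is the author's own.

```python
from dataclasses import dataclass

# Modulus size in bits for the DH groups named on this page
# (groups 1, 2, 5, 14 from RFC 2409/3526; group 24 from RFC 5114).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 24: 2048}
# Groups below 2048-bit MODP; avoid them whenever the peers allow it.
WEAK_GROUPS = {1, 2, 5}


@dataclass
class Peer:
    name: str
    ike_versions: set   # IKE versions the peer will negotiate, e.g. {2}
    pfs_groups: set     # phase 2 PFS (DH) groups the peer will accept


# Defaults as stated on the page.
AZURE = Peer("Azure", {2}, {1, 2, 14, 24})
# Assumption: OCI offers IKEv1 and IKEv2 until the tunnel is set to IKEv2 only.
OCI_DEFAULT = Peer("OCI", {1, 2}, {5})


def check_interop(a: Peer, b: Peer) -> dict:
    """Return the PFS group a tunnel between a and b would settle on, plus any blockers."""
    problems = []
    if 2 not in a.ike_versions or 2 not in b.ike_versions:
        problems.append("both peers must support IKEv2")
    common = a.pfs_groups & b.pfs_groups
    if not common:
        problems.append(
            f"PFS mismatch: {a.name} offers {sorted(a.pfs_groups)}, "
            f"{b.name} offers {sorted(b.pfs_groups)}"
        )
        chosen = None
    else:
        # Prefer the largest modulus; on a tie prefer the lower-numbered (plain MODP) group.
        chosen = max(common, key=lambda g: (DH_GROUP_BITS[g], -g))
        if chosen in WEAK_GROUPS:
            problems.append(f"negotiated PFS group {chosen} is weak ({DH_GROUP_BITS[chosen]}-bit)")
    return {"pfs_group": chosen, "problems": problems}


def recommend_oci_group(azure: Peer) -> int:
    """Strongest non-weak group from Azure's set; set the OCI tunnel's PFS group to this."""
    candidates = [g for g in azure.pfs_groups if g not in WEAK_GROUPS]
    return max(candidates, key=lambda g: (DH_GROUP_BITS[g], -g))


if __name__ == "__main__":
    print(check_interop(AZURE, OCI_DEFAULT))
    print("set OCI PFS group to", recommend_oci_group(AZURE))
```

With the defaults the check reports the mismatch the page describes; after the OCI side is changed to the recommended group the same check returns no problems.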

Verify OCI Site-to-Site VPN Version

You can verify the Site-to-Site VPN version used by the IPSec connection under the IPSec Connection Information tab on your IPSec connection page.

Supported IPSec Parameters

For a vendor-neutral list of supported IPSec parameters for all OCI regions, see Supported IPSec Parameters.

Configuration Process
