Creating a VPN connection between LGfL and Azure.
Schools and multi-academy trusts may wish to move away from locally hosted services and use the cloud for some of their core items, removing the need for hardware replacements, or simply to move to a centrally hosted provision with a single trust-level domain controller or print management system. Typically you would need on-site hardware to establish a VPN, plus routing to make sure your traffic goes down your own local VPN. LGfL, however, offers a core managed VPN service which requires no on-premises device and no specific layer 3 routing at school level. There is no additional cost on the LGfL side of this service; there are, however, costs within Azure for VPN services and for VMs/provisions.
Pre-requisites:
- A case raised on the LGfL support site to request a /24 for an Azure VPN. The case needs to reference all sites you want to link, but you will need to choose a primary site that the VPN range will sit on for allocation purposes. This is required because you must have an address range in Azure that is unique and does not clash with anything within LGfL; you cannot use the default Azure allocation.
- A list of your schools' subnets, as you will need to define them later within Azure. It is also required because LGfL need to amend firewall rules to allow you to talk to Azure.
Getting started:
This is a full step by step guide valid as of mid-2025.
Within your Azure platform, in your resource group you will need to create a Virtual Network by searching for "virtual network".

Press Create.

Select your resource group and name the virtual network. We would suggest a clear name, as there are many steps and the names will get confusing! VNet1 is what Azure recommends.

Press the IP Addresses tab and delete the standard address space and press add a subnet.

Enter the Azure VPN IP range provided by LGfL support and press create.

The review and create page will confirm the entry.

This Virtual network should now be listed within your Virtual networks page. Click VNet1 (or whatever you called it in the previous step).

Azure requires you to create two subnets within this virtual network: one for virtual machines/resources and one for the network gateway. We can split the /24 by clicking Subnets, then "+ Subnet".

For the first subnet, the usable range in Azure, simply change the dropdown to /25 (128 addresses).

Save that, then click "+ Subnet" again, change the Subnet purpose to Virtual Network Gateway and set the size to /27 (32 addresses).

This should now give you two subnets, so we can move to the next step: use the search box to find Virtual network gateway. NB: you may need to use the Marketplace option if the Services one does not show initially.

It should direct you to this configuration page automatically; if not, press "Create" on the Virtual Network Gateway page.

Items on this page highlighted in red all need to be checked and changed. The only school-specific item is the Virtual Network you choose; this is the one you previously created.
When naming this, again it is worth being clear, as we have to reference things constantly. This is going to be the public address and gateway into Azure.
Active-Active is not supported and BGP should be left as disabled.
Press review and create.
This process can take some time to finalise and deploy; Azure suggests up to 45 minutes. You can leave this page, but you cannot finalise the config until this is complete.
Whilst that deploys, you can go to search and type "local network" to load the Local network gateways item.

Once in here you can press "+ Create".

That will load this page, where you will need to enter site-specific items.
Name again: a clear one is suggested; LocalGateway works.
Endpoint IP address should be provided in the support case, as it differs depending on your school's VRF.
Address space is your school's LGfL-applied address ranges. If you use NAT, you cannot use your internal ranges; you must specify the IPs listed on your school's deployment page.
This screenshot assumes School A has 10.0.0.0/24 and School B has 10.20.50.0/24; yours will differ, and this must be correct for your sites.
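The address plan above has three parts that must agree: the /24 issued by LGfL support (which must not clash with any LGfL range, and cannot be the default Azure allocation), the /25 and /27 split made in the Subnets page, and the list of school ranges entered as the Local network gateway address space. The following is an added example, not part of the LGfL guide, that checks all three with Python's standard ipaddress module. The 10.200.5.0/24 allocation is a constructed value; the two school ranges are the guide's own screenshot examples. A /16 is used as the stand-in for the default Azure address space to show why the default is rejected.

```python
"""Address-plan check for an LGfL-to-Azure site-to-site VPN.
Added example, not part of the LGfL guide. Assumes the /24 below was issued
by LGfL support and that the school ranges are the ones on each school's
deployment page; the allocation itself is a constructed sample value."""
import ipaddress

# Constructed sample: the /24 allocated by LGfL support for Azure.
AZURE_VNET = "10.200.5.0/24"

# The LGfL-applied ranges of the schools that will use the tunnel
# (the same example values the guide's screenshot uses).
SCHOOL_RANGES = {
    "School A": "10.0.0.0/24",
    "School B": "10.20.50.0/24",
}


def split_vnet(vnet_cidr):
    """Split the LGfL-allocated /24 the way the guide does in the portal:
    a /25 (128 addresses) for VMs/resources, then a /27 (32 addresses)
    for the virtual network gateway. Returns (resource_subnet, gateway_subnet)."""
    net = ipaddress.ip_network(vnet_cidr, strict=True)
    if net.prefixlen != 24:
        raise ValueError(f"expected a /24 from LGfL support, got /{net.prefixlen}")
    lower_half, upper_half = net.subnets(new_prefix=25)
    # The gateway subnet is carved from the unused upper half so it cannot
    # overlap the resource subnet.
    gateway = next(upper_half.subnets(new_prefix=27))
    return str(lower_half), str(gateway)


def check_no_overlap(vnet_cidr, school_ranges):
    """Return the names of any school ranges that overlap the Azure VNet.
    Preventing this overlap is why LGfL issue a dedicated /24: a clashing
    range makes traffic ambiguous between the school LAN and Azure."""
    vnet = ipaddress.ip_network(vnet_cidr)
    return [name for name, cidr in school_ranges.items()
            if ipaddress.ip_network(cidr).overlaps(vnet)]


def build_plan(vnet_cidr, school_ranges):
    """Produce the values to type into the portal, refusing a clashing VNet."""
    resource, gateway = split_vnet(vnet_cidr)
    clashes = check_no_overlap(vnet_cidr, school_ranges)
    if clashes:
        raise ValueError(f"Azure range {vnet_cidr} clashes with: {', '.join(clashes)}")
    return {
        "vnet_address_space": vnet_cidr,
        "resource_subnet": resource,
        "gateway_subnet": gateway,
        # The Local network gateway address space lists every school range.
        "local_gateway_address_space": sorted(school_ranges.values()),
    }


if __name__ == "__main__":
    for key, value in build_plan(AZURE_VNET, SCHOOL_RANGES).items():
        print(f"{key}: {value}")
    # A /16 such as 10.0.0.0/16 (the kind of range the portal proposes by
    # default) swallows School A's LAN, which is the clash the guide warns about.
    print("default-style /16 clashes with:", check_no_overlap("10.0.0.0/16", SCHOOL_RANGES))
```

Run it with the real /24 from your support case and your own school ranges; if build_plan raises, the allocation or the school list needs correcting before anything is created in the portal.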

Once saved, you will get a deployment confirmation, then you can search for virtual network gateway again.

Within this page, choose VPN gateways on the left and click the gateway you made earlier; in this instance, VPNGateway.

Within there, you can click Connections on the left, then "+ Add".

This is where you will create the VPN connection and encryption profile.
You will need to change the connection type to Site-to-site (IPsec).
The name, again, should be obvious should you need to reference it later.

You will need to press "Settings" to configure the specific IPsec config. This is where you will need to wait and make sure the Virtual Network Gateway from earlier has finished provisioning, otherwise it will be greyed out.
Everything surrounded by a red text box is something that will need changing.
- You will need to select the Virtual network gateway and the Local network gateway.
- Authentication method is PSK; you can generate something. This should be a complex mix of symbols, numbers and letters; hover over the 'i' to confirm the valid symbols.
- IKEv2 is required.
- Leave Private IP and BGP unticked.
- Choose Custom IPsec/IKE policy.
- The settings in the screenshot are what we suggest are used to guarantee connectivity.
- Set the IPsec SA lifetime to 28800.
- Keep the policy-based selector disabled.
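The PSK bullet above asks for a complex mix of symbols, numbers and letters. The following is an added example, not part of the LGfL guide, of generating such a key from the operating system's cryptographic random source and checking a candidate key before it is pasted into the portal. The key length and the symbol set are assumptions; the valid symbols must be confirmed against the portal's 'i' tooltip, as the guide says.

```python
"""Pre-shared key generator and checker for the Azure site-to-site connection.
Added example, not part of the LGfL guide. PSK_LENGTH and PSK_SYMBOLS are
assumptions; confirm the allowed symbols against the portal's 'i' tooltip."""
import secrets
import string

PSK_LENGTH = 40                          # assumption: comfortably long for IKEv2 PSK auth
PSK_SYMBOLS = "!@#$%^&*()-_=+[]{}:.,?"   # assumption: check against the portal tooltip
PSK_ALPHABET = string.ascii_letters + string.digits + PSK_SYMBOLS


def psk_problems(psk, min_length=32, symbols=PSK_SYMBOLS):
    """Return the reasons a candidate PSK should not be used; an empty list means OK.
    Checks length, that every character is in the allowed set, and that the key
    really is a mix of letters, digits and symbols rather than one class only."""
    problems = []
    if len(psk) < min_length:
        problems.append(f"shorter than {min_length} characters")
    allowed = set(string.ascii_letters + string.digits + symbols)
    disallowed = sorted(set(psk) - allowed)
    if disallowed:
        problems.append(f"characters not in the allowed set: {''.join(disallowed)!r}")
    if not any(c.isalpha() for c in psk):
        problems.append("no letters")
    if not any(c.isdigit() for c in psk):
        problems.append("no digits")
    if not any(c in symbols for c in psk):
        problems.append("no symbols")
    return problems


def generate_psk(length=PSK_LENGTH):
    """Draw characters from the OS CSPRNG (secrets) and re-draw until the key
    passes psk_problems; rejection sampling keeps every accepted key equally likely."""
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not psk_problems(psk):
            return psk


if __name__ == "__main__":
    key = generate_psk()
    print("generated PSK:", key)
    print("problems with a letters-only key:", psk_problems("a" * 40))
```

Enter the generated value in the portal's Shared key field and keep it in a secrets store rather than in the support ticket text; the same value is what the LGfL side will need to match.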

Once Review and create is pressed, you should get this page confirming deployment. Expand deployment details and press the link to the resource.

Check the connection is correct at the top right, then press the Download configuration button.

It will ask for the template type; please choose the options exactly as below.

Provide that configuration text file in the support ticket and engineers will create the LGfL-side configuration for you.
Once this is completed, if you go back to the VPN Connections page, you will see "Connected" once the tunnel is established.
