As a self-confessed Ubiquiti fanboy who wants to learn the Microsoft Azure platform (just because), it made sense to attempt to create a Site-to-Site (AKA Site-to-Cloud) VPN connection between my Ubiquiti UniFi USG and my Azure cloud. The following tutorial shows the steps that worked for me.
First off, versions and assumptions; at the time of writing I was using:
Ubiquiti UniFi USG Firmware Version: 4.4.18.5052168
Ubiquiti UniFi Controller Version: 5.6.29
Stage 1: Azure Preparation
Create Virtual Network Gateway
In order to connect our USG to our Azure space, we need a destination within Azure in the form of a Virtual Network. Assuming this is already done, we now need to create a Virtual Network Gateway for our VPN connection. To create one, perform the following steps:
Click on the burger menu in the top left
In the search box of the New pane that appears, type Virtual Network Gateway, then press enter
At the top of the list should be an option for Virtual Network Gateway, click it and in the new pane that appears, click Create (bottom of the screen):
On the Create Virtual Network Gateway form, all of the options can stay at their defaults except for the following:
Name
SKU: you need to select the VPN type; you can find information about the different options here (for UK) or here (for USA). I opted for Basic.
Virtual Network: select the one you want to connect to.
Public IP Address: you may need to create a new one; this is a service from Azure that provides a public IP address for your cloud estate.
Subscription: how you want to pay for the services.
Location: the physical hosting location for the services around the VPN connection.
Create Local Network Gateway
In the search box of the New pane that appears, type Local Network Gateway, then press enter
Click Create in the page that appears
The IP Address is the public IP address of your UniFi USG unit
The Address Space is a usable range of IPs on your local network (the network served by the UniFi USG). I use this CIDR calculator to easily define a small range of addresses in the upper part of my local subnet; for example, 192.168.12.180/30 gives me four addresses.
Create Connection
In the search box of the New pane that appears, type Connection, then press enter
Click on Connection in the results:
Click Create at the bottom of the Connection pane
In the form that appears, use the following options (choosing your own subscription, resource group and location):
Stage 2: Ubiquiti UniFi Setup
Create Virtual Network Gateway
Login to your UniFi controller and click the settings icon
Click Networks
Click Create New Network
Give the Network a useful name
For the Purpose property, select Site-to-Site VPN
Select Manual IPsec as the VPN Type
Under Remote Subnets, click Add Subnet and enter the same local subnet you defined earlier in the Create Local Network Gateway section (example: 192.168.12.180/30)
In Peer IP enter the public IP address from Azure
In Local WAN IP enter the IP address on the public interface of your UniFi USG
In Pre-Shared Key enter the key we defined earlier in the Create Connection section
Under the IPsec Profile select Azure dynamic routing
Click to expand Advanced Options

IMPORTANT NOTE: there is a bug at the moment in the UniFi Controller software whereby PFS and Dynamic Routing are always selected.
Uncheck both PFS and Dynamic Routing
Click Save
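Before moving on to verification, it is worth checking that the values entered on the two sides actually agree, since most failures with this setup come down to a mismatch between the Azure Local Network Gateway and the USG network. The following is an added example (not from the original post) that checks the fields the tutorial walks through; the addresses, key and VNet range are constructed for illustration.

```python
import ipaddress

# Constructed settings for the two sides of the tunnel, named after the fields
# the tutorial walks through (illustrative values, not from a real deployment).
AZURE = {
    "vng_public_ip": "72.78.37.14",            # Virtual Network Gateway public IP
    "vnet_address_space": "10.1.0.0/16",       # the Azure Virtual Network being connected
    "lng_gateway_ip": "45.17.23.34",           # Local Network Gateway: IP Address field
    "lng_address_space": "192.168.12.180/30",  # Local Network Gateway: Address Space field
    "shared_key": "example-psk-change-me",     # Connection: shared key
}
USG = {
    "peer_ip": "72.78.37.14",                  # Peer IP: Azure gateway public IP
    "local_wan_ip": "45.17.23.34",             # Local WAN IP: the USG's public address
    "remote_subnets": ["192.168.12.180/30"],   # Remote Subnets, as the tutorial instructs
    "pre_shared_key": "example-psk-change-me",
    "pfs": False,                              # both must be unchecked (controller bug)
    "dynamic_routing": False,
}

def check_site_to_site(azure, usg):
    """Return the list of mismatches between the Azure and USG settings (empty = consistent)."""
    problems = []
    if usg["peer_ip"] != azure["vng_public_ip"]:
        problems.append("USG Peer IP must be the Azure Virtual Network Gateway public IP")
    if usg["local_wan_ip"] != azure["lng_gateway_ip"]:
        problems.append("Azure Local Network Gateway IP must equal the USG Local WAN IP")
    # A LAN or carrier-NAT address in the Local WAN IP field can never be reached by
    # Azure's IKE handshake; only a globally routable address will work here.
    if not ipaddress.ip_address(usg["local_wan_ip"]).is_global:
        problems.append("USG Local WAN IP %s is not a public address" % usg["local_wan_ip"])
    lng_space = ipaddress.ip_network(azure["lng_address_space"], strict=False)
    usg_remote = [ipaddress.ip_network(s, strict=False) for s in usg["remote_subnets"]]
    if lng_space not in usg_remote:
        problems.append("USG Remote Subnets must include the Local Network Gateway address space")
    # Azure rejects a Local Network Gateway range that overlaps the VNet's own address space.
    vnet = ipaddress.ip_network(azure["vnet_address_space"])
    if vnet.overlaps(lng_space):
        problems.append("Local Network Gateway address space overlaps the Azure VNet")
    if usg["pre_shared_key"] != azure["shared_key"]:
        problems.append("Pre-shared keys differ")
    if usg["pfs"] or usg["dynamic_routing"]:
        problems.append("PFS and Dynamic Routing must both be unchecked on the USG")
    return problems

if __name__ == "__main__":
    for problem in check_site_to_site(AZURE, USG) or ["Settings are consistent"]:
        print(problem)
```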
Verifying the Connection Status
Viewing the Connection Status on Azure
Once everything is set up, the VPN connection should initiate automatically. To verify, you can view the connection status in the Microsoft Azure portal. To do this:
Go to your Dashboard
Click the Connection we made earlier
Make sure you are on the Overview tab
Wait a short while and you should see something like the following:
Viewing the Connection Status on Ubiquiti UniFi USG
Unfortunately, at the time of writing there appears to be a bug with the Ubiquiti Controller's reporting of Site-to-Site VPN connections: despite the VPN connection to Azure being established, the Ubiquiti Controller Dashboard shows no Active Tunnels and zero packets in either direction.
I can confirm that my standard client-to-site connection shows up on the Dashboard, so the issue is specific to site-to-site VPNs.
If you do want to verify on the USG that the VPN tunnel is up, you can do so via the command line:
SSH into the USG device directly (not into the controller)
Type the following command:
show vpn ipsec sa
You should get a result similar to the following:
peer-72.78.37.14-tunnel-0: #1, ESTABLISHED, IKEv2, 0d1dh838jd29d39:39483jdhudsu3fd
local '45.17.23.34' @ 45.17.23.34
remote '72.78.37.14' @ 72.78.37.14
Many thanks for that Bob, as I’m looking to be doing this in the coming weeks!
Out of interest, when did you write this?
Hi Mark,
Thanks for the comment, I did this January 2018 and wrote it up as I did it – I don’t think too much has changed since then!
Currently, I am getting this on the connection when I run the troubleshooter in Azure:
Resource: toRHCC
Summary: The connection cannot establish due to security policy (IPsec/IKE) policy mismatch
Detail: If the IPSec/IKE policy is not properly set, the VPN connection cannot establish
Last run: 7/24/2019, 1:44:47 PM
More than willing to pay you for your time to get this off my plate. Thanks! Tried filling out your contact form but it would not work.
Really useful article thank you!
We would like to make use of an Azure network gateway in the US and have our traffic from our branch office in the UK appear from there. Can we route all traffic from the Uni-fi network via the Azure gateway and appear in the US?
Would you be up for revisiting this to match the current version of the USG? I ask because there are additional settings that aren’t addressed here on both the Azure side and USG side. For instance, I followed these directions but my connection in Azure is saying:
“The connection cannot be established because the other VPN device is unreachable. If the on-premises VPN device is unreachable or not responding to the Azure VPN gateway IKE handshake, the VPN connection cannot establish.”
If the Public IP for USG is what is displayed in the “Router” field on the USG interface, then I should be correct, unless it wants my ISP furnished IP address? Besides this, the only other thing I can think of is under the Azure Connection configuration itself, where there is a field regarding IPSec/IKE Policy, where currently “Default” is selected, but there is a “Custom” option in which I can specify IKE Phase 1 (IPSec Encryption ‘ex. AES-256’, Integrity/PRF ‘ex. SHA-1’, DH Group ‘ex. DHGroup2’) and IKE Phase 2 IPSec (IPSec Encryption ‘ex. AES-256’, IPSec Integrity ‘ex. SHA-1’, and PFS Group ‘Note that this is a mandatory field and that we disable this in the USG’).
Hopefully you can help me fill in the blanks on this for the products in their current state. Thanks!
Hey Randal,
I’m afraid I no longer use Azure, having instead decided – personally anyway – that AWS offers a better fit for my needs.
Thanks for getting back to me. I figured out my issue. I needed to update to my public IP rather than the “router public IP”, then update my local area gateway subnets.
Thanks for posting back Randal, that may well help others too! Glad you got it sorted 🙂
Did you ever resolve this? I am hitting the same issue.
I have tried to configure the UDM half a dozen times now and it just doesn’t seem to connect. Having used Azure VPN for a few years, I am 100% sure that’s correct, and the only other thing I can think of is to manually try and configure the connection.