How to create Site to Site VPN in Azure Stack (with Fortigate)

I’m a huge fan of Azure Stack and love to use it for many scenarios in my work/homelab. Often, I need to connect Azure Stack to other hardware/software within my lab. That is when I rely on Site to Site VPN solutions. 

One thing I’m not huge fan of in Azure stack is integrated VPN solution. I usually use third party solutions like Fortigate.

In this scenario I will show how to connect Azure Stack to Intel NUC in my local network. I have configured Fortigate VM in Azure Stack, and in my physical network there is one Fortigate 60D and behind it is Intel NUC with installed Windows Server 2016.

I would not recommend this scenario for production environment that relies on internet connection. In production environment, security should be a bit beefier.

Lab setup

So, here is my LAB setup.

Azure Stack (Main Office)

Azure Stack has public IP that is going to Fortigate VM. Behind Fortigate VM is a small network of Windows Server 2016 VMs on subnet. 

VM I want to have connection to is on IP address

Physical network (Branch Office)

I have Fortigate 60D as a main router with public IP Behind it is a Intel NUC which has Windows Server 2016 installed on it and it on IP address ( subnet)

I want Azure Stack VM on IP address to communicate with Intel NUC behind Fortigate 60D on IP as if they are on the same network.

Azure Stack Setup

Ok, first we will setup Fortigate VM on Azure Stack. This lab assumes you already have everything configured in your network and you just want to setup Site to Site VPN.

From VPN menu select IPsec Wizard

I will give name AStackMain for this site since it will simulate Main Office.

Template Type is Site to Site

NAT configuration – This site is behind NAT (This also works with No NAT between sites option if you have all default within your local network)

Remote device type – FortiGate (I will be connecting to Fortigate 60D)


Remote device – IP address

Remote IP address – public IP address of remote Fortigate device – for me it is

Outgoing interface – port1 (since it is outside facing port in my Fortigate setup)

Authentication method – Pre-shared key (for this occasion enough, but in real world, certificates would be included). Type in a strong phrase and remember it, we will need it again in setup on Branch Office.


Last screen is about local network on main site and branch site.

Local interface – port2 (you should select your LAN facing interface)

Local subnets – (that is LAN subnet on my Azure Stack)

Remote subnets – (that is LAN subnet of Intel NUC behind Fortigate 60D)


OK – all is set on Fortigate VM in Azure Stack

Here is how created tunnekl on Azure Stack (Main Site) looks like

Intel NUC (Branch Office)

Next part of configuration will be done on Fortigate 60D which will act as Branch Office for this scenario.

Location is again VPN | IPsec Wizard

Name: AStackBranch

Template type: Site to Site

Remote Device Type: Fortigate

NAT Configuration: The Remote site is behind NAT (This also works with No NAT between sites option if you have all default within your local network)


Incoming interface is wan1 in my case, since that is my public port on Fortigate 60d

Authentication Method Pre-shared Key

Pre-shared Key – type in same thing you already typed at Main Office Pre-shared Key.


Local interface – select your LAN interface on Fortigate

Local subnet –

Remote subnet –


VPN is set

Here is what it looks like on Fortigate 60D

In my case, status is immediately up since I set ping on the both sides of tunnel.

You can bring up/down this tunnel from both Main or Branch side by going to:

Monitor | IPsec Monitor

There are Bring Up and Bring Down buttons at the top, with which you can start or stop your site to site vpn.


I setup ping from both sides – to and vice versa.

Here is what it looks like after tunnel is up pinging pinging

I also tested with file share and RDP and all the services are working.

This whole scenario can also work without selecting any NAT options on NAT configuration, but you should be also fine with my setup, it should work.

You should have properly set Fortigate as router and firewall for this to work.