First published on TECHNET on Sep 05, 2018
This blog is part of a series for the Top 10 Networking Features in Windows Server 2019!
-- Click HERE to see the other blogs in this series.

Look for the Try it out sections then give us some feedback in the comments!
Don't forget to tune in next week for the next feature in our Top 10 list!
More and more on-premises workloads require connectivity to Azure resources.  Connecting these on-premises workloads to their Azure resources traditionally requires an Express Route, Site-to-Site VPN, or Point-to-Site VPN connection.  Each of these options require multiple steps and expertise in both networking and certificate management, and in some cases, infrastructure setup and maintenance.

Now, Windows Admin Center enables a one-click experience to configure a point-to-site VPN connection between an on-premises Windows Server and an Azure Virtual Network.  This automates the configuration for the Azure Virtual Network gateway as well as the on-premises VPN client.

Windows Admin Center and the Azure Network Adapter makes connecting your on-premises servers to Azure a breeze!

Windows Admin Center

This feature relies on the Windows Admin Center which is an evolution of Windows Server in-box management tools; it’s a single pane of glass that consolidates all aspects of local and remote server management. It comes at no additional cost beyond Windows and is ready to use in production.

Once Windows Admin Center is configured, you are ready to start.

Azure Network Adapter

The Azure Network Adapter is a new part of the Network extension inside Windows Admin Center which allows you to easily setup a Point-to-Site VPN connection to Azure.

Note: Point-to-Site connections do not require a VPN device or a public-facing IP address.
For more information about Point-to-Site VPN, see About Point-to-Site VPN .

Now let’s walk through the experience of adding an Azure Network Adapter to your on-premises Windows Server.  You will be able to find the button +Add Azure Network Adapter on the Network extension in Windows Admin Center.

Once you click +Add Azure Network Adapter the Add Azure Network Adapter wizard will appear on the right pane.

When you select any existing Azure Virtual Network, you will find all the values are already automatically filled-in and the Create button is ready for you to click. You can modify the default options selected by the wizard, or just click the Create button to accept the defaults and trigger the Point-to-site VPN connection to Azure.

That’s it! After a few minutes you will see the newly created point-to-site VPN connection available in the inventory page. Here is a short animation to show you the steps!

Note: The creation could take much longer (~25 minutes) if the Azure Virtual Network
gateway needs to be created.

Use and Validate Azure Network Adapter

Once your Point-to-site VPN is “Connected” your server now has a connection to the Azure Virtual Network.  The server will be able to communicate to any Azure resources in the Virtual Network.

Here’s a simple example of a ICMP Ping validation between one on-premises server and an Azure VM connected through the Azure Network Adapter.

Ready to give it a shot!? Try out Azure Network Adapter in the Windows Admin Center Version 1809 !
Note: Windows Admin Center Version 1809 will be released in September.

Previously creating hybrid cloud connectivity required expertise in networking, certificate management, and even infrastructure setup and maintenance.  Now with the Azure Network Adapter in Windows Admin Center (version 1809), hybrid connectivity can be configured with the click of a button!  The Azure Network Adapter automates the configuration of the Azure Virtual Network gateway and VPN client installation for you!

Thanks for reading,

Schumann Ge
Frequent Visitor

Dear nnamuhcs,
Thanks for the awesome post, this I am really excited for this technology. I followed all step but unfortunately I can't connect to my VPN gateway, I will paste the error below but my guess is that it is a firewall issue in my datacenter. So my question is if you which inbound and outbound firewall rules I should have in place and on which ports.
Thanks in advance and kind regards, Jorrit

Error message: Message VPN Connection Failed, Connecting to WACVPN-22148... Verifying username and password... Remote Access error 809 - The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem. For more help on this error: Type 'hh netcfg.chm' In help, click Troubleshooting, then Error Messages, then 809



Thanks for your try-out and reply.

There is no specific inbound or outbound firewall rules required. 

From the error message there could be two potential issues here - 

  1.  The created Azure Virtual Network Gateway "WACVPN-22148" is not a "Gen 3" Gateway, you can contact the support to confirm the gateway is "Gen 2" or "Gen 3". Or you can simply download the P2S VPN Client of this gateway from the Azure portal, then manually install it on the server. If you can successfully made the P2S VPN connection, then this Gateway is "Gen 3" otherwise it's "Gen 2". And the Azure support can upgrade it to "Gen 3".
  2.  Most likely, the issue could be caused by the IKEV2 micro-segmentation bug in Windows. Currently the bug has not been fixed in Windows Server 2016 (or we call it RS1) yet. The bug has been fixed in RS3+ and Windows Server 2019. The issue should be fixed soon in Windows Server 2016. 

Hope it helps. Thanks very much!

Frequent Visitor


Thanks for your reply. 


I've checked with my network guys and in my case it unfortunately was being blocked by the firewall. I was using Windows server 2019 and newly created VPN gateways. 


Just waiting for my network guys now to move move the servers behind other firewalls :)


Thanks again and kind regards,