
How to Connect SAS Viya in Azure to On-Prem with VPN Gateways - Part 1

Started 05-15-2023
Modified 08-21-2023

@StephenFoerster mentioned in Connecting Viya in Azure to On-Prem with Azure VPN, ExpressRoute (Intro): “Microsoft recommends two different mechanisms for connecting SAS Viya in Azure to on-premises resources […] Both methods require Azure Virtual Network (VNET) gateways to facilitate communication. Site to Site VPN connections also require VPN devices configured on premises.”


Read this post to learn how you can connect a SAS Viya on Azure deployment to an on-premises network by using site-to-site VPN gateways. When the connection is in place, you can access resources in your on-premises data centre, such as a database, from SAS Viya.


Context and Objective

You have SAS Viya deployed on Azure. All resources are deployed in a virtual network. You also have an on-premises data centre with one database. The database is fenced by its own virtual network.


The objective is to access this database from SAS Viya on Azure, through the VPN tunnel.


One way to achieve the objective is to connect the on-premises datacentre to the Azure virtual network (VNET) through a site-to-site VPN gateway connection.


VPN: A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted tunnel within another network. They're typically deployed to connect two or more trusted private networks to one another over an untrusted network, typically the public Internet. Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.


Azure VPN gateway: A VPN gateway is a type of Virtual Network Gateway (VNG). VPN gateways are deployed in Azure virtual networks and can connect on-premises datacentres to Azure virtual networks through a site-to-site connection.


Simulated Data Centre

In this post we are going to simulate the on-premises data centre. The on-premises datacentre will be represented by a database in an Azure virtual network, called HQ-Network.


Why did we choose to simulate the data centre? There are many types of on-premises VPN devices, and it is not possible to describe their configuration in a single post.


What you need to remember is the logic and the configuration steps. You just need to replace the steps for the simulated network with steps tailored to your on-premises VPN device.


Architecture Diagram

By the end of the post series, we want to realize the following architecture diagram:






  • $PREFIX-vnet is the SAS Viya virtual network:
    • $PREFIX-aks-subnet is the sub-network of the SAS Viya Azure Kubernetes Service (AKS) cluster and its resources.
    • $PREFIX-misc-subnet is the sub-network of several virtual machines, including $PREFIX-jump-VM.
    • A separate gateway subnet must be created for the Azure Virtual Network Gateway (VNG).
  • HQ-Network is the on-premises network that you want to access from Azure:
    • It has an Applications subnet, which hosts a database server and a private endpoint. We created the private endpoint to force the database traffic, network-to-network, through the VPN tunnel. We want to avoid SAS Viya connecting directly to the database over the public Internet.
    • A separate gateway subnet must be created for the on-premises VNG.
  • $PREFIX-vnet will be connected to HQ-Network via a Virtual Network Gateway (VNG) / Local Network Gateway (LNG) pair.
  • HQ-Network will be connected to $PREFIX-vnet via a second VNG / LNG pair.
  • The connections establish the VPN tunnel.

To reiterate the objective, we want to connect to the on-premises database from SAS Viya, through the VPN tunnel.



This post assumes SAS Viya is deployed on Azure, in the $PREFIX-vnet shown in the diagram.


Azure Side Resources


You can use the Azure CLI to create the resources:






Add a Gateway Subnet

Add a gateway subnet to $PREFIX-vnet. Every VNG needs a gateway subnet. $PREFIX-vnet has an address space of (65,536 IPs), therefore you must choose at least a /27 address space (32 IPs):


# Placeholder: substitute a /27 (or larger) range inside $PREFIX-vnet
az network vnet subnet create \
    --resource-group $RG \
    --vnet-name $PREFIX-vnet \
    --address-prefixes "<gateway-subnet-CIDR>" \
    --name GatewaySubnet






Create a Local Network Gateway

A local network gateway (LNG) is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it. You then specify the IP address of the on-premises VPN device to which you'll connect.


You must specify the IP address prefixes that can be routed through the VPN gateway to the VPN device.


Create the LNG-HQ-Network local network gateway. The local address prefixes describe your on-premises vnet or subnets. For example, corresponds to the Applications subnet in the HQ-Network vnet.


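# Placeholders: substitute your own values; the gateway IP is updated later
az network local-gateway create \
    --resource-group $RG \
    --gateway-ip-address "<temporary-gateway-IP>" \
    --name LNG-HQ-Network \
    --local-address-prefixes "<Applications-subnet-CIDR>"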


This local gateway represents the on-premises network that you’re connecting to. The IP address specified as the remote gateway, the simulated on-premises network, needs to be updated later because it has not yet been created.


The address prefixes are very important! They define the local resources you can reach through the gateway from Azure.





Simulated On-premises Resources


Create the HQ-Network Virtual Network and the Applications Subnet

Create the HQ-Network virtual network and the Applications subnet in a separate resource group.


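# Placeholders: substitute your own address ranges
az group create --name $RGHQ --location eastus
az network vnet create \
    --resource-group $RGHQ \
    --name HQ-Network \
    --address-prefixes "<HQ-Network-CIDR>" \
    --subnet-name Applications \
    --subnet-prefixes "<Applications-subnet-CIDR>"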


Add a Gateway Subnet to HQ-Network

Add GatewaySubnet to HQ-Network.


# Placeholder: substitute a /27 (or larger) range inside HQ-Network
az network vnet subnet create \
    --resource-group $RGHQ \
    --address-prefixes "<gateway-subnet-CIDR>" \
    --name GatewaySubnet \
    --vnet-name HQ-Network


Create a Local Network Gateway

Create the LNG-$PREFIX-VNet local network gateway.


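# Placeholders: substitute your own values; the gateway IP is updated later
az network local-gateway create \
    --resource-group $RGHQ \
    --gateway-ip-address "<temporary-gateway-IP>" \
    --name LNG-$PREFIX-vnet \
    --local-address-prefixes "<misc-subnet-CIDR>" "<aks-subnet-CIDR>"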


The gateway’s --local-address-prefixes points to the Azure network and subnets you're connecting to. As you can see, the address space points to $PREFIX-misc-subnet and $PREFIX-aks-subnet address ranges: and






You'll later update the IP address specified as the remote gateway, which is in Azure.





Verify the Topology


Verify the Virtual Networks

Verify that the virtual networks have been successfully created.


az network vnet list \
    --resource-group $RG \
    --output table
az network vnet list \
    --resource-group $RGHQ \
    --output table






Verify the Local Network Gateways

Verify the local network gateways have been successfully created.


az network local-gateway list \
    --resource-group $RG \
    --output table
az network local-gateway list \
    --resource-group $RGHQ \
    --output table







For a site-to-site VPN gateway connection:

  • In each virtual network (VNET) you want to connect, you need a Gateway Subnet where the Virtual Network Gateway will be hosted.
  • The address spaces of the VNETs you want to connect must not overlap.
  • The address prefixes in each Local Network Gateway are very important! They define the local resources you can reach through the gateway from Azure.
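
The three rules above can be checked against an address plan before any resource is created. The following is an added example, not part of the original post: the function name, the data layout, and every address range are constructed for illustration, and "viya-vnet" stands in for $PREFIX-vnet.

```python
import ipaddress

def check_s2s_plan(vnets, local_gateways):
    """Return findings (empty list = plan is consistent) for a site-to-site VPN."""
    net = ipaddress.ip_network
    spaces = {n: [net(c) for c in v["address_space"]] for n, v in vnets.items()}
    findings = []
    # 1. Each VNET needs a gateway subnet, /27 or larger, inside its address space.
    for name, v in vnets.items():
        gw = net(v["gateway_subnet"])
        if gw.prefixlen > 27:
            findings.append(f"{name}: GatewaySubnet {gw} is smaller than /27")
        if not any(gw.subnet_of(s) for s in spaces[name]):
            findings.append(f"{name}: GatewaySubnet {gw} is outside the VNET")
    # 2. Address spaces of the connected VNETs must not overlap.
    names = sorted(spaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for x in spaces[a]:
                findings += [f"{a} {x} overlaps {b} {y}"
                             for y in spaces[b] if x.overlaps(y)]
    # 3. LNG prefixes must lie in the remote VNET they represent and must not
    #    collide with the VNET on whose side the LNG is created.
    for lng in local_gateways:
        for p in map(net, lng["prefixes"]):
            if not any(p.subnet_of(s) for s in spaces[lng["represents"]]):
                findings.append(f"{lng['name']}: {p} is not in {lng['represents']}")
            if any(p.overlaps(s) for s in spaces[lng["side"]]):
                findings.append(f"{lng['name']}: {p} overlaps {lng['side']}")
    return findings

# Constructed address plan (assumption); "viya-vnet" stands in for $PREFIX-vnet.
VNETS = {
    "viya-vnet": {"address_space": ["192.168.0.0/16"],
                  "gateway_subnet": "192.168.255.0/27"},
    "HQ-Network": {"address_space": ["172.16.0.0/16"],
                   "gateway_subnet": "172.16.255.0/27"},
}
LNGS = [
    {"name": "LNG-HQ-Network", "side": "viya-vnet", "represents": "HQ-Network",
     "prefixes": ["172.16.0.0/24"]},
    {"name": "LNG-viya-vnet", "side": "HQ-Network", "represents": "viya-vnet",
     "prefixes": ["192.168.0.0/23", "192.168.2.0/24"]},
]

if __name__ == "__main__":
    for line in check_s2s_plan(VNETS, LNGS) or ["address plan is consistent"]:
        print(line)
```

An empty result means the plan satisfies all three rules; each finding names the VNET or local network gateway that needs a different range.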

In Part 2


Read the next post, How to Connect SAS Viya in Azure to On-Prem with VPN Gateways - Part 2, where you will learn how to:

  • Create the Azure side and the on-premises Virtual Network Gateways.
  • Connect the two Virtual Network Gateways.

Useful Resources

Thank you for your time reading this post. If you liked the post, give it a thumbs up! Please comment and tell us what you think about access to on-premises datacentres using VPN gateways.  If you wish to get more information, please write me an email.


Find more articles from SAS Global Enablement and Learning here.


Version history
Last update:
‎08-21-2023 08:27 PM