MicrosoftDocs
diff --git a/‎articles/virtual-wan/media/vpn-over-expressroute/config-menu.png
-17.7 KB b/‎articles/virtual-wan/media/vpn-over-expressroute/config-menu.png
-17.7 KB
diff --git a/‎articles/virtual-wan/media/vpn-over-expressroute/hub-selection.png
-88.9 KB b/‎articles/virtual-wan/media/vpn-over-expressroute/hub-selection.png
-88.9 KB
diff --git a/‎articles/virtual-wan/media/vpn-over-expressroute/vpn-link-configuration.png
-58.2 KB b/‎articles/virtual-wan/media/vpn-over-expressroute/vpn-link-configuration.png
-58.2 KB
diff --git a/‎articles/virtual-wan/media/vpn-over-expressroute/vpn-select.png
-48.3 KB b/‎articles/virtual-wan/media/vpn-over-expressroute/vpn-select.png
-48.3 KB
diff --git a/‎articles/virtual-wan/vpn-over-expressroute.md
Lines changed: 22 additions & 31 deletions b/‎articles/virtual-wan/vpn-over-expressroute.md
Lines changed: 22 additions & 31 deletions
@@ -6,7 +6,7 @@ author: cherylmc
 
 ms.service: virtual-wan
 ms.topic: how-to
-ms.date: 09/22/2020
+ms.date: 08/24/2023
 ms.author: cherylmc 
 ---
 # ExpressRoute encryption: IPsec over ExpressRoute for Virtual WAN
@@ -17,7 +17,7 @@ This article shows you how to use Azure Virtual WAN to establish an IPsec/IKE VP
 
 The following diagram shows an example of VPN connectivity over ExpressRoute private peering:
 
-:::image type="content" source="./media/vpn-over-expressroute/vwan-vpn-over-er.png" alt-text="VPN over ExpressRoute":::
+:::image type="content" source="./media/vpn-over-expressroute/vwan-vpn-over-er.png" alt-text="Diagram of VPN over ExpressRoute.":::
 
 The diagram shows a network within the on-premises network connected to the Azure hub VPN gateway over ExpressRoute private peering. The connectivity establishment is straightforward:
 
@@ -57,8 +57,8 @@ In both of these examples, Azure will send traffic to 10.0.1.0/24 over the VPN c
 
 The following Azure resources and the corresponding on-premises configurations must be in place before you proceed:
 
-- An Azure virtual WAN
-- A virtual WAN hub with an [ExpressRoute gateway](virtual-wan-expressroute-portal.md) and a [VPN gateway](virtual-wan-site-to-site-portal.md)
+- An Azure virtual WAN.
+- A virtual WAN hub with an [ExpressRoute gateway](virtual-wan-expressroute-portal.md) and a [VPN gateway](virtual-wan-site-to-site-portal.md).
 
 For the steps to create an Azure virtual WAN and a hub with an ExpressRoute association, see [Create an ExpressRoute association using Azure Virtual WAN](virtual-wan-expressroute-portal.md). For the steps to create a VPN gateway in the virtual WAN, see [Create a site-to-site connection using Azure Virtual WAN](virtual-wan-site-to-site-portal.md).
 
@@ -70,49 +70,40 @@ The site resource is the same as the non-ExpressRoute VPN sites for a virtual WA
 > The IP address for the on-premises VPN device *must* be part of the address prefixes advertised to the virtual WAN hub via Azure ExpressRoute private peering.
 >
 
-1. Go to the Azure portal in your browser. 
-1. Select the hub that you created. On the virtual WAN hub page, under **Connectivity**, select **VPN sites**.
-1. On the **VPN sites** page, select **+Create site**.
-1. On the **Create site** page, fill in the following fields:
-   * **Subscription**: Verify the subscription.
-   * **Resource Group**: Select or create the resource group that you want to use.
-   * **Region**: Enter the Azure region for the VPN site resource.
-   * **Name**: Enter the name by which you want to refer to your on-premises site.
-   * **Device vendor**: Enter the vendor of the on-premises VPN device.
+1. Go to **YourVirtualWAN > VPN sites** and create a site for your on-premises network. For basic steps, see [Create a site](virtual-wan-site-to-site-portal.md). Keep in mind the following settings values:
+
    * **Border Gateway Protocol**: Select "Enable" if your on-premises network uses BGP.
    * **Private address space**: Enter the IP address space that's located on your on-premises site. Traffic destined for this address space is routed to the on-premises network via the VPN gateway.
-   * **Hubs**: Select one or more hubs to connect this VPN site. The selected hubs must have VPN gateways already created.
-1. Select **Next: Links >** for the VPN link settings:
-   * **Link Name**: The name by which you want to refer to this connection.
+
+1. Select **Links** to add information about the physical links. Keep in mind the following settings information:
+
    * **Provider Name**: The name of the internet service provider for this site. For an ExpressRoute on-premises network, it's the name of the ExpressRoute service provider.
    * **Speed**: The speed of the internet service link or ExpressRoute circuit.
    * **IP address**: The public IP address of the VPN device that resides on your on-premises site. Or, for ExpressRoute on-premises, it's the private IP address of the VPN device via ExpressRoute.
 
-   If BGP is enabled, it will apply to all connections created for this site in Azure. Configuring BGP on a virtual WAN is equivalent to configuring BGP on an Azure VPN gateway. 
-   
-   Your on-premises BGP peer address *must not* be the same as the IP address of your VPN to the device or the virtual network address space of the VPN site. Use a different IP address on the VPN device for your BGP peer IP. It can be an address assigned to the loopback interface on the device. However, it *can't* be an APIPA (169.254.*x*.*x*) address. Specify this address in the corresponding VPN site that represents the location. For BGP prerequisites, see [About BGP with Azure VPN Gateway](../vpn-gateway/vpn-gateway-bgp-overview.md).
+   * If BGP is enabled, it applies to all connections created for this site in Azure. Configuring BGP on a virtual WAN is equivalent to configuring BGP on an Azure VPN gateway.
+
+   * Your on-premises BGP peer address *must not* be the same as the IP address of your VPN to the device or the virtual network address space of the VPN site. Use a different IP address on the VPN device for your BGP peer IP. It can be an address assigned to the loopback interface on the device. However, it *can't* be an APIPA (169.254.*x*.*x*) address. Specify this address in the corresponding VPN site that represents the location. For BGP prerequisites, see [About BGP with Azure VPN Gateway](../vpn-gateway/vpn-gateway-bgp-overview.md).
 
-1. Select **Next: Review + create >** to check the setting values and create the VPN site. If you selected **Hubs** to connect, the connection will be established between the on-premises network and the hub VPN gateway.
+1. Select **Next: Review + create >** to check the setting values and create the VPN site, then **Create** the site.
+1. Next, connect the site to the hub using these basic [Steps](virtual-wan-site-to-site-portal.md#connectsites) as a guideline. It can take up to 30 minutes to update the gateway.
 
 ## <a name="hub"></a>3. Update the VPN connection setting to use ExpressRoute
 
 After you create the VPN site and connect to the hub, use the following steps to configure the connection to use ExpressRoute private peering:
 
-1. Go back to the virtual WAN resource page, and select the hub resource. Or navigate from the VPN site to the connected hub.
+1. Go to the virtual hub. You can either do this by going to the Virtual WAN and selecting the hub to open the hub page, or you can go to the connected virtual hub from the VPN site.
 
-   :::image type="content" source="./media/vpn-over-expressroute/hub-selection.png" alt-text="Select a hub":::
 1. Under **Connectivity**, select **VPN (Site-to-Site)**.
 
-   :::image type="content" source="./media/vpn-over-expressroute/vpn-select.png" alt-text="Select VPN (Site-to-Site)":::
-1. Select the ellipsis (**...**) on the VPN site over ExpressRoute, and select **Edit VPN connection to this hub**.
+1. Select the ellipsis (**...**) or right click the VPN site over ExpressRoute, and select **Edit VPN connection to this hub**.
 
-   :::image type="content" source="./media/vpn-over-expressroute/config-menu.png" alt-text="Enter configuration menu":::
-1. For **Use Azure Private IP Address**, select **Yes**. The setting configures the hub VPN gateway to use private IP addresses within the hub address range on the gateway for this connection, instead of the public IP addresses. This will ensure that the traffic from the on-premises network traverses the ExpressRoute private peering paths rather than using the public internet for this VPN connection. The following screenshot shows the setting:
+1. On the **Basics** page, leave the defaults.
 
-   :::image type="content" source="./media/vpn-over-expressroute/vpn-link-configuration.png" alt-text="Setting for using a private IP address for the VPN connection" border="false":::
-1. Select **Save**.
+1. On the **Link connection 1** page, configure the following settings:
 
-After you save your changes, the hub VPN gateway will use the private IP addresses on the VPN gateway to establish the IPsec/IKE connections with the on-premises VPN device over ExpressRoute.
+   - For **Use Azure Private IP Address**, select **Yes**. The setting configures the hub VPN gateway to use private IP addresses within the hub address range on the gateway for this connection, instead of the public IP addresses. This ensures that the traffic from the on-premises network traverses the ExpressRoute private peering paths rather than using the public internet for this VPN connection.
+1. Click **Create** to update the settings. After the settings have been created, the hub VPN gateway will use the private IP addresses on the VPN gateway to establish the IPsec/IKE connections with the on-premises VPN device over ExpressRoute.
 
 ## <a name="associate"></a>4. Get the private IP addresses for the hub VPN gateway
 
@@ -145,7 +136,7 @@ The device configuration file contains the settings to use when you're configuri
            "Instance0":"10.51.230.4"
            "Instance1":"10.51.230.5"
            ```
-    * Configuration details for the VPN gateway connection, such as BGP and pre-shared key. The pre-shared key is automatically generated for you. You can always edit the connection on the **Overview** page for a custom pre-shared key.
+    * Configuration details for the VPN gateway connection, such as BGP and preshared key. The preshared key is automatically generated for you. You can always edit the connection on the **Overview** page for a custom preshared key.
 
 ### Example device configuration file
 
@@ -214,7 +205,7 @@ The device configuration file contains the settings to use when you're configuri
 
 If you need instructions to configure your device, you can use the instructions on the [VPN device configuration scripts page](~/articles/vpn-gateway/vpn-gateway-about-vpn-devices.md#configscripts) with the following caveats:
 
-* The instructions on the VPN device page are not written for a virtual WAN. But you can use the virtual WAN values from the configuration file to manually configure your VPN device. 
+* The instructions on the VPN device page aren't written for a virtual WAN. But you can use the virtual WAN values from the configuration file to manually configure your VPN device.
 * The downloadable device configuration scripts that are for the VPN gateway don't work for the virtual WAN, because the configuration is different.
 * A new virtual WAN can support both IKEv1 and IKEv2.
 * A virtual WAN can use only route-based VPN devices and device instructions.