Step-By-Step: Multi-Site Azure VPN in the Resource Manager Model

Hello Folks,

A while back I wrote about setting up VPN solutions between your own datacenter and Azure and between azure sites.

But these were written with the classic Cloud Service model. Azure has evolved since to the Azure Resource Manager Model. This new model allows you to deploy, organize and control/manage resources (such as websites, virtual machines and databases…) as a single logical unit.

A couple weeks ago I got a call from a colleague working with a customer that were having issues with their own VPN between the own locations and their Azure virtual networks. That is when I realized that my step-by-step articles needed to be updated to take ARM in consideration.

So in this post we will look at the steps needed to setup a Multi-site VPN between 4 virtual networks in 2 different regions (in this case US East and US West). I’ll add the local datacenter (in this case my home office) manually in the next post.

image

Before we start. There are a few things we need to keep in mind before we jump in to configuring our solution.

  • VNet-to-VNet VPN requires Azure gateways with Route-Based (previously called Dynamic) VPN types. Policy-based gateway do not support multi-site.
  • Virtual network connectivity can be used simultaneously with multi-site VPNs, with a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to other virtual networks or on-premises sites.
  • The address spaces of the virtual networks and on-premises local network sites must not overlap. Overlapping address spaces will cause the creation of virtual networks to fail.
  • All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.
  • VNet-to-VNet traffic travels across the Azure backbone.

to get more info on that subject please review Configure a VNet-to-VNet connection for virtual networks in the same subscription by using Azure Resource Manager and PowerShell

Ok. let’s start.

Step 1: Plan your IP Address Space

As we mentioned you need to take particular attention to setting the IP address of your environment. Each virtual network can work really well on it’s own. But when you try to connect them and there is overlap somewhere the connection will fail.

In my case I selected the following IP spaces

US East

· resource group 1

o Vnet1

- Address space - 172.25.0.0/20

· subnet1 - 172.25.0.0/24

· GatewaySubnet – 172.25.15.0/24

· resource group 2

o Vnet2

- Address space - 172.25.16.0/20

· Subnet1 – 172.25.16.0/24

· GatewaySubnet - 172.25.31.0/24

 

US West

· resource group 1

o Vnet1

- Address space - 172.25.32.0/20

· subnet1 - 172.25.32.0/24

· GatewaySubnet – 172.25.47.0/24

· resource group 2

o Vnet2

- Address space - 172.25.48.0/20

· Subnet1 – 172.25.48.0/24

· GatewaySubnet - 172.25.63.0/24

No address space overlaps,, it gives me the opportunity to add 14 more subnets should the need arises.

Step 2 - Connect to your subscription and create the Resource Groups

I used PowerShell to create my environment so let’s look at each part of the script in details.  Since this is for the Resource Manager Model if you have not done so before, you need to update your PowerShell from https://azure.microsoft.com/en-us/downloads and you should install the ARM modules by using the following commands

  1. #To install the Resource Manager module directly from the Gallery, open Windows PowerShell as administrator and type the following:
  2. Install-Module AzureRM
  3. Install-AzureRM
  4.  
  5. #Once you have installed the modules, you'll need to import them in order to use them
  6. Import-AzureRM

Once that is done. (and it may take a while), proceed to connect to your subscription.  We use Login-AzureRmAccount command to authenticate. The Resource Manager modules requires Login-AzureRmAccount. A Publish Settings file is not sufficient.

  1. #Open your PowerShell console and connect to your account. Use the following sample to help you connect
  2. Login-AzureRmAccount
  3.  
  4. #Check the subscriptions for the account.
  5. Get-AzureRmSubscription
  6.  
  7. #Specify the subscription that you want to use.
  8. Select-AzureRmSubscription -Subscriptionid "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

Step 3 - Create a virtual network, Request a public IP address

This next step is the bulk of the work In this step I created:

  • The Resource Group
  • The virtual Network with the proper subnets (“Subnet1” where my VM will be located and “Gateway Subnet” which is required to create the gateway.) Please keep in mind that the name of the gateway subnet MUST BE “Gateway Subnet”.
  • The VPN gateway

the variables I used are for the following:

  • $RG1= the name of the Resource Group I want to create.
  • $loc1= The region where I want my resource group and the vNet created.
  • $vnetname1= The name of the vNet I will create
  • $AddPrefix= The Address Space of the vNet
  • $subnet1= The Address Range of subnet1
  • $gatewayname1= The name of the gateway that will be created in this resource group
  • $GTWsubnetPrefix= The Address Range of the ‘Gateway Subnet’
  • $gwipconfig= The name of the object for the Public IP address that will be reserved for the gateway in this resource group.
  1. #create vnets and a public IP address to be allocated to the gateway you will create for your VNet in resource group rg-client-east1
  2. $RG1='rg-client-east1'
  3. $loc1='East US'
  4. $vnetname1='VNet-client-east1'
  5. $AddPrefix='172.25.0.0/20'
  6. $subnet1='172.25.0.0/24'
  7. $gatewayname1='gw-client-east1'
  8. $GTWsubnetPrefix='172.25.15.0/24'
  9. $gwipconfig='ip-gw-client-east1-config'
  10.  
  11. New-AzureRmResourceGroup -Name $RG1 -Location $loc1 -Force
  12. $subnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $GTWsubnetPrefix
  13. $subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix $subnet1
  14. New-AzureRmVirtualNetwork -Name $vnetname1 -ResourceGroupName $RG1 -Location $loc1 -AddressPrefix $AddPrefix -Subnet $subnet, $subnet1
  15. $gwpip= New-AzureRmPublicIpAddress -Name $gatewayname1 -ResourceGroupName $RG1 -Location $loc1 -AllocationMethod Dynamic
  16. $vnet = Get-AzureRmVirtualNetwork -Name $vnetname1 -ResourceGroupName $RG1
  17. $gtwsubnetconfig = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
  18. $gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $gwipconfig -SubnetId $gtwsubnetconfig.Id -PublicIpAddressId $gwpip.Id
  19. New-AzureRmVirtualNetworkGateway -Name $gatewayname1 -ResourceGroupName $RG1 -Location $loc1 -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased

Repeat this step for each resource group and virtual network you want to create.  Next we will setup the connection configurations to allows each Gateway to know how and where to connect.

In my case I create 4 Resource Groups, in 2 regions (2 in each)

  • rg-client-east1
  • rg-client-east2
  • rg-client-west1
  • rg-client-west2

Each RM has a vNet (each vnet has one subnet for VMs and a gateway subnet)

  • VNet-client-east1
  • VNet-client-east2
  • VNet-client-west1
  • VNet-client-west2

and 4 gateways

  • gw-client-east1
  • gw-client-east2
  • gw-client-west1
  • gw-client-west2

Step 5 - Connect the gateways

In this step, you'll create the VPN gateway connections between the virtual network gateways. in the script we specified a Shared Key used by the gateways to enable the connection. Please use your own values for the shared key we would not want all VPNs to end up with the very unsecure a1b2c3d4e5 key.

The important thing is that the shared key must match for both end of the connection. And you will need 2 connections for each pair of gateways you are connecting.  so in the script below you will notice that each pair has 2 New-AzureRmVirtualNetworkGatewayConnectioncommands.

image

Remember, when creating connections, be aware that it will take some time to complete.

  1. #create the VPN gateway connections between all the virtual network - Full mesh
  2. $vnetgw1 = Get-AzureRmVirtualNetworkGateway -Name $gatewayname1 -ResourceGroupName $RG1
  3. $vnetgw2 = Get-AzureRmVirtualNetworkGateway -Name $gatewayname2 -ResourceGroupName $RG2
  4. $vnetgw3 = Get-AzureRmVirtualNetworkGateway -Name $gatewayname3 -ResourceGroupName $RG3
  5. $vnetgw4 = Get-AzureRmVirtualNetworkGateway -Name $gatewayname4 -ResourceGroupName $RG4
  6.  
  7. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-1 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnetgw1 -VirtualNetworkGateway2 $vnetgw2 -Location $loc1 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  8. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-2 -ResourceGroupName $RG2 -VirtualNetworkGateway1 $vnetgw2 -VirtualNetworkGateway2 $vnetgw1 -Location $loc2 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  9.  
  10. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-3 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnetgw1 -VirtualNetworkGateway2 $vnetgw3 -Location $loc1 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  11. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-4 -ResourceGroupName $RG3 -VirtualNetworkGateway1 $vnetgw3 -VirtualNetworkGateway2 $vnetgw1 -Location $loc3 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  12.  
  13. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-5 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnetgw1 -VirtualNetworkGateway2 $vnetgw4 -Location $loc1 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  14. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-6 -ResourceGroupName $RG4 -VirtualNetworkGateway1 $vnetgw4 -VirtualNetworkGateway2 $vnetgw1 -Location $loc4 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  15.  
  16. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-7 -ResourceGroupName $RG2 -VirtualNetworkGateway1 $vnetgw2 -VirtualNetworkGateway2 $vnetgw3 -Location $loc2 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  17. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-8 -ResourceGroupName $RG3 -VirtualNetworkGateway1 $vnetgw3 -VirtualNetworkGateway2 $vnetgw2 -Location $loc3 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  18.  
  19. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-9 -ResourceGroupName $RG2 -VirtualNetworkGateway1 $vnetgw2 -VirtualNetworkGateway2 $vnetgw4 -Location $loc2 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  20. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-10 -ResourceGroupName $RG4 -VirtualNetworkGateway1 $vnetgw4 -VirtualNetworkGateway2 $vnetgw2 -Location $loc4 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  21.  
  22. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-11 -ResourceGroupName $RG3 -VirtualNetworkGateway1 $vnetgw3 -VirtualNetworkGateway2 $vnetgw4 -Location $loc3 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'
  23. New-AzureRmVirtualNetworkGatewayConnection -Name conn-client-12 -ResourceGroupName $RG4 -VirtualNetworkGateway1 $vnetgw4 -VirtualNetworkGateway2 $vnetgw3 -Location $loc4 -ConnectionType Vnet2Vnet -SharedKey 'a1b2c3d4e5'

After giving the connections enough time to connect I ended up with a fully meshed VPN network between 4 separate virtual networks 6 connection per site for a fully meshed network with 4 gateways.

image

I hope this helps.

Cheers!

Signature

Pierre Roman
@pierreroman