A while back I wrote about setting up VPN solutions between your own datacenter and Azure and between azure sites.
- Step-By-Step: Create a Site-to-Site VPN between your network and Azure
- Step-by-Step: Multi-Site Azure VPN
But these were written with the classic Cloud Service model. Azure has evolved since to the Azure Resource Manager Model. This new model allows you to deploy, organize and control/manage resources (such as websites, virtual machines and databases…) as a single logical unit.
A couple weeks ago I got a call from a colleague working with a customer that were having issues with their own VPN between the own locations and their Azure virtual networks. That is when I realized that my step-by-step articles needed to be updated to take ARM in consideration.
So in this post we will look at the steps needed to setup a Multi-site VPN between 4 virtual networks in 2 different regions (in this case US East and US West). I’ll add the local datacenter (in this case my home office) manually in the next post.
Before we start. There are a few things we need to keep in mind before we jump in to configuring our solution.
- VNet-to-VNet VPN requires Azure gateways with Route-Based (previously called Dynamic) VPN types. Policy-based gateway do not support multi-site.
- Virtual network connectivity can be used simultaneously with multi-site VPNs, with a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to other virtual networks or on-premises sites.
- The address spaces of the virtual networks and on-premises local network sites must not overlap. Overlapping address spaces will cause the creation of virtual networks to fail.
- All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.
- VNet-to-VNet traffic travels across the Azure backbone.
to get more info on that subject please review Configure a VNet-to-VNet connection for virtual networks in the same subscription by using Azure Resource Manager and PowerShell
Ok. let’s start.
Step 1: Plan your IP Address Space
As we mentioned you need to take particular attention to setting the IP address of your environment. Each virtual network can work really well on it’s own. But when you try to connect them and there is overlap somewhere the connection will fail.
In my case I selected the following IP spaces
· resource group 1
- Address space - 172.25.0.0/20
· subnet1 - 172.25.0.0/24
· GatewaySubnet – 172.25.15.0/24
· resource group 2
- Address space - 172.25.16.0/20
· Subnet1 – 172.25.16.0/24
· GatewaySubnet - 172.25.31.0/24
· resource group 1
- Address space - 172.25.32.0/20
· subnet1 - 172.25.32.0/24
· GatewaySubnet – 172.25.47.0/24
· resource group 2
- Address space - 172.25.48.0/20
· Subnet1 – 172.25.48.0/24
· GatewaySubnet - 172.25.63.0/24
No address space overlaps,, it gives me the opportunity to add 14 more subnets should the need arises.
Step 2 - Connect to your subscription and create the Resource Groups
I used PowerShell to create my environment so let’s look at each part of the script in details. Since this is for the Resource Manager Model if you have not done so before, you need to update your PowerShell from http://azure.microsoft.com/en-us/downloads and you should install the ARM modules by using the following commands
Once that is done. (and it may take a while), proceed to connect to your subscription. We use Login-AzureRmAccount command to authenticate. The Resource Manager modules requires Login-AzureRmAccount. A Publish Settings file is not sufficient.
Step 3 - Create a virtual network, Request a public IP address
This next step is the bulk of the work In this step I created:
- The Resource Group
- The virtual Network with the proper subnets (“Subnet1” where my VM will be located and “Gateway Subnet” which is required to create the gateway.) Please keep in mind that the name of the gateway subnet MUST BE “Gateway Subnet”.
- The VPN gateway
the variables I used are for the following:
- $RG1= the name of the Resource Group I want to create.
- $loc1= The region where I want my resource group and the vNet created.
- $vnetname1= The name of the vNet I will create
- $AddPrefix= The Address Space of the vNet
- $subnet1= The Address Range of subnet1
- $gatewayname1= The name of the gateway that will be created in this resource group
- $GTWsubnetPrefix= The Address Range of the ‘Gateway Subnet’
- $gwipconfig= The name of the object for the Public IP address that will be reserved for the gateway in this resource group.
Repeat this step for each resource group and virtual network you want to create. Next we will setup the connection configurations to allows each Gateway to know how and where to connect.
In my case I create 4 Resource Groups, in 2 regions (2 in each)
Each RM has a vNet (each vnet has one subnet for VMs and a gateway subnet)
and 4 gateways
Step 5 - Connect the gateways
In this step, you'll create the VPN gateway connections between the virtual network gateways. in the script we specified a Shared Key used by the gateways to enable the connection. Please use your own values for the shared key we would not want all VPNs to end up with the very unsecure a1b2c3d4e5 key.
The important thing is that the shared key must match for both end of the connection. And you will need 2 connections for each pair of gateways you are connecting. so in the script below you will notice that each pair has 2 New-AzureRmVirtualNetworkGatewayConnectioncommands.
Remember, when creating connections, be aware that it will take some time to complete.
After giving the connections enough time to connect I ended up with a fully meshed VPN network between 4 separate virtual networks 6 connection per site for a fully meshed network with 4 gateways.
I hope this helps.