How to Build a Site-to-Site VPN in Azure

With the continued growth of SDWAN and the expense of ExpressRoute, many organizations prefer to build site-to-site VPN connections between their on-prem locations and their Azure instances. Like many things in the cloud, this can be confusing and overly complex compared to what a network engineer is used to. On top of that, the cloud engineer and the network engineer aren’t always one and the same.

I’ll go over each of these in more detail, but this summarizes the sequential steps needed to stand up your site-to-site VPN components in Azure. This assumes a connection to a Cisco router/firewall. If you have a cloud-friendly device like a Meraki on your perimeter, it may be available to buy in the Azure Store (Meraki MX’s are).

  1. Create an Azure VNET
  2. Add Gateway subnet to Azure VNET
  3. Create an Azure Local Network Gateway to your on-prem router(s) for your on-prem address space(s)
  4. Request an Azure public IP address
  5. Create an Azure Virtual Network Gateway IP Config
  6. Create an Azure Virtual Network Gateway
  7. Create an Azure Virtual Network Gateway Connection

Voila! Easy as pie… if that pie recipe were in a foreign language and required calculus. The following steps are based on the new Resource Manager version of the portal and shell. If you’re using the old portal, stop it.

Set Your Variables

I like to set variables in my shell sessions if I’m going to be doing a lot of work. This also makes scripting easier if you plan on scripting this out and either calling static variables or having parameters/prompts for them. For this exercise, the only variables you need are the name of your Resource Group, the Azure datacenter you are working in (e.g. US East), and the eventual name of your VNET.

Set your variables

$rgName = "{Your Resource Group}"
$locName = "{Your Azure datacenter}"
$vnetName = "{Your desired VNET name}"

Create an Azure VNET and Add Gateway Subnet

To do this, you need to connect to your subscription via PowerShell. Once there, you need to create a Resource Group for these networking components if one isn’t already there. I recommend creating a “servers” subnet along with the VNET and Gateway Subnet.

Create VNET and Subnets

## the gateway subnet must be named exactly 'GatewaySubnet'; both prefixes must sit inside the VNET address space
$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '{Your gateway subnet prefix}'
$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name 'Servers' -AddressPrefix '{Your servers subnet prefix}'

New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $locName -AddressPrefix '{Your VNET address space}' -Subnet $subnet1, $subnet2

Create Local Network Gateway

This step tells Azure which on-prem address space(s) sit behind your on-prem router, so that traffic for those prefixes is routed across the VPN to your on-prem network.

Create Local Network Gateway

New-AzureRmLocalNetworkGateway -Name "MyLocalNetworkGateway" -ResourceGroupName $rgName -Location $locName -GatewayIpAddress "{your internet-facing router's IP}" -AddressPrefix "{Your on-prem address space}"

Get Your Public IP and Create Your Virtual Network Gateway

This part is where it gets a little more complicated, but it is simple enough when you see the steps. I’ll comment above each step to make sure you know what you’re doing. Creating the gateway itself can take up to 20 minutes to complete. If your shell session seems hung, just give it time.

Important Note: The VPN type below is based on connecting to Cisco hardware. Depending on your hardware, it may need to be a route-based VPN type instead. A quick Google search should tell you which VPN type your device requires.

Create Virtual Network Gateway

## request public IP for gateway

$gwpip= New-AzureRmPublicIpAddress -Name MyPubIP -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic

## create the gateway IP addressing configuration

$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name MyGatewayIPConfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

## create the gateway – This is the step that can take 20 minutes

New-AzureRmVirtualNetworkGateway -Name MyVirtualGateway -ResourceGroupName $rgName -Location $locName -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType PolicyBased

Create Your Gateway Connection

This is the final step on the Azure side. The SharedKey value in this step is the shared secret that you will also need to configure on your on-prem router.

Create Virtual Network Connection

$gateway1 = Get-AzureRmVirtualNetworkGateway -Name "MyVirtualGateway" -ResourceGroupName $rgName
$local = Get-AzureRmLocalNetworkGateway -Name "MyLocalNetworkGateway" -ResourceGroupName $rgName

New-AzureRmVirtualNetworkGatewayConnection -Name MyVirtualNetworkGatewayConnection -ResourceGroupName $rgName -Location $locName -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'thisshouldbeasecretnobodyknows'

That’s it. Your VPN connection is set up on the Azure side. Your network admin will now have to set it up on your on-prem side like any other site-to-site VPN. Use the external IP you got during these steps as the connection endpoint, together with the shared key. To get the details of your external IP, find it in the resource group you’ve created or use the code below.

Get Your External IP Info

Get-AzureRmPublicIpAddress -Name MyPubIP -ResourceGroupName $rgName
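As an added example (not code from the original post), here is the connection step and the external IP lookup above combined into one script that generates a random pre-shared key instead of a guessable phrase, stores it for handoff to the network admin, and then polls the connection status. It assumes the gateway names, $rgName and $locName from the post, the AzureRm module already logged in, and Windows PowerShell for the DPAPI-protected key file ($env:USERPROFILE\vpn-psk.xml is an assumed path).

```powershell
# Added example, not from the original post. Assumes $rgName, $locName and the
# "MyVirtualGateway" / "MyLocalNetworkGateway" / "MyPubIP" names used above.

# 1. Generate a 32-byte random key and render it as 64 hex characters.
#    Hex keeps the key alphanumeric, so it pastes cleanly into Cisco IOS and
#    stays within Azure's 128-character limit for IPsec shared keys.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$sharedKey = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 2. Store the key DPAPI-protected for the current user instead of echoing it
#    to the console (and its transcript/history). Path is an assumption.
$keyFile = Join-Path $env:USERPROFILE 'vpn-psk.xml'
$sharedKey | ConvertTo-SecureString -AsPlainText -Force | Export-Clixml -Path $keyFile

# 3. Create the connection exactly as in the post, but with the random key.
$gateway1 = Get-AzureRmVirtualNetworkGateway -Name 'MyVirtualGateway' -ResourceGroupName $rgName
$local    = Get-AzureRmLocalNetworkGateway -Name 'MyLocalNetworkGateway' -ResourceGroupName $rgName
$connName = 'MyVirtualNetworkGatewayConnection'

New-AzureRmVirtualNetworkGatewayConnection -Name $connName `
    -ResourceGroupName $rgName -Location $locName `
    -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey $sharedKey | Out-Null

# 4. Collect what the on-prem side needs: Azure's public endpoint address.
$pip = Get-AzureRmPublicIpAddress -Name 'MyPubIP' -ResourceGroupName $rgName
"Azure VPN endpoint : $($pip.IpAddress)"
"Shared key stored  : $keyFile (read back with Import-Clixml)"

# 5. Poll ConnectionStatus. It stays NotConnected/Connecting until the on-prem
#    router is configured with the same key; give up after ~15 minutes.
$status = 'Unknown'
for ($i = 0; $i -lt 30; $i++) {
    $conn   = Get-AzureRmVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rgName
    $status = $conn.ConnectionStatus
    if ($status -eq 'Connected') { break }
    Start-Sleep -Seconds 30
}
"Connection status  : $status"
```

Read the key back with `(Import-Clixml $keyFile)` into a SecureString when handing it to the network admin over a channel you trust, rather than pasting it into a ticket.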

I hope this helps you out. It seems a little convoluted at first, but I like the granular control you have over everything.
