Tag Archives: VPN

Creating a VPN gateway in Azure ARM using PowerShell

Spent a few days at a customer site building stuff. Needed some gateways in ARM (Azure Resource Manager) mode. The code below will create a gateway and all artifacts it depends upon.
Use at your own risk 🙂
# Start here
Login-AzureRmAccount
# Variables
$location01 = "West Europe"
$networkname01 = "AzNet"
$rgname01 = "AzNetRG"
# Azure Network Address Space (/27 for VM use. /29 for gateway use)
# Your Azure network MUST have a subnet named "GatewaySubnet"
# Create your network in the portal, make sure to add all address spaces and subnets before running script. Do NOT forget to add "GatewaySubnet".
$localSubnets01 = @("10.1.0.0/27", "10.1.2.0/29")
# Remote Network Address Space
$remotenetwork01 = @("192.168.1.0/24")
# Remote Network Gateway IP
$RemoteGwIP01 = "8.8.8.8"
# Remote Connection Gateway Name
$RemoteConnectionGwName = "RemGW"
# Remote Connection Name
$RemoteConnectionName = "RemConn"
# Pre-shared key for the IPsec connection. Prompted for at run time so it never sits in the script file.
$sharedKey01 = Read-Host -Prompt "Pre-shared key for $RemoteConnectionName"
# Tags applied to the gateway. Edit to taste.
$tags = @{ Purpose = "VPN" }
# Look up the existing network and its gateway subnet
$VNET01 = Get-AzureRMVirtualNetwork -Name $networkname01 -ResourceGroupName $rgname01
$gwSubnet01 = Get-AzureRMVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $VNET01
# Create a new public IP address.
$gwIP01 = New-AzurermPublicIpAddress -Name ($networkname01 + "-gwip") -ResourceGroupName $rgname01 -Location $location01 -AllocationMethod Dynamic
# Create VPN gateway configuration.
$gwConfig01 = New-AzurermVirtualNetworkGatewayIpConfig -Name ($RemoteConnectionName + "-gwconfig") -SubnetId $gwSubnet01.Id -PublicIpAddressId $gwIP01.Id
# Create gateway. This will take up to 40 minutes, so be patient.
$gw01 = New-AzurermVirtualNetworkGateway -Name ($networkname01 + "-gw") -ResourceGroupName $rgname01 -Location $location01 -IpConfigurations $gwConfig01 -GatewayType VPN -VpnType RouteBased -Tag $tags
# Define the remote (on-premises) side: its public gateway IP and address space
$localGw01 = New-AzurermLocalNetworkGateway -Name $RemoteConnectionGwName -ResourceGroupName $rgname01 -Location $location01 -GatewayIpAddress $RemoteGwIP01 -AddressPrefix $remotenetwork01
$AzureGW = Get-AzureRmVirtualNetworkGateway -Name ($networkname01 + "-gw") -ResourceGroupName $rgname01
$RemoteGW = Get-AzurermLocalNetworkGateway -Name $RemoteConnectionGwName -ResourceGroupName $rgname01
# Create the IPsec connection between the two gateways
New-AzurermVirtualNetworkGatewayConnection -Name $RemoteConnectionName -ResourceGroupName $rgname01 -Location $location01 -VirtualNetworkGateway1 $AzureGW -LocalNetworkGateway2 $RemoteGW -ConnectionType IPsec -RoutingWeight 10 -SharedKey $sharedKey01
# End here

Using different pre-shared keys for Azure virtual network tunnels

I get loads of questions on Azure networking, some of them are good and others are just a lack of the will to RTFM. But this one actually had me trying it out, because I wasn’t sure it was possible.

The question was: Can you have different pre-shared keys on the tunnels in Azure?

Looking around I found lots of examples of multiple tunnels, but all with the same PSK (Pre-Shared Key).

No better way than trying then, is there?

The setup is three different virtual networks:

A-net, B-net and C-net.

There are four different local networks. A local network is a definition of the address range and gateway address of the network you connect a vnet to.

We’ve got:

A-BC-local (connecting A to B with multihop-routing to C)
A-net-local (connecting B to A)
C-AB-local (connecting C to B with multihop-routing to A)
C-net-local (connecting B to C)

So it’s A – B – C if you didn’t figure that out 🙂

A connected to A-BC-local.

B connected to both A and C.

C connected to B.

When they’re all configured they won’t connect, since each newly created gateway gets an automatically generated PSK. You’ll need to use PowerShell to set the PSK for each tunnel, on both ends.

Set-AzureVNetGatewayKey -VNetName A-net -LocalNetworkSiteName A-BC-local -SharedKey 456
Set-AzureVNetGatewayKey -VNetName B-net -LocalNetworkSiteName A-net-local -SharedKey 456
Set-AzureVNetGatewayKey -VNetName B-net -LocalNetworkSiteName C-net-local -SharedKey 123
Set-AzureVNetGatewayKey -VNetName C-net -LocalNetworkSiteName C-AB-local -SharedKey 123

This sets the A to B tunnel to 456 on both a-gw and b-gw, while B to C gets 123.

Then connect the networks using

Set-AzureVNetGateway -VNetName A-net -LocalNetworkSiteName A-BC-local -Connect
Set-AzureVNetGateway -VNetName C-net -LocalNetworkSiteName C-AB-local -Connect

Conclusion: You can set your own PSK for each tunnel, no matter if it’s to on-premises or between networks in Azure.
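
The same idea with keys you would actually want on a production tunnel, as an added example (my code, not from the post): each tunnel gets its own random 256-bit key from the OS CSPRNG, the key is set on both ends, and then the gateways are connected. The tunnel names and the hex encoding are my choices; the vnet and local network names are the post's.

```powershell
# Added example, not part of the original post. Topology is the A - B - C
# setup above: two tunnels, each with two ends that must share one PSK.
$tunnels = @(
    @{ Name = 'A-B'; Ends = @(
        @{ VNet = 'A-net'; Site = 'A-BC-local' },
        @{ VNet = 'B-net'; Site = 'A-net-local' }) },
    @{ Name = 'B-C'; Ends = @(
        @{ VNet = 'B-net'; Site = 'C-net-local' },
        @{ VNet = 'C-net'; Site = 'C-AB-local' }) }
)

# Random bytes from the platform CSPRNG, hex-encoded so the key is plain ASCII
# (32 bytes -> 64 hex characters).
function New-TunnelPsk ([int]$ByteLength = 32) {
    $buffer = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    return -join ($buffer | ForEach-Object { $_.ToString('x2') })
}

# One fresh key per tunnel, applied to both gateways of that tunnel.
$keys = @{}
foreach ($tunnel in $tunnels) {
    $psk = New-TunnelPsk
    foreach ($end in $tunnel.Ends) {
        Set-AzureVNetGatewayKey -VNetName $end.VNet -LocalNetworkSiteName $end.Site -SharedKey $psk
    }
    $keys[$tunnel.Name] = $psk   # record in your password manager, not in a script
}

# Bring the tunnels up once both ends of each have the matching key.
Set-AzureVNetGateway -VNetName 'A-net' -LocalNetworkSiteName 'A-BC-local' -Connect
Set-AzureVNetGateway -VNetName 'C-net' -LocalNetworkSiteName 'C-AB-local' -Connect
```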

Connecting an Azure RemoteApp virtual network to a virtual network

So you finally got your trial approved for RemoteApp and thought you’d connect your RemoteApp virtual network to the rest of your infrastructure in Azure? Well, I stepped in that pile too, but solved it in the usual way: with PowerShell and the new multi-vnet configuration ability.

You need at least one existing virtual network, and you need to configure a virtual network in the RemoteApp part of the portal.

Click RemoteApp -> Virtual Networks -> Create

Enter a name for your network and select region.

Enter the address space you want for your RemoteApp server(s) and the address space for your local networks. With local networks I mean either your on-premises network or the other networks you have defined in Azure. In my case I’ll be connecting my RemoteApp network to my other networks in Azure.

Enter the DNS servers you want your RemoteApp server to receive from DHCP. This is so your applications can resolve your local hostnames, for SQL connectivity or any other type of traffic. You also need to specify the address of the VPN device; I’ve entered the address of my gateway in Azure. If you’re connecting multiple virtual networks you MUST select “Dynamic” as the VPN gateway type. Static routing only works between two networks in Azure.

Network created, now waiting for VPN Configuration.

Now we’ll click on “Manage key” and copy the address for the gateway. You might as well copy the key to a notepad file while you’re at it.

Add your RemoteApp network as a local network in the “Networks” part of the portal. Specify the gateway address you just copied.

When it’s saved, export the network configuration from the portal. Open the XML file and edit the corresponding virtual network, adding a connection to your newly created “local” network. Mine is named RemoteAppVnet, as you can see below.

Import your configuration to Azure. Networks -> New -> Network Services -> Import configuration

Once your information is imported you’ll see your new network as “Not connected” in the overview in the virtual network.

Open PowerShell (with the Azure cmdlets) and run the following two commands, substituting the vnet name, local network name and key with your own values.

Once those are run your networks should be connected and all green!

How to configure multiple virtual network connections in Azure

When using infrastructure as a service in Microsoft Azure you could earlier only have one virtual network, which would be like its own little isolated island. A while back Microsoft enabled its customers to connect multiple virtual networks together: in the same datacenter, in the same region, cross region and cross subscription. This enables a whole lot of new scenarios, for example building your own global datacenter on top of Azure infrastructure.

So how do you go about doing it? Well, you need to start with planning. I know it’s boring, but if you don’t you could end up having to tear everything down just to rebuild it, which doesn’t sound like much fun either.

What you need before starting:

An IP plan
A VPN device with a public IPv4 address (not necessary, but it lets you enable a hybrid cloud scenario)
PowerShell cmdlets for Azure installed and configured

My IP plan looks like this:

Local network name   Subnet
HomeNet              10.0.0.0/24
AzureNet-Local       10.0.1.0/24
USNet-Local          10.0.2.0/24
JNNet-Local          10.0.3.0/24

Of the networks above, HomeNet is my physical network location. The other three networks exist only in Azure. What you must make sure of when you plan is that no ranges overlap anywhere, no matter if they’re in Azure or at any physical location.

Once that’s planned, keep a separate table for your topology so you know which networks to connect. I have one below. When starting off you won’t know your gateway IPs yet, so don’t worry about that column.

Virtual Network   Subnet        Gateway           Local network   Local subnet
AzureNet          10.0.1.0/24   137.117.227.xxx   HomeNet         10.0.0.0/24
USNet             10.0.2.0/24   168.61.160.xxx    JNNet           10.0.3.0/24
JNNet             10.0.3.0/24   23.97.77.xxx      USNet           10.0.2.0/24

Getting started

Starting off I already have one network called AzureNet (10.0.1.0/24) which is connected to my physical network HomeNet (10.0.0.0/24). You can follow this guide even if you don’t have that, just repeat the process.
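
Before building anything, here is an added check (my code, not from the post) that the IP plan above contains no overlapping ranges, which is the one planning mistake that forces you to tear everything down. The $ipPlan table is copied from the post; the same helper works on the $localSubnets01 and $remotenetwork01 values in the ARM script at the top of this page.

```powershell
# Added example, not part of the original post. Plan copied from the table above.
$ipPlan = @{
    'HomeNet'        = '10.0.0.0/24'
    'AzureNet-Local' = '10.0.1.0/24'
    'USNet-Local'    = '10.0.2.0/24'
    'JNNet-Local'    = '10.0.3.0/24'
}

# Dotted IPv4 address -> unsigned 64-bit number (avoids signed Int32 overflow)
function ConvertTo-IPv4Number ([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

# First and last address of a CIDR block, rounding a misaligned host part down
function Get-IPv4Range ([string]$Cidr) {
    $parts = $Cidr.Split('/')
    $size  = [uint64][math]::Pow(2, 32 - [int]$parts[1])
    $start = [uint64][math]::Floor([double](ConvertTo-IPv4Number $parts[0]) / $size) * $size
    return @{ Start = $start; End = $start + $size - 1 }
}

# Two blocks overlap when neither one ends before the other begins
function Test-CidrOverlap ([string]$CidrA, [string]$CidrB) {
    $a = Get-IPv4Range $CidrA
    $b = Get-IPv4Range $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# Compare every pair in the plan and emit one object per overlapping pair
function Find-PlanOverlaps ([hashtable]$Plan) {
    $names = @($Plan.Keys | Sort-Object)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            if (Test-CidrOverlap $Plan[$names[$i]] $Plan[$names[$j]]) {
                [pscustomobject]@{
                    NetworkA = $names[$i]; PrefixA = $Plan[$names[$i]]
                    NetworkB = $names[$j]; PrefixB = $Plan[$names[$j]]
                }
            }
        }
    }
}

$overlaps = @(Find-PlanOverlaps $ipPlan)
if ($overlaps.Count -eq 0) {
    'No overlapping ranges. Safe to create the networks.'
} else {
    $overlaps | Format-Table -AutoSize
    throw 'Fix the IP plan before creating any network or gateway.'
}
```

Add the on-premises ranges of every physical site to $ipPlan as well; an overlap with a range that only exists outside Azure is just as fatal for routing.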

Let’s create a new virtual network first

In the portal, click New -> Network Services -> Virtual Network -> Custom Create

Name your network and select a location. South Central is in Brazil, so I’ve named my network BRnet.

Select (or enter) the IP address and name of your DNS servers for local name resolution.

Enter your address space. Make sure there are no overlapping subnets anywhere. Very important!

Repeat this process for all the virtual networks you need.

When all your virtual networks are created it’ll look like this. Note the different locations in my setup, placing my networks in Japan, USA and Amsterdam.

Local networks

When the virtual networks are done we’ll create local networks from the virtual networks. This is because, to be able to connect the networks, each of them also needs to be defined as “local” in Azure.

Name your network, and specify 1.2.3.4 as VPN device address.

Specify the address space that you’ve planned beforehand.

Repeat this for each virtual network, re-defining it as local.

When you’re done it’ll look like this

Switch back to your virtual networks in the portal and go into the configure tab. Check the “connect to the local network”-box and select the corresponding “local network” that you planned before. Click save at the bottom. Repeat this process for each virtual network connecting it to the designated “local” network.

The next step is to create the dynamic gateway. You’ll see the message “The gateway was not created” in the portal. At the bottom click “Create gateway” and select “Dynamic”. Do this for all your virtual networks. It’ll take 10-25 minutes to finish for each gateway. Coffee time!

When they’re all done, note the gateway IP address in your table for all your networks/gateways.

Edit your local networks and add the gateway IP address for each network. Click on the network, click Edit and enter your gateway IP.

When all virtual networks and their corresponding local networks are created it’s XML-time. Get some more coffee!

Click the Export-button and save the file.

Open it in Notepad / Notepad++ (if you haven’t tried it, you must).

In the XML you’ll find the section <LocalNetworkSites> which contains all the networks defined as local.

<LocalNetworkSites>
  <LocalNetworkSite name="AzureNet-Local">
    <AddressSpace>
      <AddressPrefix>10.0.1.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>137.117.227.238</VPNGatewayAddress>
  </LocalNetworkSite>
  <LocalNetworkSite name="HomeNet">
    <AddressSpace>
      <AddressPrefix>10.0.0.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>178.78.193.167</VPNGatewayAddress>
  </LocalNetworkSite>
  <LocalNetworkSite name="JNNet-Local">
    <AddressSpace>
      <AddressPrefix>10.0.3.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>23.97.65.15</VPNGatewayAddress>
  </LocalNetworkSite>
  <LocalNetworkSite name="USNet-Local">
    <AddressSpace>
      <AddressPrefix>10.0.2.0/24</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>168.61.160.90</VPNGatewayAddress>
  </LocalNetworkSite>
</LocalNetworkSites>

If you look further down in the XML you’ll find the section <VirtualNetworkSites>. This contains a <VirtualNetworkSite> subsection for each virtual network, and inside that, under <Gateway>, is where you define the connections to each local network.

<ConnectionsToLocalNetwork>
  <LocalNetworkSiteRef name="HomeNet">
    <Connection type="IPsec" />
  </LocalNetworkSiteRef>
  <LocalNetworkSiteRef name="JNNet-Local">
    <Connection type="IPsec" />
  </LocalNetworkSiteRef>
  <LocalNetworkSiteRef name="USNet-Local">
    <Connection type="IPsec" />
  </LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>

So for each virtual network you’ll need to add a <LocalNetworkSiteRef> block like the ones above for every local network it should connect to.

If you look at my complete XML I’ve marked those sections in red.

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="cmdc01" IPAddress="192.168.1.4" />
        <DnsServer name="cmdemodc01" IPAddress="192.168.1.10" />
        <DnsServer name="DC01" IPAddress="10.0.0.10" />
        <DnsServer name="DC02" IPAddress="10.0.1.4" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="AzureNet-Local">
        <AddressSpace>
          <AddressPrefix>10.0.1.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>137.117.227.238</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="HomeNet">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>178.78.193.167</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="JNNet-Local">
        <AddressSpace>
          <AddressPrefix>10.0.3.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>23.97.65.15</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="USNet-Local">
        <AddressSpace>
          <AddressPrefix>10.0.2.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>168.61.160.90</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AzureNet" AffinityGroup="AzureNet">
        <AddressSpace>
          <AddressPrefix>10.0.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.1.0/27</AddressPrefix>
          </Subnet>
          <Subnet name="Contoso-Subnet">
            <AddressPrefix>10.0.1.200/27</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.1.32/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DC01" />
          <DnsServerRef name="DC02" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="HomeNet">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="JNNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="USNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="CMDemo" AffinityGroup="CMDemo-AFG">
        <AddressSpace>
          <AddressPrefix>192.168.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Infra">
            <AddressPrefix>192.168.1.0/26</AddressPrefix>
          </Subnet>
          <Subnet name="Mgmt">
            <AddressPrefix>192.168.1.64/26</AddressPrefix>
          </Subnet>
          <Subnet name="Clients">
            <AddressPrefix>192.168.1.128/27</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="cmdc01" />
        </DnsServersRef>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="JnNet" AffinityGroup="JnNet-AFG">
        <AddressSpace>
          <AddressPrefix>10.0.3.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.3.0/28</AddressPrefix>
          </Subnet>
          <Subnet name="Subnet-2">
            <AddressPrefix>10.0.3.24/29</AddressPrefix>
          </Subnet>
          <Subnet name="Subnet-3">
            <AddressPrefix>10.0.3.32/27</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.3.16/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DC01" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="USNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="AzureNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="UsNet" AffinityGroup="CentralUS-AG">
        <AddressSpace>
          <AddressPrefix>10.0.2.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.2.0/28</AddressPrefix>
          </Subnet>
          <Subnet name="Subnet-2">
            <AddressPrefix>10.0.2.24/29</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.2.16/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="DC02" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="JNNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="AzureNet-Local">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>

Note that each virtual network with a gateway has its own <ConnectionsToLocalNetwork> section listing the local networks it connects to.
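
Hand-editing the export is error-prone, so here is an added example (my code, not from the post) that inserts the <LocalNetworkSiteRef> entries from a topology map and refuses any name that is not defined under <LocalNetworkSites>, which is what makes the import fail. The file path and the $topology map are assumptions; the site names are the ones in the XML above. The same script covers the RemoteApp post earlier on the page, where one vnet gets a single new connection.

```powershell
# Added example, not part of the original post.
$netcfgPath = 'C:\Azure\NetworkConfig.xml'   # assumed location of the exported file
$topology = @{                                # vnet name -> local networks it connects to
    'AzureNet' = @('HomeNet', 'JNNet-Local', 'USNet-Local')
    'JnNet'    = @('USNet-Local', 'AzureNet-Local')
    'UsNet'    = @('JNNet-Local', 'AzureNet-Local')
}

[xml]$cfg = Get-Content -Path $netcfgPath -Raw
$ns  = $cfg.DocumentElement.NamespaceURI     # new elements must carry the schema namespace
$vnc = $cfg.NetworkConfiguration.VirtualNetworkConfiguration

# Every <LocalNetworkSiteRef name="..."> must match a defined <LocalNetworkSite>
$definedLocals = @($vnc.LocalNetworkSites.LocalNetworkSite | ForEach-Object { $_.GetAttribute('name') })

# Return the named child element, creating it in the document namespace if missing
function Get-OrAddChild ([System.Xml.XmlElement]$Parent, [string]$Name) {
    $child = $Parent[$Name]
    if ($null -eq $child) {
        $child = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name, $ns))
    }
    return $child
}

foreach ($site in $vnc.VirtualNetworkSites.VirtualNetworkSite) {
    $siteName = $site.GetAttribute('name')
    if (-not $topology.ContainsKey($siteName)) { continue }   # e.g. CMDemo has no gateway
    $conns = Get-OrAddChild (Get-OrAddChild $site 'Gateway') 'ConnectionsToLocalNetwork'
    $already = @($conns.ChildNodes | Where-Object NodeType -eq 'Element' |
                 ForEach-Object { $_.GetAttribute('name') })
    foreach ($local in $topology[$siteName]) {
        if ($definedLocals -notcontains $local) {
            throw "${siteName}: no LocalNetworkSite named '$local' is defined. Add it first."
        }
        if ($already -contains $local) { continue }            # idempotent on re-runs
        $ref = $cfg.CreateElement('LocalNetworkSiteRef', $ns)
        $ref.SetAttribute('name', $local)
        $conn = $cfg.CreateElement('Connection', $ns)
        $conn.SetAttribute('type', 'IPsec')
        [void]$ref.AppendChild($conn)
        [void]$conns.AppendChild($ref)
    }
}
$cfg.Save($netcfgPath)
```

Diff the saved file against the original export before importing it, so the only change you upload is the set of connections you intended.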

When you’re done save the file and then it’s time to import it!

Wait for your networks to configure. Then it’s PowerShell-time!

Fire up PowerShell with the Azure cmdlets.

Run the cmdlet “Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName JNNet-Local -SharedKey a1b2c3d4” for each virtual network, setting the key for each local network it connects to.

So I’d run:

Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName JNNet-Local -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName USNet-Local -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName AzureNet -LocalNetworkSiteName HomeNet -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName JNNet -LocalNetworkSiteName USNet-Local -SharedKey a1b2c3d4
Set-AzureVNetGatewayKey -VNetName JNNet -LocalNetworkSiteName AzureNet-Local -SharedKey a1b2c3d4

And so on, switching the virtual network and the local network according to your topology.

When you’re done with that it’s time to connect your networks:

Set-AzureVNetGateway -VNetName AzureNet -LocalNetworkSiteName JNNet-Local -Connect

And as before, substitute the vnet names and local network names for your own.

Once done it’ll (hopefully) look like this:

How did you do? Let me know in the comments!