I get loads of questions on Azure networking; some of them are good and others just show a lack of will to RTFM. But this one actually had me trying it out, because I wasn’t sure it was possible.
The question was: Can you have different pre-shared keys on the tunnels in Azure?
Looking around I found lots of examples of multiple tunnels, but all with the same PSK (Pre-Shared Key).
No better way than trying then, is there?
The setup is three different virtual networks:
A-net, B-net and C-net.
There are four different local networks. A local network is a definition of the address range and gateway address of the remote side that you connect a vnet to.
A-BC-local (connecting A to B with multihop-routing to C)
A-net-local (connecting B to A)
C-AB-local (connecting C to B with multihop-routing to A)
C-net-local (connecting B to C)
A connected to A-BC-local.
B connected to both A and C.
C connected to B.
When they’re all configured they won’t connect, since each newly created gateway gets an automatically generated PSK. You’ll need PowerShell to set the PSK for each tunnel.
Set-AzureVNetGatewayKey -VNetName A-net -LocalNetworkSiteName A-BC-local -SharedKey 456
Set-AzureVNetGatewayKey -VNetName B-net -LocalNetworkSiteName A-net-local -SharedKey 456
Set-AzureVNetGatewayKey -VNetName B-net -LocalNetworkSiteName C-net-local -SharedKey 123
Set-AzureVNetGatewayKey -VNetName C-net -LocalNetworkSiteName C-AB-local -SharedKey 123
This sets the A-to-B tunnel key to 456 on both the A gateway and the B gateway, and the B-to-C tunnel key to 123 on both ends.
Then connect the networks using
Set-AzureVNetGateway -VNetName A-net -LocalNetworkSiteName A-BC-local -Connect
Set-AzureVNetGateway -VNetName C-net -LocalNetworkSiteName C-AB-local -Connect
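The whole procedure above, keying and connecting each tunnel, scripted as one added example. This is not from the original post or from Azure's own tooling: it assumes the classic Azure PowerShell module is loaded with a subscription selected, that the vnets, local network sites and gateways already exist as described, and that Get-AzureVNetGatewayKey returns an object whose Value property holds the key. Instead of the fixed 123/456 demo values it draws a separate random alphanumeric PSK per tunnel and checks that both gateways of a tunnel received the same key before connecting.

```powershell
# Added example (not from the original post): one distinct PSK per tunnel across
# the A-net / B-net / C-net topology, applied to both ends, verified, then connected.
# Assumes Add-AzureAccount / Select-AzureSubscription have already been run and
# that the vnets, local network sites and gateways exist as in the post.

# Each tunnel is described by its two ends: a vnet and the local network site
# that vnet uses to reach the other side. Names are taken from the post.
$tunnels = @(
    @{ Name = 'A-B'; Ends = @(
        @{ VNet = 'A-net'; Site = 'A-BC-local' },
        @{ VNet = 'B-net'; Site = 'A-net-local' }) },
    @{ Name = 'B-C'; Ends = @(
        @{ VNet = 'B-net'; Site = 'C-net-local' },
        @{ VNet = 'C-net'; Site = 'C-AB-local' }) }
)

function New-TunnelPsk {
    # Random alphanumeric key from the CSPRNG. Rejection sampling (only bytes
    # below 248 = 4 * 62 are used) keeps the character distribution uniform.
    param([int]$Length = 32)
    $charset = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1
    $key = New-Object System.Text.StringBuilder
    while ($key.Length -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt 248) { [void]$key.Append($charset[$buffer[0] % 62]) }
    }
    return $key.ToString()
}

foreach ($t in $tunnels) {
    $psk = New-TunnelPsk
    foreach ($end in $t.Ends) {
        # The same key must land on both gateways of this tunnel, and only on them.
        Set-AzureVNetGatewayKey -VNetName $end.VNet -LocalNetworkSiteName $end.Site -SharedKey $psk
    }
    # Read the key back from both ends and make sure they agree before connecting
    # (assumption: Get-AzureVNetGatewayKey returns an object with a Value property).
    $readBack = $t.Ends | ForEach-Object {
        (Get-AzureVNetGatewayKey -VNetName $_.VNet -LocalNetworkSiteName $_.Site).Value
    }
    if (($readBack | Select-Object -Unique).Count -ne 1) {
        throw "PSK mismatch on tunnel $($t.Name)"
    }
    # Initiating the connection from one end is enough, as in the post.
    Set-AzureVNetGateway -Connect -VNetName $t.Ends[0].VNet -LocalNetworkSiteName $t.Ends[0].Site
    Write-Output "Tunnel $($t.Name): PSK set on both ends, connect requested"
}
```

Each tunnel is treated as a pair of gateway-side settings, so adding a fourth network or an on-premises site is just another entry in $tunnels; the read-back check catches the case where one Set-AzureVNetGatewayKey call failed and the tunnel would otherwise sit in a connecting state with mismatched keys.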
Conclusion: You can set your own PSK for each tunnel, whether it goes to on-premises or between virtual networks in Azure.