Creating Site to Site VPN in Azure Resource Manager

December 15, 2015 0 By Morten Lerudjordet

This will be a short post, just wanted to have all Powershell code needed to create a connection between a network outside Azure and your ARM resources in one place.

I tried to set this up with my local TMG server, though this did not work as it did with ASM. Check this page for supported configurations.

Even if it does not work for my setup, the code is nice to have in one place.

To create the bits needed:

$Cred = Get-AutomationPSCredential -Name 'AzureAutomation'

# Shared secret
$VPNSecret = 'xxxxxxxxxxxxxxxxxxxx'
# ARM
$RMaccount = Login-AzureRmAccount -Credential $Cred

# Resource Group
New-AzureRMResourceGroup -Name 'LerunDomainGroup' -Location 'West Europe'

# ARM Network
$GW = New-AzureRMVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.51.0.0/24'
$Edge = New-AzureRMVirtualNetworkSubnetConfig -Name 'EdgeNett' -AddressPrefix '10.51.1.0/24'
$SrvNett = New-AzureRMVirtualNetworkSubnetConfig -Name 'ServerNett' -AddressPrefix '10.51.2.0/24'
New-AzureRMVirtualNetwork -Name 'LerunDomainNetwork' -ResourceGroupName 'LerunDomainGroup' -Location 'West Europe' -AddressPrefix '10.51.0.0/22' -Subnet $GW,$Edge,$SrvNett -DnsServer '192.168.10.2'

# Local Site
New-AzureRMLocalNetworkGateway -Name LerunDomainLocalGW -ResourceGroupName LerunDomainGroup -Location 'West Europe' -GatewayIpAddress '212.251.251.170' -AddressPrefix '192.168.10.0/24'

# Public IP for the gateway
$GWpip = New-AzureRMPublicIpAddress -Name LerunDomainGWpip -ResourceGroupName LerunDomainGroup -Location 'West Europe' -AllocationMethod Dynamic

# Gateway IP config
$nett = Get-AzureRMVirtualNetwork -Name LerunDomainNetwork -ResourceGroupName LerunDomainGroup
$subnet = Get-AzureRMVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $nett
$gwipconfig = New-AzureRMVirtualNetworkGatewayIpConfig -Name LerunDomainGWconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
# Create Gateway
New-AzureRMVirtualNetworkGateway -Name LerunDomainGW -ResourceGroupName LerunDomainGroup -Location 'West Europe' -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased
# Get public ip of gateway
Get-AzureRMPublicIpAddress -Name LerunDomainGWpip -ResourceGroupName LerunDomainGroup

# Get VPN GW's
$gateway = Get-AzureRMVirtualNetworkGateway -Name LerunDomainGW -ResourceGroupName LerunDomainGroup
$local = Get-AzureRMLocalNetworkGateway -Name LerunDomainLocalGW -ResourceGroupName LerunDomainGroup

# Set up VPN connection
# Check that GWpip has got a assigned puplic IP before running
New-AzureRMVirtualNetworkGatewayConnection -Name 'LerunDomainGWconnection' -ResourceGroupName LerunDomainGroup -Location 'West Europe' -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey $VPNSecret

$Cred = Get-AutomationPSCredential -Name 'AzureAutomation'

# Shared secret

$VPNSecret = 'xxxxxxxxxxxxxxxxxxxx'

# ARM

$RMaccount = Login-AzureRmAccount -Credential $Cred

# Resource Group

New-AzureRMResourceGroup -Name 'LerunDomainGroup' -Location 'West Europe'

# ARM Network

$GW = New-AzureRMVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.51.0.0/24'

$Edge = New-AzureRMVirtualNetworkSubnetConfig -Name 'EdgeNett' -AddressPrefix '10.51.1.0/24'

$SrvNett = New-AzureRMVirtualNetworkSubnetConfig -Name 'ServerNett' -AddressPrefix '10.51.2.0/24'

New-AzureRMVirtualNetwork -Name 'LerunDomainNetwork' -ResourceGroupName 'LerunDomainGroup' -Location 'West Europe' -AddressPrefix '10.51.0.0/22' -Subnet $GW,$Edge,$SrvNett -DnsServer '192.168.10.2'

# Local Site

New-AzureRMLocalNetworkGateway -Name LerunDomainLocalGW -ResourceGroupName LerunDomainGroup -Location 'West Europe' -GatewayIpAddress '212.251.251.170' -AddressPrefix '192.168.10.0/24'

# Public IP for the gateway

$GWpip = New-AzureRMPublicIpAddress -Name LerunDomainGWpip -ResourceGroupName LerunDomainGroup -Location 'West Europe' -AllocationMethod Dynamic

# Gateway IP config

$nett = Get-AzureRMVirtualNetwork -Name LerunDomainNetwork -ResourceGroupName LerunDomainGroup

$subnet = Get-AzureRMVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $nett

$gwipconfig = New-AzureRMVirtualNetworkGatewayIpConfig -Name LerunDomainGWconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

# Create Gateway

New-AzureRMVirtualNetworkGateway -Name LerunDomainGW -ResourceGroupName LerunDomainGroup -Location 'West Europe' -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased

# Get public ip of gateway

Get-AzureRMPublicIpAddress -Name LerunDomainGWpip -ResourceGroupName LerunDomainGroup

# Get VPN GW's

$gateway = Get-AzureRMVirtualNetworkGateway -Name LerunDomainGW -ResourceGroupName LerunDomainGroup

$local = Get-AzureRMLocalNetworkGateway -Name LerunDomainLocalGW -ResourceGroupName LerunDomainGroup

# Set up VPN connection

# Check that GWpip has got a assigned puplic IP before running

New-AzureRMVirtualNetworkGatewayConnection -Name 'LerunDomainGWconnection' -ResourceGroupName LerunDomainGroup -Location 'West Europe' -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey $VPNSecret

To test the connection(more):

# Test connection
Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name LerunDomainGWconnection -ResourceGroupName LerunDomainGroup
# Debug connection
Get-AzureRMVirtualNetworkGatewayConnection -Name 'LerunDomainGWconnection' -ResourceGroupName 'LerunDomainGroup' -Debug:$True
Get-AzureRmVirtualNetwork -Name 'LerunDomainNetwork' -ResourceGroupName 'LerunDomainGroup'

# Test connection

Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name LerunDomainGWconnection -ResourceGroupName LerunDomainGroup

# Debug connection

Get-AzureRMVirtualNetworkGatewayConnection -Name 'LerunDomainGWconnection' -ResourceGroupName 'LerunDomainGroup' -Debug:$True

Get-AzureRmVirtualNetwork -Name 'LerunDomainNetwork' -ResourceGroupName 'LerunDomainGroup'

To remove what was created ( remember to remove all resources in the ARM network beforehand):

# Remove
Remove-AzureRmVirtualNetworkGatewayConnection -Name 'LerunDomainGWconnection' -ResourceGroupName LerunDomainGroup -Force
Remove-AzureRMVirtualNetworkGateway -Name LerunDomainGW -ResourceGroupName LerunDomainGroup -Force
Remove-AzureRmLocalNetworkGateway -Name LerunDomainLocalGW -ResourceGroupName LerunDomainGroup -Force
Remove-AzureRmPublicIpAddress -Name LerunDomainGWpip -ResourceGroupName LerunDomainGroup -Force
# Can only remove if every resource on the network is removed
$nett = Get-AzureRMVirtualNetwork -Name LerunDomainNetwork -ResourceGroupName LerunDomainGroup
Remove-AzureRmVirtualNetworkSubnetConfig -Name 'ServerNett' -VirtualNetwork $nett
Remove-AzureRmVirtualNetworkSubnetConfig -Name 'EdgeNett' -VirtualNetwork $nett
Remove-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $nett

Remove-AzureRMVirtualNetwork -Name 'LerunDomainNetwork' -ResourceGroupName 'LerunDomainGroup' -Force

# Remove

Remove-AzureRmVirtualNetworkGatewayConnection -Name 'LerunDomainGWconnection' -ResourceGroupName LerunDomainGroup -Force

Remove-AzureRMVirtualNetworkGateway -Name LerunDomainGW -ResourceGroupName LerunDomainGroup -Force

Remove-AzureRmLocalNetworkGateway -Name LerunDomainLocalGW -ResourceGroupName LerunDomainGroup -Force

Remove-AzureRmPublicIpAddress -Name LerunDomainGWpip -ResourceGroupName LerunDomainGroup -Force

# Can only remove if every resource on the network is removed

$nett = Get-AzureRMVirtualNetwork -Name LerunDomainNetwork -ResourceGroupName LerunDomainGroup

Remove-AzureRmVirtualNetworkSubnetConfig -Name 'ServerNett' -VirtualNetwork $nett

Remove-AzureRmVirtualNetworkSubnetConfig -Name 'EdgeNett' -VirtualNetwork $nett

Remove-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $nett

Remove-AzureRMVirtualNetwork -Name 'LerunDomainNetwork' -ResourceGroupName 'LerunDomainGroup' -Force

Note: With all the changes in resent Azure Powershell modules, there can be some inconsistencies. This was done on 1.0.1.

Happy tinkering!

CategoryARM Azure Network

Creating Site to Site VPN in Azure Resource Manager

Leave a Reply Cancel reply