In Azure there is the concept of connecting one virtual network with another, either in the same region or across regions. This is referred to as a VNet-to-VNet connection. It is quite similar to configuring a site-to-site VPN from an Azure VNet to your on-premises environment. In this post we will demo a VNet-to-VNet connection with Azure Resource Manager (ARM) using PowerShell. In a future post we will set up Azure Files and demo connecting shares across this VNet-to-VNet connection.
Azure VPN gateways using the RouteBased (dynamic) VPN type connect two or more virtual networks securely with IPsec/IKE site-to-site VPN tunnels. One important factor to keep in mind is that the address spaces of the virtual networks and on-premises local networks must not overlap. A maximum of 10 VPN tunnels per virtual network VPN gateway is currently supported, and all the VPN tunnels of the virtual network share the bandwidth of that Azure VPN gateway. Keep this in mind when designing your solution.
Take note that the commands below are using Azure PowerShell 0.9.8. If you wish to use the 1.0 Preview you can refer to a previous post I did here on Keeping Azure PowerShell Cmdlets Updated. In addition, you will need to edit the cmdlets using the pattern {verb}-AzureRM{noun}.
Below is a simple diagram of what we are going to build. One thing to keep in mind, the naming of resources will work in our demo but you will want to use a standard naming scheme in your production environments.
1. Connect to your Azure subscription.
    Add-AzureAccount
2. Select which subscription you would like to deploy to. I am using my “Azure Pass” subscription.
    Select-AzureSubscription "Azure Pass"
3. Switch to Azure Resource Manager mode.
    Switch-AzureMode -Name AzureResourceManager
4. Create a resource group called testrg1 in the “West US” region.
    New-AzureResourceGroup -Name testrg1 -Location 'West US'
5. Next we will create a virtual network called VNet1 with 2 subnets. The gateway subnet must be named GatewaySubnet and should be at least a /29. Check your requirements if using ExpressRoute, as you may need a /27.
    $subnet = New-AzureVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.0.0/28
    $subnet1 = New-AzureVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix '10.1.1.0/24'
    New-AzureVirtualNetwork -Name VNet1 -ResourceGroupName testrg1 -Location 'West US' -AddressPrefix 10.1.0.0/16 -Subnet $subnet, $subnet1
6. Now we need to request a Public IP for VNet1. You cannot specify this address; it is dynamically allocated.
    $gwpip = New-AzurePublicIpAddress -Name gwpip1 -ResourceGroupName testrg1 -Location 'West US' -AllocationMethod Dynamic
7. Create the gateway IP configuration for VNet1, binding the GatewaySubnet to the public IP requested above.
    $vnet = Get-AzureVirtualNetwork -Name VNet1 -ResourceGroupName testrg1
    $subnet = Get-AzureVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    $gwipconfig = New-AzureVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
8. Create the gateway for VNet1 called vnetgw1. Make sure that you use the RouteBased VPN type, as this is required for VNet-to-VNet. Be patient, as this can take a while.
    New-AzureVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg1 -Location 'West US' -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased
9. Now we will create a new resource group called testrg2 in the East US region.
    New-AzureResourceGroup -Name testrg2 -Location 'East US'
10. Create a virtual network called VNet2 with 2 subnets. Again the gateway subnet must be named GatewaySubnet; check your requirements if using ExpressRoute, as you may need a /27.
    $subnet = New-AzureVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.2.0.0/28
    $subnet1 = New-AzureVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix '10.2.1.0/24'
    New-AzureVirtualNetwork -Name VNet2 -ResourceGroupName testrg2 -Location 'East US' -AddressPrefix 10.2.0.0/16 -Subnet $subnet, $subnet1
11. Now we need to request a Public IP for VNet2. You cannot specify this address; it is dynamically allocated.
    $gwpip = New-AzurePublicIpAddress -Name gwpip2 -ResourceGroupName testrg2 -Location 'East US' -AllocationMethod Dynamic
12. Create the gateway IP configuration for VNet2.
    $vnet = Get-AzureVirtualNetwork -Name VNet2 -ResourceGroupName testrg2
    $subnet = Get-AzureVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    $gwipconfig = New-AzureVirtualNetworkGatewayIpConfig -Name gwipconfig2 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
13. Create the gateway for VNet2 called vnetgw2, again RouteBased. Be patient, as this can take a while.
    New-AzureVirtualNetworkGateway -Name vnetgw2 -ResourceGroupName testrg2 -Location 'East US' -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased
14. Now we need to connect the gateway for VNet1 to VNet2. Replace the shared key with your own; it must be identical on both connections.
    $vnetgw1 = Get-AzureVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg1
    $vnetgw2 = Get-AzureVirtualNetworkGateway -Name vnetgw2 -ResourceGroupName testrg2
    New-AzureVirtualNetworkGatewayConnection -Name conn1 -ResourceGroupName testrg1 -VirtualNetworkGateway1 $vnetgw1 -VirtualNetworkGateway2 $vnetgw2 -Location 'West US' -ConnectionType Vnet2Vnet -SharedKey '[email protected]'
15. Next we need to connect the gateway for VNet2 back to VNet1. The gateways swap roles here (vnetgw2 is now gateway 1 of the connection), and the shared key must be the same as in step 14.
    $vnetgw2 = Get-AzureVirtualNetworkGateway -Name vnetgw2 -ResourceGroupName testrg2
    $vnetgw1 = Get-AzureVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg1
    New-AzureVirtualNetworkGatewayConnection -Name conn2 -ResourceGroupName testrg2 -VirtualNetworkGateway1 $vnetgw2 -VirtualNetworkGateway2 $vnetgw1 -Location 'East US' -ConnectionType Vnet2Vnet -SharedKey '[email protected]'
16. Now that we have our VNets deployed and connected, we need to verify that the tunnel is working. As of this post, the gateways are not exposed in the Preview Portal, so run the commands below instead. The -Debug switch prompts for confirmation; select Yes to All. In the output of each command, scroll to connectionStatus and verify that it shows Connected. You will also see the ingress/egress byte transfer counts.
    Get-AzureVirtualNetworkGatewayConnection -Name conn1 -ResourceGroupName testrg1 -Debug
    Get-AzureVirtualNetworkGatewayConnection -Name conn2 -ResourceGroupName testrg2 -Debug
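As an added example (not code from the original post), here is a pure-PowerShell check for the non-overlapping address-space requirement from the introduction, worth running before step 14 creates the tunnel. The function names are mine; the commented-out live calls assume the 0.9.8 Get-AzureVirtualNetwork object exposes AddressSpace.AddressPrefixes.

```powershell
# Added example, not from the original post. Checks that two CIDR prefixes (and,
# by extension, two VNet address spaces) do not overlap. Function names are mine.

function ConvertTo-IPv4Long {
    param([Parameter(Mandatory)][string]$Address)
    # Fold the dotted quad's big-endian bytes into a 64-bit integer; IPv4 fits
    # easily, which avoids unsigned-shift surprises in PowerShell.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [long]$value = 0
    foreach ($b in $bytes) { $value = ($value * 256) + $b }
    return $value
}

function Test-PrefixOverlap {
    param(
        [Parameter(Mandatory)][string]$PrefixA,   # e.g. 10.1.0.0/16
        [Parameter(Mandatory)][string]$PrefixB
    )
    $ipA, $bitsA = $PrefixA.Split('/')
    $ipB, $bitsB = $PrefixB.Split('/')
    # Two prefixes overlap exactly when they agree on every bit covered by the
    # shorter (less specific) of the two masks.
    $common = [math]::Min([int]$bitsA, [int]$bitsB)
    $mask   = [long]4294967296 - ([long]1 -shl (32 - $common))
    $netA   = (ConvertTo-IPv4Long $ipA) -band $mask
    $netB   = (ConvertTo-IPv4Long $ipB) -band $mask
    return ($netA -eq $netB)
}

function Test-AddressSpaceOverlap {
    # Compares every prefix of one address space with every prefix of another and
    # emits the colliding pairs; no output means the two are safe to connect.
    param([string[]]$SpaceA, [string[]]$SpaceB)
    foreach ($a in $SpaceA) {
        foreach ($b in $SpaceB) {
            if (Test-PrefixOverlap $a $b) { [pscustomobject]@{ PrefixA = $a; PrefixB = $b } }
        }
    }
}

# Constructed inputs matching the post: VNet1 is 10.1.0.0/16, VNet2 is 10.2.0.0/16.
Test-AddressSpaceOverlap -SpaceA @('10.1.0.0/16') -SpaceB @('10.2.0.0/16')   # no output: OK
# A local network you might attach later that collides with VNet1's Subnet1:
Test-AddressSpaceOverlap -SpaceA @('10.1.0.0/16') -SpaceB @('10.1.1.0/24', '192.168.0.0/24')

# Against the live VNets from steps 5 and 10 (assumption: the returned object
# exposes AddressSpace.AddressPrefixes):
# $v1 = Get-AzureVirtualNetwork -Name VNet1 -ResourceGroupName testrg1
# $v2 = Get-AzureVirtualNetwork -Name VNet2 -ResourceGroupName testrg2
# Test-AddressSpaceOverlap $v1.AddressSpace.AddressPrefixes $v2.AddressSpace.AddressPrefixes
```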
Now that we have verified our connections, you can deploy additional resources such as VMs to those regions. This can be done via Azure PowerShell, via ARM templates, or in the Preview Portal. We will not be covering that in this post, but if you need some guidance you can click here.
For additional info check out the VNet FAQ and the VPN Gateway FAQ.
Hopefully this has been informative and you will find it useful. Stay tuned for a future post where we will expand on this and use a VNet-to-VNet connection with Azure Files.