
Wednesday, April 15, 2015

Setup VNet-To-VNet VPN on Microsoft Azure - Part 2

In part 1, we set up a VNet-to-VNet connection from West US to East US. In this part, I'm going to create one more VNet in North Europe and then set up the VPN from North Europe to West US. A VNet connected to more than one local network site cannot be configured in the Microsoft Azure Portal, so we have to download the current VNet configuration file (netcfg), modify it, and upload the updated file back to Microsoft Azure.

Prerequisites
Goals
  • Create a new VNet named nelabvnet in North Europe region
  • Create a new local network with the same name nelabvnet
  • Create a dynamic routing gateway on nelabvnet
  • Connect wuslabvnet to 2 VNets (euslabvnet and nelabvnet)
Lab
First, we need to download the current VNet configuration file and then add the new virtual network and local network site to it.

1. Launch "Azure PowerShell" as administrator on a workstation.
2. Connect to your Azure subscription by performing "Add-AzureAccount".
3. Perform "Get-AzureVNetConfig -ExportToFile C:\VNetConfig.xml" to export the VNet configuration to C:\VNetConfig.xml.


4. Open "VNetConfig.xml" in "Windows PowerShell ISE" as administrator and then focus on Local Network Sites first.


There are 2 local network sites in our VNet configuration. We need to add a new local network site for the North Europe region.

5. Copy from <LocalNetworkSite> to </LocalNetworkSite> and then paste it under </LocalNetworkSite> of wuslabvnet.
6. Change the name, AddressPrefix and VPNGatewayAddress to nelabvnet, 10.3.0.0/16 and 172.16.0.3. The gateway address is a temporary placeholder; it is replaced with the real gateway IP address in step 16.


The latest local network configuration will be the following.


Then, we need to add a new virtual network and update "Connect to local network" in this virtual network configuration file.


7. Copy from <VirtualNetworkSite> to </VirtualNetworkSite> and then paste it after </VirtualNetworkSite> of wuslabvnet.
8. Change the name, Location, AddressPrefix values and LocalNetworkSiteRef to the following.

name = nelabvnet
Location = North Europe
AddressPrefix (address space) = 10.3.0.0/16
AddressPrefix (first subnet) = 10.3.0.0/19
AddressPrefix (gateway subnet) = 10.3.32.0/29
LocalNetworkSiteRef = wuslabvnet


9. Then, we need to add 1 more LocalNetworkSiteRef named nelabvnet under wuslabvnet.


Eventually, we have the following virtual network configuration.



10. Save the VNet configuration.
11. Back to Azure PowerShell console, perform "Set-AzureVNetConfig -ConfigurationPath C:\VNetConfig.xml" to update VNet configuration on Microsoft Azure.
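The same edits from steps 5 to 9 can be made from PowerShell instead of by hand, which also gives us a place to check the one rule that makes Set-AzureVNetConfig fail: address spaces must not overlap. The following is an added example, not code from the original post; the netcfg document inside it is a constructed sample that mirrors the lab (wuslabvnet and euslabvnet), not the file exported in step 3, and the function and variable names are my own.

```powershell
# Added example: build the step 5-9 netcfg changes with the [xml] adapter and refuse
# to save the file if any address space overlaps. Constructed sample netcfg below.
$netcfg = @'
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="euslabvnet">
        <AddressSpace><AddressPrefix>10.2.0.0/16</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>172.16.0.2</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="wuslabvnet">
        <AddressSpace><AddressPrefix>10.1.0.0/16</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>172.16.0.1</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="wuslabvnet" Location="West US">
        <AddressSpace><AddressPrefix>10.1.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1"><AddressPrefix>10.1.0.0/19</AddressPrefix></Subnet>
          <Subnet name="GatewaySubnet"><AddressPrefix>10.1.32.0/29</AddressPrefix></Subnet>
        </Subnets>
        <Gateway><ConnectionsToLocalNetwork>
          <LocalNetworkSiteRef name="euslabvnet"><Connection type="IPsec" /></LocalNetworkSiteRef>
        </ConnectionsToLocalNetwork></Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
'@

function ConvertTo-IPRange([string]$Cidr) {
    # "10.3.0.0/16" -> first and last address as unsigned integers.
    $ip, $len = $Cidr.Split('/')
    [uint64]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $n = $n * 256 + $b }
    [uint64]$size = [Math]::Pow(2, 32 - [int]$len)
    $start = $n - ($n % $size)
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap([string]$A, [string]$B) {
    $ra = ConvertTo-IPRange $A; $rb = ConvertTo-IPRange $B
    ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Add-NetcfgVNet {
    param([xml]$Xml, [string]$Name, [string]$Location, [string]$AddressSpace,
          [string]$Subnet, [string]$GatewaySubnet, [string]$TempGatewayIp, [string]$PeerVNet)
    $cfg = $Xml.NetworkConfiguration.VirtualNetworkConfiguration
    # Steps 5-6: clone the peer's LocalNetworkSite; the gateway address is a placeholder.
    $peerSite = $cfg.LocalNetworkSites.LocalNetworkSite | Where-Object name -eq $PeerVNet
    $site = $peerSite.CloneNode($true)
    $site.name = $Name
    $site.AddressSpace.AddressPrefix = $AddressSpace
    $site.VPNGatewayAddress = $TempGatewayIp
    [void]$cfg.LocalNetworkSites.AppendChild($site)
    # Steps 7-8: clone the peer VNet and set name, location and prefixes.
    $peerVnet = $cfg.VirtualNetworkSites.VirtualNetworkSite | Where-Object name -eq $PeerVNet
    $vnet = $peerVnet.CloneNode($true)
    $vnet.name = $Name
    $vnet.Location = $Location
    $vnet.AddressSpace.AddressPrefix = $AddressSpace
    $subnets = @($vnet.Subnets.Subnet)
    $gw = $subnets | Where-Object name -eq 'GatewaySubnet'
    $gw.AddressPrefix = $GatewaySubnet
    $first = @($subnets | Where-Object name -ne 'GatewaySubnet')[0]
    $first.AddressPrefix = $Subnet
    # The new VNet points back at the peer only: replace the cloned refs with one.
    $conns = $vnet.Gateway.ConnectionsToLocalNetwork
    $ref = @($conns.LocalNetworkSiteRef)[0].CloneNode($true)
    $conns.RemoveAll()
    $ref.name = $PeerVNet
    [void]$conns.AppendChild($ref)
    [void]$cfg.VirtualNetworkSites.AppendChild($vnet)
    # Step 9: the peer gets an extra LocalNetworkSiteRef for the new site.
    $peerConns = $peerVnet.Gateway.ConnectionsToLocalNetwork
    $peerRef = @($peerConns.LocalNetworkSiteRef)[0].CloneNode($true)
    $peerRef.name = $Name
    [void]$peerConns.AppendChild($peerRef)
}

function Test-NetcfgAddressSpaces([xml]$Xml) {
    # VNets must not overlap each other, and no VNet may overlap a local site it connects to.
    $cfg = $Xml.NetworkConfiguration.VirtualNetworkConfiguration
    $vnets = @($cfg.VirtualNetworkSites.VirtualNetworkSite)
    $locals = @($cfg.LocalNetworkSites.LocalNetworkSite)
    $problems = @()
    for ($i = 0; $i -lt $vnets.Count; $i++) {
        for ($j = $i + 1; $j -lt $vnets.Count; $j++) {
            foreach ($a in @($vnets[$i].AddressSpace.AddressPrefix)) {
                foreach ($b in @($vnets[$j].AddressSpace.AddressPrefix)) {
                    if (Test-CidrOverlap $a $b) { $problems += "$($vnets[$i].name) $a overlaps $($vnets[$j].name) $b" }
                }
            }
        }
    }
    foreach ($v in $vnets) {
        if (-not $v.Gateway) { continue }
        foreach ($ref in @($v.Gateway.ConnectionsToLocalNetwork.LocalNetworkSiteRef)) {
            $site = $locals | Where-Object name -eq $ref.name
            if (-not $site) { $problems += "$($v.name) references missing local site $($ref.name)"; continue }
            foreach ($a in @($v.AddressSpace.AddressPrefix)) {
                foreach ($b in @($site.AddressSpace.AddressPrefix)) {
                    if (Test-CidrOverlap $a $b) { $problems += "$($v.name) $a overlaps local site $($site.name) $b" }
                }
            }
        }
    }
    return $problems
}

$xml = [xml]$netcfg
Add-NetcfgVNet -Xml $xml -Name 'nelabvnet' -Location 'North Europe' -AddressSpace '10.3.0.0/16' `
    -Subnet '10.3.0.0/19' -GatewaySubnet '10.3.32.0/29' -TempGatewayIp '172.16.0.3' -PeerVNet 'wuslabvnet'
$problems = Test-NetcfgAddressSpaces $xml
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Address spaces overlap; Set-AzureVNetConfig would reject this file.'
}
$xml.Save('C:\VNetConfig.xml')   # then: Set-AzureVNetConfig -ConfigurationPath C:\VNetConfig.xml
```

The overlap check deliberately compares each VNet only with the local network sites its own gateway references, because in this design every local network site mirrors another VNet's address space by intent; comparing every site against every VNet would flag that mirroring as an error. If you later typo a prefix (for example 10.1.0.0/16 for nelabvnet), the check fails locally instead of after the upload.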


Click the wuslabvnet virtual network; the portal now displays 2 virtual network connections.

  
However, we haven't created a gateway on nelabvnet yet, nor set up the shared key between both VNets.

Click "Configure".


The Local Network option of wuslabvnet now shows "multiple". With more than one local network site, this cannot be changed in the Microsoft Azure Portal; it must be done through the configuration file.

12. Back in the Azure PowerShell console, perform "New-AzureVNetGateway -VNetName nelabvnet -GatewayType DynamicRouting -Verbose" to create a new dynamic routing gateway for nelabvnet.


 Remark: It takes 15 - 30 minutes to create a gateway.

13. Perform "$GIP = (Get-AzureVNetGateway -VNetName nelabvnet).VIPAddress" to get the gateway IP address of nelabvnet and then save it to $GIP variable.


14. Perform "$xml = [xml](Get-Content C:\VNetConfig.xml)" to get the xml content and save it to $xml variable.


15. Perform "($xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite | where name -eq nelabvnet).VPNGatewayAddress" to get the gateway IP address of nelabvnet in the vnet configuration file.


We entered a temporary gateway IP address for the nelabvnet local network in the configuration file. Now, we need to replace it with the real gateway IP address and upload the file to Microsoft Azure to update the virtual network settings.

16. Perform "($xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite | where name -eq nelabvnet).VPNGatewayAddress = $GIP" to update the IP address.


17. Perform "$xml.Save("C:\VNetConfig.xml")" to save the updated content into the virtual network configuration file.


18. Perform "Set-AzureVNetConfig -ConfigurationPath C:\VNetConfig.xml" to update virtual network configuration on Microsoft Azure.
19. Perform "$Gwkey = (Get-AzureVNetGatewayKey -VNetName wuslabvnet -LocalNetworkSiteName euslabvnet).Value" to get the current shared key between wuslabvnet and euslabvnet. Then, save it to the $Gwkey variable.


Remark: Get-AzureVNetGatewayKey returns the shared key in clear text, so keep it out of console transcripts and scripts that get checked in.


20. Perform "Set-AzureVNetGatewayKey -VNetName nelabvnet -LocalNetworkSiteName wuslabvnet -SharedKey $Gwkey" to setup VPN tunnel on nelabvnet.
21. Perform "Set-AzureVNetGatewayKey -VNetName wuslabvnet -LocalNetworkSiteName nelabvnet -SharedKey $Gwkey" to setup VPN tunnel on wuslabvnet.



Eventually, wuslabvnet is connected to both euslabvnet and nelabvnet.



Please note that virtual machines in wuslabvnet can communicate with both euslabvnet and nelabvnet. However, virtual machines in euslabvnet and nelabvnet cannot communicate with each other: VNet-to-VNet tunnels are not transitive, and we did not add a "LocalNetworkSiteRef" between those two VNets to the configuration file or configure a shared key for that tunnel. To enable communication between euslabvnet and nelabvnet, update the VNet configuration file with the additional references, upload it to Microsoft Azure, and then configure the shared key on both sites. After that, virtual machines in euslabvnet and nelabvnet can communicate with each other.

Additional:
By default, the Azure Gateway SKU is Default.


It supports S2S VPN throughput of up to 80 Mbps and 10 S2S VPN tunnels. It costs US$0.036 per hour.

Besides the Default gateway SKU, Microsoft Azure provides a High Performance SKU. It supports S2S VPN throughput of up to 200 Mbps and 30 S2S VPN tunnels. It costs US$0.49 per hour. To change the gateway SKU, we can perform "Resize-AzureVNetGateway -VNetName <virtual network name> -GatewaySKU HighPerformance".



Eventually, the gateway SKU was changed to High Performance.

This posting is provided “AS IS” with no warranties, and confers no rights!

Friday, April 10, 2015

Setup VNet-To-VNet VPN on Microsoft Azure - Part 1

To apply VNet to VNet communication on Microsoft Azure, we can configure Site-to-Site (S2S) VPN between VNets. The Site-to-Site VPN for VNets can be applied to following scenarios, requirements and considerations.

Cross region geo-redundancy and geo-presence
  • You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
  • With Azure Load Balancer and Microsoft or third party clustering technology, you can setup highly available workload with geo-redundancy across multiple Azure regions. One important example is to setup SQL Always On with Availability Groups spreading across multiple Azure regions.
Regional multi-tier applications with strong isolation boundary
  • Within the same region, you can setup multi-tier applications with multiple virtual networks connected together with strong isolation and secure inter-tier communication.
Cross subscription, inter-organization communication in Azure
  • If you have multiple Azure subscriptions, you can now connect workloads from different subscriptions together securely between virtual networks.
  • For enterprises or service providers, it is now possible to enable cross organization communication with secure VPN technology within Azure.

Requirements and considerations
  • VNet to VNet supports connecting Azure Virtual Networks. It does not support connecting virtual machines or cloud services NOT in a virtual network.
  • VNet to VNet requires Azure VPN gateways with dynamic routing VPNs - Azure static routing VPNs are not supported. Connecting multiple Azure virtual networks together does NOT require any on premises VPN gateways, unless cross premises connectivity is required.
  • Virtual network connectivity can be used simultaneously with multi-site VPNs, with a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to either other virtual networks or on premises sites.
  • The address spaces of the virtual networks and on premises local network sites MUST NOT overlap. Overlapping address spaces will cause the creation of virtual networks or uploading netcfg configuration files to fail.
  • The virtual networks can be in the same or different subscriptions.
  • The virtual networks can be in the same or different Azure regions (locations).
  • Redundant tunnels between a pair of virtual networks are not supported.
  • A cloud service or a load balancing endpoint CANNOT span across virtual networks even though they are connected together.
  • All VPN tunnels of the virtual network, including P2S VPNs, share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.


Remark: We can perform "Resize-AzureVNetGateway" to move to the High Performance SKU, which raises the maximum from 10 VPN tunnels to 30 VPN tunnels.

In this part, I'm going to create 2 VNets in different regions and then configure Site-to-Site VPN for these networks.

Prerequisites
  • The Microsoft Azure PowerShell module is installed on the configuration computer
Goals
  • Create 2 VNets named euslabvnet and wuslabvnet in different regions
  • Create 2 local networks with the same names to represent the 2 virtual networks
  • Create a dynamic routing gateway on each VNet
  • Configure the VPN shared key on both VPN gateways
Lab
Create virtual networks
First, we need to create 2 virtual networks on Microsoft Azure. One is located in West US, the other in East US. West US will be assigned the 10.1.0.0/16 address space and East US will be assigned 10.2.0.0/16.

1. Log in the Microsoft Azure Portal.
2. Select "Networks" tab.


3. Click "New > Virtual Network > Custom Create".


4. On "Virtual Network Details" window, next to "Name", enter "wuslabvnet".
5. Next to "Location", select "West US".


6. Click "Next".
7. For testing, we don't need to configure DNS server. Then, click "Next".


8. On "Virtual Network Address Spaces" window, enter 10.1.0.0/16 as the address space for wuslabvnet.


9. Click "OK".
10. Repeat step 3 - 9 to create euslabvnet in the "East US" location and assign the 10.2.0.0/16 address space to this VNet.


Create local networks
Then, we need to create 2 local networks to represent the 2 virtual networks. Both local networks will use the same names as the virtual networks.

1. Select "Network" tab on "Microsoft Azure Portal".
2. Click "New > Virtual Network > Add Local Network".


3. On "Specify your local network details" window, next to "Name", enter "wuslabvnet".
4. Next to "VPN device IP address (optional)", enter "172.16.0.1".


We haven't created a VPN gateway on either VNet yet, but the portal requires a "VPN Device IP address" to create a local network, so we enter a temporary one. After creating the gateways, we must change it to the real gateway IP address.

5. Click "Next".
6. On "Specify the address space" window, enter the wuslabvnet IP address space, 10.1.0.0/16.


7. Click "OK".
8. Repeat step 2 - 7 to create the local network euslabvnet, using 172.16.0.2 as the temporary gateway IP address and 10.2.0.0/16 as the address space.


Assign local networks to virtual networks
To create a VPN gateway for a VNet, we need to assign the destination local network to the virtual network. For example, the euslabvnet local network should be mapped to wuslabvnet.

1. Select "wuslabvnet" virtual network.
2. Select "Configure".


3. Next to "site-to-site connectivity" section, check "Connect to local network".
4. Next to "Local Network", select "euslabvnet".


The "Local Network" should point to the other site's address space. In this lab environment, we select euslabvnet.

5. Next to "virtual network address spaces" section, make sure the "gateway subnet" is created. If not, click "add gateway subnet".


To create a Site-to-Site VPN on Azure, the gateway subnet is mandatory.

6. Click "Save".
7. Repeat step 1 - 6 to configure euslabvnet virtual network.


Create dynamic routing gateways on VNets
Dynamic routing gateway is a key component for VNets communication. We're going to create dynamic routing gateway on both VNets and then update the public IP address of both gateways to the local networks. 

1. Select "wuslabvnet" virtual network.
2. Select "Dashboard".


3. Click "Create Gateway > Dynamic Routing" button to create the gateway.


Then, Azure will take 15 - 30 minutes to create the gateway.


4. Repeat step 1 - 3 to create "Gateway" on "euslabvnet".


5. We need to update the VPN gateway addresses on both local networks, replacing the temporary 172.16.0.x addresses with the public IP addresses of the newly created gateways.


Connect VPN gateways on both VNets
To make connections between both VNets, we need to set up a shared key. 

1. Launch "Microsoft Azure PowerShell".
2. Connect to your Azure subscription by performing "Add-AzureAccount".
3. Perform "Set-AzureVNetGatewayKey -VNetName wuslabvnet -LocalNetworkSiteName euslabvnet -SharedKey <shared key for VPN tunnel>" to setup VPN tunnel on wuslabvnet.


4. Perform "Set-AzureVNetGatewayKey -VNetName euslabvnet -LocalNetworkSiteName wuslabvnet -SharedKey <shared key for VPN tunnel>" to setup VPN tunnel on euslabvnet.


Now, both VNets can communicate with each other.
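The following is an added example, not code from either post, covering the shared-key steps in both parts: steps 3 and 4 just above, and steps 19 to 21 of Part 2, which reuse the euslabvnet key for the nelabvnet tunnel. It generates a separate random pre-shared key for each tunnel, applies it to both gateways without ever displaying it, and waits until the tunnel reports Connected. It assumes an Azure classic (Service Management) PowerShell session where Add-AzureAccount has already run, and that each local network site carries the name of the VNet it represents, as in this lab; the function names and the 40-character key length are my own choices.

```powershell
# Added example: one random PSK per VNet-to-VNet tunnel, applied to both ends, then
# verified with Get-AzureVNetConnection. Assumes an Azure classic session (Add-AzureAccount).

function New-VpnSharedKey([int]$Length = 40) {
    # Alphanumeric key from the CSPRNG. 62 symbols do not divide 256 evenly, so bytes
    # >= 248 (= 62 * 4) are rejected to keep every symbol equally likely.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $key = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($key.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$key.Append($alphabet[$buf[0] % 62]) }
    }
    $key.ToString()
}

function Connect-VNetTunnel([string]$VNetA, [string]$VNetB, [int]$TimeoutSeconds = 300) {
    $psk = New-VpnSharedKey
    # The far side of each tunnel is the local network site named after the other VNet.
    Set-AzureVNetGatewayKey -VNetName $VNetA -LocalNetworkSiteName $VNetB -SharedKey $psk | Out-Null
    Set-AzureVNetGatewayKey -VNetName $VNetB -LocalNetworkSiteName $VNetA -SharedKey $psk | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $conn = Get-AzureVNetConnection -VNetName $VNetA | Where-Object LocalNetworkSiteName -eq $VNetB
        if ($conn.ConnectivityState -eq 'Connected') { return $conn }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Tunnel $VNetA <-> $VNetB not Connected after $TimeoutSeconds s: $($conn.LastEventMessage)"
}

# Part 1: West US <-> East US. Part 2 adds a second tunnel with its own key.
Connect-VNetTunnel -VNetA 'wuslabvnet' -VNetB 'euslabvnet'
Connect-VNetTunnel -VNetA 'wuslabvnet' -VNetB 'nelabvnet'
```

The key is created inside the function and passed straight to Set-AzureVNetGatewayKey, so it never lands in a variable in the console session or in a transcript; if you need it later, Get-AzureVNetGatewayKey can retrieve it from the gateway. Using a different key per tunnel means that recovering one key (for example from a logged transcript) does not expose the other tunnel.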



Test result
I created 2 virtual machines on Microsoft Azure. One is under euslabvnet. The other is under wuslabvnet.

I performed "tracert" on both virtual machines to make sure they can communicate with each other.



In the next part, I'm going to add one more VNet and configure a VPN so that it can communicate with wuslabvnet.

This posting is provided “AS IS” with no warranties, and confers no rights!