If you want to build a hybrid environment between Azure and your on-premises datacenter, you need to establish a site-to-site VPN connection between the two locations. Although you can use one of various virtual network appliances, such as Cisco ASA or Barracuda, in most cases the best option is to deploy the Azure VPN Gateway. A functional VPN Gateway requires the following resources:
- Virtual Network with at least one subnet
- Gateway Subnet in the Virtual Network (the name must be exactly GatewaySubnet)
- Virtual Network Gateway – represents the Azure side of the VPN
- Local Network Gateway – represents the on-premises VPN device (its public IP) and the on-premises address spaces reachable through the tunnel
- Connection – links the Virtual Network Gateway and the Local Network Gateway and carries the pre-shared key
If you want to use the Azure portal to create the VPN Gateway, perform the following steps:
In the Azure portal, click Create a resource in the left menu and select Virtual Network, as shown in the image below.
Once you find the Virtual Network resource in the Marketplace, select it for deployment.
When the creation wizard opens, fill in the required fields (name, address space, resource group, location and the first subnet).
Once the virtual network is created, you can create the Gateway Subnet. In the Azure portal, select the virtual network you just created, click Subnets and then click Gateway subnet.
On the Add subnet page, define the address range that will be used as the gateway subnet. The name is fixed to GatewaySubnet and cannot be changed. Microsoft recommends a /27 or larger range, and a common practice is to use the last subnet in the virtual network address space so that it does not collide with workload subnets added later.
After you have created the gateway subnet, you can create the Virtual Network Gateway resource. In the Azure portal, click Create a resource in the left menu and select Virtual Network Gateway. On the creation page, populate the fields or select from the drop-down menus:
- Virtual network gateway name
- Gateway type – VPN or ExpressRoute
- VPN type – Route-based or Policy-based (policy-based is only available on the Basic SKU and supports a single site-to-site tunnel; choose route-based unless the on-premises device cannot do anything else)
- VPN Gateway SKU – Basic or a higher SKU. Basic is recommended only for testing: it is limited to 100 Mbps, supports neither BGP nor custom IPsec/IKE policies, and cannot be resized to a higher SKU later (the gateway must be recreated). In some cases it can still be feasible for smaller production workloads.
- Virtual network that will be attached to the gateway (it must already contain the GatewaySubnet)
- Public IP address – new or existing
Note that creating a Virtual Network Gateway can take 45 minutes or more.
The next step is creating the Local Network Gateway, which holds the information about the on-premises side. In the Azure portal, click Create a resource in the left menu and select Local Network Gateway. On the creation page, define a name, the public IP address of the on-premises VPN device that will terminate the tunnel, and the private IP address spaces of your on-premises datacenter that should be reachable through the tunnel. These prefixes must not overlap with the virtual network address space; an overlapping prefix lets the tunnel come up but leaves traffic unroutable.
When both gateways have been created, you can go to the last step of configuring the VPN Gateway on the Azure side: create a Connection that links the Virtual Network Gateway and the Local Network Gateway. In the Azure portal, select the Virtual Network Gateway you created, click Connections and then click Add.
Then define a name, the connection type (Site-to-site (IPsec)), the virtual and local network gateways, and the pre-shared key. The same key must be configured on the on-premises device, so generate it randomly, keep it out of documentation and source control, and hand it over through a secure channel.
The final step in creating the site-to-site VPN tunnel is configuring your on-premises device. The process varies by device model and type; more information and how-to guides for validated devices can be found on the following link.
If you want to configure the VPN Gateway using PowerShell (Az module), run the following script.
```powershell
# Define variables
$Location = 'North Europe'
$RGName = "TechTrainer-Networking"
$VirtualNetworkName = "TechTrainer-vNet"
$vNetAddressPrefix = "10.150.0.0/16"
$SubnetName = "DefaultSubnet"                   # Define subnet name per your organization needs
$SubnetAddressPrefix = "10.150.1.0/24"
$GatewaySubnetAddressPrefix = "10.150.255.0/24" # Gateway subnet should be the last subnet in the virtual network address space (/27 or larger)
$VPNGatewayName = "TechTrainer-VPNGateway"
$OnPremSiteName = "OnPremiseDatacenter"
$OnPremDatacenterIPAddress = "Define Datacenter Public IP" # On-premises public IP that will terminate the VPN tunnel
$OnPremPrivateAddressPrefix = "192.168.222.0/24"           # On-premises private IP address prefix; must not overlap with $vNetAddressPrefix
$VPNConnectionName = "Azure2OnPremise"                     # Connection name based on the VPN Gateway and Local Network Gateway used
$PSK = "cJCLqjawUk2bBBLa" # Pre-shared key for the site-to-site VPN tunnel; replace with a randomly generated value and keep it out of source control

# Create a resource group for networking resources
New-AzResourceGroup -Name $RGName -Location $Location

# Create a virtual network and subnet
$VirtualNetwork = New-AzVirtualNetwork -ResourceGroupName $RGName -Location $Location -Name $VirtualNetworkName -AddressPrefix $vNetAddressPrefix
# Add-AzVirtualNetworkSubnetConfig changes the in-memory object; Set-AzVirtualNetwork writes it to Azure
Add-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix -VirtualNetwork $VirtualNetwork | Out-Null
$VirtualNetwork | Set-AzVirtualNetwork

# Add a gateway subnet to the existing virtual network (the name must be exactly 'GatewaySubnet')
$vNet = Get-AzVirtualNetwork -ResourceGroupName $RGName -Name $VirtualNetworkName
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $GatewaySubnetAddressPrefix -VirtualNetwork $vNet | Out-Null
$vNet | Set-AzVirtualNetwork

# Create the VPN gateway
# The Basic gateway SKU uses a dynamically allocated public IP; VpnGw SKUs require a Standard, static public IP (-Sku Standard -AllocationMethod Static)
$VPNGatewayPublicIP = New-AzPublicIpAddress -Name $VPNGatewayName -ResourceGroupName $RGName -Location $Location -AllocationMethod Dynamic
$vNet = Get-AzVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $RGName
$Subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vNet
$VPNGatewayIPConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'VPNGatewayIPConfig' -SubnetId $Subnet.Id -PublicIpAddressId $VPNGatewayPublicIP.Id
# This step takes 45 minutes or more
New-AzVirtualNetworkGateway -Name $VPNGatewayName -ResourceGroupName $RGName -Location $Location -IpConfigurations $VPNGatewayIPConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic

# Create the local network gateway (the on-premises side)
New-AzLocalNetworkGateway -Name $OnPremSiteName -ResourceGroupName $RGName -Location $Location -GatewayIpAddress $OnPremDatacenterIPAddress -AddressPrefix $OnPremPrivateAddressPrefix

# Create the VPN connection
$VPNGateway = Get-AzVirtualNetworkGateway -Name $VPNGatewayName -ResourceGroupName $RGName
$LocalNetworkGateway = Get-AzLocalNetworkGateway -Name $OnPremSiteName -ResourceGroupName $RGName
New-AzVirtualNetworkGatewayConnection -Name $VPNConnectionName -ResourceGroupName $RGName -Location $Location -VirtualNetworkGateway1 $VPNGateway -LocalNetworkGateway2 $LocalNetworkGateway -ConnectionType IPsec -RoutingWeight 10 -SharedKey $PSK
```
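The script above hard-codes the pre-shared key and ends without confirming that the tunnel actually came up. As an added example that is not part of the original post, the following PowerShell does the checks a practitioner would want after running it: it generates the key from the OS random number generator instead of typing one, refuses to continue if the on-premises and virtual network address spaces overlap (the most common reason a tunnel shows Connected but passes no traffic), pushes the key to the connection, and polls the connection until Azure reports it Connected. It assumes a working Az session (Connect-AzAccount already run) and the resource names used in the script above. `New-VpnPreSharedKey`, `ConvertTo-IPv4Range`, `Test-PrefixOverlap` and `Wait-VpnConnection` are helper functions written for this example, not Az cmdlets.

```powershell
# Added example, not part of the original post. Assumes the Az module is loaded,
# Connect-AzAccount has been run, and the resource names from the script above.
$RGName             = "TechTrainer-Networking"
$VirtualNetworkName = "TechTrainer-vNet"
$OnPremSiteName     = "OnPremiseDatacenter"
$VPNConnectionName  = "Azure2OnPremise"

# Helper (this example's own): 256-bit pre-shared key from the OS CSPRNG, hex-encoded
# so it contains only alphanumerics, which every on-premises device CLI accepts.
function New-VpnPreSharedKey {
    param([int]$Bytes = 32)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    $rng.Dispose()
    return ($buffer | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Helper (this example's own): turn "a.b.c.d/n" into its first and last address as integers.
function ConvertTo-IPv4Range {
    param([string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $addr  = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [uint64][Math]::Pow(2, 32 - [int]$len)   # number of addresses in the block
    $start = $addr - ($addr % $size)                    # network address of the block
    return @{ Start = $start; End = $start + $size - 1 }
}

# Helper (this example's own): $true when two CIDR blocks share at least one address.
function Test-PrefixOverlap {
    param([string]$PrefixA, [string]$PrefixB)
    $a = ConvertTo-IPv4Range $PrefixA
    $b = ConvertTo-IPv4Range $PrefixB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# Helper (this example's own): poll the connection until it reports Connected or the timeout expires.
function Wait-VpnConnection {
    param([string]$Name, [string]$ResourceGroupName, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        if ($conn.ConnectionStatus -eq 'Connected') { return $conn }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $conn
}

# 1. Stop if any VNet prefix overlaps any on-premises prefix: IKE would still succeed,
#    but Azure keeps routing the overlapping range inside the VNet instead of over the tunnel.
$vNet = Get-AzVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $RGName
$lng  = Get-AzLocalNetworkGateway -Name $OnPremSiteName -ResourceGroupName $RGName
foreach ($azPrefix in $vNet.AddressSpace.AddressPrefixes) {
    foreach ($onPremPrefix in $lng.LocalNetworkAddressSpace.AddressPrefixes) {
        if (Test-PrefixOverlap $azPrefix $onPremPrefix) {
            throw "VNet prefix $azPrefix overlaps on-premises prefix $onPremPrefix"
        }
    }
}

# 2. Replace the hard-coded key with a generated one. Show it once so it can be entered
#    on the on-premises device, then drop it; never commit it to source control.
$psk = New-VpnPreSharedKey
Set-AzVirtualNetworkGatewayConnectionSharedKey -Name $VPNConnectionName -ResourceGroupName $RGName -Value $psk -Force
Write-Host "Configure this pre-shared key on the on-premises device: $psk"

# 3. Confirm Azure stored the same key, then wait for IKE to complete on both sides.
$stored = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $VPNConnectionName -ResourceGroupName $RGName
if ($stored -ne $psk) { throw "Stored shared key does not match the generated one" }

$conn = Wait-VpnConnection -Name $VPNConnectionName -ResourceGroupName $RGName
Write-Host ("Connection {0}: {1}, {2} bytes in / {3} bytes out" -f $conn.Name, $conn.ConnectionStatus, $conn.IngressBytesTransferred, $conn.EgressBytesTransferred)
if ($conn.ConnectionStatus -ne 'Connected') {
    throw "Tunnel is $($conn.ConnectionStatus): check the on-premises device's IKE logs, the public IP in the Local Network Gateway and the pre-shared key on both sides"
}
```

The connection status only changes once the on-premises device has been configured with the same key, so run this after that step; a status of NotConnected with zero bytes transferred almost always means a key or public IP mismatch rather than an Azure-side problem.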