VPN - jasper-zanjani/azure GitHub Wiki
- AZ-103: 4.7
Virtual network gateways are categorized by gateway type, which determines the kind of connection or configuration formed (VPN or ExpressRoute). Any virtual network can have only a single gateway of each type.
VPN gateways send encrypted traffic between the virtual network and an on-premises location. A VPN gateway must be deployed into its own dedicated subnet, named "GatewaySubnet", with a minimum size of /29, although a /27 address block is recommended. A VPN connection between an on-premises network and a VNet is only possible if the two address ranges do not overlap.
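A pre-flight check for the two requirements just stated (GatewaySubnet at least /29, ideally /27, and no overlap between the VNet and on-premises ranges), added here as an example and not part of the wiki. It uses plain POSIX shell arithmetic so it can run before any `az` command is issued; the VNet1 address space 10.1.0.0/16 is an assumption (the wiki only shows its GatewaySubnet 10.1.1.0/27 and the on-premises prefix 10.5.0.0/16).

```shell
#!/bin/sh
# Pre-flight validator for an Azure S2S address plan (added example, not wiki code).
# Pure POSIX shell arithmetic: no az CLI needed, so it can gate a deployment pipeline.

# Convert a dotted-quad IPv4 address to an integer (subshell keeps IFS change local).
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Print "first last" as integers for a CIDR prefix such as 10.1.1.0/27.
cidr_range() {
    ip=${1%/*}; len=${1#*/}
    base=$(ip_to_int "$ip")
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    first=$(( base & mask ))
    echo "$first $(( first | (~mask & 4294967295) ))"
}

# Exit 0 if the two prefixes share at least one address.
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Exit 0 if INNER ($2) lies entirely within OUTER ($1).
cidr_contains() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$3" ] && [ "$4" -le "$2" ]
}

# check_plan VNET_SPACE GATEWAY_SUBNET ONPREM_PREFIX: exit 0 only if the plan is deployable.
check_plan() {
    vnet=$1; gwsub=$2; onprem=$3
    # Azure accepts /29 as the smallest GatewaySubnet; /27 is the recommended size.
    [ "${gwsub#*/}" -le 29 ] || { echo "FAIL: GatewaySubnet $gwsub is smaller than /29"; return 1; }
    cidr_contains "$vnet" "$gwsub" || { echo "FAIL: $gwsub is not inside VNet space $vnet"; return 1; }
    if cidr_overlap "$vnet" "$onprem"; then
        echo "FAIL: on-premises prefix $onprem overlaps VNet space $vnet; S2S is impossible"; return 1
    fi
    [ "${gwsub#*/}" -le 27 ] || echo "WARN: $gwsub is smaller than the recommended /27"
    echo "OK: $vnet with $gwsub can connect to $onprem"
}

# Constructed sample: VNet1 assumed to be 10.1.0.0/16; the other values are the wiki's.
check_plan 10.1.0.0/16 10.1.1.0/27 10.1.0.0/24 || :   # overlapping on-prem range: rejected
check_plan 10.1.0.0/16 10.1.1.0/27 10.5.0.0/16         # the wiki's plan: accepted
```

The accepted prefixes are the ones that then go into `--address-prefixes` for the GatewaySubnet and `--local-address-prefixes` for the local network gateway.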
VPN gateways can be classified by the topology of the connection:
- Site-to-Site (S2S) connections require an on-premises VPN device associated with a public IP address.
- Multi-Site connections require a RouteBased VPN type.
- Point-to-Site (P2S) allows individual computers to connect securely to a VNet without the need for a VPN device, which is useful for telecommuting, and can use SSTP, OpenVPN, or IKEv2. The authentication options for P2S are described further down.
- VNet-to-VNet connections are also possible, but VNet peering may be preferable if the virtual networks meet certain requirements.
VPN gateways can also be classified by VPN type:
- Route-based VPNs (previously called "dynamic routing gateways") require routes to be defined in a routing table to direct packets into tunnel interfaces.
- Policy-based VPNs (previously called "static routing gateways" in the classic deployment model) can only be used on the Basic gateway SKU and offer only a single S2S tunnel.
There is a profusion of gateway SKUs, which determine the maximum number of connections, the throughput, and the availability of other features such as BGP and zone redundancy for each topology.
A VPN gateway also requires a local network gateway (previously referred to as a Local Site), which is an Azure resource representing the on-premises VPN device or VPN concentrator.
Azure P2S VPN connections support several authentication methods:
- Azure AD authentication (Windows 10 only)
- RADIUS server
- VPN Gateway native certificate authentication
With RADIUS authentication, the VPN gateway acts as a pass-through, forwarding authentication messages between the connecting device and the RADIUS server. The RADIUS server can be deployed on-premises or in the Azure VNet, and two such servers can be deployed for high availability.
- If deployed on-premises, an S2S VPN to the site is required, and ExpressRoute is not usable.
- AD domain authentication requires a RADIUS server that integrates with the AD server.
Every Azure VPN gateway consists of two instances in an active-standby configuration. During failover a brief interruption may occur: 10-15 seconds for planned maintenance, or up to 60-90 seconds in the case of an unplanned disruption.
Alternatively, the gateway can be configured as active-active, which establishes S2S VPN tunnels to both gateway instances with traffic routed through both tunnels simultaneously. There is still only a single connection resource, but the on-premises VPN device must be configured to establish both of these tunnels.
The most highly available arrangement uses multiple on-premises VPN devices together with the VPN gateway in active-active configuration.
This diagram illustrates two local network gateways with the VPN gateway in active-active configuration, creating four IPsec tunnels that receive traffic from Azure evenly.
There are four main architectures used with ExpressRoute:
- Any-to-any connection is used to integrate on-premises WANs using IPVPN.
- Co-location with cloud exchange is used to order virtual cross-connections to the Azure cloud through the co-location provider's Ethernet exchange.
- Point-to-point Ethernet connection is used to configure on-premises data center connectivity to Azure through individual point-to-point links.
```powershell
# Create the local network gateway representing the on-premises VPN device
$localnw = New-AzLocalNetworkGateway -Name LocalNetGW -ResourceGroupName ExamRefRG -Location "West Europe" -GatewayIpAddress "53.50.123.195" -AddressPrefix "10.5.0.0/16"

# Create VPN connection (the shared key must match the one configured on the on-premises device)
$gateway = Get-AzVirtualNetworkGateway -Name VPNGW1 -ResourceGroupName ExamRefRG
$conn = New-AzVirtualNetworkGatewayConnection -Name OnPremConnection -ResourceGroupName ExamRefRG -Location 'West Europe' -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $localnw -ConnectionType IPsec -SharedKey "abc123"
```
```powershell
$rg = "ExamRefRG"

# Create gateway subnet in VNet1 (gateway subnets are normal subnets with the name "GatewaySubnet")
$vnet1 = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName $rg
$vnet1.Subnets += New-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -AddressPrefix 10.1.1.0/27
$vnet1 = Set-AzVirtualNetwork -VirtualNetwork $vnet1

# Create VPN gateway in VNet1 (public IP, IP configuration bound to GatewaySubnet, then the gateway)
$gwpip = New-AzPublicIpAddress -Name VNet1-GW-IP -ResourceGroupName $rg -Location 'North Europe' -AllocationMethod Dynamic
$gwsubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet1
$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name GwIPConf -Subnet $gwsubnet -PublicIpAddress $gwpip
$vnet1gw = New-AzVirtualNetworkGateway -Name VNet1-GW -ResourceGroupName $rg -Location 'North Europe' -IpConfigurations $gwipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
```
Azure CLI equivalent for VNet1 (gateway subnet, public IP and VPN gateway):
```bash
az network vnet subnet create --name GatewaySubnet --vnet-name VNet1 --resource-group ExamRefRG --address-prefixes 10.1.1.0/27
az network public-ip create --name VNet1-GW-IP --resource-group ExamRefRG --location NorthEurope
az network vnet-gateway create --name VNet1-GW --resource-group ExamRefRG --gateway-type vpn --sku VpnGw1 --vpn-type RouteBased --vnet VNet1 --public-ip-addresses VNet1-GW-IP --location NorthEurope
```
```powershell
# Create gateway subnets in VNet2 and VNet3
$vnet2 = Get-AzVirtualNetwork -Name VNet2 -ResourceGroupName ExamRefRG
$vnet2.Subnets += New-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -AddressPrefix 10.2.1.0/27
$vnet2 = Set-AzVirtualNetwork -VirtualNetwork $vnet2
$vnet3 = Get-AzVirtualNetwork -Name VNet3 -ResourceGroupName ExamRefRG
$vnet3.Subnets += New-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -AddressPrefix 10.3.1.0/27
$vnet3 = Set-AzVirtualNetwork -VirtualNetwork $vnet3

# Create VPN gateway in VNet2
$gwpip2 = New-AzPublicIpAddress -Name VNet2-GW-IP -ResourceGroupName ExamRefRG -Location $vnet2.Location -AllocationMethod Dynamic
$gwsubnet2 = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet2
$gwipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name GwIPConf2 -Subnet $gwsubnet2 -PublicIpAddress $gwpip2
$vnet2gw = New-AzVirtualNetworkGateway -Name VNet2-GW -ResourceGroupName ExamRefRG -Location $vnet2.Location -IpConfigurations $gwipconf2 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Create VPN gateway in VNet3
$gwpip3 = New-AzPublicIpAddress -Name VNet3-GW-IP -ResourceGroupName ExamRefRG -Location $vnet3.Location -AllocationMethod Dynamic
$gwsubnet3 = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet3
$gwipconf3 = New-AzVirtualNetworkGatewayIpConfig -Name GwIPConf3 -Subnet $gwsubnet3 -PublicIpAddress $gwpip3
$vnet3gw = New-AzVirtualNetworkGateway -Name VNet3-GW -ResourceGroupName ExamRefRG -Location $vnet3.Location -IpConfigurations $gwipconf3 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Create connections (one in each direction; both must use the same shared key)
New-AzVirtualNetworkGatewayConnection -Name VNet2-to-VNet3 -ResourceGroupName ExamRefRG -Location $vnet2.Location -VirtualNetworkGateway1 $vnet2gw -VirtualNetworkGateway2 $vnet3gw -ConnectionType VNet2VNet -SharedKey "secretkey123"
New-AzVirtualNetworkGatewayConnection -Name VNet3-to-VNet2 -ResourceGroupName ExamRefRG -Location $vnet3.Location -VirtualNetworkGateway1 $vnet3gw -VirtualNetworkGateway2 $vnet2gw -ConnectionType VNet2VNet -SharedKey "secretkey123"
```
```bash
# Create gateway subnets in VNet2 and VNet3
az network vnet subnet create --name GatewaySubnet --vnet-name VNet2 --resource-group ExamRefRG --address-prefixes 10.2.1.0/27
az network vnet subnet create --name GatewaySubnet --vnet-name VNet3 --resource-group ExamRefRG --address-prefixes 10.3.1.0/27

# Create public IP addresses for use by the VPN gateways
az network public-ip create --name VNet2-GW-IP --resource-group ExamRefRG --location NorthEurope
az network public-ip create --name VNet3-GW-IP --resource-group ExamRefRG --location WestEurope

# Create VPN gateways in VNet2 and VNet3
az network vnet-gateway create --name VNet2-GW --resource-group ExamRefRG --gateway-type vpn --sku VpnGw1 --vpn-type RouteBased --vnet VNet2 --public-ip-addresses VNet2-GW-IP --location NorthEurope
az network vnet-gateway create --name VNet3-GW --resource-group ExamRefRG --gateway-type vpn --sku VpnGw1 --vpn-type RouteBased --vnet VNet3 --public-ip-addresses VNet3-GW-IP --location WestEurope

# Create connections between the VPN gateways (one in each direction, same shared key)
az network vpn-connection create --name VNet2-to-VNet3 --resource-group ExamRefRG --vnet-gateway1 VNet2-GW --vnet-gateway2 VNet3-GW --shared-key secretkey123 --location NorthEurope
az network vpn-connection create --name VNet3-to-VNet2 --resource-group ExamRefRG --vnet-gateway1 VNet3-GW --vnet-gateway2 VNet2-GW --shared-key secretkey123 --location WestEurope
```
```powershell
# Get the Network Watcher resource for the region of the connection
$nw = Get-AzResource | Where-Object { $_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "westeurope" }
$networkWatcher = Get-AzNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName

# Get the connection to troubleshoot
$connection = Get-AzVirtualNetworkGatewayConnection -Name Vnet1-to-Vnet2 -ResourceGroupName ExamRefRG

# Storage account and container that receive the troubleshooting logs
# (same names as in the CLI version: examrefstorage / logs)
$sa = Get-AzStorageAccount -ResourceGroupName ExamRefRG -Name examrefstorage
$sc = Get-AzStorageContainer -Name logs -Context $sa.Context

# Start VPN Troubleshoot
Start-AzNetworkWatcherResourceTroubleshooting -NetworkWatcher $networkWatcher -TargetResourceId $connection.Id -StorageId $sa.Id -StoragePath "$($sa.PrimaryEndpoints.Blob)$($sc.Name)"
```
```bash
# Create a storage account and container for the troubleshooting logs
az storage account create --name examrefstorage --location westeurope --resource-group ExamRefRG --sku Standard_LRS
az storage account keys list --resource-group ExamRefRG --account-name examrefstorage
# Replace {storageAccountKey} with one of the keys returned by the previous command
az storage container create --account-name examrefstorage --account-key {storageAccountKey} --name logs

# Start VPN Troubleshoot
az network watcher troubleshooting start --resource-group ExamRefRG --resource Vnet1-to-Vnet2 --resource-type vpnConnection --storage-account examrefstorage --storage-path https://examrefstorage.blob.core.windows.net/logs --output json
```
AZ-103: 395
```powershell
# Variables: resource group, location, the on-premises device's public IP and the shared key (PSK)
$g = "ExamRefRG"
$l = "West Europe"
$lgwip = "53.50.123.195"
$key = "abc123"   # must match the PSK configured on the on-premises VPN device

# Local network gateway, existing VPN gateway (VPNGW1), then the IPsec connection between them
$lgw = New-AzLocalNetworkGateway -ResourceGroupName $g -Name LocalNetGW -Location $l -GatewayIpAddress $lgwip -AddressPrefix "10.5.0.0/16"
$vgw = Get-AzVirtualNetworkGateway -ResourceGroupName $g -Name VPNGW1
New-AzVirtualNetworkGatewayConnection -ResourceGroupName $g -Name OnPremConnection -Location $l -VirtualNetworkGateway1 $vgw -LocalNetworkGateway2 $lgw -ConnectionType IPsec -SharedKey $key
```
Azure CLI equivalent:
```bash
lgwip="53.50.123.195"
key="abc123"   # must match the PSK configured on the on-premises VPN device
az network local-gateway create --gateway-ip-address "$lgwip" --name LocalNetGW --resource-group ExamRefRG --local-address-prefixes 10.5.0.0/16
az network vpn-connection create --name OnPremConnection --resource-group ExamRefRG --vnet-gateway1 VPNGW1 --location WestEurope --shared-key "$key" --local-gateway2 LocalNetGW
```
- VPN Gateway design
- Connect Azure VPN gateways to multiple on-premises policy-based VPN devices
- About VPN Gateway configuration settings
- Highly available cross-premises and VNet-to-VNet connectivity
- ExpressRoute connectivity models
- Connect a computer to a virtual network using P2S and RADIUS authentication: PowerShell