{
"metadata": {
"kernelspec": {
"name": "powershell",
"display_name": "PowerShell"
},
"language_info": {
"name": "powershell",
"codemirror_mode": "shell",
"mimetype": "text/x-sh",
"file_extension": ".ps1"
}
},
"nbformat_minor": 2,
"nbformat": 4,
"cells": [
{
"cell_type": "markdown",
"source": [
"Create Point to Site Virtual Private Network (VPN)\n",
"==================================\n",
"As part of the migration process, if you do not already have an Azure VPN and Gateway setup, this notebook will help you get one created and verify you have the connectivity necessary to securely host your new Azure SQL Server Virtual Machines. \n",
"\n",
"If a S2S connection is needed instead of a P2S, then see [Create and manage S2S VPN connections using PowerShell](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-tutorial-vpnconnection-powershell) for more information. S2S may be out of scope for a data user and can be attempted by a network administrator.\n",
"\n",
""
],
"metadata": {
"azdata_cell_guid": "6af59d69-ade7-480a-b33e-52a86fe5bfd3"
}
},
{
"cell_type": "markdown",
"source": [
"There are a handful of steps you have to walk through to get your resource group and VPN configured.\r\n",
"\r\n",
"Steps of this procedure include:\r\n",
"1. Connect to Azure subscription\r\n",
"1. Provision resource group for VPN\r\n",
"2. Create VPN\r\n",
"3. Provision IP address for Gateway\r\n",
"4. Create Gateway\r\n",
"\r\n",
"NOTE: Fill all the below variables with names in order to proceed ahead. "
],
"metadata": {
"azdata_cell_guid": "2dfbdfb6-adbd-4b3c-8eeb-76237b8145cb"
}
},
{
"cell_type": "code",
"source": [
"$RG1 = \"\" # Resource group name(It should be of alphabets case insensitive)\r\n",
"$VNet1 = \"\" # VPN name of your choice(It should be of alphabets case insensitive)\r\n",
"$Location1 = \"\" # Specify the valid location such as 'West US 2','EASTUS' etc...\r\n",
"$FESubnet1 = \"\" # Frontend subnet name of your choice(It should be of alphabets case insensitive)\r\n",
"$VNet1Prefix = \"\" # VNet default I.P format would be like this '10.1.0.0/16'\r\n",
"$FEPrefix1 = \"\" # Frontend Gateway default IP format would be '10.1.0.0/24'\r\n",
"$GwPrefix1 = \"\" # Default value for Gateway subnet would be '10.1.255.0/27'\r\n",
"$Gw1 = \"\" # Gateway name of your choice (It should be of alphabets case insensitive)\r\n",
"$GwIP1 = \"\" # Gateway IP name of your choice(It should be of alphabets case insensitive)\r\n",
"$GwIPConf1 = \"\" # Gateway IP Config name of your choice(It would be alphanumeric case insensitive)"
],
"metadata": {
"azdata_cell_guid": "424c911f-fb75-44f9-902d-c06dedf9eaf6"
},
"outputs": [],
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"## Connect to Azure Account"
],
"metadata": {
"azdata_cell_guid": "39c51f44-acf4-4142-af82-b5daa4d3b53f"
}
},
{
"cell_type": "code",
"source": [
"Connect-AzAccount"
],
"metadata": {
"azdata_cell_guid": "32849f41-ef18-4f8c-b4c3-4863db3329df"
},
"outputs": [],
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"## Get Subscription \r\n",
"Below command will open a Dialouge Box with list of subscriptions.\r\n",
"Selecting one of those will set that subscription for rest of the commands."
],
"metadata": {
"azdata_cell_guid": "1c8c15f8-80af-463a-8113-a71b1a4725ea"
}
},
{
"cell_type": "code",
"source": [
"$subscription = Get-AzSubscription | Out-GridView -PassThru\r\n",
"Set-AzContext -SubscriptionName $subscription"
],
"metadata": {
"azdata_cell_guid": "cf04dfea-4a33-455b-83e8-753d75383f41",
"tags": []
},
"outputs": [],
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"## Create the resource group \r\n",
"Create a resource group with the _New-AzResourceGroup_ command. An Azure resource group is a logical container into which Azure resources are deployed and managed. A resource group must be created first."
],
"metadata": {
"azdata_cell_guid": "200961d3-879b-4325-8db4-e08854a36e4d"
}
},
{
"cell_type": "code",
"source": [
"# Create Azure resource group, if necessary\r\n",
"$RG1 = Get-AzResourceGroup -Name $RG1\r\n",
"\r\n",
"if (!$RG1)\r\n",
"{\r\n",
" # Need to create a new resource group\r\n",
" Write-Output \"Resource Group $RG1 does not exist. Creating...\"\r\n",
" $RG1 = New-AzResourceGroup -Name $RG1 -Location $Location1\r\n",
"}"
],
"metadata": {
"azdata_cell_guid": "dabfb7d5-aa62-48a6-bc81-a82814befec7"
},
"outputs": [],
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"## Create a VPN\r\n",
"Azure gateway provides cross-premises connectivity and P2S VPN server functionality for your VPN. Add a gateway to an existing VPN or create a new VPN and the gateway. Notice that the example specifies the name of the gateway subnet specifically. You must always specify the name of the gateway subnet as \"GatewaySubnet\" in order for it to function properly. This example creates a new VPN with two subnets: Frontend and GatewaySubnet using New-AzVirtualNetworkSubnetConfig and New-AzVirtualNetwork:"
],
"metadata": {
"azdata_cell_guid": "629badb8-5338-4418-bdac-6e91af6c732b"
}
},
{
"cell_type": "code",
"source": [
"$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubnet1 -AddressPrefix $FEPrefix1\r\n",
"$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $GwPrefix1\r\n",
"$vnet = New-AzVirtualNetwork `\r\n",
" -Name $VNet1 `\r\n",
" -ResourceGroupName $RG1 `\r\n",
" -Location $Location1 `\r\n",
" -AddressPrefix $VNet1Prefix `\r\n",
" -Subnet $fesub1,$gwsub1"
],
"metadata": {
"azdata_cell_guid": "86ad1860-0e92-47b3-b198-1eac6187efe2"
},
"outputs": [],
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"## Request a public IP address for the gateway\r\n",
"Azure VPN gateways communicate with your on-premises VPN devices over the Internet to performs IKE (Internet Key Exchange) negotiation and establish IPsec tunnels. Create and assign a public IP address to your gateway as shown in the example below with New-AzPublicIpAddress and New-AzVirtualNetworkGatewayIpConfig:\r\n",
"\r\n",
" #### Important :\r\n",
" Currently, you can only use a Dynamic public IP address for the gateway. Static IP address is not supported on Azure VPN gateways."
],
"metadata": {
"azdata_cell_guid": "e68e487a-9fe1-43e1-9201-ad6c2abcf81f"
}
},
{
"cell_type": "code",
"source": [
"$gwpip = New-AzPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1 `\r\n",
" -Location $Location1 -AllocationMethod Dynamic\r\n",
"$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `\r\n",
" -VirtualNetwork $vnet\r\n",
"$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GwIPConf1 `\r\n",
" -Subnet $subnet -PublicIpAddress $gwpip"
],
"metadata": {
"azdata_cell_guid": "96800b54-48a8-463b-886c-3d0e96f29765"
},
"outputs": [],
"execution_count": null
},
{
"cell_type": "markdown",
"source": [
"## Create a gateway \r\n",
"\r\n",
"A gateway can take 45 minutes or more to create. Once the gateway creation has completed, you can create a connection between your VPN and another VNet. Or create a connection between your VPN and an on-premises location. Create a gateway using the New-AzVirtualNetworkGateway cmdlet."
],
"metadata": {
"azdata_cell_guid": "6b4924b6-35b4-49c1-a2c8-fc45349ff09d"
}
},
{
"cell_type": "code",
"source": [
"New-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 `\r\n",
" -Location $Location1 -IpConfigurations $gwipconf -GatewayType Vpn `\r\n",
" -VpnType RouteBased -GatewaySku VpnGw1"
],
"metadata": {
"azdata_cell_guid": "e046ac0a-39fc-48e8-a7f8-26adb3a188e1"
},
"outputs": [],
"execution_count": null
}
]
}