{ "metadata": { "kernelspec": { "name": "powershell", "display_name": "PowerShell" }, "language_info": { "name": "powershell", "codemirror_mode": "shell", "mimetype": "text/x-sh", "file_extension": ".ps1" } }, "nbformat_minor": 2, "nbformat": 4, "cells": [ { "cell_type": "markdown", "source": [ "## Create a Site-to-Site Virtual Private Network in Azure\n", "\n", "* * *\n", "\n", "This notebook uses [PowerShell Az.Network cmdlets](https://docs.microsoft.com/en-us/powershell/module/az.network/ \"https://docs.microsoft.com/en-us/powershell/module/az.network/\") to create a S2S VPN gateway connection from an on-premises network to an Azure Virtual Network (VPN).\n", "\n", "![](https://docs.microsoft.com/en-us/azure/vpn-gateway/media/vpn-gateway-tutorial-vpnconnection-powershell/site-to-site-diagram.png)\n", "\n", "Use these parameters to create the environment or to better understand the examples in this notebook.\n", "\n", "| Line # | Name | Example | Description |\n", "| --- | --- | --- | --- |\n", "| 1 | **Subscription** | \"\" | Name or ID (guid) of Azure Subscription to setup S2S VPN in. |\n", "| 2 | **ResourceGroup** | \"TestRG1\" | Name of new or existing resource group (RG). An Azure Resource Group is a collection of Azure resources that share the same permissions, policies, etc. In this case, the Resource Group for the virtual network is specified.  |\n", "| 3 | **VnetName** | \"VNet1\" | Alphanumeric value represents the name of the Azure resource to create. |\n", "| 4 | **Location** | \"East US\" | Value representing the region or location of the RG. See [Azure Geographies](https://azure.microsoft.com/en-us/global-infrastructure/geographies/ \"https://azure.microsoft.com/en-us/global-infrastructure/geographies/\") for more information. |\n", "| 5 | **AddressSpace** | \"10.1.0.0/16\" | Defines a range of IP prefixes in the remote subnet. |\n", "| 6 | **SubnetName** | \"Frontend\" | |\n", "| 7 | **Subnet** | \"10.1.0.0/24\" | |\n", "| 8 | **GatewaySubnet** | \"10.1.255.0/27\" | Specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration created. Some configurations require more IP addresses than others. It is recommended to create a gateway subnet that uses a /27 or /28. |\n", "| 9 | **LocalNetworkGatewayName** | \"Site1\" | |\n", "| 10 | **LNGPublicIP** | \"192.168.29.46\" | |\n", "| 11 | **LocalAddressPrefix** | \"10.101.0.0/24, 10.101.1.0/24\" | |\n", "| 12 | **GatewayName** | \"GatewaySubnet\" | |\n", "| 13 | **PublicIP** | \"VNet1GWPIP\" | |\n", "| 14 | **GatewayIPConfig** | \"gwipconfig1\" | |\n", "| 15 | **VPNType** | \"RouteBased\" | |\n", "| 16 | **GatewayType** | \"Vpn\" | |\n", "| 17 | **ConnectionName** | \"VNet1toSite1\" | |" ], "metadata": { "azdata_cell_guid": "130ad787-0d85-4edb-9cab-62824de6993f" } }, { "cell_type": "code", "source": [ "$Subscription = \"\"\r\n", "$ResourceGroup = \"\"\r\n", "$VnetName = \"\"\r\n", "$Location = \"\"\r\n", "$AddressSpace = \"\"\r\n", "$SubnetName = \"\"\r\n", "$Subnet = \"\"\r\n", "$GatewaySubnet = \"\"\r\n", "$LocalNetworkGatewayName = \"\"\r\n", "$LNGPublicIP = \"\"\r\n", "$LocalAddressPrefixes = \"\"\r\n", "$GatewayName = \"\"\r\n", "$PublicIP = \"\"\r\n", "$GatewayIPConfig = \"\"\r\n", "$VPNType = \"\"\r\n", "$GatewayType = \"\"\r\n", "$ConnectionName = \"\"" ], "metadata": { "azdata_cell_guid": "f883288a-fc6a-4b0f-9215-6b771dc72b8d" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "There are a handful of steps to setup a resource group and configure the VPN:\n", "\n", "1. Create or specify a resource group\n", "2. Create a virtual network\n", "3. Create a subnet configuration\n", "4. Set the subnet configuration for the virtual network\n", "5. Add a gateway subnet\n", "6. Set the subnet configuration for the virtual network\n", "7. Request a public IP address\n", "8. Create the gateway IP address configuration\n", "9. Create the VPN gateway\n", "10. Create the local network gateway\n", "11. Create the VPN connection" ], "metadata": { "azdata_cell_guid": "a84bd796-4838-480a-83c5-48305870d2f0" } }, { "cell_type": "markdown", "source": [ "## Create a resource group" ], "metadata": { "azdata_cell_guid": "009ae97a-8d89-45bb-9f0f-63ab3943f151" } }, { "cell_type": "code", "source": [ "New-AzResourceGroup -Name $ResourceGroup -Location $Location" ], "metadata": { "azdata_cell_guid": "0e792bfb-5775-437c-b084-47593e5ce314" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Create a virtual network\n", "\n", "This example creates a virtual network and a gateway subnet. If the virtual network is already present then gateway subnet is needed, see [To add a gateway subnet to a virtual network which is already created](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell#gatewaysubnet \"https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell#gatewaysubnet\"). When creating a virtual network, make sure that the address spaces don't overlap any of the address spaces that are in on-premises network." ], "metadata": { "azdata_cell_guid": "53145be6-8eb0-4857-9029-888b55a12e85" } }, { "cell_type": "code", "source": [ "$virtualNetwork = New-AzVirtualNetwork `\r\n", " -ResourceGroupName $ResourceGroup `\r\n", " -Location $Location `\r\n", " -Name $VnetName `\r\n", " -AddressPrefix $AddressSpace" ], "metadata": { "azdata_cell_guid": "f473191d-5bdd-4678-925d-bd26cf0fe53d" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Create a subnet configuration" ], "metadata": { "azdata_cell_guid": "eaa39a66-f89d-4669-bcce-6e205c3ef5a1" } }, { "cell_type": "code", "source": [ "$subnetConfig = Add-AzVirtualNetworkSubnetConfig `\r\n", " -Name $SubnetName `\r\n", " -AddressPrefix $Subnet `\r\n", " -VirtualNetwork $virtualNetwork" ], "metadata": { "azdata_cell_guid": "cfbee82d-5950-426a-8887-06cc023b8dfd" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Set the subnet configuration for the virtual network" ], "metadata": { "azdata_cell_guid": "d271f4fd-045e-4920-a384-9894c226e666" } }, { "cell_type": "code", "source": [ "$virtualNetwork | Set-AzVirtualNetwork" ], "metadata": { "azdata_cell_guid": "6bee9590-7149-4233-954e-25a897800aaa" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Add a gateway subnet\r\n", "The virtual network gateway uses specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named 'GatewaySubnet' in order for Azure to deploy the gateway resources. You can't specify a different subnet to deploy the gateway resources to. If you don't have a subnet named 'GatewaySubnet', when you create your VPN gateway, it will fail." ], "metadata": { "azdata_cell_guid": "27e2625c-ebef-4355-8667-c817c52dbf3a" } }, { "cell_type": "code", "source": [ "$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName\r\n", "Add-AzVirtualNetworkSubnetConfig -Name $GatewayName -AddressPrefix $GatewaySubnet -VirtualNetwork $vnet" ], "metadata": { "azdata_cell_guid": "4f13a28f-e6be-424a-942f-a8562c104787" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Set the subnet configuration for the virtual network" ], "metadata": { "azdata_cell_guid": "25aed948-7fcd-440f-bb37-bb677cae5c79" } }, { "cell_type": "code", "source": [ "$vnet | Set-AzVirtualNetwork" ], "metadata": { "azdata_cell_guid": "2b0cbaff-5aea-4029-9603-5eb7c75688b3" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Request a public IP address\r\n", "A VPN gateway must have a Public IP address. It first requests the IP address resource, and then refer to it when creating virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created.\r\n", "\r\n", "VPN Gateway currently only supports Dynamic Public IP address allocation. It cannot request a Static Public IP address assignment. However, this does not mean that the IP address will change after it has been assigned to created VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of created VPN gateway." ], "metadata": { "azdata_cell_guid": "c664e2c9-d9fc-4913-aaf8-8e3b3d40d7a8" } }, { "cell_type": "code", "source": [ "$gwpip= New-AzPublicIpAddress -Name $PublicIP -ResourceGroupName $ResourceGroup -Location $Location `\r\n", " -AllocationMethod Dynamic" ], "metadata": { "azdata_cell_guid": "1d8eef52-b085-4eb3-8130-0c16232d89b1" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Create the gateway IP address configuration\r\n", "The gateway configuration defines the subnet (the 'GatewaySubnet') and the public IP address to use. Use the following example to create gateway configuration:" ], "metadata": { "azdata_cell_guid": "a351a10f-54a6-4a78-be15-38c96d94bae0" } }, { "cell_type": "code", "source": [ "$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup\r\n", "$subnet = Get-AzVirtualNetworkSubnetConfig -Name $GatewayName -VirtualNetwork $vnet\r\n", "$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name $GatewayIPConfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id" ], "metadata": { "azdata_cell_guid": "b1f1662a-21a0-48b6-b5b6-5f9a15e1d662" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Create a gateway\r\n", "A gateway can take 45 minutes or more to create. Once the gateway creation has completed, you can create a connection between your VPN and another VNet. Or create a connection between your VPN and an on-premises location. Create a gateway using the _New-AzVirtualNetworkGateway_ cmdlet." ], "metadata": { "azdata_cell_guid": "b9adcd02-bb2a-4c57-b831-68f74f1d2fdc" } }, { "cell_type": "code", "source": [ "New-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup `\r\n", " -Location $Location -IpConfigurations $gwipconfig -GatewayType $GatewayType `\r\n", " -VpnType $VPNType -GatewaySku VpnGw1" ], "metadata": { "azdata_cell_guid": "9235b9b3-7cbe-4a4d-bc5e-f82e3e34bd4b" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Create the local network gateway\r\n", "The local network gateway (LNG) typically refers to on-premises location. It is not the same as a virtual network gateway. Give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to the connection to be created. Also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes specified are the prefixes located on on-premises network. If on-premises network changes, it can easily update the prefixes." ], "metadata": { "azdata_cell_guid": "5452ac24-2bcf-475d-8284-8ea2cfce8ac3" } }, { "cell_type": "code", "source": [ "New-AzLocalNetworkGateway -Name $LocalNetworkGatewayName -ResourceGroupName $ResourceGroup `\r\n", " -Location $Location -GatewayIpAddress '192.168.29.46' -AddressPrefix @('10.101.0.0/24','10.101.1.0/24')" ], "metadata": { "azdata_cell_guid": "0e212918-89aa-474e-ad6d-73e8cefc3b25" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Create the VPN connection\r\n", "Create the Site-to-Site VPN connection between virtual network gateway and VPN device. Be sure to replace the values. The shared key must match the value used for VPN device configuration. Notice that the '-ConnectionType' for Site-to-Site is IPsec." ], "metadata": { "azdata_cell_guid": "08ffbbd7-deba-4472-950f-b92c83a0dbc2" } }, { "cell_type": "code", "source": [ "$gateway1 = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup\r\n", "$local = Get-AzLocalNetworkGateway -Name $LocalNetworkGatewayName -ResourceGroupName $ResourceGroup\r\n", "New-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroup `\r\n", " -Location $Location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `\r\n", " -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'" ], "metadata": { "azdata_cell_guid": "c7d2e8dc-97ee-4764-8a39-704dfd1cd815" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "## Verify the VPN connection\r\n", "Connection can be verified if it is succeeded by using the _Get-AzVirtualNetworkGatewayConnection_ cmdlet, with or without '-Debug'." ], "metadata": { "azdata_cell_guid": "2dd64b80-488d-4ada-9805-ef7fe59d4058" } }, { "cell_type": "code", "source": [ "Get-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroup" ], "metadata": { "azdata_cell_guid": "03acce02-74fb-48eb-a38d-f2dde1a2e85e" }, "outputs": [], "execution_count": null } ] }