Step-by-Step: Configure VNet to VNet Connectivity in Azure

Step-by-Step: Configure VNet to VNet Connectivity in Azure

  • Comments 4
  • Likes

Hello Folks,

The last two azure camps we delivered lead to a lot of good discussions.  One in particular was regarding the Site to Site VPN capabilities found in Azure.  we have covered it on this blog before. Step-By-Step: Create a Site-to-Site VPN between your network and Azure

At TechEd North America 2014 Microsoft announced new capabilities for Azure networking.  One said capability is the ability to connect an Azure virtual network to another Azure virtual network almost in the same way you can connect a virtual network to your local network.  Both these situations use a virtual network gateway to provide a secure tunnel using IPsec/IKE.

The cool things  is that you can connect virtual networks in different subscriptions,  in different regions. You can even combine VNet to VNet communication with multi-site configurations. This new functionality allows you to create:

  • Cross region geo-redundancy and geo-presence
  • Regional multi-tier applications with strong isolation boundary
  • Cross subscription, inter-organization communication in Azure

In this post we’ll review how you can set up a site to site VPN between virtual Networks in 2 different Azure regions.

Create your virtual networks

First we need to create the virtual networks.

1- Logon to the Azure Portal, and  In the settings area,  I created 2 Affinity Groups. Canitpro-East and Canitpro-West. Each located in the East US and West US regions.

image

2- create a new virtual network. Click on the NETWORKS link in the left navigation pane and then click the +NEW button located on the bottom toolbar.

Select VIRTUAL NETWORK and CUSTOM CREATE.

2- In the Wizard that popup, give your network a meaningful name, select the Affinity Group and click the Right-Arrow to move on to the next screen.

3-  in the “DNS Servers and VPN Connectivity” page ,

  • Configure Site-To-Site VPN - Select the checkbox for Configure a site-to-site VPN.
  • Local Network– Create a new local network.
      • Name - The name you want to call your local network site.
      • VPN Device IP Address - This is public facing IPv4 address of your VPN device that you’ll use to connect to Azure. You don’t need to worry about the VPN device settings. You can put any IP address for VPN device in those spaces because you’ll be reconfiguring the file after exporting it
      • Address Space - including Starting IP and CIDR (Address Count). This is where you specify the address range(s) that you want sent through the virtual network gateway to your local on-premises location. If a destination IP address falls within the ranges that you specify here, it will be routed through the virtual network gateway.
      • Add address space - If you have multiple address ranges that you want sent through the virtual network gateway, this is where you specify each additional address range. You can add or remove ranges later on the Local Network page.

4- Configure your address space, subnets to complete the setup of the network.

The networks I created are as follows:

Network Name

IP Address Space Affinity Group Subnets

Vnet1

10.2.0.0/16 Canitpro-West (West US) Vnet1-Subnet-1 (10.2.0.0/19)
Vnet2 10.3.0.0/16 Canitpro-East (East US) Vnet2-Subnet-1 (10.3.0.0/19)

 

Network Name

Local Network to connect to.

Vnet1

Canitpro-East
Vnet2 Canitpro-West

You cannot configure all the required settings for VNet to VNet VPN in the Azure portal. An easy workaround to this is to create your virtual networks with the basic settings you require by using the Management Portal, and then export the settings to network configuration files.

Once Exported, we edit the IP addresses to match the tables above. the saved file to have the following xml file

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns />
    <LocalNetworkSites>
      <LocalNetworkSite name="Canitpro-East">
        <AddressSpace>
          <AddressPrefix>10.3.0.0/16</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>131.1.1.1</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="Canitpro-West">
        <AddressSpace>
          <AddressPrefix>10.2.0.0/16</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>131.1.1.2</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="Vnet1" AffinityGroup="Canitpro-West">
        <AddressSpace>
          <AddressPrefix>10.2.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Vnet1-Subnet-1">
            <AddressPrefix>10.2.0.0/19</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.2.32.0/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="Canitpro-East">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="Vnet2" AffinityGroup="Canitpro-East">
        <AddressSpace>
          <AddressPrefix>10.3.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Vnet2-Subnet-1">
            <AddressPrefix>10.3.0.0/19</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.3.32.0/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="Canitpro-West">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>

in these files, The “VPNGatewayAddress” for the LocalNetworkSite is the VIP (Public IP) address of the corresponding Azure VPN gateway for the virtual network. The actual address will not be available until the Azure VPN gateway is created. Please fill in a placeholder IP address if the VPN gateway is not yet created.

Once you’ve configured your netcfg files, import them back to the Management Portal . In the navigation pane on the bottom left, click New.

Click Network Services-> Virtual Network-> Import Configuration.

On the Import the network configuration file page, browse to your network configuration file, and then click the nextarrow to complete the import.

Create the Dynamic Routing VPN gateways for each virtual network

Now that our networks and corresponding local networks are created.  Our next step is to create the Azure VPN gateway for each virtual network. This can be done through either the Management Portal. Only the Dynamic Routing gateway type is supported.

1- To create a dynamic routing gateway in the Management Portal, on the Networks page, click the name of your virtual network you want to create the gateway for. I will start with VNet1.

2- On the Dashboard page, At the bottom,  click Create Gateway. And select Dynamic Routing

3- Repeat for the other vnet.

It takes a few minutes to complete the creation of the gateways.

Connect the VPN gateways

We now have our virtual networks created, the local network defined, and the gateway created.  the final step is to connect them together.  But remember that we inserted a [lace holder earlier because we did not have the address of the Gateway yet.

1- copy the addresses from the Portal and update the placeholders in the XML we edited earlier.

image

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns />
    <LocalNetworkSites>
      <LocalNetworkSite name="Canitpro-East">
        <AddressSpace>
          <AddressPrefix>10.3.0.0/16</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>137.135.66.19</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="Canitpro-West">
        <AddressSpace>
          <AddressPrefix>10.2.0.0/16</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>138.91.144.23</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="Vnet1" AffinityGroup="Canitpro-West">
        <AddressSpace>
          <AddressPrefix>10.2.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Vnet1-Subnet-1">
            <AddressPrefix>10.2.0.0/19</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.2.32.0/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="Canitpro-East">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="Vnet2" AffinityGroup="Canitpro-East">
        <AddressSpace>
          <AddressPrefix>10.3.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Vnet2-Subnet-1">
            <AddressPrefix>10.3.0.0/19</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.3.32.0/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="Canitpro-West">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>

2-  Import the file back to the Management Portal . In the navigation pane on the bottom left, click New.

Click Network Services-> Virtual Network-> Import Configuration.

On the Import the network configuration file page, browse to your network configuration file, and then click the next arrow to complete the import

image

3- before we can start using the PowerShell Azure module we need to install the latest version.  A new version that includes the needed cmdlets was released on May 29th.

image

4- Set the IPsec/IKE pre-shared keys to be the same. This can be done using a PowerShell cmdlet. We will set the key value to A1b2C3D4.  the command to do that in PowerShell is :

# Set the IPsec/IKE pre-shared keys to be the same
Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName Canitpro-East -SharedKey A1b2C3D4
Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName Canitpro-West -SharedKey A1b2C3D4

image

5- When all the previous steps are completed, VNet1 and VNet2 will be connected together after the IPsec/IKE establishes the S2S VPN tunnel

image

image

 

That is the way you can setup a VPN between Virtual networks in Azure. I will write about adding more sites (both local and in the cloud) in upcoming posts.  So, keep coming back.  and as usual, let me know if you have specific scenarios you want me to investigate.

Cheers!

clip_image011

Pierre Roman | Technology Evangelist
Twitter | Facebook | LinkedIn

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Awesome! This seems like a fairly recent topic/implementation on MS' part. The screenshots at the end was a nice touch in terms of visualizing how its supposed to look like once all glued together. The note about updating PowerShell was very useful as well. I was following their documentation and I was stuck at SharedKey step, which required that I upgrade my PS install. Once I did, blamo! In terms of other scenarios to investigate: what about moving a current VM from one affinity to another affinity, or from one azure network to another? I had initially created a machine in a static route environment. Id like to move it to a network in my new affinities/VPNs, without losing the data on it.

  • Hello Pierre, nice article. Do you happen to know if the dynamic routing requirement is for all endpoints (ie, my on premise VPN as well) or just for the Azure VPN to VPN connection?

  • Hey Raymond,

    Only the Dynamic Routing VPN can support multi-site and VNet-to-VNet connectivity? you can find more info here http://msdn.microsoft.com/en-us/library/azure/dn133803.aspx#BM_MultiSiteandVNet

    I hope this helps

    Pierre

  • Hey Ray,

    I'm looking into that .... this will be the subject of another post....

    Pierre