Azure ARM Virtual Networks and VPN tunnels / gateways

This post is part 1 of a small series and stems from this post https://marckean.com/2016/05/17/azure-resource-groups-networks/

The following is some PowerShell I put together that sets up a full Virtual Network along with a Local Network Gateway, Public IP address and Virtual Network Gateway, all in the same Resource Group. The script puts all of this into its own Azure Resource Group, which I recommend so that the network part of your Azure environment stays separate: you can then deploy other resources, e.g. Virtual Machines, in other Resource Groups and still attach them to this Virtual Network even though it lives in another Resource Group. It also means that with RBAC you can delegate access to the network team, or whoever has this know-how, to manage the Azure network resources.

For information and templates to help setup the other side of the VPN tunnel i.e. VPN device scripts, see https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/

Below you will need to change the variables to suit yourself. When running the script, the section that creates the Virtual Network Gateway takes a long time, about 20-40 mins. Deleting the Virtual Network Gateway takes just as long, so make sure you have this correct before deploying it, otherwise you'll end up wasting heaps of time.

BTW, I am using the Azure PowerShell module v1.4.0 I got from here: https://github.com/Azure/azure-powershell/releases (a full download instead of the web installer).

### Log into Azure ARM
Login-AzureRmAccount
 
### Choose subscription 'new' Azure
$subscription = (Get-AzureRmSubscription | Out-GridView -Title "Select the Azure subscription that you want to use ..." -PassThru).SubscriptionName
Select-AzureRmSubscription -SubscriptionName $subscription
 
Import-Module "C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ResourceManager\AzureResourceManager\AzureRM.Network\AzureRM.Network.psd1"
 
##########################################################################
############################# vNet ##############################
##########################################################################
 
$vNetRGName = "Show-vNet"
$location = "australiaeast"
 
### Create the Resource Group
cls
Write-Host "`n`tCreating the target resource group $vNetRGName (if it doesn't exist already)..." -ForegroundColor Cyan
if(!(Get-AzureRmResourceGroup -Name $vNetRGName -Location $location -ErrorAction SilentlyContinue)){
New-AzureRmResourceGroup -Name $vNetRGName -Location $location -Force}
 
#Virtual Network
$vNetName = "Demo-vNet"
$vNetPrefix = "10.123.0.0/16" # 10.123.0.1 -> 10.123.255.254
$DMZSubnetName = "DMZ"
$DMZSubnetPrefix = "10.123.250.0/24"
$IntSubnetName = "Internal"
$IntSubnetPrefix = "10.123.10.0/24"
$GWSubnetName = "GatewaySubnet"
$GWSubnetPrefix = "10.123.2.0/28"
 
### Create Virtual Network
$DMZSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $DMZSubnetName -AddressPrefix $DMZSubnetPrefix
$IntSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $IntSubnetName -AddressPrefix $IntSubnetPrefix
$GWSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubnetName -AddressPrefix $GWSubnetPrefix
$vnet = New-AzureRmVirtualNetwork -Name $vNetName -ResourceGroupName $vNetRGName -Location $location -AddressPrefix $vNetPrefix -Subnet $DMZSubnet,$IntSubnet,$GWSubnet
 
##########################################################################
############################# VPN ##############################
##########################################################################
 
### VPN variables (Local Network Gateway, Public IP and vNet Gateway)
 
$LocalSite = "SoftLayer"            # name for the Local Network Gateway, i.e. the on-premises side
$GWIPName = "Demo-GWIP"
$gwipconfigName = "Demo-GWIPName"
$vnetgwName = "Demo-vNetGW"
$VPNconnection = "LocalToVPN"
$SharedKey = "4wer64erh0js35u4689"  # IPsec pre-shared key; use your own value and configure the same one on the VPN device
$GatewayIpAddress = '168.1.113.85'  # public IP of the on-premises VPN device
$AddressPrefix = '192.168.111.0/24' # on-premises address range(s) reachable through the tunnel
 
### Create the Local Network Gateway and the Public IP for the vNet Gateway
New-AzureRmLocalNetworkGateway -Name $LocalSite -ResourceGroupName $vNetRGName -Location $location -GatewayIpAddress $GatewayIpAddress -AddressPrefix $AddressPrefix # or several ranges: @('10.0.0.0/24','20.0.0.0/24')
$gwpip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $vNetRGName -Location $location -AllocationMethod Dynamic
 
$vnet = Get-AzureRmVirtualNetwork -Name $vNetName -ResourceGroupName $vNetRGName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GWSubnetName -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $gwipconfigName -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
 
### Create the vNet Gateway (this is the 20-40 minute step)
New-AzureRmVirtualNetworkGateway -Name $vnetgwName -ResourceGroupName $vNetRGName -Location $location -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard
 
##########################################################################
############################# Connection #############################
##########################################################################
 
### Create the Connection
$gateway = Get-AzureRmVirtualNetworkGateway -Name $vnetgwName -ResourceGroupName $vNetRGName
$local = Get-AzureRmLocalNetworkGateway -Name $LocalSite -ResourceGroupName $vNetRGName
New-AzureRmVirtualNetworkGatewayConnection -Name $VPNconnection -ResourceGroupName $vNetRGName -Location $location -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey $SharedKey
 
# To change the on-premises address range(s) later, update the Local Network Gateway (device-side settings: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/)
 
$local = Get-AzureRmLocalNetworkGateway -Name $LocalSite -ResourceGroupName $vNetRGName
Set-AzureRmLocalNetworkGateway -LocalNetworkGateway $local -AddressPrefix @('192.168.111.0/24')
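Because a wrong GatewaySubnet or an on-premises range that overlaps the vNet costs a 20-40 minute gateway rebuild, here is an added pre-flight check of the address plan (example code written for this post, not part of the original script). It is plain PowerShell with no Azure calls; the function names are my own and the sample values at the bottom are the script's.

```powershell
# Pre-flight check of the address plan (added example, not from the original script): pure PowerShell, no Azure calls.
function ConvertTo-IPv4Range {
    # Convert "a.b.c.d/len" into the numeric first and last address of the block.
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not an IPv4 CIDR: '$Cidr'" }
    $ip, $len = $Cidr.Split('/')
    $len = [int]$len; if ($len -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    $addr = [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
    $size = [long][math]::Pow(2, 32 - $len)
    $start = $addr - ($addr % $size)                            # network address of the block
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-Overlap($A, $B) { $A.Start -le $B.End -and $B.Start -le $A.End }

function Test-VNetAddressPlan {
    # Returns one line per problem found; no output means the plan is safe to deploy.
    param(
        [Parameter(Mandatory)][string]$VNetPrefix,
        [Parameter(Mandatory)][hashtable]$Subnets,      # subnet name -> prefix
        [string[]]$OnPremPrefixes = @()                 # ranges behind the Local Network Gateway
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $vnet = ConvertTo-IPv4Range $VNetPrefix
    $ranges = @{}
    foreach ($name in $Subnets.Keys) { $ranges[$name] = ConvertTo-IPv4Range $Subnets[$name] }
    # Azure only places a VPN gateway in a subnet literally named "GatewaySubnet".
    if (-not $Subnets.ContainsKey('GatewaySubnet')) { $problems.Add("No subnet named 'GatewaySubnet'") }
    foreach ($name in $ranges.Keys) {
        $r = $ranges[$name]
        if ($r.Start -lt $vnet.Start -or $r.End -gt $vnet.End) {
            $problems.Add("Subnet $name ($($r.Cidr)) lies outside the vNet $VNetPrefix")
        }
        foreach ($other in $ranges.Keys) {
            if ($name -lt $other -and (Test-Overlap $r $ranges[$other])) {
                $problems.Add("Subnets $name and $other overlap")
            }
        }
    }
    # On-premises ranges must not overlap the vNet, or that traffic never enters the tunnel.
    foreach ($p in $OnPremPrefixes) {
        if (Test-Overlap (ConvertTo-IPv4Range $p) $vnet) { $problems.Add("On-prem prefix $p overlaps the vNet") }
    }
    return $problems
}

# Sample run with the values from the script above; this plan produces no output.
$subnets = @{ DMZ = '10.123.250.0/24'; Internal = '10.123.10.0/24'; GatewaySubnet = '10.123.2.0/28' }
Test-VNetAddressPlan -VNetPrefix '10.123.0.0/16' -Subnets $subnets -OnPremPrefixes @('192.168.111.0/24')
```

Any line it returns is a reason to fix the variables before New-AzureRmVirtualNetworkGateway runs; the functions take the script's $vNetPrefix, subnet prefixes and $AddressPrefix directly.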

This is what it looks like in Azure:

[screenshot of the deployed resources in the Azure portal]

My other blog post explains how to setup the other end of the tunnel based on Windows Server 2012 R2 (Routing & Remote Access).