Connecting Azure Virtual Networks (Site-to-Site VPN)

Connecting Azure Virtual Networks (Site-to-Site VPN)

Connecting Azure Virtual Networks

Connecting Subnets in Azure is same as connecting Azure Subnets to on premise Networks using S2S VPN. There are plenty of benefits connecting Azure –

  1. Extend Virtual Networks between Azure regions or subscriptions to allow communication between Azure resources to create own replication or clustering infrastructure like SQL Always On, Exchange DAG, MySQL replication, DFS etc.
  2. Create cross organization network capabilities
  3. Create multi-tier application within same or remote region to create strong isolation and secure inter-tier communication

 

Virtual Networks – Points to remember

  1. Virtual Networks can be extended to same or different Azure region or subscriptions
  2. Virtual Networks within region or subscriptions don’t communicate with each other
  3. Cloud Services or load balancing endpoint cannot span across Virtual networks
  4. Connecting Virtual Networks is same as connecting Azure Network to On-premise network
  5. VNet-to-VNet VPN supports Dynamic routing and not Static routing
  6. Virtual Network Gateway supports up to 10 multi-VPN tunnels
  7. Virtual Networks can’t overlap IP ranges between them

Let us begin creating Virtual Networks and VPN between them

We need to first define the IP ranges, Local network ranges. Make a note of below as they will be used through out of this illustratio

Virtual Network Name Address Range Subnet Local Network IP Range Region
VNet-US 10.1.0.0/16 10.1.1.0/24 VNet-EU 10.2.2.0/24 US
VNet-EU 10.2.0.0/16 10.2.2.0/24 VNet-US 10.1.1.0/24 Europe

Login to Azure Portal, and create new VM Network (Create VNet-US network now, we will repeat the process to create VNet-EU) by selecting New -> Network Services -> Virtual Network -> Custom Create.

VNet-US – Configuration

VNet-1

Either leave the DNS Servers empty or provide any valid DNS servers IP address, this is needed to resolve any name that will be used by Virtual Machines or Cloud Services using this Virtual Network. Move on to next screen to complete the Virtual Network creation

VNet-2On this screen, enter the Address Space and Subnets as explained the table above.

VNet-3

Now, let us create VNet-EU similar to VNet-US, except for the Address Spaces as below –

VNet-EU – Configuration

VNet-5

 

Once the Virtual Networks are created, we need to now define Local Networks.

Local Network is the remote Network that Virtual network will connect to. So, in the Azure Subscription  –

– where VNet-US is used, create VNet-EU Local Network (region US)

– where VNet-EU is used, create VNet-US Local Network (region Europe)

VNet-EU Configuration

Login to Azure Subscription where VNet-EU is being used, and define VNet-US as Local Network.

Use any IP address in the VPN Device IP Address (Optional) section, I have used 1.1.1.1 as dummy IP for now, we need to come back to this and enter the real Gateway address once we create Gateway later in this article. Gateways will be used to connect Virtual Networks to each other. Click Next

If you don’t specify any IP Address in the VPN Gateway section, then you would not be able to select this Local Network in the Virtual Network Configuration

 

 

VNet-8

On the next screen, define the address space of VNet-US.

VNet-9

VNet-US Configuration

Now login to Azure Subscription where VNet-US, and add VNet-EU as local network

VNet-10VNet-11

 

We now need to connect Virtual Networks to the Local Network that was created and create Gateway

VNet-US Configuration

Login to VNet-US Azure Subscription, select the Virtual Network, click on CONFIGURE and in the Site-to-Site connectivity section, select Connect to local network and select the local network that was created for Europe.

In the same screen – click on add gateway subnet to create the gateway

VNet-12

VNet-EU Configuration

Login the VNet-EU Azure Subscription and repeat the steps of VNet-US including addition of gateway subnet

VNet-13

Gateway Creation

VNet-US Configuration

Next, we need to create Virtual Network Gateway. This process takes 15-20 minutes. Login to Azure Subscription, select your Virtual Network and in the bottom select Create Gateway and then Dynamic Routing

VNet-14

 

Once selected, the Virtual Network configuration updates its diagram from Red to Yellow

VNet-15

VNet-EU Configuration

Repeat the process for VNet-EU as well. You need to create the Gateway on VNet-EU side as well so that it can be used as VPN Gateway in the Local Network configuration. You need not wait for one gateway creation to finish before creating one on the remote site.

On successful creation on Virtual Network Gateways, you would see the Gateway IP address generated by Azure, as shown below –

VNet-US

VNet-16

 

VNet-EU

VNet-17

Edit the Local Network

Note down the Gateway IP addresses, and update the Local Network  configuration. Replace 1.1.1.1 with new IP addresses with new Gateway IP addresses shown above.

Region – US; Virtual Network – VNet-US; Local Network – VNet-EU; VPN Device IP – 40.76.216.131

Region – EU; Virtual Network – VNet-EU; Local Network – VNet-US; VPN Device IP – 40.127.135.132

VNet-18

 

Connect the Gateways by entering Pre-shared Key

Once the above configurations are complete on both sides, we need to provide IPSec/IKE pre-shared keys to the gateways for their handshake and connect to each other. This can be done using Azure PowerShell.

VNet-US Configuration

Set-AzureVNetGatewayKey -VNetName VNet-US -LocalNetworkSiteName VNet-EU -SharedKey abcd1234

VNet-EU Configuration

Set-AzureVNetGatewayKey -VNetName VNet-EU -LocalNetworkSiteName VNet-US -SharedKey abcd1234

On receiving success messages for the above commands. Go back to Azure Portal and connect the Virtual Networks to the gateways. Select Virtual Network, go to Dashboard  page and in the bottom  select Connect. Repeat the process on other side Virtual Network as well. Wait for a minute or two, and you will see Virtual Networks connect to each other.

VNet-19

 

VNet-20

 

This completes the Azure Virtual Networks connection and now any Virtual Machines or Cloud Services that are connected to these Virtual Networks will be able to communicate with each other.

About The Author

Related posts

Leave a Reply

Your email address will not be published. Required fields are marked *