Connecting Azure Virtual Networks
Connecting Subnets (Virtual Networks) in Azure is the same as connecting Azure Subnets to on-premises networks using a Site-to-Site (S2S) VPN. There are plenty of benefits to connecting Azure Virtual Networks –
- Extend Virtual Networks between Azure regions or subscriptions to allow communication between Azure resources, so you can build your own replication or clustering infrastructure such as SQL Always On, Exchange DAG, MySQL replication, DFS etc.
- Create cross-organization network capabilities
- Create multi-tier applications within the same or a remote region, giving strong isolation and secure inter-tier communication
Virtual Networks – Points to remember
- Virtual Networks can be extended to the same or a different Azure region or subscription
- Virtual Networks within the same region or subscription don’t communicate with each other unless they are connected
- Cloud Services or load-balancing endpoints cannot span across Virtual Networks
- Connecting Virtual Networks is the same as connecting an Azure Virtual Network to an on-premises network
- VNet-to-VNet VPN supports Dynamic Routing only, not Static Routing
- A Virtual Network Gateway supports up to 10 VPN tunnels (multi-site)
- Virtual Networks must not have overlapping IP ranges between them
Let us begin creating the Virtual Networks and the VPN between them.
We first need to define the IP ranges and Local Network ranges. Make a note of the values below, as they will be used throughout this illustration.
| Virtual Network Name | Address Range | Subnet | Local Network | IP Range | Region |
|---|---|---|---|---|---|
Login to the Azure Portal and create a new Virtual Network (create the VNet-US network now; we will repeat the process to create VNet-EU) by selecting New -> Network Services -> Virtual Network -> Custom Create.
VNet-US – Configuration
Either leave the DNS Servers empty or provide the IP address of any valid DNS server; this is needed to resolve any name used by Virtual Machines or Cloud Services on this Virtual Network. Move on to the next screen to complete the Virtual Network creation.
Now, let us create VNet-EU in the same way as VNet-US, except for the Address Spaces, as below –
VNet-EU – Configuration
Once the Virtual Networks are created, we now need to define the Local Networks.
A Local Network is the remote network that a Virtual Network will connect to. So, in the Azure Subscription –
– where VNet-US is used, create a VNet-EU Local Network (region US)
– where VNet-EU is used, create a VNet-US Local Network (region Europe)
Login to the Azure Subscription where VNet-EU is being used, and define VNet-US as a Local Network.
Use any IP address in the VPN Device IP Address (Optional) section. I have used 188.8.131.52 as a dummy IP for now; we need to come back to this and enter the real Gateway address once we create the Gateway later in this article. Gateways will be used to connect the Virtual Networks to each other. Click Next.
If you don’t specify any IP address in the VPN Gateway section, you will not be able to select this Local Network in the Virtual Network configuration.
On the next screen, define the address space of VNet-US.
Now login to the Azure Subscription where VNet-US is used, and add VNet-EU as a Local Network.
We now need to connect each Virtual Network to the Local Network that was created, and create the Gateway.
Login to the VNet-US Azure Subscription, select the Virtual Network, click on CONFIGURE and, in the Site-to-Site connectivity section, select Connect to local network and choose the Local Network that was created for Europe.
On the same screen, click on add gateway subnet to create the gateway subnet.
Login to the VNet-EU Azure Subscription and repeat the VNet-US steps, including the addition of the gateway subnet.
Next, we need to create the Virtual Network Gateway. This process takes 15-20 minutes. Login to the Azure Subscription, select your Virtual Network and, at the bottom, select Create Gateway and then Dynamic Routing.
Once selected, the Virtual Network configuration updates its diagram from Red to Yellow
Repeat the process for VNet-EU as well. You need to create the Gateway on the VNet-EU side too, so that its address can be used as the VPN Gateway in the Local Network configuration. You need not wait for one gateway creation to finish before creating the one on the remote side.
On successful creation of the Virtual Network Gateways, you will see the Gateway IP address generated by Azure, as shown below –
Edit the Local Network
Note down the Gateway IP addresses and update the Local Network configuration. Replace the dummy address 184.108.40.206 with the new Gateway IP addresses shown above.
Region – US; Virtual Network – VNet-US; Local Network – VNet-EU; VPN Device IP – 220.127.116.11
Region – EU; Virtual Network – VNet-EU; Local Network – VNet-US; VPN Device IP – 18.104.22.168
Connect the Gateways by entering Pre-shared Key
Once the above configurations are complete on both sides, we need to give the gateways the IPsec/IKE pre-shared key they use to authenticate their handshake and connect to each other. The same key must be set on both sides. This can be done using Azure PowerShell.
Set-AzureVNetGatewayKey -VNetName VNet-US -LocalNetworkSiteName VNet-EU -SharedKey abcd1234
Set-AzureVNetGatewayKey -VNetName VNet-EU -LocalNetworkSiteName VNet-US -SharedKey abcd1234
On receiving success messages for the above commands, go back to the Azure Portal and connect the Virtual Networks to the gateways. Select the Virtual Network, go to the Dashboard page and, at the bottom, select Connect. Repeat the process on the other Virtual Network as well. Wait for a minute or two, and you will see the Virtual Networks connect to each other.
This completes the Azure Virtual Networks connection, and now any Virtual Machines or Cloud Services connected to these Virtual Networks will be able to communicate with each other.
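The gateway and pre-shared key steps above, driven from the classic Azure (Service Management) PowerShell module as an added example that is not part of the original article. It assumes `Add-AzureAccount` has already been run, that the subscription names `US-Subscription` and `EU-Subscription` are placeholders for your own, and that the Virtual Networks and Local Networks already exist as described; it generates one random 64-character key in place of `abcd1234`, and the portal-only steps (entering the VIPs as VPN Device IPs, clicking Connect) stay manual.

```powershell
# Added example (not from the original article). Requires the classic Azure module
# and a prior Add-AzureAccount. Subscription names below are placeholders.
$sides = @(
    @{ Subscription = 'US-Subscription'; VNet = 'VNet-US'; LocalNet = 'VNet-EU' },
    @{ Subscription = 'EU-Subscription'; VNet = 'VNet-EU'; LocalNet = 'VNet-US' }
)

# One strong random pre-shared key, used on both sides instead of 'abcd1234'.
# 32 random bytes rendered as 64 hex characters keeps the key alphanumeric.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$psk   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Create a Dynamic Routing gateway on each side (required for VNet-to-VNet).
foreach ($s in $sides) {
    Select-AzureSubscription -SubscriptionName $s.Subscription
    if ((Get-AzureVNetGateway -VNetName $s.VNet).State -ne 'Provisioned') {
        New-AzureVNetGateway -VNetName $s.VNet -GatewayType DynamicRouting
    }
}

# Wait for both gateways and report the public IP (VIP) that must be entered as
# the VPN Device IP of the matching Local Network on the other side.
foreach ($s in $sides) {
    Select-AzureSubscription -SubscriptionName $s.Subscription
    do {
        $gw = Get-AzureVNetGateway -VNetName $s.VNet
        if ($gw.State -ne 'Provisioned') { Start-Sleep -Seconds 30 }
    } while ($gw.State -ne 'Provisioned')
    Write-Host "$($s.VNet) gateway VIP $($gw.VIPAddress): enter it as the VPN Device IP of Local Network $($s.VNet) on the other subscription"
}

Read-Host 'Update both Local Networks with the VIPs above in the portal, then press Enter'

# Apply the same key on both sides; the IKE handshake fails on a mismatch.
foreach ($s in $sides) {
    Select-AzureSubscription -SubscriptionName $s.Subscription
    Set-AzureVNetGatewayKey -VNetName $s.VNet -LocalNetworkSiteName $s.LocalNet -SharedKey $psk
}

# After clicking Connect in the portal, verify the tunnel state from each side.
foreach ($s in $sides) {
    Select-AzureSubscription -SubscriptionName $s.Subscription
    Get-AzureVNetConnection -VNetName $s.VNet |
        Select-Object LocalNetworkSiteName, ConnectivityState, LastEventMessage
}
```

ConnectivityState should read Connected on both sides; if one side stays NotConnected, LastEventMessage usually names the cause (a mismatched key or a stale VPN Device IP in the Local Network).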