September 27, 2020

Azure s2s VPN configuration.

Create the resource group. Keep the group name in a plain string: the cmdlets further down take -ResourceGroupName as a string, not the object that New-AzResourceGroup returns.

$Location = "CanadaCentral"
$RG = "resource-group-name"
New-AzResourceGroup -Name $RG -Location $Location

Create the subnets and virtual network. For a VPN gateway, the virtual network must contain a subnet named exactly GatewaySubnet. Azure deploys the gateway instances into it (VMs that hold the routing tables for the connected networks and run the gateway services). Use a /27 or larger, and do not put your own VMs or a network security group on this subnet.

$subnet1 = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27

$subnet2 = New-AzVirtualNetworkSubnetConfig -Name 'Frontend' -AddressPrefix 10.1.0.0/24

New-AzVirtualNetwork -Name "<vNet-name>" -ResourceGroupName $RG -Location $Location -AddressPrefix 10.1.0.0/16 -Subnet $subnet1, $subnet2

Set the static values required. The second CIDR is only needed for the multi-prefix variant below:

$RiP = '<remote-public-IP>'
$rCIDR1 = '<remote/peer subnet CIDR>'
$rCIDR2 = '<second remote/peer subnet CIDR>'

Create the local network gateway. This represents your on-premises (or other remote) network: the peer device's public IP and the address prefixes reachable behind it.

To add a local network gateway with a single address prefix:

$local = New-AzLocalNetworkGateway -Name "<local-network-gateway-name>" -ResourceGroupName $RG -Location $Location -GatewayIpAddress $RiP -AddressPrefix $rCIDR1

To add a local network gateway with multiple address prefixes:

$local = New-AzLocalNetworkGateway -Name "<local-network-gateway-name>" -ResourceGroupName $RG -Location $Location -GatewayIpAddress $RiP -AddressPrefix @($rCIDR1,$rCIDR2)

Request a public IP address. With dynamic allocation the address is only assigned once the gateway has been created, so it is read back after that step:

$gwpip = New-AzPublicIpAddress -Name "<public-IP-name>" -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic

Create the gateway IP addressing configuration:

$vnet = Get-AzVirtualNetwork -Name "<vNet-name>" -ResourceGroupName $RG

$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name "<gateway-IP-name>" -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Create the VPN gateway. This can take up to 45 minutes. Choose the gateway SKU that matches the throughput and number of tunnels you need (VpnGw1 here):

$gateway1 = New-AzVirtualNetworkGateway -Name "<VPN-GW-name>" -ResourceGroupName $RG -Location $Location -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

Once the gateway exists, retrieve the public IP that was assigned to it; the remote device is configured with this address as its IKE peer:

Get-AzPublicIpAddress -Name "<public-IP-name>" -ResourceGroupName $RG
The following creates a custom IPsec/IKE policy with these algorithms and parameters:
    • IKEv2: AES256, SHA256, DHGroup14
    • IPsec: AES256, SHA256, PFS None, SA lifetime 28800 seconds and 102400000 KB

$ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000

Two caveats. The remote device must be configured with exactly the same proposal, or IKE negotiation fails and the connection never leaves NotConnected. And -PfsGroup None disables perfect forward secrecy for the IPsec SAs, so a compromise of the IKE keys exposes every child SA; if the peer supports it, set -PfsGroup to PFS2048 (DH group 14) or ECP256 instead.

Create the VPN connection. The shared key must match the one configured on the remote device. Use a long, randomly generated value rather than a short memorable one, keep it out of scripts and source control (pass it in from a Key Vault secret or prompt for it), and rotate it later with Set-AzVirtualNetworkGatewayConnectionSharedKey:

New-AzVirtualNetworkGatewayConnection -Name "<VPN-Connection-name>" -ResourceGroupName $RG -Location $Location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -IpsecPolicies $ipsecpolicy6 -SharedKey '<pre-shared-key>'

Verify the VPN connection. The returned object carries a ConnectionStatus property (Connected, Connecting, NotConnected or Unknown) and IngressBytesTransferred/EgressBytesTransferred counters; it will not show Connected until the on-premises device has been configured with the Azure gateway's public IP, the same shared key and a matching IPsec/IKE policy:

Get-AzVirtualNetworkGatewayConnection -Name "<VPN-Connection-name>" -ResourceGroupName $RG
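As an added end-to-end example (not code from the original post), here is the whole procedure above as one script, with the pieces the individual steps do not show: a randomly generated shared key instead of a hard-coded one, PFS enabled in the IPsec policy, the gateway's public IP read back for the peer's administrator, and a poll on ConnectionStatus after the connection is created. Resource names, CIDRs, the Key Vault secret name and the remote IP (203.0.113.10, from the documentation address range) are assumed values; the script needs the Az module and an authenticated session, and, like the original, spends up to 45 minutes at the gateway creation step.

```powershell
# Added example; all names, prefixes and the remote address below are assumed values.
# Requires: Az.Resources, Az.Network, Az.KeyVault (optional) and a prior Connect-AzAccount.
param(
    [string]   $Location     = 'CanadaCentral',
    [string]   $RG           = 'rg-s2s-example',            # assumed
    [string]   $VnetName     = 'vnet-s2s-example',          # assumed
    [string]   $RemoteIp     = '203.0.113.10',              # assumed; documentation range, not a real peer
    [string[]] $RemoteCidrs  = @('192.168.10.0/24', '192.168.20.0/24'),  # assumed
    [string]   $KeyVaultName = ''                           # optional: store the PSK here if set
)

function New-SharedKey {
    # 32 bytes from the platform CSPRNG, Base64-encoded so the result is printable ASCII,
    # which is what the Azure shared key must be; 44 characters is well under the 128 limit.
    param([int] $Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

function Wait-VpnConnection {
    # Poll ConnectionStatus. It only reaches Connected once the on-premises device is
    # configured with the gateway's public IP, the same PSK and a matching IKE/IPsec policy.
    param([string] $Name, [string] $ResourceGroupName, [int] $TimeoutMinutes = 20)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $c = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        if ($c.ConnectionStatus -eq 'Connected') { return $c }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Connection '$Name' is still $($c.ConnectionStatus) after $TimeoutMinutes minutes; check the PSK and IKE/IPsec parameters on the peer."
}

# 1. Resource group and virtual network with the mandatory GatewaySubnet (/27).
New-AzResourceGroup -Name $RG -Location $Location -Force | Out-Null
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$feSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Frontend'      -AddressPrefix '10.1.0.0/24'
$vnet = New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $RG -Location $Location `
    -AddressPrefix '10.1.0.0/16' -Subnet $gwSubnet, $feSubnet

# 2. Local network gateway: the peer's public IP and the prefixes reachable behind it.
$local = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $RG -Location $Location `
    -GatewayIpAddress $RemoteIp -AddressPrefix $RemoteCidrs

# 3. Public IP and gateway. The Dynamic address is only assigned once the gateway exists.
$gwpip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnetId -PublicIpAddressId $gwpip.Id
$gateway = New-AzVirtualNetworkGateway -Name 'vpngw-example' -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 4. IPsec/IKE policy: the post's suite, but with PFS so each IPsec SA rekey does its own DH exchange.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000

# 5. Shared key: generated at run time, never typed into the script; optionally kept in Key Vault.
$psk = New-SharedKey
if ($KeyVaultName) {
    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name 's2s-onprem-psk' `
        -SecretValue (ConvertTo-SecureString $psk -AsPlainText -Force) | Out-Null
}

# 6. Connection, then hand the peer's administrator what they need and wait for IKE to come up.
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $RG -Location $Location `
    -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $local -ConnectionType IPsec `
    -RoutingWeight 10 -IpsecPolicies $policy -SharedKey $psk | Out-Null

$azureGwIp = (Get-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $RG).IpAddress
Write-Host "Configure the on-premises device: peer $azureGwIp, IKEv2 AES256/SHA256/DH group 14, ESP AES256/SHA256, PFS group 14."
Write-Host "Shared key (shown once; only persisted if -KeyVaultName was given): $psk"

$conn = Wait-VpnConnection -Name 'cn-onprem' -ResourceGroupName $RG
$conn | Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

Run it as `.\New-S2sVpn.ps1 -KeyVaultName <vault>` (an assumed file name) to have the key land in Key Vault rather than only on the console. Base64 output can contain `+`, `/` and `=`; if the on-premises device rejects those characters, change New-SharedKey to emit hex (`-join ($buf | ForEach-Object { $_.ToString('x2') })`) before creating the connection, since the key has to be identical on both ends.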