Setting up VPN connections is a common practice to provide secure/private connectivity between your on-premises network and your Azure VNETs, or even between Azure VNETs. I've had various questions regarding the usage of keys: "Do I have one key for the entire environment, or can I use different ones?"
The most basic thing to remember is that Azure configures the key on the gateway by setting up a connection. In PowerShell this looks something like…
New-AzureRmVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $resourceGroupName -Location $locationName -VirtualNetworkGateway1 $MyAzureVpnGateway -LocalNetworkGateway2 $MyLocalGateway -ConnectionType IPsec -RoutingWeight 10 -SharedKey $mySharedKey
When executing this command, the Virtual Network Gateway is configured to use the given shared key for the connection to that specific Local Network Gateway.
The complexity starts when you want to connect two virtual networks in Azure to each other. In that case you need to configure TWO connections: one from gateway "A" to "B" and one from gateway "B" to "A".
# Connection A -> B (each connection needs its own name within the resource group)
New-AzureRmVirtualNetworkGatewayConnection -Name $connectionNameAtoB -ResourceGroupName $resourceGroupName -Location $locationName -VirtualNetworkGateway1 $MyAzureVpnGatewayA -LocalNetworkGateway2 $MyLocalGatewayB -ConnectionType IPsec -RoutingWeight 10 -SharedKey $mySharedKey
# Connection B -> A, using the same shared key so both ends of the link agree
New-AzureRmVirtualNetworkGatewayConnection -Name $connectionNameBtoA -ResourceGroupName $resourceGroupName -Location $locationName -VirtualNetworkGateway1 $MyAzureVpnGatewayB -LocalNetworkGateway2 $MyLocalGatewayA -ConnectionType IPsec -RoutingWeight 10 -SharedKey $mySharedKey
The above shows how it looks under the hood… Though you can also use the concept of a "Connection"…
Here you let Azure do the dirty work for you and set up the bidirectional configuration.
Be aware that this is only relevant for VNET-2-VNET connections, where the source AND target are both located in Azure!
Now let's head back to one of the first questions… Can I use different keys per "link"? Yes, you can! Let's go back to the drawing we kicked off this post with…
You can set up the following topology, where each "link" (two gateway connections) uses its own key. This ensures that you do not need one "master key".
You do not believe me? No problem, use the following script as a Proof-of-Concept in your own environment. It will set up the above topology. Be aware that the creation of a VPN Gateway takes about 45 minutes, so this script will run for a while… 😉 Have fun testing!
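As an added example (not the script from the original post), the following PowerShell creates one distinct shared key per link and both directions of each link with that key, then verifies that the two connections of a link agree while links differ. It assumes three existing VPN gateways in a ring (A-B, B-C, C-A); the gateway and resource group names are placeholders.

```powershell
# Added example: one pre-shared key per VNET-2-VNET link, both directions per link.
# Assumes the three gateways already exist; names below are placeholders.
$resourceGroupName = 'rg-vpn-poc'
$locationName      = 'westeurope'
$gatewayNames      = @{ A = 'vnetgw-a'; B = 'vnetgw-b'; C = 'vnetgw-c' }

function New-RandomSharedKey {
    param([int]$Length = 32)
    # Alphanumeric only: Azure PSKs reject space, '-' and '~'. Uses the OS CSPRNG.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$gateways = @{}
foreach ($side in $gatewayNames.Keys) {
    $gateways[$side] = Get-AzureRmVirtualNetworkGateway -Name $gatewayNames[$side] `
        -ResourceGroupName $resourceGroupName
}

# Ring topology (assumed): each entry is one link, i.e. two gateway connections.
$links = ('A','B'), ('B','C'), ('C','A')
$linkKeys = @{}

foreach ($link in $links) {
    $from, $to = $link
    $key = New-RandomSharedKey          # no single "master key" across links
    $linkKeys["$from-$to"] = $key
    # Both directions of this link must carry the same key.
    foreach ($pair in (($from,$to), ($to,$from))) {
        $src, $dst = $pair
        New-AzureRmVirtualNetworkGatewayConnection -Name "conn-$src-to-$dst" `
            -ResourceGroupName $resourceGroupName -Location $locationName `
            -VirtualNetworkGateway1 $gateways[$src] -VirtualNetworkGateway2 $gateways[$dst] `
            -ConnectionType Vnet2Vnet -RoutingWeight 10 -SharedKey $key | Out-Null
    }
}

# Verification: read the keys back from Azure and check per-link agreement.
foreach ($link in $links) {
    $from, $to = $link
    $k1 = Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name "conn-$from-to-$to" -ResourceGroupName $resourceGroupName
    $k2 = Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name "conn-$to-to-$from" -ResourceGroupName $resourceGroupName
    if ($k1 -ne $k2) { throw "Key mismatch on link $from-$to" }
    $reuse = ($linkKeys.Values | Where-Object { $_ -eq $k1 }).Count
    if ($reuse -ne 1) { throw "Key of link $from-$to is reused on another link" }
    Write-Host "Link $from-$to OK: both connections agree, key unique to this link"
}
```

Get-AzureRmVirtualNetworkGatewayConnectionSharedKey returns the key as a plain string, so keep the session output out of shared logs.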
- You can use different shared keys per connection.
- VNET-2-VNET connections can be done more easily via a "connection".
- The creation of a VPN gateway takes about 45 minutes.
- A VNET-2-VNET deployment expects two gateway connections (under the hood) to ensure that both keys are set up correctly on the gateways.