Azure : Understanding VPN Connections in ARM

Introduction

Setting up VPN connections is a common practice to provide secure, private connectivity between your on-premises network and your Azure VNETs, or even between Azure VNETs. I have had various questions about the usage of keys, such as: “Do I have one key for the entire environment, or can I use different ones?”

[Figure: Azure VPN ARM connections and local gateway keys]

Basics

The most basic thing to remember is that Azure configures the key on the gateway by setting up a connection. In PowerShell this looks something like…

New-AzureRmVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $resourceGroupName -Location $locationName -VirtualNetworkGateway1 $MyAzureVpnGateway -LocalNetworkGateway2 $MyLocalGateway -ConnectionType IPsec -RoutingWeight 10 -SharedKey $mySharedKey

When executing this command, the Virtual Network Gateway is configured to use the given shared key for the connection to that specific Local Network Gateway.


VNET-2-VNET

The complexity starts when you want to connect two virtual networks in Azure to each other. In that case you need to configure TWO connections: one from gateway “A” to “B” and one from gateway “B” to “A”. Both halves of the link use the same shared key, and each connection needs its own name:

New-AzureRmVirtualNetworkGatewayConnection -Name $connectionNameAtoB -ResourceGroupName $resourceGroupName -Location $locationName -VirtualNetworkGateway1 $MyAzureVpnGatewayA -LocalNetworkGateway2 $MyLocalGatewayB -ConnectionType IPsec -RoutingWeight 10 -SharedKey $mySharedKey
New-AzureRmVirtualNetworkGatewayConnection -Name $connectionNameBtoA -ResourceGroupName $resourceGroupName -Location $locationName -VirtualNetworkGateway1 $MyAzureVpnGatewayB -LocalNetworkGateway2 $MyLocalGatewayA -ConnectionType IPsec -RoutingWeight 10 -SharedKey $mySharedKey


Easy Peazy…

The above shows how it looks under the hood. You can also use the concept of a “Connection” in the portal…

[Screenshot: “Connection” blade in the Microsoft Azure portal]

Here you can let Azure do the dirty work for you and set up the bidirectional configuration.

[Screenshot: “Settings” blade in the Microsoft Azure portal]

Be aware that this is only relevant for VNET-2-VNET connections, that is, when the source AND the target are both located in Azure.


Proof-of-Concept

Now let’s head back to one of the first questions: can I use different keys per “link”? Yes, you can! Let’s go back to the drawing we kicked off this post with…

[Figure: Azure VPN ARM connections and local gateway keys]

You can set up the following topology, where each “link” (two gateway connections) uses its own key. This ensures that you do not need one “master key”.

You do not believe me? No problem, use the following script as a proof-of-concept in your own environment. It will set up the above topology. Be aware that the creation of a VPN gateway takes about 45 minutes, so this script will run for a while… 😉 Have fun testing!
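As an added illustration of the per-link keying described above (this is not the author’s proof-of-concept script), the following AzureRM PowerShell snippet creates the two connections for each link of a three-VNET triangle A, B, C, generating a separate random shared key per link and then reading the keys back to confirm that the two halves of a link match while no two links share one. The resource group, region and gateway names (VpnGw<X>, LocalGw<X>) are assumptions, and the virtual network gateways and local network gateways are assumed to exist already.

```powershell
# Added example, not the original post's script. Assumed names throughout.
$resourceGroupName = 'rg-vpn-poc'     # assumed resource group holding all gateways
$locationName      = 'westeurope'     # assumed region

function New-IpsecSharedKey {
    # 32 random bytes rendered as 64 hex characters: printable ASCII, one key per link
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# One entry per link. Each link gets its own key; the key is shared only by the two
# directions of that link, never across links (no "master key").
$links = @(
    @{ Src = 'A'; Dst = 'B' },
    @{ Src = 'B'; Dst = 'C' },
    @{ Src = 'C'; Dst = 'A' }
)

foreach ($link in $links) {
    $key = New-IpsecSharedKey
    foreach ($pair in @(@($link.Src, $link.Dst), @($link.Dst, $link.Src))) {
        $from = $pair[0]; $to = $pair[1]
        # VpnGw<X>: the virtual network gateway of VNET X.
        # LocalGw<X>: the local network gateway object that represents VNET X to its peers.
        $vpnGw   = Get-AzureRmVirtualNetworkGateway -Name "VpnGw$from" -ResourceGroupName $resourceGroupName
        $localGw = Get-AzureRmLocalNetworkGateway   -Name "LocalGw$to" -ResourceGroupName $resourceGroupName
        # Connection names must be unique per resource group, hence one name per direction.
        New-AzureRmVirtualNetworkGatewayConnection -Name "conn-$from-to-$to" `
            -ResourceGroupName $resourceGroupName -Location $locationName `
            -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw `
            -ConnectionType IPsec -RoutingWeight 10 -SharedKey $key | Out-Null
    }
}

# Verification: read the keys back from Azure and check the per-link property.
$seen = @{}
foreach ($link in $links) {
    $fwd = Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name "conn-$($link.Src)-to-$($link.Dst)" -ResourceGroupName $resourceGroupName
    $rev = Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name "conn-$($link.Dst)-to-$($link.Src)" -ResourceGroupName $resourceGroupName
    if ("$fwd" -ne "$rev")     { throw "Link $($link.Src)-$($link.Dst): the two directions use different keys" }
    if ($seen.ContainsKey("$fwd")) { throw "Link $($link.Src)-$($link.Dst) reuses the key of link $($seen["$fwd"])" }
    $seen["$fwd"] = "$($link.Src)-$($link.Dst)"
    Write-Output "Link $($link.Src)-$($link.Dst): both directions configured with their own key"
}
```

The gateways themselves are not created here; as the post notes, that step alone takes about 45 minutes per gateway, so run it beforehand.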


TL;DR

  • You can use different shared keys per connection.
  • VNET-2-VNET connections can be done more easily via a “Connection”.
  • The creation of a VPN gateway takes about 45 minutes.
  • A VNET-2-VNET deployment expects two gateway connections (under the hood) to ensure that the key is set up correctly on both gateways.
