Multi-site VNet-to-VNet VPN

29 Dec

We will create 3 Virtual Networks and their corresponding Local Networks in Azure, and then connect one Virtual Network with multiple other Virtual Networks.

Scenario

We will create 3 virtual networks, VNet-1, VNet-2 and VNet-3, and then connect VNet-1 with both VNet-2 and VNet-3 as shown in the diagram below:

[Diagram: VNet-1 connected to both VNet-2 and VNet-3]

Create Local Networks

When you create a VNet-to-VNet VPN tunnel, you need to configure each VNet so that it can be identified as a local network site by the other VNets. We will create the following local networks, one for each VNet:

Local Network    Address Prefix
L-VNet-1         10.10.1.0/24
L-VNet-2         20.20.1.0/24
L-VNet-3         30.30.1.0/24


1. Log in to your Azure subscription.

2. Click New. In the navigation pane, click Network Services, and then click Add Local Network to begin the configuration wizard.


3. Provide a name to the Local Network.

4. For the VPN device IP address, you would normally use the actual external IP address of a VPN device, but for a VNet-to-VNet configuration you use the IP address of the VNet gateway, which we will create later.

5. For now, provide any IP address as a placeholder; we will change it later, once the VNets and gateways have been created.


6. On the Specify the address space page, enter the actual IP address range of the VNet-1 virtual network and then complete the wizard.


Perform the same steps to create two other Local networks.


Create Virtual Networks

In this section, we will create 3 Virtual Networks (VNet) as follows:

Virtual Network    Address Prefix    Location     Connected Local Site
VNet-1             10.10.1.0/24      East US      L-VNet-2 and L-VNet-3
VNet-2             20.20.1.0/24      East US      L-VNet-1
VNet-3             30.30.1.0/24      East Asia    L-VNet-1


1. Log in to your Azure subscription.

2. Click New. In the navigation pane, click Network Services, and then click Custom Create to begin the configuration wizard.

3. On the Virtual Network Details page, provide Virtual Network Name and Location.


4. On the DNS Server and VPN Connectivity page, select the Configure a site-to-site VPN checkbox and then select the local network you want to connect to (refer to the table above).


5. On the Virtual Address Spaces page, enter the address space details. Create a subnet and then click add gateway subnet to add the gateway subnet.


6. Perform the same steps to create two other Virtual Networks.


Create Dynamic Gateways

1. After creating all 3 VNets, we will configure a VNet gateway for each VNet.

2. Select a VNet on the Networks page and open its Dashboard page. At the bottom of the page, click Create Gateway and select Dynamic Routing.


Note: VNet-to-VNet VPN connections and multi-site VPN are possible only with a Dynamic Routing gateway.

3. Repeat the same steps to create Dynamic Gateway for other two VNets.

4. Once a gateway is created, its IP address is shown on the VNet's dashboard. Write down the IP address that corresponds to each VNet. These are the IP addresses you will use to replace the placeholder VPN device IP address in each Local Network.

5. Also click the Manage Key button and note down the shared key. This key will be used in the PowerShell commands that connect the VPN gateways.


Edit the Local Network

1. On the Local Networks page, select the Local Network you want to edit and then click the Edit button at the bottom. For the VPN Device IP address, enter the IP address of the gateway that corresponds to the matching VNet. For example, for L-VNet-1, enter the gateway IP address of VNet-1.


Edit Network Configuration

When all the previous steps have been completed, we can connect any two VNets with each other by setting the IPsec/IKE pre-shared key to the same value on both sides, using the PowerShell commands below.

Command for VNet-1

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-1 -LocalNetworkSiteName L-VNet-2 -SharedKey S98naUvuXP35xYCBmtz34dCBN8ETgmfV

Command for VNet-2

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-2 -LocalNetworkSiteName L-VNet-1 -SharedKey S98naUvuXP35xYCBmtz34dCBN8ETgmfV

But in this scenario we are connecting VNet-1 with both VNet-2 and VNet-3, so we have to add two Local Networks (L-VNet-2 and L-VNet-3) to VNet-1, which cannot be done from the Azure portal.

To achieve this we have to export the network configuration, manually add the second Local Network reference for VNet-1, and then import the network file to apply the change.

1. Export the network configuration file using the PowerShell command below.

PS C:\Users\admin> Get-AzureVNetConfig -ExportToFile d:\mynet.netcfg

2. Open the network file in Notepad and manually add the L-VNet-3 local network site reference for VNet-1 (the second LocalNetworkSiteRef under VNET-1 in the file below).

----------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="L-VNET-1">
        <AddressSpace>
          <AddressPrefix>10.10.1.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>40.117.96.43</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="L-VNET-2">
        <AddressSpace>
          <AddressPrefix>20.20.1.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>40.117.101.239</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="L-VNET-3">
        <AddressSpace>
          <AddressPrefix>30.30.1.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>23.97.75.57</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="VNET-1" Location="East US">
        <AddressSpace>
          <AddressPrefix>10.10.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.10.1.0/25</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.10.1.128/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="L-VNET-2">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <!-- Added by hand: second site reference so that VNET-1 also connects to L-VNET-3 -->
            <LocalNetworkSiteRef name="L-VNET-3">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="VNET-2" Location="East US">
        <AddressSpace>
          <AddressPrefix>20.20.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>20.20.1.0/25</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>20.20.1.128/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="L-VNET-1">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="VNET-3" Location="East Asia">
        <AddressSpace>
          <AddressPrefix>30.30.1.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>30.30.1.0/25</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>30.30.1.128/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="L-VNET-1">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
----------------------------------------------------------

3. Import the network configuration file using the PowerShell command below.

PS C:\Users\admin> Set-AzureVNetConfig -ConfigurationPath D:\mynet.netcfg
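Editing the exported .netcfg by hand is error-prone: a LocalNetworkSiteRef that names a site not defined under LocalNetworkSites, a duplicated ref, or two connected VNets with overlapping address spaces will all fail at import or leave a tunnel that never comes up. The script below is an added example (not from this post) that performs the step-2 edit programmatically and checks the result; the sample netcfg it works on is a constructed, trimmed copy of the page's file, and the helper names are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET
from itertools import combinations

NS = "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"
NSMAP = {"n": NS}                # prefix used for ElementTree XPath lookups
ET.register_namespace("", NS)    # re-serialise with the default namespace, not an ns0: prefix

def site_xml(name, prefix):      # constructed LocalNetworkSite fragment (gateway address omitted)
    return f'<LocalNetworkSite name="{name}"><AddressSpace><AddressPrefix>{prefix}</AddressPrefix></AddressSpace></LocalNetworkSite>'

def vnet_xml(name, prefix, *refs):  # constructed VirtualNetworkSite fragment with its IPsec site refs
    conns = "".join(f'<LocalNetworkSiteRef name="{r}"><Connection type="IPsec"/></LocalNetworkSiteRef>' for r in refs)
    return (f'<VirtualNetworkSite name="{name}"><AddressSpace><AddressPrefix>{prefix}</AddressPrefix></AddressSpace>'
            f'<Gateway><ConnectionsToLocalNetwork>{conns}</ConnectionsToLocalNetwork></Gateway></VirtualNetworkSite>')

# Constructed sample: the page's three-VNet topology before L-VNET-3 was added under VNET-1.
SAMPLE = (f'<NetworkConfiguration xmlns="{NS}"><VirtualNetworkConfiguration><LocalNetworkSites>'
          + site_xml("L-VNET-1", "10.10.1.0/24") + site_xml("L-VNET-2", "20.20.1.0/24") + site_xml("L-VNET-3", "30.30.1.0/24")
          + "</LocalNetworkSites><VirtualNetworkSites>"
          + vnet_xml("VNET-1", "10.10.1.0/24", "L-VNET-2") + vnet_xml("VNET-2", "20.20.1.0/24", "L-VNET-1")
          + vnet_xml("VNET-3", "30.30.1.0/24", "L-VNET-1")
          + "</VirtualNetworkSites></VirtualNetworkConfiguration></NetworkConfiguration>")

def add_connection(netcfg_xml, vnet_name, site_name):  # the manual step 2, done safely
    root = ET.fromstring(netcfg_xml)
    if root.find(f'.//n:LocalNetworkSite[@name="{site_name}"]', NSMAP) is None:
        raise ValueError(f"local network site {site_name} is not defined")
    conns = root.find(f'.//n:VirtualNetworkSite[@name="{vnet_name}"]/n:Gateway/n:ConnectionsToLocalNetwork', NSMAP)
    if conns is None:
        raise ValueError(f"{vnet_name} has no gateway section; enable site-to-site VPN on it first")
    if conns.find(f'n:LocalNetworkSiteRef[@name="{site_name}"]', NSMAP) is not None:
        return netcfg_xml            # already connected: re-running must not duplicate the ref
    ref = ET.SubElement(conns, f"{{{NS}}}LocalNetworkSiteRef", name=site_name)
    ET.SubElement(ref, f"{{{NS}}}Connection", type="IPsec")
    return ET.tostring(root, encoding="unicode")

def check_config(netcfg_xml):    # problems the portal will not flag: dangling refs, overlapping VNets
    root = ET.fromstring(netcfg_xml)
    sites = {s.get("name") for s in root.findall(".//n:LocalNetworkSite", NSMAP)}
    spaces, problems = {}, []
    for v in root.findall(".//n:VirtualNetworkSite", NSMAP):
        spaces[v.get("name")] = ipaddress.ip_network(v.find("n:AddressSpace/n:AddressPrefix", NSMAP).text)
        for r in v.findall(".//n:LocalNetworkSiteRef", NSMAP):
            if r.get("name") not in sites:
                problems.append(f'{v.get("name")} references undefined local network site {r.get("name")}')
    for a, b in combinations(sorted(spaces), 2):
        if spaces[a].overlaps(spaces[b]):
            problems.append(f"address spaces of {a} and {b} overlap; connected VNets must not overlap")
    return problems
```

On a real export, read the file with ET.parse instead of the constructed SAMPLE, run check_config on the edited text, and only then write it back for Set-AzureVNetConfig.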

Connect VPN Gateways

When all the previous steps have been completed we will set the IPSec/IKE pre-shared keys to be the same.

Note: all 3 VNets must use the same key value.

Command to connect VNet-1 to L-VNet-2

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-1 -LocalNetworkSiteName L-VNet-2 -SharedKey S98naUvuXP35xYCBmtz34dCBN8ETgmfV

Command to connect VNet-2 to L-VNet-1

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-2 -LocalNetworkSiteName L-VNet-1 -SharedKey S98naUvuXP35xYCBmtz34dCBN8ETgmfV

Command to connect VNet-1 to L-VNet-3

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-1 -LocalNetworkSiteName L-VNet-3 -SharedKey S98naUvuXP35xYCBmtz34dCBN8ETgmfV

Command to connect VNet-3 to L-VNet-1

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet-3 -LocalNetworkSiteName L-VNet-1 -SharedKey S98naUvuXP35xYCBmtz34dCBN8ETgmfV

Command example:

PS C:\Users\admin> Set-AzureVNetGatewayKey -VNetName VNET-1 -LocalNetworkSiteName L-VNET-3 -SharedKey S98naUvuXP35xYCBmtz34dCBN8ETgmfV

Output:

HttpStatusCode : OK
Id             : 9c082011-32e8-4bef-9194-acdfcf2c2bd2
Status         : Successful
RequestId      : e17edd10ac835d8387bb0a9994689d83
StatusCode     : OK

After running all the commands, click on the Dashboard page of the VNet and verify the connectivity.
