How to create a Virtual Network using Azure Resource Manager (ARM)

Share this:

Configuring a Virtual Network and a VPN connection between Microsoft Azure and a local site using Azure Resource Manager deployment model.


When using Azure Resource Manager deployment model is that the VPN creation is done using PowerShell only at this time. We can start creating with Azure Preview Portal and continue using PowerShell, however we will create the Resource Group, Network and VPN site-to-site using PowerShell. The process is well documented in the Azure Portal (the link can be found at the final of this Tutorial), and in this Tutorial we will focus more on the scenario and the planning to get things in order before start running cmdlets and a long the way, we will provide some hints how to deploy the connectivity between Microsoft Azure and your on-premises environment.


For this Tutorial, we are going to use a brand new Microsoft Azure subscription and the first thing that we are going to perform is the VPN site-to-site connection.


The PowerShell requires a lot of typing and in order to keep things easier it is better to review the entire process first before going to the PowerShell, another hint is to use the following table (replace with your values) to avoid any mistakes.

Item Value (in this Tutorial)
Resource Group azna-rg-corenetwork
Virtual Network azna-vn-default
Azure Datacenter East US
Azure Local Network ITLAB (On-premises)
Azure Network Gateway azna-gw

Step 01 – Resource Group..

The first step is to create the Resource Group and we will use the following cmdlet.

New-AzureResourceGroup -Name azna-rg-corenetwork -Location “East US”


The results can be seen on the Azure Preview Portal under Resource Groups.


In the new panel, define the name, address space, subnet name and address range and at the end define the name for the new resource group. Click on finish.

Step 02 – Virtual Network and Gateway Subnet

In our scenario, we decided that the Microsoft Azure will have the network and in order to have VPN site-to-site we need a small network to be used as Gateway Subnet and we will be using, and a second subnet for our regular servers will be the There are 3 cmdlets required to build the Virtual Network, the first two lines are variables to store the GatewaySubnet and Servers subnets, and on the third one we create the network using the previous variables.

$subnet1 = New-AzureVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix
$subnet2 = New-AzureVirtualNetworkSubnetConfig -Name “Servers” -AddressPrefix
New-AzureVirtualNetwork -Name azna-vn-default -ResourceGroupName azna-rg-corenetwork -Location “East US” -AddressPrefix -Subnet $subnet1, $subnet2


Make sure that you have the ProvisioningState of Succeeded before moving forward.

Step 03 – Defining on-premises in Microsoft Azure

The next step is to define the information about the on-premises environment, and we will need to define a name, Public IP that will receive the VPn connection and the address that is currently using it.

New-AzureLocalNetworkGateway -Name ITLAB -ResourceGroupName azna-rg-corenetwork -Location “East US” -GatewayIpAddress “” -AddressPrefix “”


Step 04 – Microsoft Azure Gateway configuration

In the Microsoft step-by-step they consider the Public IP as a separate task, however I will include on the same step all variables created to build the Gateway configuration. The first thing to do here is to run the following cmdlet to get the Public IP configuration.

$gwpip = New-AzurePublicIpAddress -Name gwip -ResourceGroupName azna-rg-corenetwork -Location “East US” -AllocationMethod Dynamic


Before creating the gateway on the Microsoft Azure side, a series of configuration must be in the right place to make it work. Unfortunately there is no easy way to get the configuration with a single cmdlet, and for that reason we need to use 4 (four) variables $gwpip, $vnet, $subnet and $gwipconfig, and this last one will use the information retrieved on the previous two, and that variable will be used during the Gateway creation process.

$vnet = Get-AzureVirtualNetwork -Name azna-vn-default -ResourceGroupName azna-rg-corenetwork

$subnet = Get-AzureVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vnet

$gwipconfig = New-AzureVirtualNetworkGatewayIPConfig -Name gwipconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.ID


Note: It is a lot of commands and sometimes the administrator may confuse names when typing in. The hint here is before adding the information in a variable, try to run by itself first, and if you have positive results, then you can add the variable. In the example below, we are testing the cmdlet that we are going to add the previous $vnet variable.

Get-AzureVirtualNetwork -Name azna-vn-default -ResourceGroupName azna-rg-corenetwork


Step 05 – Finally, the Gateway!!!

This process will take a while, and it will use the information gathered on the $gwipconfig variable to create the gateway in Microsoft Azure. Here is the cmdlet to create the gateway:

New-AzureVirtualNetworkGateway -Name azna-gw -ResourceGroupName azna-rg-corenetwork -Location “East US” -IpConfigurations $gwipconfig -GatewayType VPN -VpnType RouteBased


Step 06 – Wrapping up and getting ready to configure the on-premises side

The last configuration on the Microsoft Azure side is to create the connection and try to establish the VPN between Microsoft Azure and On-premises, it won’t work because the on-premises side wasn’t configured yet. The first step is to create 2 (two) variables which will collect the information between the previous objects created to reference your on-premises network and the Azure Virtual network Gateway, the following cmdlets must be run (the third cmdlet was used just to test the $local variable)

$gateway = Get-AzureVirtualNetworkGateway -Name azna-gw -ResourceGroupName azna-rg-corenetwork
$local = Get-AzureLocalNetworkGateway -Name ITLAB -ResourceGroupName azna-rg-corenetwork


The final step is to create the connection, and it can be done using the following cmdlet. The most important thing here is the SharedKey and you need to save that information because it has to be used by the Firewall administrator on-premises to establish the VPN tunnel later on.

New-AzureVirtualNetworkGatewayConnection -Name azna-itlab -ResourceGroupName azna-rg-corenetwork -Location “East US” -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $local -ConnectionType IPSec -RoutingWeight 10 -SharedKey “Urucubaca-vpn-test-02”


The Firewall administrator on-premises has the SharedKey however another important piece is the Public IP where to terminate the VPN tunnel, and we can get this information using the following cmdlet:

Get-AzurePublicIpAddress -Name gwip -ResourceGroupName azna-rg-corenetwork


At this point, with all the information your firewall administrator should configure the VPN (in the final section of this Tutorial we provide a link with configurations that can be used based on your device).

Testing the VPN Connection…

After bringing the tunnel up, using PowerShell we can check the status of the connection using the following cmdlet:

Get-AzureVirtualNetworkGatewayConnection -Name azna-itlab -ResourceGroupName azna-rg-corenetwork -Debug


In the output look at Connection Status and the value should be Connected, as shown in the figure below.


This are the steps required to configure a VPN Site-to-Site using PowerShell in Azure Resource Manager deployment mode.

More information:

Written by Anderson Patricio

Anderson Patricio is a Canadian Exchange Server MVP and MCSM (Solutions Master) and he contributes to the Microsoft Community with articles, tutorials, blog posts, forums and book reviews. He is a regular contributor at, and (Portuguese).