How to create a Virtual Network using Azure Resource Manager (ARM)


Configuring a Virtual Network and a VPN connection between Microsoft Azure and a local site using Azure Resource Manager deployment model.

Solution


One difference when using the Azure Resource Manager deployment model is that, at this time, the VPN creation is done using PowerShell only. We could start in the Azure Preview Portal and continue in PowerShell; however, we will create the Resource Group, the Virtual Network and the VPN site-to-site entirely with PowerShell. The process is well documented in the Azure Portal (the link can be found at the end of this Tutorial). In this Tutorial we will focus more on the scenario and on the planning needed to get things in order before running cmdlets, and along the way we will provide some hints on how to deploy the connectivity between Microsoft Azure and your on-premises environment.

Planning…

For this Tutorial, we are going to use a brand new Microsoft Azure subscription and the first thing that we are going to perform is the VPN site-to-site connection.


The PowerShell approach requires a lot of typing, so to keep things easier it is better to review the entire process first before going to PowerShell. Another hint is to use the following table (replacing the values with your own) to avoid mistakes.

Item                    Value (in this Tutorial)
Resource Group          azna-rg-corenetwork
Virtual Network         azna-vn-default
Azure Datacenter        East US
Azure Local Network     ITLAB (On-premises)
Azure Network Gateway   azna-gw

Step 01 – Resource Group

The first step is to create the Resource Group and we will use the following cmdlet.

New-AzureResourceGroup -Name azna-rg-corenetwork -Location "East US"


The results can be seen on the Azure Preview Portal under Resource Groups.


In the new panel, define the name, address space, subnet name and address range and at the end define the name for the new resource group. Click on finish.

Step 02 – Virtual Network and Gateway Subnet

In our scenario, we decided that Microsoft Azure will have the network 10.190.0.0/16. In order to have the VPN site-to-site we need a small network to be used as the Gateway Subnet, and we will be using 10.190.0.0/28; a second subnet for our regular servers will be 10.190.10.0/24. There are 3 cmdlets required to build the Virtual Network: the first two lines store the GatewaySubnet and Servers subnet configurations in variables, and on the third one we create the network using those variables.

$subnet1 = New-AzureVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.190.0.0/28
$subnet2 = New-AzureVirtualNetworkSubnetConfig -Name "Servers" -AddressPrefix 10.190.10.0/24
New-AzureVirtualNetwork -Name azna-vn-default -ResourceGroupName azna-rg-corenetwork -Location "East US" -AddressPrefix 10.190.0.0/16 -Subnet $subnet1, $subnet2


Make sure that you have the ProvisioningState of Succeeded before moving forward.

Step 03 – Defining on-premises in Microsoft Azure

The next step is to define the information about the on-premises environment: a name, the Public IP that will receive the VPN connection, and the address space currently in use on-premises.

New-AzureLocalNetworkGateway -Name ITLAB -ResourceGroupName azna-rg-corenetwork -Location "East US" -GatewayIpAddress "38.99.160.10" -AddressPrefix "10.60.0.0/16"


Step 04 – Microsoft Azure Gateway configuration

In the Microsoft step-by-step the Public IP is treated as a separate task; however, I will include in the same step all the variables created to build the Gateway configuration. The first thing to do here is to run the following cmdlet to create the Public IP that the gateway will use and store it in a variable.

$gwpip = New-AzurePublicIpAddress -Name gwip -ResourceGroupName azna-rg-corenetwork -Location "East US" -AllocationMethod Dynamic


Before creating the gateway on the Microsoft Azure side, a series of settings must be in place to make it work. Unfortunately there is no easy way to get the configuration with a single cmdlet, so we need to use 4 (four) variables: $gwpip, $vnet, $subnet and $gwipconfig. The last one is built from the information retrieved in the previous two, and it is the variable that will be used during the Gateway creation process.

$vnet = Get-AzureVirtualNetwork -Name azna-vn-default -ResourceGroupName azna-rg-corenetwork

$subnet = Get-AzureVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

$gwipconfig = New-AzureVirtualNetworkGatewayIPConfig -Name gwipconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.ID


Note: there are a lot of commands, and sometimes the administrator may mix up names when typing. The hint here is, before storing the result in a variable, to run the cmdlet by itself first; if the result is positive, then assign it to the variable. In the example below, we are testing the cmdlet whose output we stored in the $vnet variable above.

Get-AzureVirtualNetwork -Name azna-vn-default -ResourceGroupName azna-rg-corenetwork


Step 05 – Finally, the Gateway!!!

This process will take a while, and it will use the information gathered on the $gwipconfig variable to create the gateway in Microsoft Azure. Here is the cmdlet to create the gateway:

New-AzureVirtualNetworkGateway -Name azna-gw -ResourceGroupName azna-rg-corenetwork -Location "East US" -IpConfigurations $gwipconfig -GatewayType VPN -VpnType RouteBased


Step 06 – Wrapping up and getting ready to configure the on-premises side

The last configuration on the Microsoft Azure side is to create the connection and try to establish the VPN between Microsoft Azure and on-premises; it won't come up yet, because the on-premises side hasn't been configured. The first step is to create 2 (two) variables that reference the objects created previously for your on-premises network and the Azure Virtual Network Gateway. The following cmdlets must be run (in the original screenshot a third cmdlet was used just to test the $local variable):

$gateway = Get-AzureVirtualNetworkGateway -Name azna-gw -ResourceGroupName azna-rg-corenetwork
$local = Get-AzureLocalNetworkGateway -Name ITLAB -ResourceGroupName azna-rg-corenetwork


The final step is to create the connection, which can be done with the following cmdlet. The most important thing here is the SharedKey: save that value, because the Firewall administrator on-premises will need it to establish the VPN tunnel later on.

New-AzureVirtualNetworkGatewayConnection -Name azna-itlab -ResourceGroupName azna-rg-corenetwork -Location "East US" -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $local -ConnectionType IPSec -RoutingWeight 10 -SharedKey "Urucubaca-vpn-test-02"


The Firewall administrator on-premises now has the SharedKey; another important piece is the Public IP where the VPN tunnel will terminate on the Azure side, and we can get this information using the following cmdlet:

Get-AzurePublicIpAddress -Name gwip -ResourceGroupName azna-rg-corenetwork


At this point, with all this information, your firewall administrator should configure the VPN on the on-premises device (in the final section of this Tutorial we provide a link with configurations that can be used depending on your device).

Testing the VPN Connection…

After bringing the tunnel up, we can check the status of the connection from PowerShell using the following cmdlet:

Get-AzureVirtualNetworkGatewayConnection -Name azna-itlab -ResourceGroupName azna-rg-corenetwork -Debug


In the output look at Connection Status and the value should be Connected, as shown in the figure below.


These are the steps required to configure a VPN Site-to-Site using PowerShell in the Azure Resource Manager deployment model.
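The planning table at the top of this Tutorial fixes the address spaces by hand, and the connection step uses a test shared key. As an added example, not part of the original post, the PowerShell below checks that the GatewaySubnet and Servers subnets fall inside the Virtual Network address space and that the Azure and on-premises ranges do not overlap (an overlap is the classic reason a tunnel shows Connected while traffic does not route), generates a random shared key instead of a guessable string, and polls the connection until it reports Connected. The helper functions are my own; the cmdlet name and the ConnectionStatus property are the ones this Tutorial already uses.

```powershell
# Added example (not from the original post): pre-flight checks on the address plan
# from this tutorial, a random IPsec shared key, and a wait loop for the tunnel status.
function ConvertTo-UInt64 ([string]$Ip) {            # IPv4 dotted quad -> integer
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

function Get-CidrRange ([string]$Cidr) {             # first/last address of a CIDR block
    $ip, $bits = $Cidr.Split('/')
    $size  = [uint64][math]::Pow(2, 32 - [int]$bits)
    $start = [uint64][math]::Floor([double](ConvertTo-UInt64 $ip) / $size) * $size   # align to block
    return @{ Start = $start; End = $start + $size - 1 }
}

function Test-SubnetInside ([string]$Inner, [string]$Outer) {
    $i = Get-CidrRange $Inner; $o = Get-CidrRange $Outer
    return ($i.Start -ge $o.Start -and $i.End -le $o.End)
}

function Test-Overlap ([string]$A, [string]$B) {
    $x = Get-CidrRange $A; $y = Get-CidrRange $B
    return ($x.Start -le $y.End -and $y.Start -le $x.End)
}

# Values from the planning table and Steps 02-03
$vnet = '10.190.0.0/16'; $gwSub = '10.190.0.0/28'; $srvSub = '10.190.10.0/24'; $onPrem = '10.60.0.0/16'
if (-not (Test-SubnetInside $gwSub $vnet))  { throw "GatewaySubnet $gwSub is outside $vnet" }
if (-not (Test-SubnetInside $srvSub $vnet)) { throw "Servers subnet $srvSub is outside $vnet" }
if (Test-Overlap $gwSub $srvSub)             { throw "GatewaySubnet and Servers subnet overlap" }
if (Test-Overlap $vnet $onPrem)              { throw "Azure $vnet overlaps on-premises $onPrem; traffic will not route" }

# Random shared key instead of a guessable test string (32 base64 characters, plain ASCII);
# hand it to the firewall administrator out of band, not in a ticket or e-mail.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedKey = [Convert]::ToBase64String($bytes)
# ... run the New-Azure* cmdlets from Steps 01-06 here, passing -SharedKey $sharedKey ...

# Poll Get-AzureVirtualNetworkGatewayConnection until ConnectionStatus (the property the
# Testing section looks at) reads Connected, or give up after $Attempts * 30 seconds.
function Wait-VpnConnected ([string]$Name, [string]$ResourceGroup, [int]$Attempts = 20) {
    for ($n = 0; $n -lt $Attempts; $n++) {
        $conn = Get-AzureVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroup
        if ($conn.ConnectionStatus -eq 'Connected') { return $true }
        Start-Sleep -Seconds 30
    }
    return $false
}
Wait-VpnConnected -Name azna-itlab -ResourceGroup azna-rg-corenetwork
```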

More information:

Written by Anderson Patricio

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at ITPROCentral.com, MSExchange.org, Techgenix.com and Anderson Patricio.org (Portuguese).
