I set out to implement a VPN tunnel from my on-prem network to my Azure subscription virtual network. There are several good Microsoft Documentation articles for configuring the Azure side but here I will provide some additional information for configuration of the on-prem router as well. I am using a Ubiquiti EdgeRouter X-SFP for my on-prem router which offers flexibility for a good price.
Below is the table of values used to correlate to the commands ran below:
| Value Name | Updated Values | Default Values from MS Documentation Article |
| VnetName | SLAzurevnet | (TestVNet1) |
| ResourceGroup | sl_azure_rg | (TestRG1) |
| Location | East US 2 | (East US) |
| AddressSpace | 10.38.0.0/16 | (10.11.0.0/16) |
| SubnetName | sl_azure_subnet1 | (Subnet1) |
| Subnet | 10.38.1.0/28 | (10.11.1.0/28) |
| GatewaySubnet | 10.38.0.0/27 | (10.11.0.0/27) |
| LocalNetworkGatewayName | sl_onprem | (Site2) |
| LNG Public IP | onprempublicip | (<VPN device IP address>) |
| Local Address Prefixes | 10.37.0.0/16 | (10.0.0.0/24, 20.0.0.0/24) |
| Gateway Name | slazuregateway | (VNet1GW) |
| PublicIP | slazuregatewayip | (VNet1GWIP) |
| Gateway IP Config | gwipconfig1 | (gwipconfig1) |
| VPNType | RouteBased | (RouteBased) |
| GatewayType | Vpn | (Vpn) |
| ConnectionName | slazuretoslonprem | (VNet1toSite2) |
Below is the configuration ran from the PowerShell console in the Azure RM Portal:
2. Create a virtual network and a gateway subnet
#Create resource group
New-AzureRmResourceGroup -Name sl_azure_rg -Location ‘East US 2’
##To create a virtual network and a gateway subnet
$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name ‘GatewaySubnet’ -AddressPrefix 10.38.1.0/28
$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name ‘Subnet1’ -AddressPrefix 10.38.0.0/27
New-AzureRmVirtualNetwork -Name SLAzurevnet -ResourceGroupName sl_azure_rg -Location ‘East US 2’ -AddressPrefix 10.38.0.0/16 -Subnet $subnet1, $subnet2
##To add a gateway subnet to a virtual network you have already created
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName sl_azure_rg -Name SLAzurevnet
Add-AzureRmVirtualNetworkSubnetConfig -Name ‘GatewaySubnet’ -AddressPrefix 10.38.1.0/28 -VirtualNetwork $vnet
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
3. Create the local network gateway
New-AzureRmLocalNetworkGateway -Name sl_onprem -ResourceGroupName sl_azure_rg -Location ‘East US 2’ -GatewayIpAddress ‘onprempublicip’ -AddressPrefix ‘10.37.0.0/16’
4. Request a Public IP address
$gwpip= New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName sl_azure_rg -Location ‘East US 2’ -AllocationMethod Dynamic
5. Create the gateway IP addressing configuration
$vnet = Get-AzureRmVirtualNetwork -Name SLAzurevnet -ResourceGroupName sl_azure_rg
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name ‘GatewaySubnet’ -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
6. Create the VPN gateway
New-AzureRmVirtualNetworkGateway -Name slazuregateway -ResourceGroupName sl_azure_rg -Location ‘East US 2’ -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
7. Configure your VPN device (Read part 2 for my Ubiquiti Router setup)
Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName sl_azure_rg
8. Create the VPN connection
$gateway1 = Get-AzureRmVirtualNetworkGateway -Name slazuregateway -ResourceGroupName sl_azure_rg
$local = Get-AzureRmLocalNetworkGateway -Name sl_onprem -ResourceGroupName sl_azure_rg
New-AzureRmVirtualNetworkGatewayConnection -Name slazuretoslonprem -ResourceGroupName sl_azure_rg -Location ‘East US 2’ -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey ‘supersecretpw’
9. Verify the VPN connection
Get-AzureRmVirtualNetworkGatewayConnection -Name slazuretoslonprem -ResourceGroupName sl_azure_rg
Please continue to the next part of this topic to configure the on-prem router.
Thanks for reading,
Shane
shilllabs.com 