Azure VNet-to-VNet VPN configuration – Part 3

In this blog post series, I will cover what you need to configure to create a VNet-to-VNet VPN between to Azure regions on the same subscription. Although is about the same configuration if you want to configure two different VNets on different subscriptions. You can see the part 1 post here and the part 2 here.

So, at this moment I have both networks setup with their gateways configured. Although I need to connect them to each other. For this I only have to choose one of them to setup the connection. Because I’m on the same subscription, this is one of the difference. If I want to connect different VNets on different subscription, I have to setup the connection on both sides. What they need to have in common is the Shared Key.

It’s exactly the same when setup a Site-to-Site VPN. One of the requirements after setup the networks, is connecting them with the Shared Key

How to connect two VNet gateways using Azure Portal

After this running successful, we need to connect both networks. To be able to do it just follow the steps bellow:

  1. On the VNet created, navigate to Connections (in this case I used the network that I configured with PowerShell – SW-EUS2-WUS2-VPN)
  2. Click Add
  3. When the Add connection blade open, you need to configure all the requirement fields:
    1. Name – This is where you insert the name of the VPN connection.
    2. Connection type – This is where you define which of connection want to use. VNet-to-VNet is used between two networks on Azure, Site-to-Site is used between a Azure network and on premise network. ExpressRoute is used between an Azure network and an existing circuit.
    3. First virtual network gateway – This is the network that you are configuring from.
    4. Second virtual network gateway – This where you want to connect. In this case, is the other region.
    5. Shared key – This is the key that is shared on both side to stablish the connection. This key only accepts number and/or letters.
  4. Then click OK
  5. After the connection it’s created, it will connect automatically.

 

 

Cheers,

Marcos Nogueira
Azure MVP

azurecentric.com
Twitter: @mdnoga

Azure VNet-to-VNet VPN configuration – Part 2

In this blog post series, I will cover what you need to configure to create a VNet-to-VNet VPN between to Azure regions on the same subscription. Although is about the same configuration if you want to configure two different VNets on different subscriptions. You can see the previous post here.

On Part 1, I create one side of the network using Azure Portal. Although, that is not my usual method of configured Network and VPN. I prefer using PowerShell. One of the reasons is related to the fact that I spin a lot of environments, for testing, for Proof-of-Concepts, and for production.

As a result of that, I always look a way to automate and be more productive. But the main reason is not only those, it’s more related to the fact that I found through PowerShell I’m reducing the human mistake factor! Yes, as everyone, I also do mistakes!

How to configure using PowerShell

Now that we have on side of the net configured (see previous post), I need to configure the network on a different region. For this I will show my script that I use to configure. I’m sure there way other ways (probably better than mine), to script that. I like to keep it simple.

Here is the script:

#Setting all the variables

$Sub = “Your_Subcription_Name”

$RG = “RG-SW-EUS2-VM”

$Region = “East US 2”

$VNetName = “SW-EUS2-VM-VNET”

$SubName = “SW-EUS2-VM-SUBNET”

$GWSubName = “GatewaySubnet”

$VNetPrefix11 = “10.11.0.0/16”

$SubPrefix = “10.11.0.0/24”

$GWSubPrefix = “10.11.254.0/24”

$GWName = “SW-EUS2-WUS2-VPN”

$GWIPName = “SW-EUS2-WUS2-VPN”

$GWIPconfName = “SW-EUS2-WUS2-VPN-CON”

 

#1 – Login to Azure

Login-AzureRmAccount

#2 – Select the appropriated subscription

Get-AzureRmSubscription

Select-AzureRmSubscription -SubscriptionName $Sub

#3 – Create the Resource Group

New-AzureRmResourceGroup -Name $RG -Location $Region

#4 – Create the VNets and Subnets

$subnet = New-AzureRmVirtualNetworkSubnetConfig -Name $SubName -AddressPrefix $SubPrefix

$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Region -AddressPrefix $VNetPrefix11 -Subnet $subnet,$gwsub1

#5 – Request the Public IP

$gwpip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Region -AllocationMethod Dynamic

#6 – Create the gateway

$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG

$gwsubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vnet

$gwipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $gwsubnet -PublicIpAddress $gwpip

New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Region -IpConfigurations $gwipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

 

So, after you run you should have both VNets configured. Although they are not connected yet. That is the next step.

 

Cheers,

Marcos Nogueira
Azure MVP
azurecentric.com
Twitter: @mdnoga

Azure VNet-to-VNet VPN configuration – Part 1

In this blog post series, I will cover what you need to configure to create a VNet-to-VNet VPN between to Azure regions on the same subscription. Although is about the same configuration if you want to configure two different VNets on different subscriptions.

A lot of my costumers think that you setup multiple VNets on Azure they automatically are connected to each other, because it’s Azure. That is a huge misconception, a huge one. A VNet is a totally isolated/segregated network from the other ones, only if you manually decide to connect them, they will communicate.

Even if you have ExpressRoute and you have multiple VNets on the same subscription, you manually have to connected them. This is called peering.

On the scenario bellow I will demonstrate how you can setup a VNet-to-VNet VPN between 2 VNets in Azure on different regions.

So, this is my architecture that I will show how to configure:

In this scenario, you have to configure both sides, that means that I will use the Azure Portal for one and PowerShell on the other. Then you have both ways that you can configure the VNet-to-VNet VPN. Let’s start.

Before to begin the configuration, I already have my VNets configured and being used. I just want to create a VPN between the two regions.

How to configure using Azure Portal

To setup a VNet-to-VNet VPN follow these steps:

  1. On the Azure Portal, navigate to the Virtual network gateways
  2. On the Virtual network gateways blade, click on Create Virtual network gateway button.
  3. At the Create virtual network gateway blade, fill the required information
    1. Name – This is the name of the VNet gateway.
      NOTE: I highly recommend that you create a name convention that make sense for your organization. In this scenario, I use the direction of the connection on the name (EX: SW-WUS2-EUS2-VPN, this means that the connection is from West US 2 to East US 2)
    2. Gateway type – This is the type of gateway. Instead of a VPN, you can have an ExpressRoute configuration.
    3. VPN type – This is where you define if you want your VPN based on policy or routing.
    4. SKU – This is where you define the SKU of the VPN. The SKU will give you different configurations and throughputs. For more information visit About VPN Gateway configuration settings
    5. Virtual Network – This is where you will choose the network that you want to connect the VPN.
    6. Public IP Address – The Public IP is the IP that you will have your other VPN connected too. It’s recommended that you create a new Public IP for the VPN.
    7. Subscription – This is where you configure the subscription
    8. Location – This is the region that you are creating all the configuration.
  4. After configured all the requirements fields, click on Create

  5. After Azure create all the resources to enable the VNet gateway you need to configure the other region’s network.

 

Cheers,

Marcos Nogueira
Azure MVP

azurecentric.com
Twitter: @mdnoga

How to use Azure Cloud Shell

Since when they announce the Azure Cloud Shell (see post here), I’ve been waiting to use the PowerShell on the Azure Cloud Shell. I’m still growing my learning how to use the Azure CLI, but PowerShell I’ve been using for years, and I feel way more comfortable with it.

So, how I can use Azure Cloud Shell? Just open the Azure Portal, and on the top bar, between the Notifications and the Settings you will find the Azure Cloud Shell icon   .

When you click on the icon, it will ask you to configure the Azure Cloud Shell. The process will provision machines, where you can run the shells (Azure CLI and Azure PowerShell). It’s a fairly simple process. Just follow the steps below.

  1. Choose what is your Shell of choice. It doesn’t matter if you choose Bash or PowerShell. You can always switch back and forward after the initial setup.
  2. Choose what is the subscriptions that you want to use. Then you have the simple option of creating the storage or click in Show advanced setting. In this case I opt for the advanced settings.
  3. On the Advanced setting, you can specify the Resource Group, Storage Account and File Share names that you want to use.

    NOTE: Just remember that you have to follow the requirements how to create storage account and file shares (small caps and alphanumeric characters).
  4. In this case I select the Bash. After I click create, starting to provision the machines. First create all the resources from the previous step.
  5. After the creation of the resources, it’s connecting to the Bash terminal.
  6. And that is the end! Now you can start to use the Azure CLI on the Azure Portal.

Changing to PowerShell (or Shell)

After you create the Azure Cloud Shell, you can switch from Bash to PowerShell and vice versa. To do that, just follow the steps:

  1. Click on the Shell that you are using. In this case I was using Bash. When you click the drop box, you will see the other Shell.
  2. Select the Shell that you want. In this case PowerShell, then click Restart.

  3. After that, the Azure Cloud Shell is shutdown the previous Shell and it will restart on the new Shell (even if you never use it before).
  4. Now it’s creating all the resources required for the first use.
  5. After the creating of all the resources, it will connect to the terminal.
  6. Finished! Now you can you use the PowerShell on Azure portal.

Because you are login at the Azure Portal, you don’t need to run the PowerShell command Login-AzureRm. You can start from there.

Cheers,

Marcos Nogueira
Azure MVP

azurecentric.com
Twitter: @mdnoga

Disaster Recovery solution within Azure – Part 2

On the previous post (see here), I create the Recovery Service vault that is required to configured the Site Recovery infrastructure to protect the workloads, in order to have a Disaster Recovery solution within Azure. In the post, I will show how you can protect your workloads (Azure VMs) from one region into another region.

First step is to prepare the infrastructure. Azure Site Recovery have many scenarios that you can protect the workloads, but in these case, I will only cover the Azure VM protection to another region.

As mention on the previous blog post, my workloads are running on the West US 2 region. After creating the Recovery Services vault on East US 2 region, I need to prepare the infrastructure.

To step up the infrastructure follow the steps:

  1. On the Recovery Services vault, click on Site Recovery, under GETTING STARTED
  2. It will open another blade. Click on Prepare Infrastructure

  3. Select Azure – PREVIEW, under Where are your machines located?
  4. Make sure that you select To Azure on Where do you want to replicate your machines to?
  5. Click OK

  6. Fill all the details required:
    1. Source Location – is the region where your workloads are running
    2. Azure virtual machine deployment model – make sure that you select Resource Manager
    3. Source resource group – is the recourse group where your workloads are running
      NOTE: If you have more than one resource group on the same region, you must run this setup again, to add more workloads located on another resource group.
  7. Click OK to proceed
  8. Select the workloads that you want to protect.
  9. Click OK

  10. On the Configure settings blade, click Create target resources button to conclude the preparation of the infrastructure.
    NOTE: Under Target location, by default choose the location where you create the Recovery Services vault, although you can select another region where do you want to replicate too. It’s not recommend that you choose the location where your workloads are running.

  11. If you do want to change the default settings, then you can click on Customize. Otherwise you can skip to the last step.
    There are two different settings that you can customize:

    1. Resource group, Network, Storage and Availability sets – On this setting you will configure witch resource group, network, storage account and availability set your workload will run, when your failover the virtual machine.
    2. Replication policy – is where you change the name of the replication policy, RPO and the frequency of the replication.
  12. If you want to change any of the following setting:
    1. Target resource group – This is the Resource group where your workload will run in case of failover. On the drop down, list you will see only the resource group available on the region that you previous select. Although you can either create a new (by default) or use an existing one.
    2. Target virtual network – This is where you can define witch network your workload will run in case of failover. On the drop down, list you will see only the networks available on the region that you previous select. Although you can either create a new (by default) or use an existing one.
    3. Storage accounts
      1. Target Storage – This is where your workload will be replicated too. On the drop down, list you will see only the storages accounts available on the region that you previous select. Although you can either create a new (by default) or use an existing one.
      2. Cache Storage – This is where your workload will be replicated too. On the drop down, list you will see only the storages accounts available on the region that you previous select. Although you can either create a new (by default) or use an existing one.
    4. Availability sets – This is availability set that your workload will be running in case of failover. On the drop down, list you will see only the availability sets available on the region that you previous select. Although you can either create a new (by default), use an existing one or choose not to set an availability set (Not Applicable option).
  13. After you change the settings that you want, click OK

  14. If you want to change the policies setting, these are your options:
    1. Choose by creating a new policy or an existing one.
      NOTE: If you are running these for the first time, it’s recommended that you create a new policy. Although if you are running for the second or more times, you can either choose an existing policy (if the settings are the same) or create a new policy, if the settings are different. It’s not recommended that you create new policies with the same settings.
    2. Name – This is where you can change the name of the policy
    3. Recovery point retention – This is where you can configure how long do you want to keep each recovery point.
    4. App consistent snapshot frequency – This is where you can choose the frequency of the replication.
  15. After you change the settings that you want, click OK

  16. Click Enable replication button, to start the workload protection.

  17. After the configuration is done. Azure will start to replicate the workload from on region to another. The time of the replication it will depend on the size of the disks attached to the workload.

All this process is live. That means you don’t have any downtime while Azure is doing the initial replication.

Cheers,

Marcos Nogueira
Azure MVP

azurecentric.com
Twitter: @mdnoga