orndor/Azure-Site2Site-VPN

This walks one through the process of creating a hybrid cloud with Azure to a GNS3 lab on their local workstation.

Steps to setup Hybrid Cloud with GNS3

Head to my blog article on this topic to get the full writeup on this tutorial

1. Install Azure PowerShell module. Instructions

   Install-Module -Name Az -AllowClobber -Scope CurrentUser

2. Connect to Azure Account (the integration with windows is nice):

   Connect-AzAccount

3. Define common network parameters

   # Virtual network
   $RG1         = "TestRG1"
   $VNet1       = "VNet1"
   $Location1   = "East US"
   $VNet1Prefix = "10.1.0.0/16"
   $VNet1ASN    = 65001
   $GW1         = "VNet1GW"
   $FESubnet1   = "FrontEnd"
   $BESubnet1   = "Backend"
   $GwSubnet1   = "GatewaySubnet"
   $FEPrefix1   = "10.1.0.0/24"
   $BEPrefix1   = "10.1.1.0/24"
   $GwPrefix1   = "10.1.255.0/27"
   $GwIP1       = "VNet1GWIP"
   $GwIPConf1   = "gwipconf1"
   # On-premises network - LNGIP1 is the VPN device public IP address
   $LNG1        = "VPNsite1"
   $LNGprefix1  = "10.101.0.0/24"
   $LNGprefix2  = "10.101.1.0/24"
   $LNGIP1      = "65.191.34.34"
   # On-premises BGP properties
   $LNGASN1     = 65000
   $BGPPeerIP1  = "10.101.1.254"
   # Connection
   $Connection1 = "VNet1ToSite1"

4. Create a resource group

   New-AzResourceGroup -ResourceGroupName $RG1 -Location $Location1

5. Create a virtual network

   $fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubnet1 -AddressPrefix $FEPrefix1
   $besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubnet1 -AddressPrefix $BEPrefix1
   $gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubnet1 -AddressPrefix $GwPrefix1
   $vnet   = New-AzVirtualNetwork `
               -Name $VNet1 `
               -ResourceGroupName $RG1 `
               -Location $Location1 `
               -AddressPrefix $VNet1Prefix `
               -Subnet $fesub1,$besub1,$gwsub1

6. Request a public IP address for the VPN gateway (this will be a dynamic IP)

   $gwpip    = New-AzPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1 `
               -Location $Location1 -AllocationMethod Dynamic
   $subnet   = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
               -VirtualNetwork $vnet
   $gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GwIPConf1 `
               -Subnet $subnet -PublicIpAddress $gwpip

7. Create a VPN gateway (this will take up to 45 minutes)

   New-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 `
   -Location $Location1 -IpConfigurations $gwipconf -GatewayType Vpn `
   -VpnType RouteBased -GatewaySku VpnGw1 -EnableBgp $True -Asn $VNet1ASN

8. Create a local network gateway

   New-AzLocalNetworkGateway -Name $LNG1 -ResourceGroupName $RG1 `
   -Location 'East US' -GatewayIpAddress $LNGIP1 `
   -AddressPrefix $LNGprefix1,$LNGprefix2 -Asn $LNGASN1 `
   -BgpPeeringAddress $BGPPeerIP1

9. Create a S2S VPN connection with BGP Enabled

   $vng1 = Get-AzVirtualNetworkGateway -Name $GW1  -ResourceGroupName $RG1
   $lng1 = Get-AzLocalNetworkGateway   -Name $LNG1 -ResourceGroupName $RG1
   
   New-AzVirtualNetworkGatewayConnection -Name $Connection1 `
   -ResourceGroupName $RG1 -Location $Location1 `
   -VirtualNetworkGateway1 $vng1 -LocalNetworkGateway2 $lng1 `
   -ConnectionType IPsec -SharedKey "Azure@!b2C3" -EnableBGP $True

10. Download Premise equipment sample configs. Go to here. or run the following Powershell snippet:

    $RG          = "TestRG1"
    $GWName      = "VNet1GW"
    $Connection  = "VNet1toSite1"
    
    Get-AzVirtualNetworkGatewayConnectionVpnDeviceConfigScript `
    -Name $Connection -ResourceGroupName $RG -DeviceVendor Cisco `
    -DeviceFamily "Cisco-ISR(IOS)" -FirmwareVersion "Cisco-ISR-15.x--IKEv2+BGP"
    

Verification and Troubleshooting commands for the CLI

• Verify the status of the VPN connection

  Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1

• Get the BGP peer status

  Get-AzureRmVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName VNet1GW -ResourceGroupName TestRG1

• View the gateway public IP address

  $myGwIp = Get-AzPublicIpAddress -Name $GwIP1 -ResourceGroup $RG1
  $myGwIp.IpAddress

• Resize a gateway

  $gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroup $RG1
  Resize-AzVirtualNetworkGateway -GatewaySku VpnGw2 -VirtualNetworkGateway $gateway

• Reset a gateway (for troubleshooting)

  $gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroup $RG1
  Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway

Removal and Clean-Up

• Delete a Site-to-Site VPN connection

  Remove-AzVirtualNetworkGatewayConnection -Name $Connection1 -ResourceGroupName $RG1
  
  Remove-AzVirtualNetworkGatewayConnection -Name $LNG1 -ResourceGroupName $RG1

• Clean up resources (this deletes everything)

  Remove-AzResourceGroup -Name $RG1