
VPN Gateway for hybrid connectivity in Azure - Commands & Configuration

Introduction
An Azure VPN Gateway terminates an encrypted IPsec/IKE tunnel between your virtual network and your on-premises network, so traffic between the two crosses the internet inside the tunnel instead of in the clear. Typical situations where you need one:
When you want your office computers to access cloud resources securely.
When you have apps running partly in the cloud and partly on your own servers and they need to connect.
When you want to extend your company network into the cloud without exposing internal services directly to the internet (the tunnel itself crosses the internet, but its contents are encrypted and both ends are authenticated).
When you need to connect multiple office locations to the same cloud network.
When you want to protect data moving between your cloud and on-premises systems.
Config File - vpn-gateway-template.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworkGatewayName": {
      "type": "string",
      "defaultValue": "myVpnGateway"
    },
    "publicIpAddressName": {
      "type": "string",
      "defaultValue": "myVpnGatewayPublicIP"
    },
    "location": {
      "type": "string",
      "defaultValue": "eastus"
    },
    "virtualNetworkId": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-05-01",
      "name": "[parameters('publicIpAddressName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAllocationMethod": "Static"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworkGateways",
      "apiVersion": "2021-05-01",
      "name": "[parameters('virtualNetworkGatewayName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddressName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "vnetGatewayConfig",
            "properties": {
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddressName'))]"
              },
              "subnet": {
                "id": "[concat(parameters('virtualNetworkId'), '/subnets/GatewaySubnet')]"
              }
            }
          }
        ],
        "gatewayType": "Vpn",
        "vpnType": "RouteBased",
        "enableBgp": false,
        "activeActive": false,
        "sku": {
          "name": "VpnGw1",
          "tier": "VpnGw1"
        }
      }
    }
  ]
}

This template creates a VPN Gateway in Azure.

  • publicIPAddresses: Creates the public IP that your on-premises VPN device connects to. The VpnGw SKUs require a Standard SKU public IP with static allocation; Basic SKU and dynamically allocated public IPs are deprecated for gateways, and a static address is what you configure as the peer on the on-premises device.
  • virtualNetworkGateways: Defines the VPN Gateway with its IP config and links it to the virtual network's GatewaySubnet.
  • parameters: Allow you to set names, location, and the virtual network ID where the gateway will be deployed.
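Before running the deployment, it is worth checking the template for the settings a reviewer would reject. The script below is an added example and not part of the original page: it inspects the parsed template and reports a Basic or dynamically allocated public IP, a PolicyBased gateway, a Basic gateway SKU, or an IP configuration that is not on GatewaySubnet. WEAK_TEMPLATE is a constructed, trimmed copy of vpn-gateway-template.json that keeps a Basic/Dynamic public IP so the check has something to find; harden_template shows the corrected public IP settings beside it.

```python
"""Review a VPN Gateway ARM template before deploying it.

Added example, not part of the original page. It inspects the parsed template
and flags the settings a security reviewer would reject before running
`az deployment group create`: a Basic or dynamically allocated public IP
(deprecated for the VpnGw SKUs), a PolicyBased gateway, a Basic gateway SKU,
or an IP configuration that does not sit on GatewaySubnet. WEAK_TEMPLATE is a
constructed, trimmed copy of the page's vpn-gateway-template.json that keeps
its Basic/Dynamic public IP so the check has something to find.
"""
import copy
import json
import sys

PIP_TYPE = "Microsoft.Network/publicIPAddresses"
GW_TYPE = "Microsoft.Network/virtualNetworkGateways"

WEAK_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": PIP_TYPE,
            "apiVersion": "2021-05-01",
            "name": "myVpnGatewayPublicIP",
            "sku": {"name": "Basic"},
            "properties": {"publicIPAllocationMethod": "Dynamic"},
        },
        {
            "type": GW_TYPE,
            "apiVersion": "2021-05-01",
            "name": "myVpnGateway",
            "properties": {
                "ipConfigurations": [{
                    "name": "vnetGatewayConfig",
                    "properties": {
                        "publicIPAddress": {"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'myVpnGatewayPublicIP')]"},
                        "subnet": {"id": "[concat(parameters('virtualNetworkId'), '/subnets/GatewaySubnet')]"},
                    },
                }],
                "gatewayType": "Vpn",
                "vpnType": "RouteBased",
                "enableBgp": False,
                "activeActive": False,
                "sku": {"name": "VpnGw1", "tier": "VpnGw1"},
            },
        },
    ],
}


def review_template(template: dict) -> list[str]:
    """Return one finding per problem; an empty list means the template passed."""
    findings = []
    for res in template.get("resources", []):
        name, rtype = res.get("name", "?"), res.get("type")
        props = res.get("properties", {})
        if rtype == PIP_TYPE:
            # ARM falls back to Basic/Dynamic when these fields are omitted, so treat absence as weak.
            sku = res.get("sku", {}).get("name", "Basic")
            alloc = props.get("publicIPAllocationMethod", "Dynamic")
            if sku != "Standard":
                findings.append(f"{name}: public IP SKU is {sku}; the VpnGw SKUs need Standard")
            if alloc != "Static":
                findings.append(f"{name}: allocation is {alloc}; use Static so the peer address never changes")
        elif rtype == GW_TYPE:
            if props.get("gatewayType") != "Vpn":
                findings.append(f"{name}: gatewayType must be Vpn")
            if props.get("vpnType") != "RouteBased":
                findings.append(f"{name}: vpnType is {props.get('vpnType')}; PolicyBased means IKEv1 and a single tunnel")
            if props.get("sku", {}).get("name") == "Basic":
                findings.append(f"{name}: Basic gateway SKU has no BGP, active-active or custom IPsec/IKE policy")
            for cfg in props.get("ipConfigurations", []):
                subnet_id = cfg.get("properties", {}).get("subnet", {}).get("id", "")
                if "/subnets/GatewaySubnet" not in subnet_id:
                    findings.append(f"{name}: ipConfiguration {cfg.get('name')} is not on GatewaySubnet")
    return findings


def harden_template(template: dict) -> dict:
    """Return a copy with every public IP set to Standard/Static; other findings need a human decision."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("resources", []):
        if res.get("type") == PIP_TYPE:
            res["sku"] = {"name": "Standard"}
            res.setdefault("properties", {})["publicIPAllocationMethod"] = "Static"
    return fixed


if __name__ == "__main__":
    # Pass a template path to review a real file; otherwise use the constructed weak template.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK_TEMPLATE
    for finding in review_template(template):
        print("FAIL:", finding)
    print("after hardening:", review_template(harden_template(template)) or "no findings")
```

Run it as `python review_template.py vpn-gateway-template.json` against the real file; only the public IP findings are auto-corrected, because switching vpnType or the gateway SKU changes what the on-premises device has to support and should be a deliberate decision.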
Commands
Create a virtual network with a subnet named exactly GatewaySubnet, which the VPN Gateway requires. Use a /27 or larger so the gateway has room for its own instances, and keep other resources out of it; the subnet is reserved for gateway use.
Terminal
az network vnet create --resource-group myResourceGroup --name myVnet --address-prefix 10.0.0.0/16 --subnet-name GatewaySubnet --subnet-prefix 10.0.255.0/27 --location eastus
Expected Output
{ "newVNet": { "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] }, "location": "eastus", "name": "myVnet", "resourceGroup": "myResourceGroup", "subnets": [ { "addressPrefix": "10.0.255.0/27", "name": "GatewaySubnet" } ] } }
--subnet-name - Defines the subnet name; must be 'GatewaySubnet' for VPN Gateway.
--subnet-prefix - Sets the IP range for the GatewaySubnet.
Deploy the VPN Gateway using the ARM template, linking it to the virtual network created earlier.
Terminal
az deployment group create --resource-group myResourceGroup --template-file vpn-gateway-template.json --parameters virtualNetworkId=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet
Expected Output
{ "properties": { "provisioningState": "Succeeded" }, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/myVpnGateway", "name": "myVpnGateway", "type": "Microsoft.Network/virtualNetworkGateways" }
--template-file - Specifies the ARM template file to deploy.
--parameters - Passes parameters to the template, here the virtual network ID.
Create the site-to-site connection between the Azure VPN Gateway and the local network gateway that represents your on-premises VPN device (here myLocalGateway, which must already exist; it is created with az network local-gateway create using the device's public IP and on-premises address prefixes). Both ends authenticate each other with an IKE pre-shared key, so the key must be long and random; a guessable value such as MySharedKey123 undermines the tunnel. The command below reads the key from the VPN_PSK variable so the literal does not end up in your shell history.
Terminal
az network vpn-connection create --resource-group myResourceGroup --name myVpnConnection --vnet-gateway1 myVpnGateway --local-gateway2 myLocalGateway --shared-key "$VPN_PSK"
Expected Output
{ "connectionStatus": "Connecting", "egressBytesTransferred": 0, "ingressBytesTransferred": 0, "name": "myVpnConnection", "resourceGroup": "myResourceGroup", "type": "Microsoft.Network/connections" }
--vnet-gateway1 - Specifies the Azure VPN Gateway name.
--local-gateway2 - Specifies the on-premises local gateway name.
--shared-key - Sets the IPsec/IKE pre-shared key for the tunnel; the on-premises device must be configured with the identical value.
Check the status of the VPN connection to confirm it is established and working.
Terminal
az network vpn-connection show --resource-group myResourceGroup --name myVpnConnection
Expected Output
{ "connectionStatus": "Connected", "egressBytesTransferred": 12345, "ingressBytesTransferred": 67890, "name": "myVpnConnection", "resourceGroup": "myResourceGroup", "type": "Microsoft.Network/connections" }
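The two steps above are where a site-to-site setup is most often weakened: a short pre-shared key, and a status check that accepts anything other than "Connected". The script below is an added example, not part of the original page. It generates a random key from the OS CSPRNG and rejects weak candidates, writes the key to a 0600 file so it can be passed as `--shared-key "$(cat vpn.psk)"`, and parses the JSON that `az network vpn-connection show` returns, counting only connectionStatus "Connected" as a usable tunnel. MIN_PSK_LEN is this example's policy rather than an Azure limit, SAMPLE_POLLS is a constructed sequence of show outputs (not captured data), and az_show_stream wraps the page's real status command but is not exercised by the sample run.

```python
"""Pre-shared key hygiene and status checks for the site-to-site connection.

Added example, not part of the original page. The placeholder key the
tutorial passes to --shared-key (MySharedKey123) is short and guessable;
the IKE pre-shared key authenticates both ends of the tunnel and should be
long, random and kept out of shell history. This block generates such a key,
rejects weak ones, stores the key in a 0600 file for use as
`--shared-key "$(cat vpn.psk)"`, and parses `az network vpn-connection show`
output, treating only connectionStatus == "Connected" as a usable tunnel.
MIN_PSK_LEN is this example's policy, not an Azure limit, and SAMPLE_POLLS is
a constructed sequence of show outputs, not captured data.
"""
import json
import os
import secrets
import string
import subprocess
import time

PSK_ALPHABET = string.ascii_letters + string.digits  # accepted by Azure and by VPN device CLIs without quoting trouble
MIN_PSK_LEN = 32                                      # example policy: roughly 190 bits of entropy from this alphabet
UP_STATE = "Connected"                                # the only connectionStatus value that means traffic flows

SAMPLE_POLLS = [  # constructed `az network vpn-connection show` outputs, in poll order
    json.dumps({"name": "myVpnConnection", "connectionStatus": "Connecting", "ingressBytesTransferred": 0}),
    json.dumps({"name": "myVpnConnection", "connectionStatus": "NotConnected", "ingressBytesTransferred": 0}),
    json.dumps({"name": "myVpnConnection", "connectionStatus": "Connected", "ingressBytesTransferred": 67890}),
]


def psk_problems(psk: str) -> list[str]:
    """Return the reasons a candidate key is unacceptable; an empty list means it passes."""
    problems = []
    if len(psk) < MIN_PSK_LEN:
        problems.append(f"only {len(psk)} characters; need at least {MIN_PSK_LEN}")
    if not psk.isascii() or not psk.isprintable() or " " in psk:
        problems.append("contains non-ASCII, control or space characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    if sum(1 for cls in classes if set(psk) & set(cls)) < 3:
        problems.append("uses fewer than three character classes")
    if len(set(psk)) < len(psk) // 4:
        problems.append("too repetitive to be random")
    return problems


def generate_psk(length: int = 48) -> str:
    """Draw from the OS CSPRNG until the key clears psk_problems (it almost always does on the first try)."""
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if not psk_problems(psk):
            return psk


def write_psk(path: str, psk: str) -> None:
    """Create the key file owner-only (0600) and refuse to clobber an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(psk)


def connection_status(show_output: str) -> str:
    """Extract connectionStatus from show output; a missing field is reported as Unknown, which is not up."""
    return json.loads(show_output).get("connectionStatus", "Unknown")


def is_up(show_output: str) -> bool:
    return connection_status(show_output) == UP_STATE


def wait_until_connected(polls, max_attempts: int = 20) -> int:
    """Walk successive show outputs; return the 1-based attempt that was Connected, or 0 if none was."""
    for attempt, out in enumerate(polls, start=1):
        if attempt > max_attempts:
            break
        if is_up(out):
            return attempt
    return 0


def az_show_stream(resource_group: str, name: str, interval_s: float = 15.0):
    """Generator that runs the page's status command repeatedly; feed it to wait_until_connected."""
    while True:
        proc = subprocess.run(
            ["az", "network", "vpn-connection", "show", "--resource-group", resource_group, "--name", name],
            capture_output=True, text=True, check=True)
        yield proc.stdout
        time.sleep(interval_s)


if __name__ == "__main__":
    print("page placeholder key:", psk_problems("MySharedKey123"))
    print("generated key passes:", psk_problems(generate_psk()) == [])
    print("sample tunnel came up on poll", wait_until_connected(SAMPLE_POLLS))
```

In practice you would call `write_psk("vpn.psk", generate_psk())` once, configure the same value on the on-premises device, run the connection command with `--shared-key "$(cat vpn.psk)"`, and then loop over `az_show_stream("myResourceGroup", "myVpnConnection")` with wait_until_connected rather than reading the status once; a tunnel that stays in "Connecting" or "NotConnected" usually means the key or the IKE proposal differs between the two ends.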
Key Concept

If you remember nothing else from this pattern, remember: the VPN Gateway terminates an encrypted tunnel between your cloud network and your on-premises network, and it lives in a dedicated subnet that must be named GatewaySubnet.

Common Mistakes
Not creating the GatewaySubnet in the virtual network before deploying the VPN Gateway.
The VPN Gateway requires a subnet named GatewaySubnet; without it, deployment fails.
Always create a GatewaySubnet with the correct IP range in your virtual network before deploying the VPN Gateway.
Using a Basic SKU or dynamically allocated public IP for the gateway, or not linking the public IP to the gateway at all.
The VpnGw SKUs require a Standard SKU public IP with static allocation; Basic SKU public IPs are deprecated, and the static address is what you configure as the peer on the on-premises device.
Create a Standard SKU public IP with static allocation and reference it from the gateway's ipConfigurations.
Not verifying the VPN connection status after creation.
Without checking, you might miss connection issues and think the tunnel is ready when it is not.
Run az network vpn-connection show and confirm connectionStatus is 'Connected'; 'Connecting', 'NotConnected' or 'Unknown' mean the tunnel is not usable yet, most often because the shared key or IKE settings differ between the two ends.
Summary
Create a virtual network with a GatewaySubnet to host the VPN Gateway.
Deploy the VPN Gateway using an ARM template that includes a public IP and links to the GatewaySubnet.
Create a VPN connection between the Azure VPN Gateway and your on-premises gateway using a shared key.
Check the VPN connection status to ensure the secure tunnel is active.