
@jackawatts
Last active November 27, 2023 15:36
Setting up a Basic, Policy-Based Site-to-site Azure VPN for *TEST* purposes

Getting started

This is some doco covering how to set up a VPN for TESTING PURPOSES within Azure.

This simple scenario uses a Policy-based VPN type on a Site-to-site connection with the Basic gateway SKU.

This can be done via PowerShell or the Azure Portal; what follows is essentially a copy of: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

Naming of the italicised components is up to the end user, but it should be consistent between components, i.e. where DevVNet is used below, the same name should appear wherever DevVNet appears, and similarly for DevVNetPGateway. (The P stands for Policy, as this was an exploratory exercise with a Policy-based gateway; Route-based gateways are not covered here.)

Create a virtual network

  1. Azure portal
  2. New => Virtual Network
  3. Deployment Model: "Resource Manager"
  4. Configure:
    • Name: DevVNet
    • Address space:
    • Subscription: ...
    • Resource Group: ...
    • Location: ...
    • Subnet: default
    • Address Range: e.g. x.y.z.1/28

DNS

Not required

Create the Gateway Subnet

  1. DevVNet => Subnets
  2. Add Gateway subnet
  3. Configure:
    • Address range: e.g. x.y.z.128/28
    • The name is preset and should not be changed

Create the VPN Gateway

  1. New => "Virtual network gateway"
  2. Configure:
    • Name: DevVNetPGateway
    • Gateway type: VPN
    • VPN type: Policy-based
    • SKU: Basic
    • Virtual network: DevVNet
    • Public IP address: => Create New => DevVNetPGatewayIP
    • Subscription: ...
    • Location: ...

Create the Local network Gateway

  1. New => "Local network gateway"
  2. Create
  3. Configure:
    • Name: DevVNetPLocalGateway
    • IP address: (this must not be NATed)
    • Address space:
    • Configure BGP: blank
    • Subscription: ...
    • Resource Group: ...
    • Location: ...

Configure the VPN Device

Here be dragons: the client needs to know what they are doing here, and they must have admin access to the device. It is inadvisable to do this configuration as a non-expert. See https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Create the VPN connection

  1. DevVNetPLocalGateway => Add Connection
  2. Configure:
    • Name: DevVNetGatewayConnection
    • Connection Type: Site-to-site
    • Virtual network gateway: DevVNetPGateway
    • Local network gateway: DevVNetPLocalGateway
    • Shared Key: as specified on the VPN device
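The same build-out, done with the AzureRM PowerShell module instead of the portal, as an added example (this is not code from the gist or from the linked Microsoft article). It reproduces the five portal steps above in order: virtual network with the default subnet and the GatewaySubnet, the Policy-based Basic-SKU VPN gateway with a new public IP, the local network gateway, and the connection. The resource group name, region, address ranges, on-premises IP and on-premises address space are constructed placeholders; the component names are the ones used above. The shared key is generated randomly rather than typed in, and has to be entered on the VPN device afterwards.

```powershell
# Added example (not from the original gist): the portal procedure via AzureRM cmdlets.
# Everything below the component names is a constructed placeholder for a test environment.
$rgName     = "DevVNet-RG"        # assumption: resource group to create/use
$location   = "australiaeast"     # assumption: any region offering the Basic SKU
$vnetPrefix = "10.1.0.0/16"       # constructed address space for DevVNet
$subnetPfx  = "10.1.0.0/28"       # constructed 'default' subnet
$gwSubnet   = "10.1.0.128/28"     # constructed GatewaySubnet (the name must stay GatewaySubnet)
$onPremIp   = "203.0.113.10"      # placeholder: public, non-NATed IP of the on-premises VPN device
$onPremNet  = "192.168.10.0/24"   # placeholder: on-premises address space reachable over the tunnel

Login-AzureRmAccount | Out-Null
New-AzureRmResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Create a virtual network with the default subnet and the gateway subnet in one go
$defaultSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name "default" -AddressPrefix $subnetPfx
$gatewaySubnet = New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $gwSubnet
$vnet = New-AzureRmVirtualNetwork -Name "DevVNet" -ResourceGroupName $rgName -Location $location `
    -AddressPrefix $vnetPrefix -Subnet $defaultSubnet, $gatewaySubnet

# Create the VPN gateway: Gateway type VPN, VPN type Policy-based, SKU Basic, new dynamic public IP
$gwPip = New-AzureRmPublicIpAddress -Name "DevVNetPGatewayIP" -ResourceGroupName $rgName `
    -Location $location -AllocationMethod Dynamic
$gwSubnetRef = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwIpConfig  = New-AzureRmVirtualNetworkGatewayIpConfig -Name "DevVNetPGatewayIpConfig" `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $gwPip.Id
# Gateway provisioning is slow (commonly 30-45 minutes); the cmdlet blocks until it finishes
$vnetGw = New-AzureRmVirtualNetworkGateway -Name "DevVNetPGateway" -ResourceGroupName $rgName `
    -Location $location -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType PolicyBased -GatewaySku Basic

# Create the local network gateway, which represents the on-premises VPN device (no BGP)
$localGw = New-AzureRmLocalNetworkGateway -Name "DevVNetPLocalGateway" -ResourceGroupName $rgName `
    -Location $location -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

# Shared key: generate 24 random bytes and hex-encode them (48 printable chars that every device
# accepts). The same value must be configured on the VPN device; do not commit it to source control.
$keyBytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$sharedKey = -join ($keyBytes | ForEach-Object { $_.ToString("x2") })

# Create the VPN connection; a site-to-site connection is ConnectionType IPsec in this cmdlet
New-AzureRmVirtualNetworkGatewayConnection -Name "DevVNetGatewayConnection" -ResourceGroupName $rgName `
    -Location $location -VirtualNetworkGateway1 $vnetGw -LocalNetworkGateway2 $localGw `
    -ConnectionType IPsec -SharedKey $sharedKey | Out-Null

# Print what the device side needs: the Azure gateway's public IP and the shared key (shown once)
$azureGwIp = (Get-AzureRmPublicIpAddress -Name "DevVNetPGatewayIP" -ResourceGroupName $rgName).IpAddress
Write-Host "Azure gateway public IP (peer address on the VPN device): $azureGwIp"
Write-Host "Shared key (enter on the VPN device): $sharedKey"
```

The public IP is allocated dynamically because the Basic SKU does not support static gateway IPs; read it back after the gateway exists, as the last lines do, rather than assuming it. Generating the key on the Azure side and copying it to the device avoids the usual weak-shared-key habit and keeps the value out of the script file.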

Troubleshooting

Installing the Azure Management PowerShell Modules

  1. Confirm PowerShellGet is installed: Get-Module PowerShellGet -ListAvailable | Select-Object Name,Version,Path
  2. Install the AzureRM module: Install-Module AzureRM -AllowClobber (answer A for "Yes to All" at the prompt)
  3. Import the module: Import-Module AzureRM
  4. Install the Azure Service Management (Classic) module: Install-Module Azure -AllowClobber
  5. Import the module: Import-Module Azure

Testing the gateway endpoint is up

Visit: https://[DevVNetGatewayIP]:8081/healthprobe1 (substituting the public IP assigned to the gateway)
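A scripted version of that check, as an added example (not part of the gist): it resolves the gateway's public IP from its IP configuration, requests the health probe, and then reads the connection state and byte counters from the ARM connection object, which is the more useful signal when the probe answers but traffic does not flow. Component names follow the gist; the resource group name is an assumption. The probe endpoint's certificate will not validate against a bare IP address, so the function relaxes certificate validation for that single request and restores the previous callback afterwards.

```powershell
# Added example (not from the original gist): health probe plus connection status in one call.
$rgName = "DevVNet-RG"   # assumption: resource group holding the gateway and connection

function Test-VpnGatewayHealth {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [string]$GatewayName    = "DevVNetPGateway",
        [string]$ConnectionName = "DevVNetGatewayConnection"
    )

    # Resolve the public IP attached to the gateway's first IP configuration
    $gw      = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    $pipName = ($gw.IpConfigurations[0].PublicIpAddress.Id -split '/')[-1]
    $pip     = Get-AzureRmPublicIpAddress -Name $pipName -ResourceGroupName $ResourceGroupName
    $probeUrl = "https://$($pip.IpAddress):8081/healthprobe1"

    # Assumption: the probe's certificate does not match the IP, so Windows PowerShell rejects it.
    # Relax validation for this one request only and put the previous callback back afterwards.
    $previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    try {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        $probe   = Invoke-WebRequest -Uri $probeUrl -UseBasicParsing -TimeoutSec 15
        $probeOk = ($probe.StatusCode -eq 200)
    } catch {
        $probeOk = $false
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
    }

    # The ARM connection object reports the tunnel state and bytes moved in each direction
    $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName

    [pscustomobject]@{
        GatewayPublicIp   = $pip.IpAddress
        ProvisioningState = $gw.ProvisioningState
        HealthProbeOk     = $probeOk
        ConnectionStatus  = $conn.ConnectionStatus        # Connected / Connecting / NotConnected / Unknown
        IngressBytes      = $conn.IngressBytesTransferred
        EgressBytes       = $conn.EgressBytesTransferred
    }
}

Test-VpnGatewayHealth -ResourceGroupName $rgName | Format-List
```

Reading the result: a healthy probe with ConnectionStatus of NotConnected points at the device side (shared key, peer address, or IKE/IPsec parameters), not at the Azure gateway; Connected with ingress bytes but no egress usually means the on-premises address space on the local network gateway does not cover the hosts you are testing against.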

Enabling basic diagnostic logs

The logs captured here seemed to show traffic on the VPN gateway, but not the VPN tunnel negotiation process.

The following link outlines enabling diagnostic logs via PowerShell and the UI: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs

However, the VPN gateway resource was not visible within the Azure Portal UI, but it did appear to be configurable through PowerShell with the following:

Set-AzureRmDiagnosticSetting -ResourceId [your-vpn-gateway-resource-id] -StorageAccountId [your-storage-account-id] -Enabled $true
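The two bracketed placeholders in that command are full ARM resource IDs. As an added example (not from the gist), the snippet below looks both IDs up from the resource names, enables the setting with a retention period, and reads it back so you can see which log categories the gateway actually exposes. The resource group and storage account names are assumptions; the gateway name is the one used above.

```powershell
# Added example (not from the original gist): resolve the resource IDs, enable, verify.
$rgName             = "DevVNet-RG"    # assumption: resource group holding the gateway
$storageAccountName = "devvnetdiag"   # assumption: existing storage account in the same region

$gwId = (Get-AzureRmVirtualNetworkGateway -Name "DevVNetPGateway" -ResourceGroupName $rgName).Id
$saId = (Get-AzureRmStorageAccount -Name $storageAccountName -ResourceGroupName $rgName).Id

# Enable every category the resource offers and keep 30 days of logs in the storage account
Set-AzureRmDiagnosticSetting -ResourceId $gwId -StorageAccountId $saId -Enabled $true `
    -RetentionEnabled $true -RetentionInDays 30 | Out-Null

# Read the setting back: each category should now show Enabled = True. Check this list for
# IKE/tunnel categories; if the gateway does not expose one, the negotiation detail missing
# from the capture described above will not appear in these logs either.
$setting = Get-AzureRmDiagnosticSetting -ResourceId $gwId
$setting.Logs | Select-Object Category, Enabled, @{ n = 'RetentionDays'; e = { $_.RetentionPolicy.Days } }
```

Logs land in the storage account under an insights-logs-<category> container and are written in five-minute batches, so allow a few minutes after reproducing a tunnel problem before looking for entries.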

Enabling diagnostic logs (if you are lucky)

This WILL NOT work if the subscription you have provisioned the VPN in is not available in the Classic Portal.

Thanks Keith Mayer.

It seems like a great resource though, so it is reproduced here for posterity's sake (it is also accessible via: https://raw.githubusercontent.com/robotechredmond/Azure-PowerShell-Snippets/master/AzureRM%20-%20Get%20VNET%20Gateway%20Logs.ps1).

STEP 1: Sign in to Azure via Azure Resource Manager

Login-AzureRmAccount

STEP 2: Select Azure Subscription

$subscriptionId = ( Get-AzureRmSubscription | Out-GridView -Title "Select an Azure Subscription ..." -PassThru ).SubscriptionId

Select-AzureRmSubscription -SubscriptionId $subscriptionId

STEP 3: If needed, register ARM core resource providers

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Compute

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Storage

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

Get-AzureRmResourceProvider | Select-Object -Property ProviderNamespace -ExpandProperty ResourceTypes

STEP 4: Select the Azure Resource Group in which the existing VNET is provisioned

$rgName = ( Get-AzureRmResourceGroup | Out-GridView -Title "Select an Azure Resource Group ..." -PassThru ).ResourceGroupName

STEP 5: Select the Azure VNET gateway on which to start diagnostics logging

$vnetGwName = ( Get-AzureRmVirtualNetworkGateway -ResourceGroupName $rgName ).Name | Out-GridView -Title "Select an Azure VNET Gateway ..." -PassThru

STEP 6: Select the Azure Storage Account to which to send logs

$storageAccountName = ( Get-AzureRmStorageAccount -ResourceGroupName $rgName ).StorageAccountName | Out-GridView -Title "Select an Azure Storage Account ..." -PassThru

STEP 7: Get a key for the Azure Storage Account

$storageAccountKey = ( Get-AzureRmStorageAccountKey -Name $storageAccountName -ResourceGroupName $rgName )[0].Value

STEP 8: Sign in to Azure via Azure Service Management

Add-AzureAccount

STEP 9: Select the same Azure subscription via Azure Service Management

Select-AzureSubscription -SubscriptionId $subscriptionId

STEP 10: Set the Storage Context for storing logs

$storageContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

STEP 11: Get the Gateway ID for the VNET Gateway

$vnetGws = Get-AzureVirtualNetworkGateway

$vnetGwId = ( $vnetGws | Where-Object GatewayName -eq $vnetGwName ).GatewayId

STEP 12: Start Azure VNET Gateway logging

$captureDuration = 60

$storageContainer = "vpnlogs"

Start-AzureVirtualNetworkGatewayDiagnostics -GatewayId $vnetGwId -CaptureDurationInSeconds $captureDuration -StorageContext $storageContext -ContainerName $storageContainer

STEP 13: Test the VNET gateway connection to another server across the tunnel (the address is an example; use a host on the remote side)

Test-NetConnection -ComputerName 10.0.0.4 -CommonTCPPort RDP

STEP 14: Wait for diagnostics capturing to complete

Start-Sleep -Seconds $captureDuration

STEP 15: Download the VNET gateway diagnostics log

$logUrl = ( Get-AzureVirtualNetworkGatewayDiagnostics -GatewayId $vnetGwId ).DiagnosticsUrl

$logContent = ( Invoke-WebRequest -Uri $logUrl ).RawContent

$logContent | Out-File -FilePath vpnlog.txt
