This is some doco covering how to set up a VPN for TESTING PURPOSES within Azure.
This simple scenario uses a Policy-based VPN type on a Site-to-site connection with the Basic gateway SKU.
This can be done via PowerShell or the Azure Portal; what follows is essentially a copy of: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
Naming of the italicised components is up to the end user, however naming should be consistent between components, i.e. wherever DevVNet is used below it should be the same DevVNet, and likewise for DevVNetPGateway... (P for Policy in this case, as this was an exploratory exercise; Route-based VPNs are not covered here.)
- Azure portal
  - New => Virtual Network
    - Deployment Model: "Resource Manager"
    - Configure:
      - Name: DevVNet
      - Address space:
      - Subscription: ...
      - Resource Group: ...
      - Location: ...
      - Subnet: default
      - Address Range: e.g. x.y.z.1/28
Not required
- DevVNet => Subnets
  - Add Gateway subnet
    - Configure:
      - Address range: e.g. x.y.z.128/28
      - The name is preset and should not be changed
- New => "Virtual network gateway"
  - Configure:
    - Name: DevVNetPGateway
    - Gateway type: VPN
    - VPN type: Policy-based
    - SKU: Basic
    - Virtual network: DevVNet
    - Public IP address: => Create New => DevVNetPGatewayIP
    - Subscription: ...
    - Location: ...
- New => "Local network gateway"
  - Create
    - Configure:
      - Name: DevVNetPLocalGateway
      - IP address: (this must not be NATed)
      - Address space:
      - Configure BGP: blank
      - Subscription: ...
      - Resource Group: ...
      - Location: ...
Here be dragons: the client needs to know what they are doing here and to have admin access to the VPN device. It is inadvisable to do this configuration as a non-expert. See: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
- DevVNetLocalGateway => Add Connection
  - Configure:
    - Name: DevVNetGatewayConnection
    - Connection Type: Site-to-site
    - Virtual network gateway: DevVNetPGateway
    - Local network gateway: DevVNetPLocalGateway
    - Shared Key: as specified on the VPN device
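The same build, driven through the AzureRM PowerShell module instead of the portal, as an added example (this is not from the original doco or the linked Microsoft article). Component names follow the walkthrough above; the resource group name, region, address ranges, on-premises device IP and address space are constructed placeholders and are assumptions to replace with your own values.

```powershell
# Added example: the portal walkthrough above as AzureRM cmdlets.
# Assumed values (replace): resource group, region, address ranges, on-prem IP/range.
$rg       = 'DevVNetRG'          # assumed resource group name
$location = 'australiaeast'      # assumed region
$vnetName = 'DevVNet'

Login-AzureRmAccount | Out-Null
New-AzureRmResourceGroup -Name $rg -Location $location | Out-Null

# Virtual network with the default subnet and the gateway subnet.
# The gateway subnet must be named GatewaySubnet; Azure looks it up by that name.
$defaultSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '10.1.0.0/28'
$gatewaySubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.0.128/28'
$vnet = New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.1.0.0/24' -Subnet $defaultSubnet, $gatewaySubnet

# Public IP for the gateway (a Basic SKU gateway uses a dynamic public IP).
$pip = New-AzureRmPublicIpAddress -Name 'DevVNetPGatewayIP' -ResourceGroupName $rg `
           -Location $location -AllocationMethod Dynamic

# Policy-based, Basic SKU virtual network gateway. Provisioning takes a long time.
$gwSubnet   = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'DevVNetPGatewayIpConfig' `
                  -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzureRmVirtualNetworkGateway -Name 'DevVNetPGateway' -ResourceGroupName $rg -Location $location `
          -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType PolicyBased -GatewaySku Basic

# Local network gateway: the VPN device's public (non-NATed) IP and the address space
# behind it. Both values are constructed placeholders (documentation/private ranges).
$lng = New-AzureRmLocalNetworkGateway -Name 'DevVNetPLocalGateway' -ResourceGroupName $rg -Location $location `
           -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.0.0/24'

# Site-to-site (IPsec) connection. The shared key is read at run time rather than
# hard-coded so it does not live in the script file; it must match the VPN device.
$sharedKey = Read-Host -Prompt 'Shared key as configured on the VPN device'
New-AzureRmVirtualNetworkGatewayConnection -Name 'DevVNetGatewayConnection' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $sharedKey | Out-Null

# Check: once the device side is configured, ConnectionStatus should become 'Connected'.
Get-AzureRmVirtualNetworkGatewayConnection -Name 'DevVNetGatewayConnection' -ResourceGroupName $rg |
    Select-Object Name, ConnectionType, ConnectionStatus
```

Run it from a session where the AzureRM module is already installed and imported (see the module steps below); the final Get-AzureRmVirtualNetworkGatewayConnection call is the quickest way to confirm both sides agree on the shared key and the IPsec policy, since a mismatch leaves the status at NotConnected.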
- Check PowerShellGet is available:
    Get-Module PowerShellGet -ListAvailable | Select-Object Name,Version,Path
- Install the AzureRM Module (answer A for "Yes to All" when prompted):
    Install-Module AzureRM -AllowClobber
- Import the Module:
    Import-Module AzureRM
- Install the Azure Services (Classic) Module:
    Install-Module Azure -AllowClobber
- Import the Module:
    Import-Module Azure
Visit: https://*DevVNetGatewayIP*:8081/healthprobe1
The logs captured here seemed to show traffic on the VPN gateway, but not the VPN tunnel negotiation process.
The following link outlines enabling diagnostic logs via PowerShell and the UI: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs
However, the VPN resource was not visible within the Azure Portal UI, but did appear to be configurable through PowerShell with the following:
    Set-AzureRmDiagnosticSetting -ResourceId [your-vpn-gateway-resource-id] -StorageAccountId [your-storage-account-id] -Enabled $true
This WILL not work if the subscription you have provisioned the VPN in is not available in the Classic Portal
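As an added example (not from the original doco), the same diagnostic-setting call with the two resource IDs resolved by name rather than pasted in, followed by a read-back to confirm every log category is actually enabled. The resource group, gateway and storage account names are assumptions; the retention parameters are shown so the archived logs do not accumulate indefinitely.

```powershell
# Added example: enable diagnostic logs on the VPN gateway via Resource Manager.
# Assumed names (replace): resource group, gateway, storage account.
$rg     = 'DevVNetRG'
$gwName = 'DevVNetPGateway'
$saName = 'devvnetdiag01'   # assumed storage account in the same resource group

# Resolve the resource IDs instead of copying them out of the portal.
$gw = Get-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$sa = Get-AzureRmStorageAccount       -Name $saName -ResourceGroupName $rg

# Enable all diagnostic log categories for the gateway, archived to the storage
# account, and keep them for 30 days so the container does not grow without bound.
Set-AzureRmDiagnosticSetting -ResourceId $gw.Id -StorageAccountId $sa.Id `
    -Enabled $true -RetentionEnabled $true -RetentionInDays 30 | Out-Null

# Verify: each log category the gateway exposes should now show Enabled = True.
Get-AzureRmDiagnosticSetting -ResourceId $gw.Id |
    Select-Object -ExpandProperty Logs |
    Select-Object Category, Enabled
```

The read-back matters because Set-AzureRmDiagnosticSetting returns successfully even when only some categories apply to the resource; checking the Logs list shows exactly which categories the gateway will write, which is the first thing to look at when the captured output lacks the tunnel negotiation detail mentioned above.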
Thanks Keith Mayer. The script seems like a great resource, so it is reproduced below for posterity's sake (it is also accessible via: https://raw.githubusercontent.com/robotechredmond/Azure-PowerShell-Snippets/master/AzureRM%20-%20Get%20VNET%20Gateway%20Logs.ps1)
# Sign in with Azure account credentials (Resource Manager)
Login-AzureRmAccount

# Select the Azure subscription to work in
$subscriptionId = ( Get-AzureRmSubscription |
    Out-GridView `
        -Title "Select an Azure Subscription ..." `
        -PassThru ).SubscriptionId

Select-AzureRmSubscription `
    -SubscriptionId $subscriptionId

# Register the core resource providers, if not already registered
Register-AzureRmResourceProvider `
    -ProviderNamespace Microsoft.Compute

Register-AzureRmResourceProvider `
    -ProviderNamespace Microsoft.Storage

Register-AzureRmResourceProvider `
    -ProviderNamespace Microsoft.Network

Get-AzureRmResourceProvider |
    Select-Object `
        -Property ProviderNamespace `
        -ExpandProperty ResourceTypes

# Select the resource group containing the VNET gateway
$rgName = ( Get-AzureRmResourceGroup |
    Out-GridView `
        -Title "Select an Azure Resource Group ..." `
        -PassThru ).ResourceGroupName

# Select the VNET gateway to capture diagnostics for
$vnetGwName = ( Get-AzureRmVirtualNetworkGateway `
    -ResourceGroupName $rgName ).Name |
    Out-GridView `
        -Title "Select an Azure VNET Gateway ..." `
        -PassThru

# Select the storage account the logs will be written to, and fetch its key
$storageAccountName = ( Get-AzureRmStorageAccount `
    -ResourceGroupName $rgName ).StorageAccountName |
    Out-GridView `
        -Title "Select an Azure Storage Account ..." `
        -PassThru

$storageAccountKey = ( Get-AzureRmStorageAccountKey `
    -Name $storageAccountName `
    -ResourceGroupName $rgName )[0].Value

# Sign in again for the Service Management (Classic) API, which the diagnostics cmdlets use
Add-AzureAccount

Select-AzureSubscription `
    -SubscriptionId $subscriptionId

# Storage context the capture will be written through
$storageContext = New-AzureStorageContext `
    -StorageAccountName $storageAccountName `
    -StorageAccountKey $storageAccountKey

# Look up the gateway ID by name
$vnetGws = Get-AzureVirtualNetworkGateway
$vnetGwId = ( $vnetGws | ? GatewayName -eq $vnetGwName ).GatewayId

# Start a 60 second diagnostics capture into the "vpnlogs" container
$captureDuration = 60
$storageContainer = "vpnlogs"

Start-AzureVirtualNetworkGatewayDiagnostics `
    -GatewayId $vnetGwId `
    -CaptureDurationInSeconds $captureDuration `
    -StorageContext $storageContext `
    -ContainerName $storageContainer

# Generate some traffic across the gateway while the capture is running
# (10.0.0.4 is the host used in the original script; substitute one of your own)
Test-NetConnection `
    -ComputerName 10.0.0.4 `
    -CommonTCPPort RDP

# Wait for the capture to finish
Sleep -Seconds $captureDuration

# Download the capture and save it locally
$logUrl = ( Get-AzureVirtualNetworkGatewayDiagnostics `
    -GatewayId $vnetGwId ).DiagnosticsUrl

$logContent = ( Invoke-WebRequest `
    -Uri $logUrl ).RawContent

$logContent | Out-File `
    -FilePath vpnlog.txt