Step-by-Step: Multi-Site Azure VPN

Hello folks,

This subject as been one of the more requested scenario from this audience.  In the past we’ve looked at 2 different scenarios that dealt with virtual network connectivity.

• Step-By-Step: Create a Site-to-Site VPN between your network and Azure
• Step-by-Step: Configure VNet to VNet Connectivity in Azure

To get more information and to increase your Azure skills, I highly recommend you take advantage of the Microsoft Virtual Academy modules for Azure.

• Windows Azure for IT Pros Jump Start
• Microsoft Azure IaaS Deep Dive Jump Start

Today we will setup a Multi-site VPN between our datacenter and 2 virtual networks in azure.  One in the US West region and the other in the US East region.

For sake of simplicity I deleted all virtual Networks in my MSDN subscription and started from scratch.  I used the steps documented in the post Step-By-Step: Create a Site-to-Site VPN between your network and Azure to create 2 new network as depicted in here

I normally use a Cisco ASA 5505 as my edge device. It works great for setting up a Site to Site VPN using Static routing. However as stated in Azure documentation About VPN Devices for Virtual Network the Cisco ASA family is not supported for Dynamic routing VPN gateway which is required for a Multi-site VPN. In order to get my infrastructure ready to setup a multi-site VPN I changed my edge device with a Windows Server 2012.

Configure Gateways on both virtual networks

1- first I exported the virtual network configuration to an XML file on my local machine by using the management portal.

 

2- in both Vnet1 and Vnet2 I Created a Dynamic Routing gateway.

 

Define the Local Network of each virtual networks

3- Once the gateways have both been created I updated the downloaded NetworkConfig.xml file downloaded in step 1 and created the entries for the reciprocal local network for each virtual networks including the IP address of each gateways and the definition for my local datacenter.

I am defining for my environment VNet1-Local has the local Vnet name of the VNet1 virtual network and VNet2-Local as the VNet2 virtual network.

<NetworkConfiguration xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns="https://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
<VirtualNetworkConfiguration>
<Dns />
<LocalNetworkSites>
<LocalNetworkSite name="Homenet">
<AddressSpace>
<AddressPrefix>192.168.12.0/24</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>206.248.137.111</VPNGatewayAddress>
</LocalNetworkSite>
<LocalNetworkSite name="Vnet1-local">
<AddressSpace>
<AddressPrefix>10.2.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>23.100.17.169</VPNGatewayAddress>
</LocalNetworkSite>
<LocalNetworkSite name="Vnet2-local">
<AddressSpace>
<AddressPrefix>10.3.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>23.100.42.158</VPNGatewayAddress>
</LocalNetworkSite>
</LocalNetworkSites>
<VirtualNetworkSites>
<VirtualNetworkSite name="Vnet1" Location="East US">
<AddressSpace>
<AddressPrefix>10.2.0.0/16</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="FE">
<AddressPrefix>10.2.1.0/24</AddressPrefix>
</Subnet>
<Subnet name="BE">
<AddressPrefix>10.2.2.0/24</AddressPrefix>
</Subnet>
<Subnet name="GatewaySubnet">
<AddressPrefix>10.2.0.0/29</AddressPrefix>
</Subnet>
</Subnets>
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="Homenet">
<Connection type="IPsec" />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
</VirtualNetworkSite>
<VirtualNetworkSite name="Vnet2" Location="West US">
<AddressSpace>
<AddressPrefix>10.3.0.0/16</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="FE">
<AddressPrefix>10.3.1.0/24</AddressPrefix>
</Subnet>
<Subnet name="BE">
<AddressPrefix>10.3.2.0/24</AddressPrefix>
</Subnet>
<Subnet name="GatewaySubnet">
<AddressPrefix>10.3.0.0/29</AddressPrefix>
</Subnet>
</Subnets>
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="Homenet"><Connection type="IPsec" /></LocalNetworkSiteRef>
<LocalNetworkSiteRef name="Vnet1-local"><Connection type="IPsec" /></LocalNetworkSiteRef>
<LocalNetworkSiteRef name="Vnet2-local"><Connection type="IPsec" /></LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
</VirtualNetworkSite>
</VirtualNetworkSites>
</VirtualNetworkConfiguration>
</NetworkConfiguration>

Update the Azure Network configuration

4- Import the file in your azure portal.  In the navigation pane on the bottom left, click New Click Network Services-> Virtual Network-> Import Configuration.  On the Import the network configuration file page, browse to your network configuration file, and then click the next arrow to complete the import.

You’ll notice that after uploading and processing the file it will show you the items that will be created and/or updated.

Assign the pre-shared key to each Gateway

5 – Once this is done the gateways will try to connect.  However, they can’t connect without a shared secret gateway key.  So using the PowerShell module for Azure I first added my account to the session with the Add-AzureAccount .

6- Once I’m authenticated, I use the following command to set the shared key between each virtual network.  We need to set the key for the connection between VNet1—>VNet2-Local and VNet2—>VNet1-Local

Set-AzureVNetGatewayKey –VNetName VNet1 –LocalNetworkSiteName VNet2-Local –SharedKey A1B2C3D4

Set-AzureVNetGatewayKey –VNetName VNet2 –LocalNetworkSiteName VNet1-Local –SharedKey A1B2C3D4

Setup the Site to site VPN between the on-premises site and Azure

in the case of a multi-site VPN, you cannot use the script that is provided in the Azure portal

so you must setup the VPN manually

7- Since I am using Windows 2012 RRAS.  I logged on my edge device, and in the RRAS manager, navigate to Network Interface 

8- I used PowerShell to create my VPN demand-dial adaptors. (remember we have 2 sites) and configure the connection. (this assumes that your RRAS is already up and functioning as the edge router for your network)

# Add and configure S2S VPN interface for VNet1
Add-VpnS2SInterface`
-Protocol IKEv2`
-AuthenticationMethod PSKOnly`
-NumberOfTries 3`
-ResponderAuthenticationMethod PSKOnly`
-Name 23.100.17.169`#<— Gateway address of VNet1
-Destination 23.100.17.169`#<— Gateway address of VNet1
-IPv4Subnet @("10.2.0.0/16:100")`#<— IP Address Space VNet1
-SharedSecret pkmq9xXv0qtuJNj2TZBGz9fU0gdKM1zv #<— Gateway IP Address of VNet1

# Add and configure S2S VPN interface for VNet2
Add-VpnS2SInterface`
-Protocol IKEv2`
-AuthenticationMethod PSKOnly`
-NumberOfTries 3`
-ResponderAuthenticationMethod PSKOnly`
-Name 23.100.42.158`#<— Gateway address of VNet2
-Destination 23.100.42.158`#<— Gateway address of VNet2
-IPv4Subnet @("10.3.0.0/16:100")`#<— IP Address Space VNet2
-SharedSecret HIfK8SflilS1m9LqU8fFC0gpc9zvs9sj#<— Gateway IP Address of VNet2

Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

# default value for Windows 2012 is 100MB, which is way too small. Increase it to 32GB.
Set-VpnServerIPsecConfiguration -SADataSizeForRenegotiationKilobytes 33553408

New-ItemProperty`
-Path HKLM:\System\CurrentControlSet\Services\RemoteAccess\Parameters\IKEV2`
-Name SkipConfigPayload`
-PropertyType DWord -Value 1

# Set S2S VPN connections to be persistent by editing the router.pbk file (required admin priveleges)note that the IdelDisconnectSeconds and RedialOnLinkFailure are set for reach adaptors.
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "23.100.42.158" "IdleDisconnectSeconds" "0"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "23.100.42.158" "RedialOnLinkFailure" "1"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "23.100.17.169" "IdleDisconnectSeconds" "0"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "23.100.17.169" "RedialOnLinkFailure" "1"

# Restart the RRAS service
Restart-Service RemoteAccess

# Dial-in to Azure gateway
Connect-VpnS2SInterface -Name 23.100.17.169
Connect-VpnS2SInterface -Name 23.100.42.158

9- Wait for the gateways to do their job et voila!! (pardon my French) .

We now have a multi-site VPN going

I hope this helps.  let me know if there is anything else I should look into.

Cheers!

Pierre Roman | Technology Evangelist
Twitter | Facebook | LinkedIn

Comments

• Anonymous
  July 02, 2014
  Beside Server 2012, is there any hardware appliance supported for this scenario? Never thought of doing this but yeah its a good idea when using multiple datacenters.
  
• Anonymous
  July 02, 2014
  Hey Todd,
  
  take a look at the list of known compatible VPN devices here http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx#bkmk_VPN_Devics Any of the ones that support dynamic routing will work.
  
  P.