Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure

Step-by-Step Guide: High available VNet-to-VNet connectivity via Active-Active Azure VPN gateways (PowerShell Guide)

In this blog post we are going to learn about Active-Active Azure VPN gateways. There are two methods to connect two virtual networks.

1. Azure VPN Gateways
2. Azure VNET Peering

Azure VNET Peering
Azure VNET peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. The traffic will not pass via the public internet. It provides low latency, high bandwidth connectivity between virtual networks. VNET peering can use to connect virtual networks in the same Azure region or different Azure regions.

Azure VPN Gateways
If we are connecting virtual networks over the internet, we have to use VPN gateway option. This is the same for connecting Azure networks with on-premises networks. Also, if the encryption is a requirement, we have to use VPN gateways. Azure VPN Gateways can use to connect,

• Virtual Networks in the same region
• Virtual Networks in different regions
• Virtual Networks in different subscriptions

If the connection is over the public internet, it is not possible to guarantee the uptime as it depends on many facts. By using Active-Active Azure VPN gateways to improve the high availability of the VNet-to-VNet connections. This is important if you connecting the virtual network between different Azure regions. We also can use Active-Active Azure VPN gateways with cross-premises VPN connections.

In Active-Active Azure VPN gateway setup,
• There are two Gateway IP configurations with two public IP addresses for one VPN gateway. This allows initiating full-mesh connectivity between two virtual networks.
• VPN gateway SKU must be VpnGw1, VpnGw2, VpnGw3, or HighPerformance
• Supported to use BGP

In this demo, I am going to demonstrate how we can establish VNet-to-VNet connectivity between two Azure regions via Active-Active Azure VPN gateways.

azure infrastructure

In this demo setup, I got two virtual networks in East US and UK South region. As shown above, I am going to establish a fully mesh connectivity between two virtual networks.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Create Active-Active Azure VPN Gateway in East US

Create a resource group in East US

The first step of the configuration is to create a new resource group in East US.
To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location “East US”. Here REBELRG1 is RG group name and East US is the location.

create azure resource group in East US region

Create a virtual network

The next step is to create a new virtual network under REBELRG1 resource group.

$subn1 = New-AzVirtualNetworkSubnetConfig -Name VMNet1 -AddressPrefix 10.0.0.0/24

$gwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.0.255.0/27

New-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $subn1,$gwsubn1

EUSVnet1 address space is 10.0.0.0/16. It is a class B IP address range. We do not need the entire range for workloads. Therefore, I am going to create two small subnets under it.

• VM Network – 10.0.0.0/24
• Gateway subnet – 10.0.255.0/27

In the above, VM network is going to use for virtual machines and Gateway Subnet is going to use for the VPN gateway setup.

Virtual Network Gateway can only be created in a subnet with name ‘GatewaySubnet’

create virtual network in East US region [Read more…] about Step-by-Step Guide: High available VNet-to-VNet connectivity via Active-Active Azure VPN gateways (PowerShell Guide)

Step-by-Step Guide: Source network address translation (SNAT) for a subnet using Azure NAT Gateway (PowerShell Guide)

By using source network address translation (SNAT), we can translate a local IP address, a pool of local IP addresses, or even a subnet to a specific public IP address for outbound connections. This is important as it will help to control traffic flow through firewalls by using ACLs. In Azure, we can do SNAT by using Azure NAT gateway. This allows virtual machines in the subnet to use a specific static public IP address when initiate outbound traffic.

Azure NAT Gateway has the following characteristics,

• NAT gateway resources can use up to 16 public IP addresses.
• One public IP can provide up to 64,000 concurrent UDP and TCP flows.
• NAT gateway is a fully managed service. No need to worry about high availability.
• NAT is only compatible with standard SKU public IP, public IP prefix, and load balancer resources. It is not supported to work with basic SKUs.

In this blog post, I am going to demonstrate how to set up Azure NAT gateway.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Let’s start the configuration by creating a new resource group.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

Create Azure Resource Group

In the above, REBELRG1 is the resource group names and it is created in the Azure East US region.

3. The next step of the configuration is to create a public IP address to use in Azure NAT gateway.

$REBELPublicIP =
New-AzPublicIpAddress -Name “REBELPUB1” -ResourceGroupName “REBELRG1” -AllocationMethod Static -Location “East US” -Sku “Standard”

Create new Azure Public IP Address

In the above, REBELPUB1 is the name for new public IP resources. This New IP address is using Static allocation method and Standard SKU.

4. We also need to create public IP prefix to use with NAT gateway.

$REBELPublicIPPrefix =
New-AzPublicIpPrefix -Name “REBELPUB1PREFIX” -ResourceGroupName “REBELRG1” -Location “East US” -PrefixLength 31

Create Public IP Prefix for Azure NAT Gateway

In the above, the prefix name is REBELPUB1PREFIX and prefix length is set to 31.

5. Now we are ready to create NAT gateway. We can do that with following command,

$REBELNATGW =
New-AzNatGateway -Name “REBELNAT1” -ResourceGroupName “REBELRG1” -PublicIpAddress $REBELPublicIP -PublicIpPrefix $REBELPublicIPPrefix -Location “East US” -Sku “Standard” -IdleTimeoutInMinutes 10

Create Azure NAT Gateway

The gateway is using Standard SKU. Its idle time out setting is set to 10 minutes.

6. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24” -NatGateway $REBELNATGW
$REBELVNET = New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

Create Azure Virtual Network

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines. [Read more…] about Step-by-Step Guide: Source network address translation (SNAT) for a subnet using Azure NAT Gateway (PowerShell Guide)

Step-by-Step Guide: How to setup Azure Global VNET Peering? (PowerShell Guide)

Azure VNET peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. VNET peering can use to connect virtual networks in the same Azure region or different Azure regions. If it is between regions, we call it “Azure Global VNET Peering”.
Global VNET Peering has following benefits,

• Low latency and high bandwidth as it uses Azure network backbone
• No requirement for encryptions, VPN gateways or public internet to connect VNETs

In this demo, I am going to demonstrate how to connect two virtual networks in two different Azure regions using Azure Global VNET peering.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

As the first part of the configuration, I am going to create two new resource groups and two virtual networks.

1. Launch PowerShell console and connect to Azure using Connect-AzAccount

2. Then create two new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

New-AzResourceGroup -Name REBELRG2 -Location “UK South”

Create new Azure Resource Groups

In the above, REBELRG1 & REBELRG2 are the resource group names and East US is the resource group names. REBELRG1 is created in Azure East US region and REBELRG2 is created in Azure UK South region.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

Create Azure Virtual Network in East US region

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines.

4. Then let’s go ahead and create another virtual network under REBELRG2 resource group. This will be in UK South Azure region.

$vmsubnet2 = New-AzVirtualNetworkSubnetConfig -Name vmsubnet2 -AddressPrefix “10.1.3.0/24”
New-AzVirtualNetwork -Name REBELVN2 -ResourceGroupName REBELRG2 -Location “UK South” -AddressPrefix “10.1.0.0/16” -Subnet $vmsubnet2

Create Azure virtual network in UK South region [Read more…] about Step-by-Step Guide: How to setup Azure Global VNET Peering? (PowerShell Guide)

Step-by-Step Guide: Azure AD Authentication for Azure Point-to-Site (P2S) VPN (PowerShell Guide)

Azure AD authentication is supported for Azure Point-to-Site (P2S) VPN. This means we can use Azure AD features such as conditional access, user-based policies, Azure MFA with VPN authentication. In this Demo, I am going to demonstrate how to enable Azure AD authentication for Azure P2S VPN.

As we go along, we will be working on the following tasks,

• Setup Azure point-to-site VPN with native Azure certificate authentication
• Configure OpenVPN for Azure P2S VPN
• Enable Azure AD Authentication for Azure point-to-site VPN
• Configure VPN Client
• Testing

I am going to use Azure PowerShell for configuration. Please make sure you have the Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-2.6.0

Setup Azure point-to-site VPN with native Azure certificate authentication

Before we configure OpenVPN for Azure Point-to-Site (P2S) VPN, first we need to set up Azure Point-to-Site (P2S) VPN with native Azure certificate authentication. To do this,

1. Launch PowerShell console and connect to Azure using Connect-AzAccount (Using Global Administrator Account)
2. Create a new resource group using New-AzResourceGroup -Name REBELVPNRG -Location “East US”. Here REBELVPNRG is RG group name and East US is the location.

Create new Azure Resoruce Group

3. Now we need to create a new virtual network. We can create a virtual network using,

New-AzVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET -AddressPrefix 192.168.0.0/16 -Location “East US”

Create Azure Virtual Network

In the above, REBEL-VNET is the virtual network name. it uses 192.168.0.0/16 IP address range.

4. Under the virtual network, I am going to create two subnets. One for servers and one for VPN gateway. To create subnets,

$vn = Get-AzVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET
Add-AzVirtualNetworkSubnetConfig -Name “REBEL-SVR-SUB” -VirtualNetwork $vn -AddressPrefix 192.168.100.0/24
Add-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vn -AddressPrefix 192.168.5.0/24
Set-AzVirtualNetwork -VirtualNetwork $vn

In above REBEL-SVR-SUB is the server subnet and its address prefix is 192.168.100.0/24. GatewaySubnet is the VPN gateway subnet and its address prefix is 192.168.5.0/24.

Virtual Network Gateway can only be created in a subnet with name ‘GatewaySubnet’

5. VPN gateway is required a public IP address. To create one use,

$publicip = New-AzPublicIpAddress -Name REBELVPNPublicIP -ResourceGroupName REBELVPNRG -Location “East US” -AllocationMethod Dynamic

VPN Gateway currently only supports Dynamic Public IP address allocation.

Then update ip configuration using,

$vn = Get-AzVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET
$gwsubnet = Get-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vn
$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name REBELVPNGWipconf -Subnet $gwsubnet -PublicIpAddress $publicip

Azure VPN Gateway IP address configuration

6. Next step of the configuration is to create a new VPN gateway,

New-AzVirtualNetworkGateway -Name REBELVPNGW -ResourceGroupName REBELVPNRG -Location “East US” -IpConfigurations $gwipconf -GatewayType Vpn -VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol “IKEv2”

In the above, VpnType must be RouteBased. -GatewaySku should not be Basic as we are going to use OpenVPN and IKEv2. This can take up to 45 minutes to create the gateway.

Create Azure VPN Gateway

7. Now we have the gateway. The next step is to configure VPN client address pool. In this demo, I am going to use 172.16.25.0/24 as a client pool.

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName REBELVPNRG -Name REBELVPNGW
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool “172.16.25.0/24”

Assign Azure VPN Client Address Pool [Read more…] about Step-by-Step Guide: Azure AD Authentication for Azure Point-to-Site (P2S) VPN (PowerShell Guide)