As I have stated throughout this book, most (if not all) companies will have both an onsite network and an Azure network. Because of this, you will need to know how to connect both networks. This is where you would use a site-to-site VPN gateway connection.
Site-to-site VPN gateway connections allow you to connect both networks together over a secure IPsec/IKE VPN tunnel. To make this type of connection between networks, you need to have a VPN device located onsite. This VPN device will require a public IP address on the external side (the side facing the Internet) of the device.
To use a site-to-site VPN connection, you must meet the following requirements:
■ A compatible VPN device that you can configure to connect to the gateway on the Azure side.
■ An external public IP address for that VPN device.
■ Knowledge of your onsite IP configuration and subnetting. None of your onsite IP subnets can overlap your Azure virtual network subnets.
Example Values for Site-to-Site VPN Connection
To help IT people better understand and configure site-to-site VPN connections, Microsoft released example values on their website. These example values can be used to set up a test environment, or they can be used to help you better understand what values are needed to set up a site-to-site VPN connection.
Site-to-Site VPN Connection Examples
The following examples were taken directly from Microsoft’s website, https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.
■ VNet Name: TestVNet1
■ Address Space: 10.1.0.0/16
■ Subscription: The subscription you want to use
■ Resource Group: TestRG1
■ Location: East US
■ Subnet: FrontEnd: 10.1.0.0/24, BackEnd: 10.1.1.0/24 (optional for this exercise)
■ Gateway Subnet name: GatewaySubnet (this will autofill in the portal)
■ Gateway Subnet address range: 10.1.255.0/27
■ DNS Server: 8.8.8.8 – Optional. The IP address of your DNS server
■ Virtual Network Gateway Name: VNet1GW
■ Public IP: VNet1GWIP
■ VPN Type: Route-based
■ Connection Type: Site-to-site (IPsec)
■ Gateway Type: VPN
■ Local Network Gateway Name: Site1
■ Connection Name: VNet1toSite1
■ Shared key: For this example, we use abc123. But you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.
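The requirement stated earlier, that none of your onsite IP subnets may overlap your Azure virtual network subnets, is easy to get wrong when the two address plans are maintained by different teams. The following added example (not from the book or from Microsoft) is a small pre-flight check you can run before entering the example values above into the portal. It converts each CIDR prefix into a numeric first/last address pair and then verifies that every Azure subnet, the GatewaySubnet included, lies inside the VNet address space, that no subnet collides with the GatewaySubnet, that the GatewaySubnet is /27 or larger (Microsoft's recommended minimum), and that no onsite prefix overlaps the VNet. The function names are this example's own; the Azure values are the example values listed above, and the onsite prefix 192.168.10.0/24 is a constructed sample.

```shell
#!/bin/sh
# Added example: pre-flight check for a site-to-site address plan.
# Function names are this example's own, not Azure CLI or portal terms.

# cidr_range CIDR -> prints "<first> <last>" as 32-bit integers
cidr_range() {
    ip=${1%/*}; len=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    size=$(( 1 << (32 - len) ))
    first=$(( addr / size * size ))          # clear the host bits
    echo "$first $(( first + size - 1 ))"
}

# cidr_overlaps A B -> returns 0 (true) when the two ranges share any address
cidr_overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# cidr_within INNER OUTER -> returns 0 when INNER lies entirely inside OUTER
cidr_within() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# check_plan VNET_SPACE "AZURE_SUBNETS" GATEWAY_SUBNET "ONSITE_PREFIXES"
# Prints one line per problem and returns the number of problems found.
check_plan() {
    vnet=$1; subnets=$2; gwsubnet=$3; onsite=$4; problems=0
    for s in $subnets $gwsubnet; do
        if ! cidr_within "$s" "$vnet"; then
            echo "subnet $s is not inside VNet address space $vnet"
            problems=$(( problems + 1 ))
        fi
    done
    for s in $subnets; do
        if cidr_overlaps "$s" "$gwsubnet"; then
            echo "subnet $s overlaps the GatewaySubnet $gwsubnet"
            problems=$(( problems + 1 ))
        fi
    done
    # Microsoft recommends a GatewaySubnet of /27 or larger
    if [ "${gwsubnet#*/}" -gt 27 ]; then
        echo "GatewaySubnet $gwsubnet is smaller than /27"
        problems=$(( problems + 1 ))
    fi
    for p in $onsite; do
        if cidr_overlaps "$p" "$vnet"; then
            echo "onsite prefix $p overlaps VNet address space $vnet"
            problems=$(( problems + 1 ))
        fi
    done
    return $problems
}

# Example values from the list above plus a constructed onsite prefix
if check_plan 10.1.0.0/16 "10.1.0.0/24 10.1.1.0/24" 10.1.255.0/27 "192.168.10.0/24"; then
    echo "address plan OK"
fi
```

Run it with your real onsite prefixes in the last argument; a non-zero exit status means at least one line above it names a conflict that would break routing through the tunnel even though the portal accepts the values.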
Creating the VPN Gateway
Now that you understand why you would need a VPN gateway, let’s look at what it takes to create one. Since every VPN device is different, I will show you how to create the Azure side of the site-to-site VPN connection in Exercise 10.6; you will need someone who knows your VPN device to create the connection on that device.
EXERCISE 10.6
Creating the Site-to-Site VPN Connection
1. Log into the Azure dashboard.
2. On the left side of the portal page, click + Create A Resource and then type Virtual Network Gateway in the search box. In the Results section, click Virtual Network Gateway.
3. On the Virtual Network Gateway page, click the Create button.
4. On the Create Virtual Network Gateway page, enter the values for your virtual network gateway settings:
■ Name: This is the name of your gateway object.
■ Gateway type: Select VPN. VPN gateways use the VPN type.
■ VPN type: Choose the VPN type that fits your configuration. Route-based VPNs are the most common type.
■ SKU: Select your gateway SKU. This will depend on the VPN type you select.
■ Enable active-active mode: If you are creating an active-active gateway configuration, select this check box. If you are not creating an active-active gateway configuration, leave this check box unselected.
■ Location: Choose your appropriate geographical location.
■ Virtual network: Choose the virtual network you want for this gateway. You can choose the virtual network we created earlier in this book.
■ Gateway subnet address range: This setting will only be seen if you did not already create a gateway subnet for your virtual network. If you did create a valid gateway subnet, this setting will not appear.
■ Public IP address: This setting specifies the public IP address that gets associated to the VPN gateway. Make sure Create New is the selected radio button and type a name for your public IP address.
■ BGP ASN: Unless your configuration specifically requires BGP ASN, leave this configuration’s check box unselected. If BGP ASN is required, the default setting for ASN is 65515. You can change this if needed.
5. Click Create. The settings will be validated and you’ll see the Deploying Virtual network gateway message on the dashboard. This process can take up to 45 minutes. Refresh your portal page to see the current status.
Creating the Local Network Gateway
The next step is creating the local network gateway. The local network gateway refers to your onsite network. What you need to do is give your onsite network a name that Azure can use to access that network.
After you name the onsite network on Azure, you then have to tell Azure what IP address to use to access the onsite VPN device. You also have to specify the IP address prefix (that is located on your onsite location) that will be used to route traffic through the VPN gateway and to the VPN device.
In Exercise 10.7, I will show you how to set up the local network gateway. To complete this exercise, you need to know the IP address information for your onsite test or live network.
EXERCISE 10.7
Creating the Local Network Gateway
1. Log into the Azure dashboard.
2. On the left side of the portal page, click + Create A Resource and then type Local network gateway in the search box. In the Results section, click Virtual Network Gateway.
3. On the Local Network Gateway page, click Create.
4. On the Create Local Network Gateway page, enter the values for your virtual network gateway settings:
■ Name: Specify the name of your local network gateway.
■ IP address: This is the public IP address of the VPN device.
■ Address Space: These are the IP address ranges of the local (onsite) network.
■ Configure BGP settings: Use this setting when configuring BGP. Otherwise, don’t select this check box.
■ Subscription: Verify that your current Azure subscription is showing.
■ Resource Group: You can create a new resource group or choose one that you have already created.
■ Location: Choose your appropriate geographical location.
5. Click Create.
Once you have finished creating the VPN connection, you must configure your company’s VPN device. As stated earlier, site-to-site connections require a VPN device. Once the VPN device is configured properly, your site-to-site communications are completed.
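Exercises 10.6 and 10.7 walk through the portal, but the same three objects (virtual network gateway, local network gateway, and the IPsec connection between them) are usually scripted once the design is settled, so that a test environment can be rebuilt the same way every time. The following added example (not from the book, and not Microsoft's own script) drives the procedure with the Azure CLI using the example values listed earlier. The onsite device address 203.0.113.10 and prefix 192.168.10.0/24 are constructed samples, the Standard-SKU static public IP is an assumption about current VPN gateway SKUs, and the AZ variable lets you point the functions at a stand-in command (AZ=echo) to preview every call before running it for real.

```shell
#!/bin/sh
# Added example: the site-to-site procedure as Azure CLI calls.
# Requires an Azure login (az login) and an existing VNet with a GatewaySubnet.
set -u
AZ=${AZ:-az}                     # set AZ=echo to preview the calls
RG=TestRG1; LOCATION=eastus; VNET=TestVNet1
GW=VNet1GW; GW_IP=VNet1GWIP; LNG=Site1; CONN=VNet1toSite1

# Exercise 10.6: public IP plus the virtual network gateway (route-based VPN).
# Assumption: a Standard-SKU static public IP, which current VpnGw SKUs use.
create_vpn_gateway() {
    "$AZ" network public-ip create -g "$RG" -n "$GW_IP" \
        --location "$LOCATION" --sku Standard --allocation-method Static
    "$AZ" network vnet-gateway create -g "$RG" -n "$GW" --location "$LOCATION" \
        --vnet "$VNET" --public-ip-addresses "$GW_IP" \
        --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait
}

# Exercise 10.7: the local network gateway that describes the onsite side.
#   $1 = public IP of the onsite VPN device, $2 = onsite address prefixes
create_local_gateway() {
    "$AZ" network local-gateway create -g "$RG" -n "$LNG" --location "$LOCATION" \
        --gateway-ip-address "$1" --local-address-prefixes $2
}

# The IPsec connection itself. The shared key comes from the environment
# rather than being hard-coded here, so the script can be kept in source
# control; the same key must be configured on the onsite VPN device.
create_connection() {
    : "${SHARED_KEY:?set SHARED_KEY to the pre-shared key used on the VPN device}"
    "$AZ" network vnet-gateway wait -g "$RG" -n "$GW" --created   # up to 45 minutes
    "$AZ" network vpn-connection create -g "$RG" -n "$CONN" --location "$LOCATION" \
        --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$SHARED_KEY"
}

# Whole procedure: SHARED_KEY=... sh s2s.sh 203.0.113.10 "192.168.10.0/24"
if [ "$#" -eq 2 ]; then
    create_vpn_gateway
    create_local_gateway "$1" "$2"
    create_connection
fi
```

Gateway creation is started with --no-wait and then waited on only when the connection is about to be created, which matches the portal behaviour where the local network gateway can be defined while the virtual network gateway is still deploying.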
Understanding ExpressRoute
ExpressRoute allows you to set up another way to connect your two networks.
ExpressRoute allows you to connect your internal network to your external network using a private connection provided by your connection provider. Using ExpressRoute allows you to connect your internal network with any or all of the different Microsoft networks, including Azure, Microsoft 365, and Dynamics 365.
Since the connection goes through your connection provider and not over the Internet, ExpressRoute gives you a faster, more reliable, more secure, and lower-latency connection than one made over the Internet.