Exercise - Create a site-to-site VPN gateway by using Azure CLI commands

25 minutes

You're now ready to complete your site-to-site VPN gateway by creating the public IP addresses, virtual network gateways, and connections. Remember that you used placeholders for the public IP address references when you created your local network gateways, so one of your tasks now is to update these gateways with the actual public IP addresses assigned to your virtual network gateways.

Ideally, the public IP addresses and virtual network gateways should be created before the local network gateways. In this exercise, you learn how to update the local network gateways. You can use the same commands to update any configuration elements in the local network gateways, like remote network address spaces.

Note

This exercise is optional. If you want to complete this exercise, you'll need to create an Azure subscription before you begin. If you don't have an Azure account or you don't want to create one at this time, you can read through the instructions so you understand the information that's being presented.

Note

Throughout this exercise, replace myResourceGroupName in the examples with the name of an existing resource group, or the name of the resource group that you created for this exercise.

Create the Azure-side VPN gateway

First, create the VPN gateway for the Azure end of the connection. It can take up to 45 minutes to create a virtual network gateway. To save time, you use Azure CLI commands with the --no-wait parameter. This parameter lets you create both virtual network gateways simultaneously to minimize the overall time required to create these resources.

Run the following command in Cloud Shell to create the PIP-VNG-Azure-VNet-1 public IP address:

az network public-ip create \
    --resource-group "myResourceGroupName" \
    --name PIP-VNG-Azure-VNet-1 \
    --allocation-method Static

Run the following command in Cloud Shell to create the VNG-Azure-VNet-1 virtual network:

az network vnet create \
    --resource-group "myResourceGroupName" \
    --name VNG-Azure-VNet-1 \
    --subnet-name GatewaySubnet

Run the following command in Cloud Shell to create the VNG-Azure-VNet-1 virtual network gateway:

az network vnet-gateway create \
    --resource-group "myResourceGroupName" \
    --name VNG-Azure-VNet-1 \
    --public-ip-addresses PIP-VNG-Azure-VNet-1 \
    --vnet VNG-Azure-VNet-1 \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --sku VpnGw1 \
    --no-wait

Create the on-premises VPN gateway

Next, you create a VPN gateway to simulate an on-premises VPN device.

Run the following command in Cloud Shell to create the PIP-VNG-HQ-Network public IP address:

az network public-ip create \
    --resource-group "myResourceGroupName" \
    --name PIP-VNG-HQ-Network \
    --allocation-method Static

Run the following command in Cloud Shell to create the VNG-HQ-Network virtual network:

az network vnet create \
    --resource-group "myResourceGroupName" \
    --name VNG-HQ-Network \
    --subnet-name GatewaySubnet

Run the following command in Cloud Shell to create the VNG-HQ-Network virtual network gateway:

az network vnet-gateway create \
    --resource-group "myResourceGroupName" \
    --name VNG-HQ-Network \
    --public-ip-addresses PIP-VNG-HQ-Network \
    --vnet VNG-HQ-Network \
    --gateway-type Vpn \
    --vpn-type RouteBased \
    --sku VpnGw1 \
    --no-wait

Gateway creation takes approximately 30+ minutes to complete. To monitor the progress of the gateway creation, run the following command. We're using the Linux watch command to run the az network vnet-gateway list command periodically, which enables you to monitor the progress:
```
watch -d -n 5 az network vnet-gateway list \
    --resource-group "myResourceGroupName" \
    --output table
```

After each VPN gateway shows a ProvisioningState of Succeeded, you're ready to continue. Press Ctrl+C to halt the command after the gateway is created.

ActiveActive    EnableBgp    EnablePrivateIpAddress   GatewayType    Location        Name              ProvisioningState    ResourceGroup                         ResourceGuid                          VpnType
--------------  -----------  ------------------------ -------------  --------------  ----------------  -------------------  -----------------------------  ------------------------------------  ----------
False           False        False                    Vpn            southcentralus  VNG-Azure-VNet-1  Succeeded            "myResourceGroupName"  48dc714e-a700-42ad-810f-a8163ee8e001  RouteBased
False           False        False                    Vpn            southcentralus  VNG-HQ-Network    Succeeded            "myResourceGroupName"  49b3041d-e878-40d9-a135-58e0ecb7e48b  RouteBased

Update the local network gateway IP references

Important

Your virtual network gateways must be successfully deployed before you start the next exercise. A gateway can take 30 or more minutes to complete. If the ProvisioningState does not show "Succeeded" yet, you need to wait.

In this section, you update the remote gateway IP address references that are defined in the local network gateways. You can't update the local network gateways until you've created the VPN gateways and an IPv4 address is assigned to and associated with them.

Run the following Azure CLI command to check whether both virtual network gateways have been created. The initial state shows Updating. You want to see Succeeded on both VNG-Azure-VNet-1 and VNG-HQ-Network.

az network vnet-gateway list \
    --resource-group "myResourceGroupName" \
    --output table

Name              Location    GatewayType    VpnType     VpnGatewayGeneration    EnableBgp    EnablePrivateIpAddress    Active    ResourceGuid                        ProvisioningState    ResourceGroup
----------------  ----------  -------------  ----------  ----------------------  -----------  ------------------------  --------  ------------------------------------  -------------------  ------------------------------------------
VNG-Azure-VNet-1  westus      Vpn            RouteBased  Generation1         False        False                     False     9a2e60e6-da57-4274-99fd-e1f8b2c0326d  Succeeded            learn-cfbcca66-16fd-423e-b688-66f242d8f09e
VNG-HQ-Network    westus      Vpn            RouteBased  Generation1         False        False                     False     c36430ed-e6c0-4230-ae40-cf937a102bcd  Succeeded            learn-cfbcca66-16fd-423e-b688-66f242d8f09e

Remember to wait until the lists of gateways are successfully returned. Also, remember that the local network gateway resources define the settings of the remote gateway and network that they're named after. For example, the LNG-Azure-VNet-1 local network gateway contains information like the IP address and networks for Azure-VNet-1.

Run the following command in Cloud Shell to retrieve the IPv4 address assigned to PIP-VNG-Azure-VNet-1 and store it in a variable:

PIPVNGAZUREVNET1=$(az network public-ip show \
    --resource-group "myResourceGroupName" \
    --name PIP-VNG-Azure-VNet-1 \
    --query "[ipAddress]" \
    --output tsv)

Run the following command in Cloud Shell to update the LNG-Azure-VNet-1 local network gateway so that it points to the public IP address attached to the VNG-Azure-VNet-1 virtual network gateway:
```
az network local-gateway update \
    --resource-group "myResourceGroupName" \
    --name LNG-Azure-VNet-1 \
    --gateway-ip-address $PIPVNGAZUREVNET1
```

Run the following command in Cloud Shell to retrieve the IPv4 address assigned to PIP-VNG-HQ-Network and store it in a variable:

PIPVNGHQNETWORK=$(az network public-ip show \
    --resource-group "myResourceGroupName" \
    --name PIP-VNG-HQ-Network \
    --query "[ipAddress]" \
    --output tsv)

Run the following command in Cloud Shell to update the LNG-HQ-Network local network gateway so that it points to the public IP address attached to the VNG-HQ-Network virtual network gateway:
```
az network local-gateway update \
    --resource-group "myResourceGroupName" \
    --name LNG-HQ-Network \
    --gateway-ip-address $PIPVNGHQNETWORK
```

Create the connections

Here, you complete the configuration by creating the connections from each VPN gateway to the local network gateway that contains the public IP address references for that gateway's remote network.

Create the shared key to use for the connections. In the following command, replace <shared key> with a text string to use for the IPSec preshared key. The preshared key is a string of printable ASCII characters no longer than 128 characters. It can't contain special characters, like hyphens and tildes. You use this preshared key on both connections.

Note

In this example, any set of numbers will work for a shared key: SHAREDKEY=123456789. In production environments, we recommend using a string of printable ASCII characters no longer than 128 characters without special characters, like hyphens or tildes.
```
SHAREDKEY=<shared key>
```

Remember that LNG-HQ-Network contains a reference to the IP address on your simulated on-premises VPN device. Run the following command in Cloud Shell to create a connection from VNG-Azure-VNet-1 to LNG-HQ-Network:

az network vpn-connection create \
    --resource-group "myResourceGroupName" \
    --name Azure-VNet-1-To-HQ-Network \
    --vnet-gateway1 VNG-Azure-VNet-1 \
    --shared-key $SHAREDKEY \
    --local-gateway2 LNG-HQ-Network

Remember that LNG-Azure-VNet-1 contains a reference to the public IP address associated with the VNG-Azure-VNet-1 VPN gateway. This connection would normally be created from your on-premises device. Run the following command in Cloud Shell to create a connection from VNG-HQ-Network to LNG-Azure-VNet-1:
```
az network vpn-connection create \
    --resource-group "myResourceGroupName" \
    --name HQ-Network-To-Azure-VNet-1  \
    --vnet-gateway1 VNG-HQ-Network \
    --shared-key $SHAREDKEY \
    --local-gateway2 LNG-Azure-VNet-1
```

You have now finished the configuration of the site-to-site connection. It might take a few minutes, but the tunnels should automatically connect and become active.

Verification steps

Let's confirm that the VPN tunnels are connected.

Run the following command to confirm that Azure-VNet-1-To-HQ-Network is connected:

az network vpn-connection show \
    --resource-group "myResourceGroupName" \
    --name Azure-VNet-1-To-HQ-Network  \
    --output table \
    --query '{Name:name,ConnectionStatus:connectionStatus}'

You should see output like the following, indicating the connection is successful. If the ConnectionStatus shows as Connecting or Unknown, wait a minute or two, and rerun the command. The connections can take a few minutes to fully connect.

Name                        ConnectionStatus
--------------------------  ------------------
Azure-VNet-1-To-HQ-Network  Connected

The site-to-site configuration is now complete. Your final topology, including the subnets, and connections, with logical connection points, appears in the following diagram. Virtual machines deployed in the Services and Applications subnets can now communicate with each other, now that the VPN connections have been successfully established.

Diagram of resources deployed during unit 4 exercise.

Feedback

Was this page helpful?