---
title: "Connect your on-premises network to an Azure virtual network: Site-to-Site VPN: PowerShell | Microsoft Docs"
description: Steps to create an IPsec connection from your on-premises network to an Azure virtual network over the public Internet. These steps will help you create a cross-premises Site-to-Site VPN Gateway connection using PowerShell.
services: vpn-gateway
documentationcenter: na
author: cherylmc
manager: timlt
editor: ''
tags: azure-resource-manager
ms.assetid: fcc2fda5-4493-4c15-9436-84d35adbda8e
ms.service: vpn-gateway
ms.devlang: na
ms.topic: hero-article
ms.tgt_pltfrm: na
ms.workload: infrastructure-services
ms.date: 10/12/2017
ms.author: cherylmc
---
This article shows you how to use PowerShell to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model.
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.
Verify that you have met the following criteria before beginning your configuration:
- Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
- Verify that you have an externally facing public IPv4 address for your VPN device. This IP address cannot be located behind a NAT.
- If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
- Install the latest version of the Azure Resource Manager PowerShell cmdlets. PowerShell cmdlets are updated frequently and you will typically need to update your PowerShell cmdlets to get the latest feature functionality. If you don't update your PowerShell cmdlets, commands that use the values specified in this article may fail. See How to install and configure Azure PowerShell for more information about downloading and installing PowerShell cmdlets.
The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article.
```
#Example values
VnetName = TestVNet1
ResourceGroup = TestRG1
Location = East US
AddressSpace = 10.11.0.0/16
SubnetName = Subnet1
Subnet = 10.11.1.0/28
GatewaySubnet = 10.11.0.0/27
LocalNetworkGatewayName = Site2
LNG Public IP = <VPN device IP address>
Local Address Prefixes = 10.0.0.0/24, 20.0.0.0/24
Gateway Name = VNet1GW
PublicIP = VNet1GWIP
Gateway IP Config = gwipconfig1
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = VNet1toSite2
```
If you don't already have a virtual network, create one. When creating a virtual network, make sure that the address spaces you specify don't overlap any of the address spaces that you have on your on-premises network.
Note
In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet. Take care to plan your network configuration accordingly.
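The overlap requirement from the prerequisites and from the note above can be checked locally before any Azure resource is created. The following is an added example, not code from the original article: Get-PrefixRange, Test-PrefixOverlap and Test-SitePrefixes are assumed helper names, and the addresses are the article's example values (IPv4 only).

```powershell
# Added example, not from the original article: checks that none of the
# on-premises prefixes overlaps the VNet address space (or each other) before
# the local network gateway is created. IPv4 only; values are the article's.

function Get-PrefixRange {
    param([string]$Prefix)
    $ip, $len = $Prefix.Trim().Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    $size  = [uint64]1 -shl (32 - [int]$len)
    $start = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $start = $start - ($start % $size)        # clear host bits, e.g. 10.11.1.5/28 -> 10.11.1.0
    return [pscustomobject]@{ Prefix = $Prefix; Start = $start; End = $start + $size - 1 }
}

function Test-PrefixOverlap {
    param([string]$PrefixA, [string]$PrefixB)
    $a = Get-PrefixRange $PrefixA
    $b = Get-PrefixRange $PrefixB
    # Two CIDR blocks overlap exactly when their address ranges intersect
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

function Test-SitePrefixes {
    param([string]$VnetAddressSpace, [string[]]$LocalPrefixes)
    $problems = @()
    foreach ($p in $LocalPrefixes) {
        if (Test-PrefixOverlap $VnetAddressSpace $p) { $problems += "$p overlaps VNet $VnetAddressSpace" }
    }
    for ($i = 0; $i -lt $LocalPrefixes.Count; $i++) {
        for ($j = $i + 1; $j -lt $LocalPrefixes.Count; $j++) {
            if (Test-PrefixOverlap $LocalPrefixes[$i] $LocalPrefixes[$j]) {
                $problems += "$($LocalPrefixes[$i]) overlaps $($LocalPrefixes[$j])"
            }
        }
    }
    return $problems
}

# Article values: disjoint, so the local network gateway can be created
$ok = Test-SitePrefixes -VnetAddressSpace '10.11.0.0/16' -LocalPrefixes @('10.0.0.0/24', '20.0.0.0/24')
if ($ok.Count -eq 0) { Write-Output 'Prefixes are disjoint from 10.11.0.0/16' }

# A constructed bad value inside the VNet range is flagged before any Azure cmdlet runs
$bad = Test-SitePrefixes -VnetAddressSpace '10.11.0.0/16' -LocalPrefixes @('10.0.0.0/24', '10.11.5.0/24')
if ($bad.Count -gt 0) { Write-Warning ($bad -join '; ') }
```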
This example creates a virtual network and a gateway subnet. If you already have a virtual network that you need to add a gateway subnet to, see To add a gateway subnet to a virtual network you have already created.
Create a resource group:
```powershell
New-AzureRmResourceGroup -Name TestRG1 -Location 'East US'
```
Create your virtual network.
- Set the variables.
  ```powershell
  $subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.11.0.0/27
  $subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix 10.11.1.0/28
  ```
- Create the VNet.
  ```powershell
  New-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1 `
  -Location 'East US' -AddressPrefix 10.11.0.0/16 -Subnet $subnet1, $subnet2
  ```
To add a gateway subnet to a virtual network you have already created:
- Set the variables.
  ```powershell
  $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName TestRG1 -Name TestVNet1
  ```
- Create the gateway subnet.
  ```powershell
  Add-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.11.0.0/27 -VirtualNetwork $vnet
  ```
- Set the configuration.
  ```powershell
  Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
  ```
The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.
Use the following values:
- The GatewayIPAddress is the IP address of your on-premises VPN device. Your VPN device cannot be located behind a NAT.
- The AddressPrefix is your on-premises address space.
To add a local network gateway with a single address prefix:
```powershell
New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 `
-Location 'East US' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.0.0.0/24'
```
To add a local network gateway with multiple address prefixes:
```powershell
New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 `
-Location 'East US' -GatewayIpAddress '23.99.221.164' -AddressPrefix @('10.0.0.0/24','20.0.0.0/24')
```
To modify IP address prefixes for your local network gateway:
Sometimes your local network gateway prefixes change. The steps you take to modify your IP address prefixes depend on whether you have created a VPN gateway connection. See the Modify IP address prefixes for a local network gateway section of this article.
A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. You cannot request a Static Public IP address assignment. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
Request a Public IP address that will be assigned to your virtual network VPN gateway.
```powershell
$gwpip= New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName TestRG1 -Location 'East US' -AllocationMethod Dynamic
```
The gateway configuration defines the subnet and the public IP address to use. Use the following example to create your gateway configuration:
```powershell
$vnet = Get-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
```
Create the virtual network VPN gateway. Creating a VPN gateway can take up to 45 minutes or more to complete.
Use the following values:
- The -GatewayType for a Site-to-Site configuration is Vpn. The gateway type is always specific to the configuration that you are implementing. For example, other gateway configurations may require -GatewayType ExpressRoute.
- The -VpnType can be RouteBased (referred to as a Dynamic Gateway in some documentation), or PolicyBased (referred to as a Static Gateway in some documentation). For more information about VPN gateway types, see About VPN Gateway.
- Select the Gateway SKU that you want to use. There are configuration limitations for certain SKUs. For more information, see Gateway SKUs. If you get an error when creating the VPN gateway regarding the -GatewaySku, verify that you have installed the latest version of the PowerShell cmdlets.
```powershell
New-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1
```
Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:
- A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
- The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your virtual network gateway using PowerShell, use the following example (the name is the one given to the public IP resource when it was requested above):
  ```powershell
  Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName TestRG1
  ```
Next, create the Site-to-Site VPN connection between your virtual network gateway and your VPN device. Be sure to replace the values with your own. The shared key must match the value you used for your VPN device configuration. Notice that the '-ConnectionType' for Site-to-Site is IPsec.
- Set the variables.
  ```powershell
  $gateway1 = Get-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
  $local = Get-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1
  ```
- Create the connection.
  ```powershell
  New-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1 `
  -Location 'East US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
  -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'
  ```
After a short while, the connection will be established.
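The connection above uses the placeholder key 'abc123', and the VPN device section recommends generating a more complex key. The following added example (not part of the original article) generates a random alphanumeric shared key with a cryptographic RNG, creates the same connection with it, and polls the connection's ConnectionStatus until the tunnel reports Connected. It assumes the VNet1GW, Site2 and TestRG1 resources from this article exist and that you are already logged in; New-VpnSharedKey is an assumed helper name.

```powershell
# Added example, not from the original article: random shared key, connection
# creation with that key, and a status poll. Assumes the article's resources exist.

function New-VpnSharedKey {
    param([int]$Length = 32)
    # Alphanumeric only, to avoid characters that some VPN devices reject or need escaped
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $key = New-Object System.Text.StringBuilder
    $buffer = New-Object byte[] 1
    while ($key.Length -lt $Length) {
        $rng.GetBytes($buffer)
        # Rejection sampling: 248 = 4 * 62, so bytes below 248 map uniformly onto the 62 symbols
        if ($buffer[0] -lt 248) { [void]$key.Append($alphabet[$buffer[0] % 62]) }
    }
    $rng.Dispose()
    return $key.ToString()
}

$sharedKey = New-VpnSharedKey -Length 32

$gateway1 = Get-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
$local    = Get-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1

New-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1 `
    -Location 'East US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey $sharedKey

# The same key must be configured on the VPN device. It can be read back from Azure with:
# Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name VNet1toSite2 -ResourceGroupName TestRG1

# Poll ConnectionStatus (Connected / Connecting / NotConnected / Unknown) until the tunnel is up
for ($i = 0; $i -lt 30; $i++) {
    $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1
    Write-Output "$(Get-Date -Format o) ConnectionStatus=$($conn.ConnectionStatus)"
    if ($conn.ConnectionStatus -eq 'Connected') { break }
    Start-Sleep -Seconds 30
}
```

Until the device side is configured with the same key, the status stays at NotConnected or Connecting; the loop gives up after roughly 15 minutes so a mismatched key is noticed rather than waited on indefinitely.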
There are a few different ways to verify your VPN connection.
If the IP address prefixes that you want routed to your on-premises location change, you can modify the local network gateway. Two sets of instructions are provided. The instructions you choose depend on whether you have already created your gateway connection.
- Once your connection is established, you can add virtual machines to your virtual networks. For more information, see Virtual Machines.
- For information about BGP, see the BGP Overview and How to configure BGP.
- For information about creating a site-to-site VPN connection using an Azure Resource Manager template, see Create a Site-to-Site VPN Connection.
- For information about creating a VNet-to-VNet VPN connection using an Azure Resource Manager template, see Deploy HBase geo replication.