Configuring Multiple Routed VNets in Azure
I recently worked on an Active Directory Federation proof of concept that required the customer's network configuration to be emulated in Azure. The design was made up of three routed networks, which I will call VNet1, VNet2 and VNet3 for simplicity. Having no real previous experience of setting up multiple VNets, I trawled the Internet and found a useful article by Cheryl McGuire which helped me create the first two VNets and get routing configured between them: https://azure.microsoft.com/en-gb/documentation/articles/virtual-networks-configure-vnet-to-vnet-connection/. However, getting routing up and running to the third VNet was a little more complex, as not all of it can be done through the Azure Classic Portal. So this is what I did…
I created the third VNet using the Classic Portal (New Virtual Network, Custom Create). I entered a name, in this case VNet3, chose the region West Europe and selected the subscription to use. On the second screen I didn't add a DNS server, as I could do this later, but you could add the name or IP address of your own DNS server here. I left the two check boxes for point-to-site and site-to-site connectivity blank. On the third screen I entered the address space 192.168.10.0/24 and left Subnet-1 as the default. Once the VNet was created I then had to create a Local Network for the routing.
From the Classic portal, select Networks, New, Network Services, Virtual Network, Add Local Network. I used the same name for the local network as I used for the VNet for simplicity. (So I'm using VNet3 as my local Network name).
In the VPN device IP Address box, I typed any IP address as this will act as a placeholder until the gateway address is obtained.
I used 192.168.10.0/24 for the network address range. This is exactly the same range that was used when the network was created in the creation of Virtual Network "VNet3".
I now had three VNets with three corresponding Local Networks. (If you haven't followed Cheryl's article, just repeat the steps above to create your own VNets and Local Networks).
If you haven't yet got routing working between the first two VNets, you can use this process:
From the Classic Portal, select VNet1 and select Configure.
Now click on the Connect to local network check box and supply the name of the local network in the VNet you wish to connect to. In this scenario it is VNet2 and click on the save icon when done.
Repeat the same process for VNet2 to VNet1.
Once you have connected to the local network you will need to create the gateway to produce the proper gateway IP address. To do this, click on the first VNet (in this case VNet1) and from the dashboard click on Create Gateway at the bottom of the screen and select dynamic routing. Gateway creation may take several minutes. You can also Create the Gateway for VNet2 at the same time, you don't need to wait for the first one to complete.
Once the Gateway is created, you need to update the VPN address on the local networks with the newly provisioned Gateway addresses. This address can be seen on the dashboard of the respective VNet.
To add the address to the local network, select local network VNet1 and click edit. Replace the temporary address with the new address from the VNet dashboard. Click on the arrow at the bottom of the pane and the local network will be updated. Repeat this process for the second local network, making sure you add the Gateway address for VNet2 to local Network 2.
The Gateway will display as disconnected at this time. The final step in enabling the gateway is to generate the key used for the connection. To do this, from the dashboard of the first VNet, click on manage key at the bottom of the screen. This will display the key which can then be copied. This key is used for both sides of the connection.
To apply the key to the Gateway, use the following command from Azure PowerShell. If you haven't already got an Azure PowerShell session open you'll need to authenticate and make sure you're working in the correct subscription if you have more than one. To authenticate, use the PowerShell command Add-AzureAccount.
This will prompt you for the user name and password for your Azure subscription. Once successfully authenticated you can display the details of your subscription(s) and see which one is the current subscription.
To enable the final part of the gateway, use this command:
Set-AzureVNetGatewayKey -VNetName <VNetname> -LocalNetworkSiteName <Localnetworkname> -SharedKey <Sharedkey>
Here is the command I used:
PS C:\> Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName VNet2 -SharedKey LsUdEeSk651QFEfQcOjyTvPe2ecG8PPK
Error :
HttpStatusCode : OK
Id : b70b2ef8-d535-43a3-9cd7-fa25f0be6cac
Status : Successful
RequestId : c797940baa3a68f2904d40057fb41b89
StatusCode : OK
Repeat the same command to configure the other side of the connection, just swapping the VNet and Local Network names around:
Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet1 -SharedKey LsUdEeSk651QFEfQcOjyTvPe2ecG8PPK
Once the connection is established you'll see this:
Now I need to add the third VNet to the configuration. To do this, I added the required Local Network to the third VNet. This works fine as VNet3 has no other connections at the moment. Once local network VNet2 is added to VNet3 I can create the Gateway to provision the Gateway IP address for VNet3. I then edited local network VNet3 and added the newly generated Gateway address in place of the temporary address I'd used.
The problem came when I tried to add VNet3 to VNet2: I couldn't add another local network to VNet2 from the portal. At this point I had to export the Networkconfig.xml file and edit it to add the second local network to VNet2. (To export the file, use the export feature at the bottom of the pane on any of the Virtual Networks.) I opened the file with Notepad for ease and navigated to the section for VNet2,
<VirtualNetworkSite name="VNet2" Location="West Europe">, and then to its Gateway section. There I inserted the second LocalNetworkSiteRef shown below, using VNet3 as the VNet I wanted to connect to. The finished Gateway section looked like this:
<Gateway>
    <ConnectionsToLocalNetwork>
        <LocalNetworkSiteRef name="VNet1">
            <Connection type="IPsec" />
        </LocalNetworkSiteRef>
        <LocalNetworkSiteRef name="VNet3">
            <Connection type="IPsec" />
        </LocalNetworkSiteRef>
    </ConnectionsToLocalNetwork>
</Gateway>
I saved the file, went back to the Azure Classic portal, selected NEW, Virtual Network, Import Configuration, and typed in the location of the file. Once it had successfully uploaded, I checked the dashboard of VNet2 and noticed the display had changed: I now had two connections listed. The final step was to get the key for the connection from the dashboard of VNet3 and copy it. As with the previous connections I just had to run the PowerShell command on each side of the connection, using the key for VNet3 at both sides. Et voila!
Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet3 -SharedKey dFmra2EGa75vrbK1KOt1RZNQcbTfxsUv
Set-AzureVNetGatewayKey -VNetName VNet3 -LocalNetworkSiteName VNet2 -SharedKey dFmra2EGa75vrbK1KOt1RZNQcbTfxsUv
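The Networkconfig.xml edit above, done programmatically instead of in Notepad. This is an added example, not code from the original post: it inserts the IPsec LocalNetworkSiteRef for a VNet only if the target is declared as a LocalNetworkSite and is not already referenced, so a mistyped name or a re-run cannot produce a broken or duplicated connection. The namespace URI and the sample file are assumptions I constructed to match the layout of a classic export; check them against your own file.

```python
import xml.etree.ElementTree as ET

# Default namespace of a classic NetworkConfiguration export (assumed here;
# confirm it against the xmlns on the root element of your own file).
NS = "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"
ET.register_namespace("", NS)
def q(tag): return "{%s}%s" % (NS, tag)   # namespace-qualify a tag name

# Constructed sample in the layout of an exported Networkconfig.xml: VNet2
# already connects to VNet1, and a LocalNetworkSite for VNet3 is declared.
SAMPLE = """<NetworkConfiguration xmlns="%s"><VirtualNetworkConfiguration>
 <LocalNetworkSites><LocalNetworkSite name="VNet1"/><LocalNetworkSite name="VNet3"/></LocalNetworkSites>
 <VirtualNetworkSites><VirtualNetworkSite name="VNet2" Location="West Europe">
  <Gateway><ConnectionsToLocalNetwork>
   <LocalNetworkSiteRef name="VNet1"><Connection type="IPsec" /></LocalNetworkSiteRef>
  </ConnectionsToLocalNetwork></Gateway>
 </VirtualNetworkSite></VirtualNetworkSites>
</VirtualNetworkConfiguration></NetworkConfiguration>""" % NS

def add_local_network_ref(xml_text, vnet, local_site):
    """Return (new_xml, added) with an IPsec LocalNetworkSiteRef for local_site
    under vnet's Gateway. Refuses names not declared as a LocalNetworkSite and
    is idempotent, so re-running the edit never duplicates a connection."""
    root = ET.fromstring(xml_text)
    if local_site not in {s.get("name") for s in root.iter(q("LocalNetworkSite"))}:
        raise ValueError("LocalNetworkSite %r is not declared" % local_site)
    site = next((s for s in root.iter(q("VirtualNetworkSite"))
                 if s.get("name") == vnet), None)
    if site is None:
        raise ValueError("VirtualNetworkSite %r not found" % vnet)
    gw = site.find(q("Gateway"))
    if gw is None:                       # VNet had no gateway section yet
        gw = ET.SubElement(site, q("Gateway"))
    conns = gw.find(q("ConnectionsToLocalNetwork"))
    if conns is None:
        conns = ET.SubElement(gw, q("ConnectionsToLocalNetwork"))
    if any(r.get("name") == local_site for r in conns.findall(q("LocalNetworkSiteRef"))):
        return ET.tostring(root, encoding="unicode"), False
    ref = ET.SubElement(conns, q("LocalNetworkSiteRef"), name=local_site)
    ET.SubElement(ref, q("Connection"), type="IPsec")
    return ET.tostring(root, encoding="unicode"), True

def connected_sites(xml_text, vnet):
    """Names of the local networks vnet's gateway connects to, in file order."""
    root = ET.fromstring(xml_text)
    for s in root.iter(q("VirtualNetworkSite")):
        if s.get("name") == vnet:
            return [r.get("name") for r in s.iter(q("LocalNetworkSiteRef"))]
    return []
```

Run it over the real exported file by reading it into a string, calling add_local_network_ref(text, "VNet2", "VNet3") and writing the returned XML back out before importing it in the portal.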