Azure VPN Gateway

More and more we are asked by clients to configure site-to-site VPN tunnels from on-premise VPN gateways such as Checkpoint and Cisco to Azure using the native Microsoft Azure VPN Gateway.

The Azure VPN Gateway is a very compelling alternative to procuring a dedicate Network Virtual Appliance (NVA) in Azure, High Availability is built in, it scales, you don’t have to upgrade or maintain the appliance so for most clients it will do the job. However, a few things to consider:

  • Authentication, you can only use pre-shared keys (PSK), this may not be an issue but if you are required to use certificate-based authentication then you will need an NVA.
  • Troubleshooting, this is not particularly easy with the Azure VPN Gateway in comparison to an NVA which provides all information regarding tunnel negotiation. In my experience you are in the hands of the person or 3rd party configuring the on-premise end of the VPN to get it correct and troubleshoot. Now if that person is yourself or a competent engineer then this may not be an issue, however I have spent many an hour troubleshooting with inexperienced engineers configure VPNs.
  • No ACLs, you cannot apply rules to VPN tunnels or the Gateway subnet to limit what traffic or protocols can access services in your VNET/subnet(s). You can do this further up the stack on your destination servers or subnets but ideally you want to do this as close to the source as possible (best practice).

I think the Azure VPN Gateway is a decent offering but does lack the granularity of a Network Virtual Appliance. The choice will depend on your requirements, in-house network skills and budget.

Below is the powershell commands to create an object representing the on-premise VPN gateway and how to create and modify the VPN tunnel parameters. A prerequisite to this is downloading the Azure Powershell Module (i’m using AZ which replaced AzureRM)

logon to your Azure subscription (handy if you have multiple subscriptions)

#login to azure account

#lists all the subscriptions in a form to choose from
$subscriptionId = 
(Get-AzSubscription |
Out-GridView `
-Title "Select an Azure Subscription …" `

Select-AzSubscription -SubscriptionId $subscriptionId 

# if error occurs opening subscriptions try
Set-ExecutionPolicy Unrestricted

Create the on-premise VPN gateway, referred to as a local gateway

#VPN variables
$RG1 = "existing-rg"
$Location1 = "uksouth"
$GWName1 = "Azure-VPN-GW"
$LNGName6 = "Onpremise-GW1"
$LNGIP1 = ""
$LNGprefix1 = ""
$connection16 = "3rd-Party-VPN"

#Create remote VPN Gateway object
New-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 `
-Location $Location1 -GatewayIpAddress $LNGIP1 -AddressPrefix $LNGprefix1

Create a VPN policy with your desired encryption, hashing algorithms and SA timeouts. Note the Phase 1 SA timeout cannot be changed from 28800 seconds.

#vpn parameters. Note phase 1 SA timeout cant be changed from 28800 seconds
$VPNPolicy-3rdParty = New-AZIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400

Create the VPN Tunnel and bind to your gateways

#create vpn connection
$vnet1gw = Get-AZVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AZlocalnetworkgateway -Name $LNGName6 -ResourceGroupName $RG1
New-AZVirtualNetworkGatewayConnection -Name $connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -location $Location1 -ConnectionType IPsec -IpsecPolicies $VPNPolicy-3rdParty -SharedKey 'thisisyourpresharedkey'

Show your VPN policy settings

#show ipsec parameters for a policy
$connection6 = get-AZvirtualnetworkgatewayconnection -name $connection16 -ResourceGroupName $RG1 

Show your local and Azure VPN Gateway settings

#show vpn gateway local gateways defined
Get-AZvirtualnetworkgateway -resourcegroupname existing-rg
Get-AZlocalnetworkgateway -resourcegroupname existing-rg

When you create a VPN tunnel with a remote encryption domain, for example, this is automatically added to your system routing table so you don’t need to create User Defined Routes which is pretty neat.