Azure Availability Zones offers high availability for data and applications. In an Azure region, there can be one or more data centers. Azure Availability Zone is made out of one or more datacentres in the same Azure region, which have independent power, hardware, networking, and cooling. All Zone redundant service will replicate data and application across Availability Zone for high resilience. Each Azure region contains a minimum of three Azure Availability Zones.
We can deploy VPN gateway in Azure Availability Zones for resiliency and higher availability. There are two types of deployment methods we can choose.
Zone-redundant gateway
Both types of deployment depend on the Azure public IP address SKU. It must be Standard SKU. If you do not define any zone with the public IP deployment, two gateway instances will be deployed into two different zones.
Zonal gateway
If we define the zone (1,2 or 3) during the public IP deployment, two gateway instances will be deployed into the same zone.
In this demo, I am going to demonstrate, how to create Zone-redundant Azure VPN Gateway in Azure Availability Zone.
Demo Environment
In this demo setup, I got two virtual networks in East US and UK South region. I am going to deploy Zone-redundant Azure VPN Gateway in each virtual network and initiate VNet-to-VNet connection. The zones values shown above are just examples. During the actual setup, the system will pick up the zones automatically.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0
Create Resource Groups
The first step of the configuration is to create new resource groups in different regions.
To do that,
1) Launch PowerShell console and connect to Azure using Connect-AzAccount
2) Then create EUSRG1 under East US Azure region by using,
New-AzResourceGroup -Name EUSRG1 -Location “East US”
In the above command, -Name parameter specifies the resource group name, and -Location parameter specifies the Azure region.
3) The next step is to create UKSRG1 resource group in UK South Azure region by using,
New-AzResourceGroup -Name UKSRG1 -Location “UK South”
Create virtual networks
1) The next step is to create a new virtual network under EUSRG1 resource group.
$subn1 = New-AzVirtualNetworkSubnetConfig -Name VMNet1 -AddressPrefix 10.0.0.0/24
$gwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.0.255.0/27
New-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $subn1,$gwsubn1
EUSVnet1 address space is 10.0.0.0/16. It is a class B IP address range. We do not need the entire range for workloads. Therefore, I am going to create two small subnets under it.
• VM Network – 10.0.0.0/24
• Gateway subnet – 10.0.255.0/27
In the above, VM network is going to use for virtual machines and Gateway Subnet is going to use for the VPN gateway setup.
Virtual Network Gateway can only be created in a subnet with name ‘GatewaySubnet‘
2) The next step is to create the new virtual network UKSVnet1 in UK South region. This VNet contains two subnets.
• VM Network – 10.1.0.0/24
• Gateway subnet – 10.1.255.0/27
In the above, VM network is going to use for virtual machines and Gateway Subnet is going to use for the VPN gateway setup.
$subn2 = New-AzVirtualNetworkSubnetConfig -Name VMNet2 -AddressPrefix 10.1.0.0/24
$gwsubn2 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.1.255.0/27
New-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1 -Location “UK South” -AddressPrefix 10.1.0.0/16 -Subnet $subn2,$gwsubn2
Create Public IP Addresses
The next step of the configuration is to create a public IP address to use with VPN Gateways.
East US
$euspip1 = New-AzPublicIpAddress -Name EUSPIP1 -ResourceGroupName EUSRG1 -Location “East US” -AllocationMethod Static -Sku Standard
UK South
$ukspip1 = New-AzPublicIpAddress -Name UKSPIP1 -ResourceGroupName UKSRG1 -Location “UK South” -AllocationMethod Static -Sku Standard
In the above, EUSPIP1 & UKSPIP1 are the new two public ip addresses. For Zone-redundant setup -AllocationMethod must set to Static and -SKU must set to Standard.
Create Azure VPN gateway IP configurations
Before we create the gateway, we need to create ip configuration.
East US
$vnet1 = Get-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1
$gwsubnet1 = Get-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vnet1
$eusgw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name eusgw1ipconf1 -Subnet $gwsubnet1 -PublicIpAddress $euspip1
UK South
$vnet2 = Get-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1
$gwsubnet2 = Get-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vnet2
$uksgw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name uksgw1ipconf1 -Subnet $gwsubnet2 -PublicIpAddress $ukspip1
In the above, New-AzVirtualNetworkGatewayIpConfig command used to create an IP configuration for gateway (using previously created gateway subnet & public IP addresses)
Create VPN Gateways
Finally, we can create the gateways by using the following commands.
East US
New-AzVirtualNetworkGateway -Name EUSGW1 -ResourceGroupName EUSRG1 -Location “East US” -IpConfigurations $eusgw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ
In the above, my new VPN gateway in East US region is called EUSGW1. The gateway SKU is set to VpnGw1AZ.
UK South
New-AzVirtualNetworkGateway -Name UKSGW1 -ResourceGroupName UKSRG1 -Location “UK South” -IpConfigurations $uksgw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ
In the above, the new VPN gateway in UK South region is called UKSGW1. This gateway SKU is also set to VpnGw1AZ.
It can take around 45 minutes to complete VPN gateway setup.
Establish the Connection
Now we have both gateways ready. The next step is to establish the connection.
1) First, we need to declare some variables.
$EUSgw = Get-AzVirtualNetworkGateway -Name EUSGW1 -ResourceGroupName EUSRG1
$UKSgw = Get-AzVirtualNetworkGateway -Name UKSGW1 -ResourceGroupName UKSRG1
In the above, I am retrieving both gateway details.
2) Then let’s establish a connection from EUSVnet1 to UKSVnet1
New-AzVirtualNetworkGatewayConnection -Name ConEU2UK -ResourceGroupName EUSRG1 -VirtualNetworkGateway1 $EUSgw -VirtualNetworkGateway2 $UKSgw -Location “East US” -ConnectionType Vnet2Vnet -SharedKey ‘Rebeladmin123’
In the above, I am using the Vnet2Vnet connection type. I am also using pre-shared key ‘Rebeladmin123‘ to establish the connection. This can be changed to a value you required.
3) In the previous step, we create a one-way connection. We also need to create a connection from UKSVnet1 to EUSVnet1.
New-AzVirtualNetworkGatewayConnection -Name ConUK2EU -ResourceGroupName UKSRG1 -VirtualNetworkGateway1 $UKSgw -VirtualNetworkGateway2 $EUSgw -Location “UK South” -ConnectionType Vnet2Vnet -SharedKey ‘Rebeladmin123’
This completes the connection setup between gateways. The next step is to test the connectivity.
Testing
To verify the connection from EUSVnet1 to UKSVnet1, we can use the following command,
Get-AzVirtualNetworkGatewayConnection -Name ConEU2UK -ResourceGroupName EUSRG1
In the output, we can see the connection status as connected.
To verify the connection from UKSVnet1 to EUSVnet1,
Get-AzVirtualNetworkGatewayConnection -Name ConEU2UK -ResourceGroupName EUSRG1
As we can see, the connectivity between two virtual networks is working as expected. I hope now you have a better understanding of how-to setup Zone-redundant Azure VPN Gateway to connect two VNets. If you have any further questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.