Search This Blog

Monday, June 16, 2014

Configure VNet to VNet in Azure

 

In our previous post, we have explore on how to configure multi-site vpn in Azure for our domain controller. Next we are going look on how  to extend our data center network by connecting an Azure virtual network (Vnet) to another Azure virtual network. Both virtual network is going to connect to a secure tunnel using IpSec/IKE.

These connectivity is important when you would like to setup

  • Geo-redundancy via same region / different region without going over internet facing endpoint
  • Connect workload from different Azure subscription
  • Connect same region or different region
  • Setup a DR to another region. Example:- You have setup VM infrastructure at Southeast Asia Region – datacenter located in Singapore (SG). For redundancy we can setup geo-replication storage which replicate entire content to Hong Kong(HK) data center. But these implementation only contained content and we are still require to re-create cloud configuration and remap to our VM when disaster occur. Process of re-creating cloud configuration require more effort and downtime. Therefore one way to reduce downtime is setup another similar infrastructure in another region. That’s what this post is all about.

Let chec out our setup environment

  • Multi-site vpn connection between HQ and Branch. We had configured this our previous post. So we are going to skip these step.
  • Two different Azure subscription
    • Affinity Group 1- Southeast Asia (SG Datacenter)
    • Affinity Group 2 – East Asia (HK Datacenter)

VNet with Vnet

Region Local Network Virtual Network VPN Gateway
Southeast Asia Region 10.0.0.0/24 Ms4U-AzureVnet 138.91.33.133 [Created from our previous post]
East Asia Region 172.160.0.0/24 DR-Vnet [Will determine later]

Since we have completed our 1st region on our previous post, let move on to 2nd region.

  • Create Affinity Group

Settings –> Affinity Group –> +ADD –> “MS4U-DR (located in East Asia Region)

1

  • Create new storage

+NEW –> Data Services –> Storage –> Quick Create

2

  • Create new Virtual network

+New –> Network Services –> Virtual Network –> Custom Create

3

Define name “DR-Vnet”

4

Select “Configure site to site vpn”

5

Define 1st region virtual network address and temporary VPN Gateway IP

  • 10.0.0.0/24 (virtual network)
  • 1.1.1.1 (VPN gateway- we will modify later)

6

Define 2nd Region virtual network. Here we will be using 172.16.0.0/23 subnet. Make sure no overlap subnet on both virtual network.

7

  • Create VPN Gateway for 2nd virtual network – “DR-VNET”

Network –> DR-Vnet –> Dashboard –> Create Gateway –> Dynamic Routing

NOTE:- Creating vpn gateway will took around 20 minute.

8

  • While waiting, check the 1st virtual network VPN Gateway.Jot down the IP

9

  • Go to Networks –> Local Network –> Edit “Cross-MS4ULAN” VPN Gateway. Replace 1.1.1.1 with the correct VPN Gateway which we have capture from previous step

10

Now we have setup the 2nd virtual network. Let modify the 1st virtual network by export 1st virtual network configuration. To do so click on EXPORT.

Modify the entry to include 2nd virtual network (highlighted in green)

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="MS4U-DC" IPAddress="192.168.20.10" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="MS4ULAN">
        <AddressSpace>
          <AddressPrefix>192.168.20.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>14.1.200.30</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="Site2MS4ULAN">
        <AddressSpace>
          <AddressPrefix>192.168.30.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>113.210.136.157</VPNGatewayAddress>
      </LocalNetworkSite>
     <LocalNetworkSite name="Cross-DR">
        <AddressSpace>
          <AddressPrefix>172.16.0.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>23.100.93.181</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="MS4U-AzureVnet" AffinityGroup="MS4U-LabAG">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/24</AddressPrefix>
          <AddressPrefix>10.0.1.0/24</AddressPrefix>
          <AddressPrefix>10.0.2.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="InfraSubnet">
            <AddressPrefix>10.0.0.0/27</AddressPrefix>
          </Subnet>
          <Subnet name="WebSubnet">
            <AddressPrefix>10.0.1.0/27</AddressPrefix>
          </Subnet>
          <Subnet name="DatabaseSubnet">
            <AddressPrefix>10.0.2.0/27</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.2.32/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="MS4U-DC" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="MS4ULAN">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="Site2MS4ULAN">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
        <LocalNetworkSiteRef name="Cross-DR">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>

Then import the new network configuration

+NEW –> Network Services –> Virtual Network –> Import Configuration

12

12a

13

Verify that new virtual network has added- “Cross-DR”

14

Before we connect both network, remember to change both shared key to the same key so these virtual network can communicate with each others.

On 1st virtual network

Set-AzureVnetGatewayKey –VnetName MS4U-AzureVnet –LocalNetworkSiteName Cross-DR –Sharedkey MS4UKEY

15

On 2nd virtual network

Set-AzureVnetGatewayKey –VnetName DR-Vnet -LocalNetworkSiteName Cross-MS4ULAN –Sharedkey MS4UKEY

16

17

Once you’ve change the key, click on CONNECT

18

Connection on 2nd virtual network is “Connected”

19

On the 1st virtual network is also “Connected”

21

Once connection has established, virtual machine from 1st region was able to ping to 2nd region. We have successfully connect vNet to another vNet.

Vnet

Our above configuration was guided from the documentation published by Microsoft Azure. To know more, please click here.