Tags

, , ,

 

We can now configure Express Route and Site-To-Site VPN connection that coexist. Can configure Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute.

There are some limitation and restriction; for details please check:

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager

In this example I already have VPN Gateway configured with /24 Gateway Subnet

 

az-1

Now will create a New VPN Gateway for IPSEC

Step 1: Get the VNET, Gateway Subnet details

$vnet = Get-AzVirtualNetwork -Name SEGResourceGroup-vnet -ResourceGroupName SEGResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

Step 2: New Public IP address and assign it to VPN gateway

$gwpip= New-AzPublicIpAddress -Name SEG-GatewayVPNPublicIP -ResourceGroupName SEGResourceGroup -Location australiaeast -AllocationMethod Dynamic
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name SEG-GatewayVPNPublicIPConfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Step 3: Now create site-to-site VPN gateway

New-AzVirtualNetworkGateway -Name SEG-GatewayVPN -ResourceGroupName SEGResourceGroup -Location australiaeast -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard

Verify the VPN Gateway configuration. Important things to check:

GatewayType: VPN

VPNType: RouteBased

VPNClientConfiguration: IkeV2

az-2.PNG

Step 4: Create the Local Network Gateway

Replace x.x.x.x with the Public IP of your on-premise router

$OnPremNetworkAddress = @("192.168.100.0/24") # these are the on-premise IP ranges we want to access
$localVpn = New-AzLocalNetworkGateway -Name "DoubleBayLocalGateway" -ResourceGroupName SEGResourceGroup -Location australiaeast -GatewayIpAddress "x.x.x.x" -AddressPrefix $OnPremNetworkAddress

az-3.PNG

Step 5: Create the connection between the Site-to-Site VPN Gateway the the Local Network Gateway

$azureVpn = Get-AzVirtualNetworkGateway -Name "SEG-GatewayVPN" -ResourceGroupName SEGResourceGroup
New-AzVirtualNetworkGatewayConnection -Name "DoubleBay" -ResourceGroupName SEGResourceGroup -Location australiaeast -VirtualNetworkGateway1 $azureVpn -LocalNetworkGateway2 $localVpn -ConnectionType IPsec -SharedKey "presharedkey"

az-4.PNG

Step 6: Configure on-prem VPN

In this example we are using Meraki MX68. Till today (05/04/2019) Meraki version MX15.13 support IKEv2. After upgrading the firmware you need to inform support to enable IKEv2 form backend.

After setting up the VPN you should see in under non-meraki peer

az-5.PNG

To test if required you can disable Express Route connection

Select-AzSubscription -SubscriptionName "Default Friendly Name"
$ckt = Get-AzExpressRouteCircuit -Name "seg" -ResourceGroupName "seg"
$ckt.Peerings[0].State = "Disabled"
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

az-6