Azure VNet – Site to Site VPN (between VNet and VNet)
In Azure VNet – Step-by-Step to create your own Virtual Network, I demonstrated how to create a standalone VNet within Azure. In this article, I will show how to connect a VNet to other existing VNet using Site to Site VPN option.
The following figure shows the details, based on the example settings in this tutorial.
Why connect virtual networks?
You may want to connect virtual networks for the following reasons:
1) Cross region geo-redundancy and geo-presence
- You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
- With Azure Load Balancer and Microsoft or third-party clustering technology, you can setup highly available workload with geo-redundancy across multiple Azure regions. One important example is to setup SQL Always On with Availability Groups spreading across multiple Azure regions.
2) Regional multi-tier applications with strong isolation boundary
- Within the same region, you can setup multi-tier applications with multiple virtual networks connected together with strong isolation and secure inter-tier communication.
3) Cross subscription, inter-organization communication in Azure
- If you have multiple Azure subscriptions, you can connect workloads from different subscriptions together securely between virtual networks.
- For enterprises or service providers, you can enable cross organization communication with secure VPN technology within Azure.
Configure VNet to VNet connection
1) Create corresponding local networks for VNets
Please note that you will need to define each virtual network twice: first as an Azure virtual network, then as a local network site connected to the other virtual network. You must ensure the Address Space elements specified in both definitions are the same, or the communication will not work correctly between the two virtual networks.
|Virtual Network||Virtual Network Site Definition||Local Network Site Definition||Local Network Site to Connect|
|nguyens-onpremise-vnet||nguyens-onpremise-vnet (10.0.0.0/26)||nguyens-onpremise-local (10.0.0.0/26)||nguyens-cloud-local|
|nguyens-cloud-vnet||nguyens-cloud-vnet (10.1.0.0/26)||nguyens-cloud-local (10.1.0.0/26)||nguyens-onpremise-local|
In order to create local network, click New > Network Services > Virtual Network > Add Local Network.
Specify your local network information with any VPN Device IP Address (we need to come back and update this information later).
Define address space for your local network (it must be matched with respective VNet configuration).
2) Configure connection gateway
Access to each VNet, then Configure tab enable Site to Site VPN by select Connect to local network option.
Azure required to add gateway subnet.
To deploy gateway, back to Dashboard tab and click to Create Gateway button (In my case I choose Dynamic Routing option).
Azure takes minutes to finish deploying gateway for each VNet.
The gateway IP address will appeared after gateway created. You need to update configuration of each local network to match with relevant gateway IP address.
3) Establish cross-premise tunnel
You can use any private key but I would suggest to generate private key by using VNet Manage Key feature.
Azure PowerShell is required to establish cross-premise tunnel between two networks. To enable site to site connection, you need to execute Set-AzureVNetGatewayKey cmdlet. In my scenario, the following script will be executed.
Set-AzureVNetGatewayKey -VNetName nguyens-onpremise-vnet -LocalNetworkSiteName nguyens-cloud-local -SharedKey <<private key>>
Set-AzureVNetGatewayKey -VNetName nguyens-cloud-vnet -LocalNetworkSiteName nguyens-onpremise-local -SharedKey <<private key>>
And here’s the result
You can connect or disconnect connection between two VNets any time you want. You also to reuse Active Directory/ DNS Server like I did with my networks.
VNet to VNet FAQ
- The virtual networks can be in the same or different subscriptions.
- The virtual networks can be in the same or different Azure regions (locations).
- A cloud service or a load balancing endpoint CANNOT span across virtual networks, even if they are connected together.
- Connecting multiple Azure virtual networks together doesn’t require any on-premises VPN gateways, unless cross-premises connectivity is required.
- VNet-to-VNet supports connecting Azure Virtual Networks. It does not support connecting virtual machines or cloud services NOT in a virtual network.
- VNet-to-VNet requires Azure VPN gateways with dynamic routing VPNs. Azure static routing VPN gateways are not supported.
- Virtual network connectivity can be used simultaneously with multi-site VPNs, with a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to ether other virtual networks or on premises sites.
- The address spaces of the virtual networks and on-premises local network sites must not overlap. Overlapping address spaces will cause the creation of virtual networks or uploading netcfg configuration files to fail.
- Redundant tunnels between a pair of virtual networks are not supported.
- All VPN tunnels of the virtual network, including P2S VPNs, share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.