In this demonstration, we're going to look at the ingredients that go into a site-to-site VPN in Azure, and we'll also do a brief tour of Azure Virtual WAN. So let me open up my browser here and get into the portal, and let me jump directly to the end case. If we go to Connections we can see, I want you to look at this top entry here, cloud to local. So this is a site-to-site VPN that's linking a VPN gateway in my Azure environment with a local environment where I've terminated the IPsec-like connection on that side, all right? And remember what we're dealing with here. I think if I go back to my dashboard, I've got several network topology diagrams that we can look at here. Yeah, so if you take a look at the left part where my mouse is, the exam is not going to have us mess with the local side of the equation, but of course, you're going to need to set up your VPN endpoint with a pre-shared key. That's how the authentication works between your virtual network gateway in Azure and your local device, just PSK, pretty low tech. And it's basic IKEv2, IPsec, but I'll show you how to modify those properties if you need to.

On the Azure side, we're going to need our virtual network gateway deployed into its own subnet, and that subnet has to have the name label, GatewaySubnet. Hopefully, it makes sense that the gateway will have a public IP on it, at least one. We'll do a local gateway that's essentially the way to notify the VNet gateway of what your on-premises environment looks like, and then you tie it all together with the connection. So there are three main ingredients: the gateway, the local gateway, and the connection.

So speaking of gateway, let's look up gateway in the global search and go to Virtual network gateways. All right, so when you're setting up one of these, what are some things to consider? Well, let's see. If we go down under Configuration, we've got a number of stock keeping units. Now unfortunately, you can't choose them all after you've already deployed the gateway. There are some availability zone aware gateway SKUs, and I chose one of the non-availability zone gateway SKUs, and it's not giving me a chance to upgrade, unfortunately. I've mentioned active-active mode. If you're going to do active-active mode, you're going to need a second public IP address besides the initial one that you start with. And then in your on-premises environment, you'll create two VPN tunnels, one to each public IP address. As long as you're using Border Gateway Protocol, you then can configure active-active failover. Now in BGP, you're going to need a separate and distinct autonomous system number for your VNet gateway, as well as your on-premises gateway. There are public and private ASN numbers just like there are with IPv4 addresses. I'm using 65501 here, and I believe I'm using 65502 on-premises. And then again, because I'm using BGP, I have a private peer address on the gateway, and I've configured one in the same subnet range on-prem on my edge device. So I think that's mainly what we're talking about. Let me disable active-active mode here.

If I go back to Overview, we can see the placement of this virtual network gateway here. It's on my virtual network called vnet1. And if I go to Subnets, we can see that I've created the Gateway subnet, and it's sitting at 10.11.1/24. If I go back to the gateway one more time, here is the public IP address. So we're going to absolutely want that, and we're also going to want to have a pre-shared key that will be shared between our connection and our local router.

Okay, so speaking of local router, we also in Azure need to create a local network gateway. Now, what are these? These are simply the metadata of your on-premises environment, what's going on on the other side of the tunnel. If we go to Configuration, this is going to be the public IP address of the remote on-premises VPN device. If you want to propagate private network ranges from your on-premises environment, you can list them under Address space. Hopefully, it makes sense that you'd want to do that. And you can automate that in terms of routes changing and so on by using BGP. And this is specifying the ASN and BGP peer address of the local router, you see. And they have to be different ASNs, and the BGP peer IP should be in the same subnet range. So that's what's going on with the local network gateway.

And lastly, we create a connection, and what is a connection? Well, as I mentioned, they can take different forms based on what you're doing. There's VNet-to-VNet VPN. There's site-to-site VPN. There's ExpressRoute. This is a site-to-site VPN. And if we go to Shared key, unfortunately it reveals the PSK in plain text. In the real world, you're going to want to have a really long complicated one, and this allows the mutual authentication between this machine or this side of the connection and on-prem. If we go to Configuration, this is where, again, you can ensure that BGP is being used or not. We can customize the security association between your Azure virtual network gateway and your local VPN gateway. It's called IPsec / IKE policy. And if we go to Custom, it allows you to customize the specific settings here. And then lastly, Connection Mode. This supports businesses that may not want a bidirectional VPN, you see. So we can set up our Azure gateway to be only a responder that hosts incoming traffic over the tunnel, or by contrast, we can set it up as an initiator where we send traffic to on-prem, but we don't accept traffic from on-prem. All that make sense?

And then as far as troubleshooting, we can see the connection status right here, but you'll probably want to go over to Network Watcher. They have a capability in there called VPN troubleshoot. And what you do here is you set up a storage account to store the detailed logs, and then you specify your Azure VPN gateway and connection. And it just does some long-running transactions to gather low-level data in terms of what's transpiring on the gateway. So it's a good tool to have in your toolkit, as far as troubleshooting stuff, to get that level of familiarity. And you can go into the storage account and capture those log files to your heart's content.