
close
close
In a previous article, I explained how to create a 1:1 connection between two Azure virtual networks (VNETs) using VNET-to-VNET VPN. In this article, I will show you how to connect multiple networks together in Microsoft Azure.
There are many situations where you might need to connect more than two VNETs together using VPN connections. Some of these might include:
advertisment
A design for connecting multiple Azure virtual networks (Image Credit: Aidan Finn)
There are a number of prerequisites for connecting more than two networks in Azure:
Each network, on-premises or an Azure VNET, must have a unique network address in your finished solution. For example, you cannot connect an on-premises network with an address of 10.0.0.0/8 to an Azure VNET with the same address. Plan your addressing for site expansion. In the previous example, an Azure VNET with a network address of 10.2.0.0/16 might be used to connect to an on-premises network of 10.1.0.0/16.
Azure VNETs support static routing and dynamic routing gateways, where each network must be deployed with a dynamic routing gateway if more than two networks will be connected. Make sure that your on-premises VPN device (such as edge firewall) supports connections to dynamic routing gateways.
You must have a local network to enable a gateway in an Azure VNET, but you cannot create your required local networks until you have the necessary public IP addresses of the gateways. This chicken and egg scenario requires the usage of a temporary local network.
Create a temporary local network that has:
advertisment
Create the necessary networks in Azure. In this example, I am going to connect three Azure VNETs, as shown in the above diagram.
Edit the settings of your Azure VNETs, check the box to Connect To The Local Network, and select the temporary local network that you have already created.
Enable site-to-site connectivity (Image Credit: Aidan Finn)
Note the gateway IP address of each VNET (Image Credit: Aidan Finn)
The role of a local network in Azure is to allow a VNET gateway to know:
Each VNET will be connecting to each other VNET in this design. This means that you need to create a local network for each VNET. Net1 will connect to the local networks of Net2 and Net3, and so on. I find it useful to write down the details of the networks before deploying anything:
advertisment
Local Network Name | Gateway IP Address | Starting IP | CIDR (Address Count) |
Net1LocalNetwork | 23.100.XX.XX | 10.1.0.0 | /16 |
Net2LocalNetwork | 23.100.XX.XX | 10.2.0.0 | /16 |
Net3LocalNetwork | 23.101.XX.XX | 10.3.0.0 | /16 |
Click New > Network Services > Virtual Network > Add Local Network to launch the wizard to create each local network in turn.
Creating a local network for Net1 (Image Credit: Aidan Finn)
In a 1:1 site-to-site VPN connection, we normally would set the local network of a VNET to point at the other network. However, the drop-down select box only allows you to select one item, and we need each VNET to have two local networks.
We can accomplish this requirement by:
Launch an Azure PowerShell window, and run the following snippet:
Get-AzureVNetConfig -ExportToFile "C:\Temp\MyAzureVNetConfig.XML"
Edit a copy of the XML file using a text editor, such as Notepad, and search for <VirtualNetworkSites>. Here’s where you will find the definition for each VNET, the gateway for the VNET, and the local network that the gateway is configured to connect to. Search for <ConnectionsToLocalNetwork>; each local network requires the following:
<LocalNetworkSiteRef name="NameOfLocalNetwork"> <Connection type="IPsec" /> </LocalNetworkSiteRef>
The original VNET XML definition (Image Credit: Aidan Finn)
Modified XML config for Azure VNET Net1 (Image Credit: Aidan Finn)
Set-AzureVNetConfig -ConfigurationPath "C:\Temp\MyAzureVNetConfigCopy.XML"
Importing an Azure network configuration XML file – note the error in the first attempt (Image Credit: Aidan Finn)
Each VNET gateway now knows which network it needs to connect to; however, they do not have a shared key to enable a secure connected. Create a long passphrase or random string that will be used for each connection:
Then run this PowerShell script, substituting the shared key as required:
Set-AzureVNetGatewayKey -VNetName Net1 -LocalNetworkSiteName Net2LocalNetwork -SharedKey $Secret12 Set-AzureVNetGatewayKey -VNetName Net2 -LocalNetworkSiteName Net1LocalNetwork -SharedKey $Secret12 Set-AzureVNetGatewayKey -VNetName Net2 -LocalNetworkSiteName Net3LocalNetwork -SharedKey $Secret23 Set-AzureVNetGatewayKey -VNetName Net3 -LocalNetworkSiteName Net2LocalNetwork -SharedKey $Secret23 Set-AzureVNetGatewayKey -VNetName Net1 -LocalNetworkSiteName Net3LocalNetwork -SharedKey $Secret13 Set-AzureVNetGatewayKey -VNetName Net3 -LocalNetworkSiteName Net1LocalNetwork -SharedKey $Secret13
The dashboard of each VNET should start to show a connection coming online within a few minutes of setting the shared keys. You can then verify communications. In my lab, I deployed a VM to each VNET, enabled ICMP in the Windows Firewall, and ran some tests:
Verifying communications between the connected Azure networks (Image Credit: Aidan Finn)
More from Aidan Finn
advertisment
Petri Newsletters
Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.
advertisment
More in Microsoft Azure
Microsoft's Azure AD Conditional Access Service Can Now Require Reauthentication
May 13, 2022 | Rabia Noureen
Microsoft Addresses Cross-Tenant Database Vulnerability in Azure PostgreSQL
Apr 29, 2022 | Rabia Noureen
Microsoft Simplifies IT Monitoring with New Azure Managed Grafana Service
Apr 19, 2022 | Rabia Noureen
System Center 2022 is Now Available with New Datacenter Management Capabilities
Apr 4, 2022 | Rabia Noureen
Most popular on petri
Log in to save content to your profile.
Article saved!
Access saved content from your profile page. View Saved
Join The Conversation
Create a free account today to participate in forum conversations, comment on posts and more.
Copyright ©2019 BWW Media Group