
Configure Azure Virtual Network gateways

Eng Soon Cheah ・ 4 min read

An Azure Virtual Network gateway serves as the cross-premises gateway connecting your workloads in Azure virtual networks to on-premises sites. It’s required to connect to on-premises sites through Internet Protocol security (IPsec) site-to-site VPN (S2S VPN) tunnels or through ExpressRoute circuits. For IPsec / Internet Key Exchange (IKE) VPN tunnels, the gateways perform IKE handshakes and establish the IPsec S2S VPN tunnels between the virtual networks and on-premises sites. For ExpressRoute, the gateways advertise the prefixes in your virtual networks via the peering circuits, and they forward packets from your ExpressRoute circuits to your VMs inside your virtual networks.

Create a high-performance gateway

To create a gateway for a virtual network named MyAzureVNET, use the following Azure PowerShell cmdlet:

PS D:\> New-AzureVNetGateway -VNetName MyAzureVNET -GatewayType DynamicRouting -GatewaySKU HighPerformance

Note that DynamicRouting is the GatewayType for both the DynamicRouting gateway and the dedicated (ExpressRoute) gateway. Therefore, you can also use the cmdlet example to create a virtual network gateway to connect to an ExpressRoute circuit.
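Gateway provisioning is not instantaneous, and the on-premises device cannot complete an IKE handshake until the gateway reports itself provisioned. The following is an added example, not code from the original post: it polls the classic (Service Management) Get-AzureVNetGateway cmdlet for the virtual network created above and returns once the gateway is ready. The function name, the timeout values, and the assumption that the returned object exposes State and VIPAddress properties are mine.

```powershell
# Added example (not part of the original post). Assumes the classic Azure module,
# as the New-AzureVNetGateway cmdlet above does, and that Get-AzureVNetGateway
# returns an object with State and VIPAddress properties.
function Wait-VNetGatewayProvisioned {
    param(
        [Parameter(Mandatory)] [string] $VNetName,
        [int] $TimeoutMinutes = 60,   # constructed default; gateways can take tens of minutes
        [int] $PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $gw = Get-AzureVNetGateway -VNetName $VNetName
        Write-Host ("{0}: gateway state is {1}" -f (Get-Date -Format 'HH:mm:ss'), $gw.State)
        if ($gw.State -eq 'Provisioned') {
            return $gw
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Gateway for $VNetName did not reach 'Provisioned' within $TimeoutMinutes minutes (last state: $($gw.State))."
}

$gateway = Wait-VNetGatewayProvisioned -VNetName 'MyAzureVNET'
# The gateway's public VIP is the peer address the on-premises VPN device must be configured with.
"Gateway VIP: $($gateway.VIPAddress)"
```

Run it in the same session immediately after the New-AzureVNetGateway call; the VIP it prints is the value to hand to whoever configures the on-premises side of the tunnel.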

Test the Azure load balancer

1. Create a virtual network by using New-AzureRmVirtualNetwork. The following example creates a virtual network named myVNET with mySubnet:

Create the subnet configuration.

$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig `
    -Name "mySubnet" `
    -AddressPrefix 10.0.2.0/24

Create the virtual network.

$vNET = New-AzureRmVirtualNetwork `
    -ResourceGroupName "myResourceGroupLB" `
    -Location "EastUS" `
    -Name "myVNET" `
    -AddressPrefix 10.0.0.0/16 `
    -Subnet $subnetConfig

2. Create a network security group to define inbound connections to your virtual network by creating a network security group rule for port 3389.
Create a network security group rule to allow RDP connections through port 3389 by using New-AzureRmNetworkSecurityRuleConfig.

$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name 'myNetworkSecurityGroupRuleRDP' -Description 'Allow RDP' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * `
    -DestinationPortRange 3389

3. Create a network security group rule to allow inbound connections through port 80 by using New-AzureRmNetworkSecurityRuleConfig.

$rule2 = New-AzureRmNetworkSecurityRuleConfig `
    -Name 'myNetworkSecurityGroupRuleHTTP' `
    -Description 'Allow HTTP' -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 2000 -SourceAddressPrefix Internet `
    -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80

4. Create a network security group by using New-AzureRmNetworkSecurityGroup.

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName 'myResourceGroupLB' -Location 'EastUS' -Name 'myNetworkSecurityGroup' -SecurityRules $rule1,$rule2
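The RDP rule in step 2 admits TCP 3389 from the Internet service tag, which is the setting most often flagged in a cloud posture review. The following is an added example, not code from the original post: a helper that inspects an NSG object for inbound allow rules exposing common management ports to broad sources, followed by the same RDP rule with its source narrowed to a management range. The function name, the port list and the 203.0.113.0/24 prefix are constructed placeholders; the AzureRm cmdlets and rule properties are the ones the post already uses.

```powershell
# Added example (not part of the original post). Works on the $nsg object created in step 4,
# or on any NSG returned by Get-AzureRmNetworkSecurityGroup.
function Find-ExposedManagementRules {
    param(
        [Parameter(Mandatory)] $NetworkSecurityGroup,
        [int[]] $ManagementPorts = @(22, 3389, 5985, 5986)   # SSH, RDP, WinRM (constructed list)
    )
    foreach ($rule in $NetworkSecurityGroup.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }

        # -contains works whether the prefix is a single string or a list of strings.
        $broadSource = ($rule.SourceAddressPrefix -contains '*') -or
                       ($rule.SourceAddressPrefix -contains 'Internet')
        if (-not $broadSource) { continue }

        # Collect management ports that fall inside any destination range ("3389" or "3300-3400" or "*").
        $exposed = foreach ($port in $ManagementPorts) {
            foreach ($range in $rule.DestinationPortRange) {
                if ($range -eq '*') { $port; break }
                $lo, $hi = $range -split '-'
                if (-not $hi) { $hi = $lo }
                if ([int]$lo -le $port -and $port -le [int]$hi) { $port; break }
            }
        }
        if ($exposed) {
            [pscustomobject]@{
                Rule     = $rule.Name
                Priority = $rule.Priority
                Source   = ($rule.SourceAddressPrefix -join ',')
                Ports    = ($exposed -join ',')
            }
        }
    }
}

# Report rules that open management ports to the Internet or to any source.
Find-ExposedManagementRules -NetworkSecurityGroup $nsg | Format-Table -AutoSize

# Same RDP rule as step 2, but sourced only from a management range.
# 203.0.113.0/24 is a constructed placeholder: substitute your jump host or VPN egress prefix.
$managementPrefix = '203.0.113.0/24'
$rule1Restricted = New-AzureRmNetworkSecurityRuleConfig -Name 'myNetworkSecurityGroupRuleRDP' `
    -Description 'Allow RDP from management range only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix $managementPrefix -SourcePortRange * -DestinationAddressPrefix * `
    -DestinationPortRange 3389
```

Because the load balancer's inbound NAT rules in this walkthrough translate 4221 and 4222 to 3389 on the VM, the NSG attached to the NIC still evaluates destination port 3389, so the restricted rule above is what the NIC will enforce for those NAT'd connections.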

5. Create virtual network adapters by using New-AzureRmNetworkInterface. The following example creates two virtual network adapters (one for each VM you create for your app in the following steps). You can create additional virtual network adapters and VMs at any time and add them to the load balancer. The $backendPool, $natrule1 and $natrule2 variables refer to the load balancer's backend address pool and inbound NAT rules, which must already exist in the session.

Create a network adapter for the first VM.

$nicVM1 = New-AzureRmNetworkInterface `
    -ResourceGroupName 'myResourceGroupLB' `
    -Location 'EastUS' `
    -Name 'MyNic1' `
    -LoadBalancerBackendAddressPool $backendPool `
    -NetworkSecurityGroup $nsg `
    -LoadBalancerInboundNatRule $natrule1 `
    -Subnet $vNET.Subnets[0]

Create a network adapter for the second VM.

$nicVM2 = New-AzureRmNetworkInterface `
    -ResourceGroupName 'myResourceGroupLB' `
    -Location 'EastUS' `
    -Name 'MyNic2' `
    -LoadBalancerBackendAddressPool $backendPool `
    -NetworkSecurityGroup $nsg `
    -LoadBalancerInboundNatRule $natrule2 `
    -Subnet $vNET.Subnets[0]

6. Create VMs for load balancing. To improve the availability of your app, place your VMs in an availability set.
Create an availability set by using New-AzureRmAvailabilitySet. The following example creates an availability set named myAvailabilitySet:

$availabilitySet = New-AzureRmAvailabilitySet `
    -ResourceGroupName "myResourceGroupLB" `
    -Name "myAvailabilitySet" `
    -Location "EastUS" `
    -Sku aligned `
    -PlatformFaultDomainCount 2 `
    -PlatformUpdateDomainCount 2

7. Set an administrator username and password for the VMs by using Get-Credential.

$cred = Get-Credential

8. Create the VMs by using New-AzureRmVM. The following example creates two VMs and the required virtual network components if they do not already exist. During the VM creation, the previously created network adapters are associated with the VMs, because they're assigned the same virtual network (myVNET) and subnet (mySubnet).

for ($i=1; $i -le 2; $i++)
{
    New-AzureRmVm `
        -ResourceGroupName "myResourceGroupLB" `
        -Name "myVM$i" `
        -Location "East US" `
        -VirtualNetworkName "myVNET" `
        -SubnetName "mySubnet" `
        -SecurityGroupName "myNetworkSecurityGroup" `
        -OpenPorts 80 `
        -AvailabilitySetName "myAvailabilitySet" `
        -Credential $cred `
        -AsJob
}

The -AsJob parameter creates the VM as a background task, so the Azure PowerShell prompt returns to you immediately. You can get the details of background jobs by using the Get-Job cmdlet. It takes a few minutes to create and configure the two VMs.
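Because -AsJob returns before the VMs exist, a script that moves straight on to the IIS step can act on a VM whose creation failed. The following is an added example, not code from the original post: it waits on the jobs started by the loop above, reports each job's final state and error message, and then confirms the provisioning state of the VMs in the resource group. The function name and timeout are mine; Get-Job, Wait-Job, Receive-Job and Get-AzureRmVM are standard cmdlets.

```powershell
# Added example (not part of the original post). Run it in the same session as the
# New-AzureRmVm loop, so that Get-Job sees the jobs that loop started.
function Wait-AzureJobs {
    param(
        $Jobs = (Get-Job),
        [int] $TimeoutSeconds = 1800   # constructed default: 30 minutes
    )
    # Wait-Job returns when every job finishes or the timeout elapses, whichever comes first.
    Wait-Job -Job $Jobs -Timeout $TimeoutSeconds | Out-Null

    foreach ($job in $Jobs) {
        $errorText = $null
        if ($job.State -eq 'Failed') {
            # Receive-Job re-emits the job's errors on the error stream; capture them instead of printing.
            Receive-Job -Job $job -Keep -ErrorAction SilentlyContinue -ErrorVariable jobErrors | Out-Null
            $errorText = ($jobErrors | ForEach-Object { $_.Exception.Message }) -join '; '
        }
        elseif ($job.State -in 'Running', 'NotStarted') {
            $errorText = "still $($job.State) after $TimeoutSeconds seconds"
        }
        [pscustomobject]@{
            Job   = $job.Name
            State = $job.State
            Error = $errorText
        }
    }
}

$jobReport = Wait-AzureJobs
$jobReport | Format-Table -AutoSize

# Stop here rather than proceeding to the IIS install on a VM that was never created.
if ($jobReport | Where-Object State -ne 'Completed') {
    throw 'One or more VM creation jobs did not complete; see the report above.'
}

# Cross-check against the resource group: both VMs should report Succeeded.
Get-AzureRmVM -ResourceGroupName 'myResourceGroupLB' |
    Select-Object Name, ProvisioningState |
    Format-Table -AutoSize
```

Keeping the -Keep switch on Receive-Job leaves the job output in place, so the same job can be inspected again interactively after the report has been produced.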

Install Microsoft Internet Information Services (IIS) with a custom webpage on the new VMs as follows:

1. Get the public IP address of the load balancer by using Get-AzureRmPublicIPAddress.

Get-AzureRmPublicIPAddress -ResourceGroupName "myResourceGroupLB" `
    -Name "myPublicIP" | select IpAddress

2. Create a remote desktop connection to VM1 by using the public IP address that you got in the previous step. (Note that in the following command, mstsc refers to Microsoft Terminal Services Client.)

mstsc /v:PublicIpAddress:4221

3. Enter the credentials for VM1 to start the RDP session.

4. Launch Windows PowerShell on VM1, and then use the following commands to install IIS and update the default .htm file.

Install IIS.

Install-WindowsFeature -Name Web-Server -IncludeManagementTools

Remove the default .htm file.

Remove-Item C:\inetpub\wwwroot\iisstart.htm

Add a custom .htm file that reports which VM served the page.

Add-Content -Path "C:\inetpub\wwwroot\iisstart.htm" -Value $("Hello from " + $env:computername)

5. Close the RDP connection with myVM1.

6. Create an RDP connection with myVM2 by running the mstsc /v:PublicIpAddress:4222 command, and then repeat step 4 for VM2.

Finally, test the load balancer

Get the public IP address of your load balancer by using Get-AzureRmPublicIPAddress. The following example gets the IP address for myPublicIP, created earlier:

Get-AzureRmPublicIPAddress -ResourceGroupName "myResourceGroupLB" `
    -Name "myPublicIP" | select IpAddress

You can now enter the public IP address into a web browser. The website is displayed, including the hostname of the VM that the load balancer distributed traffic to. To see the load balancer distribute traffic across both of the VMs running your app, you can force a refresh of your web browser.
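Refreshing a browser shows one response at a time and a keep-alive connection can pin you to a single backend, so it is a weak check that both VMs are actually in rotation. The following is an added example, not code from the original post: it sends a batch of fresh HTTP requests to the load balancer's public IP, parses the "Hello from <hostname>" page installed in step 4, and tallies how many responses each VM returned. The function name, request count and warning text are mine.

```powershell
# Added example (not part of the original post). Each request opens a new TCP connection
# (-DisableKeepAlive), so the load balancer's 5-tuple hash sees a fresh source port every time.
function Test-LoadBalancerDistribution {
    param(
        [Parameter(Mandatory)] [string] $PublicIp,
        [int] $Requests = 20   # constructed default
    )
    $tally = @{}
    for ($n = 1; $n -le $Requests; $n++) {
        try {
            $resp = Invoke-WebRequest -Uri "http://$PublicIp/" -UseBasicParsing `
                        -DisableKeepAlive -TimeoutSec 10 -ErrorAction Stop
            # The page body is "Hello from <computername>"; keep only the host name.
            $backend = ($resp.Content -replace '^\s*Hello from\s*', '').Trim()
            if (-not $backend) { $backend = '<unexpected body>' }
        }
        catch {
            $backend = '<error>'
        }
        $tally[$backend] = 1 + [int]$tally[$backend]
    }
    $tally.GetEnumerator() | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ Backend = $_.Name; Responses = $_.Value }
    }
}

$lbIp = (Get-AzureRmPublicIPAddress -ResourceGroupName 'myResourceGroupLB' -Name 'myPublicIP').IpAddress
$report = Test-LoadBalancerDistribution -PublicIp $lbIp
$report | Format-Table -AutoSize

# Two healthy backends should both appear; a single host name usually means the other VM
# is failing the health probe or its IIS site was not set up.
$healthy = @($report | Where-Object { $_.Backend -notlike '<*' })
if ($healthy.Count -lt 2) {
    Write-Warning 'Fewer than two backends answered; check the health probe and the IIS install on both VMs.'
}
```

Bumping -Requests up makes the split between myVM1 and myVM2 more even; with twenty connections it is normal for the counts to differ by a few, but either host answering zero times is the signal worth investigating.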

Revert the Exercise

You can use the Remove-AzureRmResourceGroup command to remove the resource groups, VMs, and all related resources when you no longer need them.

Remove-AzureRmResourceGroup -Name myResourceGroupLB
