To configure the virtual network gateway, follow the given steps:
- At first, we need to deploy the virtual network gateway. Therefore, we click Add in our resource group and search after virtual network gateway in the Azure marketplace:
- After changing to the next blade, you need to configure your gateway. Therefore, you need to proceed as follows:
-
- Name: Set the name of the virtual network gateway.
- Gateway type: You need to choose between VPN and ExpressRoute. In our case we choose VPN.
- VPN type: Now you need to decide between Route-based and Policy-based, it is recommended to use Route-based if possible.
- SKU: Choose your gateway size, you can also enable active/active mode.
- Virtual network: Connect the virtual network gateway to a specific virtual network.
- Public IP address: Create a public IP for the gateway. You can also create BGP if necessary .
- Subscription: Choose a subscription you want to deploy into.
- Location: Choose an Azure region to deploy to. The region must be the same than the virtual network.
Which type of VPN you can use is based on your on-premises firewall. The following table shows the configuration you need to do on your on-premises firewall. IKE phase 1 setup:
|
Property |
Policy-based |
Route-based and standard or high performance VPN gateway |
|
IKE version |
IKEv1 |
IKEv2 |
|
Diffie-Hellman group |
Group 2 (1024 bit) |
Group 2 (1024 bit) |
|
Authentication method |
Pre-shared Key |
Pre-shared Key |
|
Encryption algorithms |
AES256 AES128 3DES |
AES256 3DES |
|
Hashing algorithm |
SHA1(SHA128) |
SHA1(SHA128), SHA2 (SHA256) |
|
Phase 1 Security Association (SA) lifetime (time) |
28,800 seconds |
10,800 seconds |
IKE phase 2 setup:
|
Property |
Policy-based |
Route-based and standard or high performance VPN gateway |
|
IKE version |
IKEv1 |
IKEv2 |
|
Hashing algorithm |
SHA1(SHA128) |
SHA1(SHA128) |
|
Phase 2 SA lifetime (time) |
3,600 seconds |
3,600 seconds |
|
Phase 2 SA lifetime (throughput) |
102,400,000 KB |
- |
|
IPSEC SA encryption and authentication offers (in the order of preference) |
1. ESP-AES256 2. ESP-AES128 3. ESP-3DES 4. N/A |
See Route-based gateway IPSEC SA offers |
|
Perfect forward secrecy (PFS) |
No |
No (*) |
|
Dead Peer Detection |
Not supported |
Supported |
If you don't have any of these devices or you didn't want to use a Windows server as VPN gateway, there is also the option to use free firewall solutions such as pfSense. Bart Decker wrote a great blog about the topic. You can find the blog at http://www.hybrid-cloudblog.com/pfsense-azure-hybrid-cloud/.
- To finish the setup, we click Create. Now it will take around 45 minutes until our gateway is deployed.
- After the deployment is finished, we have created an Azure virtual network gateway as with the SKU basic. If you want to upgrade the gateway to standard or performance, you only need to run following PowerShell script against your Azure environment:
Resize-AzureVNetGateway -GatewaySKU <gatewaysize>
-VnetName <gatewayname>
- PowerShell command example to resize to high performance gateway:
Resize-AzureVNetGateway -GatewaySKU HighPerformance
-VnetName DCF-ANE-GW01
- PowerShell command example to resize to standard gateway :
Resize-AzureVNetGateway -GatewaySKU Standard -VnetName
DCF-ANE-GW01
- The same works also with downsizing a gateway:
Resize-AzureVNetGateway -GatewaySKU Basic -VnetName
DCF-ANE-GW01
- Besides the PowerShell way of resizing the gateway, Microsoft started to include the feature into the portal GUI. Therefor you need to navigate to the Gateway and open the detail blade:
- Within the detail blade you go to Configuration and change the SKU. Afterwards you need to save the new SKU. Please be aware that the change of the SKU will take again up to 45 minutes:
