Connecting on-premises networks to Azure VPN Gateway
To connect an on-premises network to Azure, you'll typically use a VPN Gateway to establish a secure communication channel. Azure VPN Gateway is a type of virtual network gateway that sends encrypted traffic across a public connection.
You'll generally need to define the following resources in Azure to set up a VPN Gateway:
- Virtual Network (VNet): the network within Azure that your on-premises network will connect to.
- VPN Gateway (VirtualNetworkGateway): the resource that provides the VPN connectivity.
- Local Network Gateway: represents your on-premises VPN device and network.
- VPN Connection (VirtualNetworkGatewayConnection): the connection between the VPN Gateway and the Local Network Gateway.
- Public IP Address: required for the VPN Gateway so that it can be reached from the on-premises network.
Here is a Pulumi program written in TypeScript that creates these Azure resources and sets up a VPN Gateway to connect an on-premises network to Azure:
```typescript
import * as azure_native from "@pulumi/azure-native";

// Resource group that will contain every resource below.
const resourceGroupName = new azure_native.resources.ResourceGroup("myResourceGroup");

// Virtual network with the mandatory GatewaySubnet (Azure requires this exact name).
const virtualNetwork = new azure_native.network.VirtualNetwork("myVirtualNetwork", {
    resourceGroupName: resourceGroupName.name,
    addressSpace: {
        addressPrefixes: ["10.1.0.0/16"],
    },
    subnets: [{
        name: "GatewaySubnet",
        addressPrefix: "10.1.0.0/24",
    }],
});

// Public IP the on-premises VPN device will connect to.
const gatewayPublicIP = new azure_native.network.PublicIPAddress("myGatewayPublicIP", {
    resourceGroupName: resourceGroupName.name,
    publicIPAllocationMethod: azure_native.network.IPAllocationMethod.Dynamic,
});

// Route-based VPN gateway placed in the GatewaySubnet and bound to the public IP.
const vpnGateway = new azure_native.network.VirtualNetworkGateway("myVpnGateway", {
    resourceGroupName: resourceGroupName.name,
    location: resourceGroupName.location,
    ipConfigurations: [{
        name: "vnetGatewayConfig",
        publicIPAddress: {
            id: gatewayPublicIP.id,
        },
        subnet: {
            // GatewaySubnet is the only subnet defined above; resolve its id from the VNet output.
            id: virtualNetwork.subnets.apply(subnets => subnets![0].id!),
        },
    }],
    vpnType: azure_native.network.VpnType.RouteBased,
    gatewayType: azure_native.network.VirtualNetworkGatewayType.Vpn,
    enableBgp: false,
    sku: {
        name: "VpnGw1",
        tier: "VpnGw1",
    },
});

// Represents the on-premises VPN device and the address space behind it.
const localNetworkGateway = new azure_native.network.LocalNetworkGateway("myLocalNetworkGateway", {
    resourceGroupName: resourceGroupName.name,
    localNetworkAddressSpace: {
        addressPrefixes: ["192.168.0.0/24"], // Replace with your on-premises network address space
    },
    gatewayIpAddress: "40.76.12.34", // Replace with your on-premises VPN device's public IP
});

// IPsec/IKEv2 site-to-site connection between the two gateways.
const vpnConnection = new azure_native.network.VirtualNetworkGatewayConnection("myVpnConnection", {
    resourceGroupName: resourceGroupName.name,
    virtualNetworkGateway1: {
        id: vpnGateway.id,
    },
    localNetworkGateway2: {
        id: localNetworkGateway.id,
    },
    connectionType: azure_native.network.VirtualNetworkGatewayConnectionType.IPsec,
    connectionProtocol: "IKEv2",
    sharedKey: "MySecretKey", // Replace with your own shared key (prefer a Pulumi config secret over a literal)
});

export const vpnGatewayPublicIP = gatewayPublicIP.ipAddress;
```
Let me explain the program block by block:
- Import the `azure-native` module, which contains all the classes needed to create Azure resources.
- Create a new resource group to contain all your resources.
- Provision a virtual network (VNet) with a `GatewaySubnet`. A subnet named 'GatewaySubnet' is required for Azure to recognize it as the subnet for the VPN Gateway.
- Create a public IP resource which will be used by the VPN Gateway.
- Set up the VPN Gateway with a route-based VPN type, and associate it with the subnet and public IP created earlier.
- Create a local network gateway representing the on-premises VPN device and network.
- Establish a VPN connection resource between the Azure VPN Gateway and the on-premises network gateway.
- Export the public IP of the Azure VPN Gateway for ease of access.
Replace placeholders with actual IP address ranges and public IPs corresponding to your on-premises network and VPN device.
To apply this Pulumi program:
- Save this code to a file named `index.ts`.
- Ensure you're authenticated with Azure CLI and have selected the right subscription.
- Run `pulumi up` in the directory containing your `index.ts` to create the resources.
This will create the necessary Azure resources to establish the VPN connection. Remember to update the placeholder values with those that correspond to your on-premises network settings before running the command.
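As an added pre-flight check (not part of the original program or of Pulumi itself), the plain TypeScript below validates the values you substitute into the resources above before running `pulumi up`: the GatewaySubnet name, non-overlapping VNet and on-premises address spaces, and the shared key. The `VpnPlan` shape, the 20-character key rule and the sample values are assumptions of this example.

```typescript
// Constructed input shape mirroring the arguments of the resources above.
interface VpnPlan {
  vnetPrefixes: string[];      // VirtualNetwork addressSpace.addressPrefixes
  gatewaySubnetName: string;   // name of the subnet the gateway is placed in
  onPremPrefixes: string[];    // LocalNetworkGateway localNetworkAddressSpace
  sharedKey: string;           // VirtualNetworkGatewayConnection sharedKey
}

// Network mask for a prefix length; /0 is special-cased because JS shifts are modulo 32.
function maskFor(prefix: number): number {
  return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}

// Parse "a.b.c.d/n" into [network address as unsigned 32-bit, prefix length].
function parseCidr(cidr: string): [number, number] {
  const [ip, bits] = cidr.split("/");
  const prefix = Number(bits);
  const octets = ip.split(".").map(Number);
  const badOctet = octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255);
  if (badOctet || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  return [(addr & maskFor(prefix)) >>> 0, prefix];
}

// Two ranges overlap when they agree on every bit covered by the shorter prefix.
function cidrsOverlap(a: string, b: string): boolean {
  const [netA, prefA] = parseCidr(a);
  const [netB, prefB] = parseCidr(b);
  const mask = maskFor(Math.min(prefA, prefB));
  return ((netA & mask) >>> 0) === ((netB & mask) >>> 0);
}

// Returns one message per problem found; an empty array means the plan passed.
function checkVpnPlan(plan: VpnPlan): string[] {
  const findings: string[] = [];
  // Azure only treats the subnet as the gateway subnet under this exact name.
  if (plan.gatewaySubnetName !== "GatewaySubnet") findings.push(`gateway subnet must be named GatewaySubnet, got "${plan.gatewaySubnetName}"`);
  // A VNet range that overlaps the on-premises range cannot be routed over the tunnel.
  for (const v of plan.vnetPrefixes) {
    for (const o of plan.onPremPrefixes) {
      if (cidrsOverlap(v, o)) findings.push(`address space overlap: ${v} and ${o}`);
    }
  }
  // Assumed local policy: reject the sample placeholder and any key shorter than 20 characters.
  if (plan.sharedKey === "MySecretKey" || plan.sharedKey.length < 20) {
    findings.push("sharedKey is the placeholder or too short; supply it via a Pulumi config secret");
  }
  return findings;
}
```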