Azure site 2 site VPN encryption options

Back in December Microsoft announced some news relating to Azure virtual network gateways. The most significant change was probably the high performance gateway, which will let you push 200 Mbps through an Azure site 2 site VPN and 1000 Mbps if you’re using ExpressRoute. Besides this they also announced 2 new encryption options on the VPN tunnels, No Encryption and PFS, but not many have picked up on this. The intended use for No Encryption is when you’re connecting multiple Azure VNets – the traffic will flow through Microsoft networks and is by default encrypted, so you could potentially get better throughput here.

Back then the PowerShell command to change your gateway wasn’t available yet, but it is now. You will have to use the following command: Set-AzureVNetGatewayIPsecParameters

There’s not much info on the command yet:

[powershell]
Get-Help Set-AzureVNetGatewayIPsecParameters -Full

NAME
Set-AzureVNetGatewayIPsecParameters

SYNTAX
Set-AzureVNetGatewayIPsecParameters [-VNetName] <string> [-LocalNetworkSiteName] <string> [[-EncryptionType] <string>] [[-PfsGroup] <string>] [[-SADataSizeKilobytes] <int>]
[[-SALifetimeSeconds] <int>] [<CommonParameters>]

PARAMETERS
-EncryptionType <string>
The type of encryption that will be used for the connection between the virtual network gateway and the local network. Valid values are RequireEncryption and NoEncryption.

Required? false
Position? 2
Accept pipeline input? false
Parameter set name (All)
Aliases None
Dynamic? false

-LocalNetworkSiteName <string>
The local network site name.

Required? true
Position? 1
Accept pipeline input? false
Parameter set name (All)
Aliases None
Dynamic? false

-PfsGroup <string>
The PFS gruop that will be used for the connection between the virtual network gateway and the local network. Valid values are RequireEncryption and NoEncryption.

Required? false
Position? 3
Accept pipeline input? false
Parameter set name (All)
Aliases None
Dynamic? false

-SADataSizeKilobytes <int>
The SA Data Size Kilobytes value is used to determine how many kilobytes of traffic can be sent before the SA for theconnection will be renegotiated.

Required? false
Position? 4
Accept pipeline input? false
Parameter set name (All)
Aliases None
Dynamic? false

-SALifetimeSeconds <int>
The SA Lifetime Seconds value is used to determine how long (in seconds) this connection’s SA will be valid before a new SA will be negotiated.

Required? false
Position? 5
Accept pipeline input? false
Parameter set name (All)
Aliases None
Dynamic? false

-VNetName <string>
The virtual network name.

Required? true
Position? 0
Accept pipeline input? false
Parameter set name (All)
Aliases None
Dynamic? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
None

OUTPUTS
Microsoft.WindowsAzure.Management.Network.Models.GatewayGetOperationStatusResponse

ALIASES
None

REMARKS
None
[/powershell]

Hopefully this will be fixed soon – including the spelling and stuff.

Anyways, the command to change your encryption to “No Encryption” is:

[powershell]
Set-AzureVNetGatewayIPsecParameters -VNetName EuropeNorth -EncryptionType NoEncryption -LocalNetworkSiteName Copenhagen
[/powershell]

Replace VNetName with your Azure VNet name and LocalNetworkSiteName with your local network name.
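
Since No Encryption is intended only for links between Azure VNets, a small guard around the cmdlet can stop it from being applied to an on-premises site by mistake. This is an added example, not part of the original post or of Microsoft's module; the function name Set-SafeGatewayEncryption, the -AzureVNetSites allow-list and the EuropeWest site name are assumptions made for illustration.

```powershell
# Added example: a guard around the cmdlet shown in this post.
# Set-SafeGatewayEncryption and -AzureVNetSites are hypothetical names.
function Set-SafeGatewayEncryption {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$VNetName,
        [Parameter(Mandatory = $true)][string]$LocalNetworkSiteName,
        # The two values listed in the cmdlet help above.
        [Parameter(Mandatory = $true)]
        [ValidateSet('RequireEncryption', 'NoEncryption')]
        [string]$EncryptionType,
        # Local network sites that you know represent other Azure VNets.
        [string[]]$AzureVNetSites = @()
    )

    # Refuse to disable encryption unless the site is explicitly allow-listed.
    if ($EncryptionType -eq 'NoEncryption' -and
        $AzureVNetSites -notcontains $LocalNetworkSiteName) {
        throw "Refusing NoEncryption for '$LocalNetworkSiteName': not listed as an Azure VNet-to-VNet site."
    }

    $target = "$VNetName -> $LocalNetworkSiteName"
    if ($PSCmdlet.ShouldProcess($target, "Set IPsec encryption to $EncryptionType")) {
        Set-AzureVNetGatewayIPsecParameters -VNetName $VNetName `
            -LocalNetworkSiteName $LocalNetworkSiteName `
            -EncryptionType $EncryptionType
    }
}

# Sample calls. EuropeNorth and Copenhagen come from the post's command;
# EuropeWest is a constructed name standing in for a second Azure VNet.
# -WhatIf previews the change, so nothing is modified and no gateway is contacted.
Set-SafeGatewayEncryption -VNetName EuropeNorth -LocalNetworkSiteName EuropeWest `
    -EncryptionType NoEncryption -AzureVNetSites EuropeWest -WhatIf

# Throws: Copenhagen is treated as an on-premises site here, so it is not allow-listed.
try {
    Set-SafeGatewayEncryption -VNetName EuropeNorth -LocalNetworkSiteName Copenhagen `
        -EncryptionType NoEncryption -AzureVNetSites EuropeWest -WhatIf
} catch {
    Write-Warning $_.Exception.Message
}
```

Drop -WhatIf to apply the change; because ConfirmImpact is High, PowerShell will then ask for confirmation unless you pass -Confirm:$false.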
