Deploying VPN gateways and connections, using Azure Resource Manager – Part 2

I recently blogged about deploying Azure VPN gateways with Azure Resource Manager templates. After that post, I’ve been asked if it’s only possible through templates, and no, that is not the only way to do it. You can also use PowerShell Smile

In this post, I’ll guide you through deploying a network and VPN gateway, and setting up a connection via PowerShell.

First we will need a bunch of information. Which location will we deploy to? What address spaces and subnets do we want to create? What is our local gateway IP address? What shared key should be used? Go ahead and fill in your own information for all these variables:

[powershell]$location = "West Europe"
$name = "demo"
$rgname = "demo-rg"
$addressPrefix = ""
$subnetPrefix = ""
$gwSubnetPrefix = ""
$localGwIP = ""
$localSubnets = @("","")
$sharedKey = -join(97..122|%{[char]$_}|Get-Random -C 20)
$tags = @{Name="env";Value=$name}

$rgname is the name of the resource group I want to deploy everything to. If you don’t have a resource group, use New-AzureResourceGroup to create one. It is not important which region you place the resource group in, as resource groups can span regions. Virtual Networks however, can not span regions.

I use the $name variable to name and also tag all the resources I deploy. By tagging the resources I can filter them on my bills and see exactly what the cost of them was.

First up, we need to create the subnet configurations based on the subnets we defined in our variables. I always put the gateway subnet in the end of my address space, which in this case is As you can see below, my gateway subnet is not using the $name variable I specified. That’s because it has to be named GatewaySubnet:

$gwSubnet = New-AzureVirtualNetworkSubnetConfig -Name ‘GatewaySubnet’ -AddressPrefix $gwSubnetPrefix
$subnet1 = New-AzureVirtualNetworkSubnetConfig -Name ($name + "-subnet") -AddressPrefix $subnetPrefix

Next, request a public IP address which will be used:

$gwIP = New-AzurePublicIpAddress -Name ($name + "-gwip") -ResourceGroupName $rgname -Location $location -AllocationMethod Dynamic -Tag $tags

Next, create the network and specify your subnet configurations:

$vnet = New-AzureVirtualNetwork -Name ($name + "-vnet") -ResourceGroupName $rgname -Location $location -AddressPrefix $addressPrefix -Subnet $gwSubnet, $subnet1 -Tag $tags[/powershell]

Now we will create the VPN gateway configuration where we bind the subnet and public IP address to the gateway. Unfortunately we have to use the subnet ID which is not available in the subnet configuration we created first, so we have to get that by using Get-AzureVirtualNetworkGatewayIpConfig:

$gwConfig = New-AzureVirtualNetworkGatewayIpConfig -Name ($name + "-gwconfig") -SubnetId (Get-AzureVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name GatewaySubnet).Id -PublicIpAddressId $gwIP.Id[/powershell]

When that’s done, we can create the actual gateway. This will take some time, sometimes up to 40 minutes, so be patient. I will be using a Route Based (earlier known as Dynamic Routing) gateway for this deployment:

$gw = New-AzureVirtualNetworkGateway -Name ($name + "-gw") -ResourceGroupName $rgname -Location $location -IpConfigurations $gwConfig -GatewayType VPN -VpnType RouteBased -Tag $tags[/powershell]

When the gateway is created, we can go ahead and add connections to it. I’ll start by adding a configuration for my local network, which includes the public IP of my VPN device, and the subnets I have locally:

$localGw = New-AzureLocalNetworkGateway -Name ($name + "-local") -ResourceGroupName $rgname -Location $location -GatewayIpAddress $localGwIP -AddressPrefix $localSubnets -Tag $tags[/powershell]

Last, we can tell the VPN gateway that we want to use the local gateway we configured in the last step. I use a randomly generated string as my shared key:

New-AzureVirtualNetworkGatewayConnection -Name ($name + "-conn") -ResourceGroupName $rgname -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $localGw -ConnectionType IPsec -RoutingWeight 10 -SharedKey $sharedKey -Tag $tags[/powershell]


  1. These commands are incorrect for using Azure Resource Manager, these are the classic commands. The correct commands all look like *-AzureRm*, so your blog title is misleading.


    1. Hi Corey. The commands were correct for the old Azure PowerShell module. You are correct though, new modules were released where all ARM cmdlets use *AzureRM* instead of *Azure*. I’ll update the post to show that.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s