Azure: Create a Segmented Network with PowerShell CmdLets

If you are starting to evaluate Microsoft’s Azure for your next project, you most likely have discovered the Azure PowerShell CmdLets project on GitHub. These greatly simplify setting up your Azure-hosted environment. Here’s an example PowerShell script that leverages those Azure cmdlets to build out a “3 zone” virtual network with a point-to-site VPN. The three zones are the subnets “front end”, “app layer”, and “back end”. The gateway subnet and client address pools are used for the point-to-site VPN. You could then associate a set of Network Security Group rules to each subnet to restrict your traffic to known application requirements.

# The information we need to create the resource group and network
$ResourceGroup = "MyResourceGroup"
$VirtualNetworkName  = "MyVirtualNetwork"
$FrontEndSubnetName = "FrontEnd"
$AppSubnetName = "App"
$BackEndSubnetName = "BackEnd"
$GatewaySubnetName = "GatewaySubnet"
$VirtualNetworkPrefix = "10.0.0.0/16"
$FrontEndSubnetPrefix = "10.0.1.0/24"
$AppSubnetPrefix = "10.0.10.0/24"
$BackEndSubnetPrefix = "10.0.100.0/24"
$GatewaySubnetPrefix = "10.0.200.0/24"
$VPNClientAddressPool = "192.168.1.0/24"
$Location = "East US"
$DNSServer = "8.8.8.8"
$GatewayName = "Gateway"
$GatewayIPName = "GatewayIP"
$GatewayIPConfigurationName = "GatewayIPConfiguration"
$Point2SiteRootCertificateName = "MyRootCertificate.cer"
$Point2SiteRootCertificatePublicKeyBase64Encoded = "--- add certificate details here ---"
 
# Create the Resource Group (Use Get if it already exists)
New-AzureRmResourceGroup -Name $ResourceGroup -Location $Location
 
# Create the Subnets
$FrontEndSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $FrontEndSubnetName -AddressPrefix $FrontEndSubnetPrefix
$AppSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $AppSubnetName -AddressPrefix $AppSubnetPrefix
$BackEndSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $BackEndSubnetName -AddressPrefix $BackEndSubnetPrefix
$GatewaySubnet = New-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName -AddressPrefix $GatewaySubnetPrefix
 
# Create the Virtual Network
New-AzureRmVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroup -Location $Location -AddressPrefix $VirtualNetworkPrefix -Subnet $FrontEndSubnet, $AppSubnet, $BackEndSubnet, $GatewaySubnet -DnsServer $DNSServer
 
$VirtualNetwork = Get-AzureRmVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroup
$GatewaySubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName -VirtualNetwork $VirtualNetwork
 
# Add a Public IP for Access using the Root Certificate provided
$PublicIP = New-AzureRmPublicIpAddress -Name $GatewayIPName -ResourceGroupName $ResourceGroup -Location $Location -AllocationMethod Dynamic
$PublicIPConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GatewayIPConfigurationName -Subnet $GatewaySubnet -PublicIpAddress $PublicIP
$Point2SiteRootCertificate = New-AzureRmVpnClientRootCertificate -Name $Point2SiteRootCertificateName -PublicCertData $Point2SiteRootCertificatePublicKeyBase64Encoded
 
New-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $Location -IpConfigurations $PublicIPConfig -GatewayType Vpn -VpnType RouteBased -EnableBgp $false -GatewaySku Standard -VpnClientAddressPool $VPNClientAddressPool -VpnClientRootCertificates $Point2SiteRootCertificate

Hope this helps!

This entry was posted in Azure, PowerShell. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *