Saving your production workload on Azure using Azure Resource Locks

Imagine spending hours, or maybe days, setting up the environment a piece of software requires: a couple of VMs with the required resources and parameters. Now imagine that someone in your organization who has access to the same Azure subscription, or even you, accidentally runs a PowerShell command and deletes that resource group. OUCH!

To prevent some of these scenarios we have RBAC (Role-Based Access Control), which limits who can access resources, but it will never eliminate every possible scenario. This is where Azure Resource Locks come into the picture. This nifty feature also shines if your organization has proper cloud management policies in place.

The good thing is that the Microsoft Azure team has introduced this feature everywhere in the Azure portal: you can apply a lock at the subscription, resource group, or resource level, and there is a hierarchy. If you apply it at the subscription level, every resource is protected by the lock. Or, better, you may only want to apply it to production resource groups and exclude the rest; yep, it’s possible thanks to the Azure policies concept.

For a deep dive into this feature, please refer to the official Microsoft documentation. You can reach there from here.

OK, let’s dive in, my friends.

Azure locks come in two flavors: Read-Only and Delete. The Read-Only option will not allow you to perform any changes to the resources when applied. This is really useful when you don’t want any changes carried out on the resources, e.g. changing the VM size or adding disks.

With the Delete option, on the other hand, you’re prevented from deleting the resources in a resource group. If the Read-Only option is not combined with it, you’re still allowed to carry out changes to the resources.

Note: Only Owner and User Access Administrator roles can create or delete management locks

OK, I mentioned that the resource lock option is everywhere in the Azure portal. The reason is that the Azure team lets you go down to the object level and apply this feature. That being said, let me share a few screenshots to prove the point.


Picture 1: Above picture shows Lock option available for a vNet.


Picture 2: Above picture shows Lock option available for a virtual disk


Picture 3: Above picture shows the Lock option available for a Resource Group

OK, I assume you’re satisfied with my point. Now let’s dig into this feature.

In this scenario we have a resource group called “DemoRG001” which hosts one important VM for an organization and its associated resources. After creating this RG we want to protect the RG and its objects from accidental damage by internal team members who are supposed to look after the Azure subscription.

As we saw in the first part of this article, Azure locks can be defined by two types: Read-Only and Delete. Using Azure Portal, click on Resource Groups, and then click on the desired resource group, in our case DemoRG001, and then click on locks.


In the new window that is displayed, provide a lock name, a lock type, and notes, which can be useful for later review.



Note: If you’re a PS junkie (who shouldn’t be?), below is the command to create the required outcome.

New-AzResourceLock -LockName <lockName> -LockLevel CanNotDelete -ResourceGroupName <resourceGroupName>

Eg: New-AzResourceLock -LockName LCKRG001 -LockLevel CanNotDelete -ResourceGroupName DemoRG001

Now we’ve set up delete prevention on the resource group. With this feature activated, let’s try to delete one of the resources inside the resource group and observe the outcome.

I’ve tried to delete the vNet and the outcome is as follows,


To verify the above from PS, try Get-AzResourceLock.

The error message highlights the reason as “operation because following scope are locked”.

You can try this on any object inside the resource group and the result will be the same.

Audit the actions

If we think carefully about the above scenario, we should also consider logs, alerts and security. Put on the security person’s hat: we would like to see who tried to access the resource group, and especially who tried to carry out malicious activity. Since the Activity log captures every activity, we can find out what really happened by reviewing the logs.
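The lock and audit steps above can be scripted. The following is an added example, not code from the original post: it makes sure every production resource group carries a lock and then lists failed operations from the Activity log. The `Environment=Production` tag and the lock name are assumptions made for illustration.

```powershell
# Added example. Requires the Az module and a session signed in
# (Connect-AzAccount) as Owner or User Access Administrator.
# Assumption: production resource groups are tagged Environment=Production.
$lockName   = 'LCK-NoDelete'    # hypothetical naming convention
$prodGroups = Get-AzResourceGroup -Tag @{ Environment = 'Production' }

foreach ($rg in $prodGroups) {
    # -AtScope returns only locks set on the resource group itself,
    # not locks placed on individual resources inside it.
    $locks = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope

    # Both lock levels block deletion, so either one counts as protected.
    $protecting = $locks | Where-Object { $_.Properties.level -in 'CanNotDelete', 'ReadOnly' }

    if ($protecting) {
        Write-Output "$($rg.ResourceGroupName): already locked ($($protecting.Name -join ', '))"
        continue
    }

    New-AzResourceLock -LockName $lockName `
                       -LockLevel CanNotDelete `
                       -LockNotes 'Production workload - remove only with change approval' `
                       -ResourceGroupName $rg.ResourceGroupName `
                       -Force | Out-Null
    Write-Output "$($rg.ResourceGroupName): CanNotDelete lock created"
}

# Audit: failed operations in the demo resource group over the last 24 hours.
# A delete blocked by a lock is recorded here as a failed operation,
# together with the identity (Caller) that attempted it.
Get-AzActivityLog -ResourceGroupName 'DemoRG001' `
                  -StartTime (Get-Date).AddDays(-1) `
                  -Status Failed |
    Sort-Object EventTimestamp |
    Format-List EventTimestamp, Caller, ResourceId
```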



Azure Resource Lock is a nifty feature and very useful for production environments. Combining it with RBAC gives granular control over the resources as well as better security.

Now I know a demonstration is worth more, so here goes the video for you.

Any questions lads?

How to encrypt disks on Azure VM’s

“Information protection”: no wonder this phrase has been making a big buzz around the world regardless of business size. We have seen major cyber attacks and malware attacks that crippled even enterprise companies, financially and reputation-wise. So in this article I’m looking at one prevention solution that Microsoft offered a long time back and has now extended to Microsoft Azure VMs as well. Disk encryption is not a new term; information security consultants have always highlighted how vital it is to back up data and keep it offshore. At the same time they ask for this data to be encrypted in case it falls into the wrong hands.

But have you thought about how to protect running VMs in your data center or on Azure? There are actually a couple of ways to approach that. I recommend adopting all of them in phases, based on your budget and time.

Hardware Security Module (HSM)
Virtual machine disk encryption
Virtual machine backup
Azure Site Recovery
Security policy management and reporting

The list will keep growing over time with new add-ons. In this article I’ll describe how we can protect virtual machines using disk encryption technology. If you’re a Hyper-V fan, read about Shielded VMs for additional information.

OK, back to the main topic. This technology is referred to as Azure Disk Encryption, which leverages Microsoft BitLocker disk encryption. (I do hope it now makes sense to you all.) Azure supports encrypting Windows VMs using BitLocker as well as Linux VMs using the dm-crypt feature, which provides volume encryption for the OS and data disks. All the disk encryption keys and secrets are saved in Azure Key Vault in your existing subscription. The data (in our case, the VHD files) resides safely in Azure storage. Read about Azure Key Vault technology here.

Disk encryption can be approached in several ways,

Picture credits to the Azure team.

1. If you decide to upload an encrypted VM from your Hyper-V environment to Azure, make sure to upload the VHD to a storage account and copy the encryption key material to your key vault. Then provide the encryption configuration to enable encryption on a new IaaS VM.
2. If you create the Azure VM from an Azure Marketplace template, just provide the encryption configuration to enable encryption on the IaaS VM.
3. If you’ve already created a VM in your subscription from the Azure Marketplace, you can still follow the same steps thanks to Azure Security Center.

So let’s assume you already created the Azure VM using the Marketplace and started using it. At a later stage you find out through Azure Security Center that you’ve not followed industry best practices, and it’s highlighting the potential security risks you’re exposed to. One such scenario: the disks are not encrypted!


As you can see, I have 3 Azure-hosted VMs with potential security issues, and not having disk encryption enabled is one of them. In this article I’ll focus on enabling disk encryption on one VM (VM01), which is running Server 2012 R2.

First things first: you need to get the Azure PowerShell modules set up on your desktop or laptop. You can download them from the Azure download page.


After that you’ll need a PowerShell script to do the job. You can get that script from here. Copy the script and save it with any name you prefer. Make sure its extension is .ps1.

Now you need to open the script using PowerShell ISE.


When you run the script you need to provide the following information, in this order:

Resource Group Name – This is the name of the RG where you’ve hosted your VMs.

Key Vault Name – The place where your keys will be saved and protected. During execution the script will ask for a key vault. If you don’t have one, just proceed and the script will create a key vault automatically.

Location – The location of your resource group. In my scenario it would be “southeastasia”
Tip: notice there is no space in the name. This is very important to remember.

Azure Active Directory Application Name – This is the Azure Active Directory application that will be used to write secrets to the Key Vault. If you haven’t created one, the script will create one for you.

Now you know what information you need to provide. Let’s proceed with the execution of the script in PowerShell ISE.


If you get the above screen, phase 1 is complete.

Now it’s time to target a VM and encrypt its disks. For this part you need to tell PowerShell which VM you’re targeting. In PowerShell, type the command below:

$vmName = "<VM name>"

Replace <VM name> with the name of your VM hosted in that resource group. In my case it’s $vmName = "VM01"

Line 185 of the above PowerShell script contains the command to encrypt the disks. Copy it and run it in the PowerShell window. Alternatively, you can copy the command below.

Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -VolumeType All

If things go smoothly you’ll get the message below in your PowerShell window,

This process takes around 10-15 minutes to complete. In the above screenshot you can see the command executed and completed successfully.

After that you can return to the VM properties and check the disk status. You can see below that both the OS and data disks have been encrypted.


So any time you add more VMs to that resource group, all you have to do is target the VM name and run the command given above.

Note: Disk encryption on Azure is a really good option but needs to be weighed carefully. If you want to back up the encrypted VMs, encryption needs to be done using the KEK method. For more in-depth information on Azure IaaS disk encryption, refer to this article.
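For the KEK method mentioned in the note, the same cmdlet takes two extra parameters that point at a key encryption key in the vault. The following is an added example, not part of the prerequisite script: it assumes that script has already populated the variables used in the command above, the vault and key names are hypothetical, and the final loop reports the encryption state of every VM in the resource group.

```powershell
# Added example. Assumes $resourceGroupName, $vmName, $aadClientID,
# $aadClientSecret, $diskEncryptionKeyVaultUrl and $keyVaultResourceId are
# already set by the prerequisite script used on this page.
$keyVaultName = 'DemoKeyVault001'   # hypothetical: the vault name you gave the script
$kekName      = 'DemoDiskKEK'       # hypothetical key encryption key name

# Reuse the KEK if it already exists, otherwise create it in the vault.
$kek = Get-AzureKeyVaultKey -VaultName $keyVaultName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) {
    $kek = Add-AzureKeyVaultKey -VaultName $keyVaultName -Name $kekName -Destination 'Software'
}
$keyEncryptionKeyUrl = $kek.Key.Kid

# Same command as above, with the KEK wrapping the disk encryption secret.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $resourceGroupName `
    -VMName $vmName `
    -AadClientID $aadClientID `
    -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $keyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $keyVaultResourceId `
    -VolumeType All

# Report the state of every VM in the resource group, including whether
# the OS volume's secret is wrapped by a KEK.
foreach ($vm in Get-AzureRmVM -ResourceGroupName $resourceGroupName) {
    $status = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $resourceGroupName -VMName $vm.Name
    [pscustomobject]@{
        VM          = $vm.Name
        OsVolume    = $status.OsVolumeEncrypted
        DataVolumes = $status.DataVolumesEncrypted
        UsesKek     = [bool]$status.OsVolumeEncryptionSettings.KeyEncryptionKey
    }
}
```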


During the Microsoft Ignite event, the new “Operations Management Suite”, which is the new name for Azure Operational Insights, was announced. What’s new with this cloud-based solution, other than the name change, is that it no longer contains just log analytics and the things we’ve seen before. It is now also capable of managing your Azure backup jobs, Azure Site Recovery and Automation. When it comes to onboarding, it’s the exact same process as onboarding Azure Operational Insights (and System Center Advisor before that), and there are still two ways to connect servers to the solution.

The first method is to attach the server directly to Operations Management Suite (OMS) using the Microsoft Monitoring Agent; the second is to connect your SCOM management group to OMS.

As mentioned above, the new stuff is that you can manage,

Azure backup
Azure Site Recovery

If you look at the product history, you’ll find this will grow into a solution similar to SCOM, where you’ll be able to manage on-prem servers as well.

In order to onboard, go to the web site and register your account. The process is much easier than configuring SCOM on-prem.


Once onboarded you can go through the wizard, add your Azure subscription and start connecting the components. For the VMs you can install the agent. One thing I like about OMS is the rich dashboard, just like the previous version. It’s easy to navigate and get the required information.


Another thing that’s gotten a new name is the Intelligence Packs known from the Azure Operational Insights days. They are now called Solutions instead and besides from the ones that came along from OpInsights.



Apart from that, Microsoft has confirmed this solution has been extended to monitor VMs hosted on AWS, VMware and OpenStack, and also to monitor Linux VMs. This gives a clear view of how broadly Microsoft is looking at OMS.

Data exchange within Azure VM’s with Veeam FastSCP

Are you an IT pro or a developer who works with Azure VMs frequently? Have you gone through the pain of finding the best way to transfer files to and from Azure VMs? There are numerous ways to do this, but I found Veeam’s FastSCP (Secure Copy Protocol) much easier to use. It is still in beta but I found it quite useful. I did find that folder refresh is sometimes not very efficient, but I guess it will be fixed soon. You can grab the beta software for testing from here.

Step 1: Download and install the software, then go to the FastSCP console

Step 2: Make sure you already have an Azure VM created. Go to the Azure portal and copy the Azure cloud service URL

Step 3: Go to the Veeam FastSCP console, click “Add Virtual machine” and provide the URL you’ve copied along with the VM login credentials,



Step 4: Start playing around. You can create folders on the Azure VM from the FastSCP console and start uploading and downloading files easily. If there are any bugs you’d better call the Veeam guys.


Bug: When I tried to create a folder, I found that even though I clicked the “Create Folder” button, the folder didn’t appear in the FastSCP console. The best method is to click that button once and refresh the console, and then you’ll find the folder you’ve created.

System Center Universe #APAC


If you’re an organization that is using System Center, or planning to use System Center, cloud and virtualization technology, then this is an event you shouldn’t miss. All the industry gurus and experts will be in one location to share their experience with you. What’s more, you’ll get a chance to meet them in person, share your ideas and get expert advice free of charge.

System Center Universe is a global event carried out in various parts of the world. The APAC region event will be held on March 5-6. I look forward to seeing most of you there.

Protecting VMware and Physical Workloads with Azure Site Recovery

In my previous blogs I’ve highlighted how Microsoft Azure Site Recovery technology keeps improving every day. Overall, Microsoft Azure keeps adding new features frequently, and keeping pace with that is somewhat difficult as well.

Azure Site Recovery is one area Microsoft keeps improving in order to provide disaster recovery solutions to customers across business segments. With the acquisition of InMage Scout, which specializes in disaster recovery solutions, Microsoft expanded its portfolio of DR options. Now ASR can protect VMware sites and physical machines as well. The current options are as follows,

1. VMware Site A to VMware Site B orchestrated DR failover via ASR
2. Protecting physical machines from Site A to Site B with orchestrated DR failover via ASR
3. Migrating VMware and physical servers to Azure using Microsoft Migration Accelerator (which uses InMage technology)

Microsoft is leveraging InMage technology as it is, without much modification, at this stage. The main components and functional model of InMage Scout are as follows,

  • Configuration Server – VM running at the secondary site that is responsible for maintaining replication policies, replication status, and health reports.
  • Master Target – VM running at the secondary site that acts as the repository for all replicated data and change journals.
  • Mobility Service – Light-weight software component that captures data changes being generated on the protected workloads continuously, in real-time and directly from memory, for replication purposes.
  • Process Server – Gateway residing at the primary site that handles all compute and IO intensive aspects of replication.

Based on the capacity of the VMs and physical machines, you need to size the PS (Process Server) and MT (Master Target) servers accordingly. The PS server holds all the data that needs to be replicated to the Azure side. It can be deployed on a physical or a virtual machine running Windows Server 2012 R2. It is responsible for receiving data changes from the primary workloads and performing compression, encryption, caching and bandwidth management before replicating to a secondary location for DR purposes. This approach off-loads all compute- and IO-intensive tasks involved in continuous replication to the Process Server, thereby eliminating nearly all overhead on the protected workloads.

In general, Process Server sizing depends on the daily change rate across all protected workloads. Sufficient compute is needed to perform tasks such as inline compression and encryption. You also need to ensure that you provision sufficient cache storage in the event of a network bottleneck or outage between primary and secondary sites. The table below provides a good guideline to follow, especially when implementing ASR with the InMage replication channel, or Migration Accelerator the first time.


Replication of the data will occur over IP network. This can be via Site to Site VPN between onsite and Azure or via the public internet. Inbound ports include 9080 or 9443 for data transfer from source and target entities; and outbound ports include 80 or 443 to the Configuration Server to provide real-time updates on replication status and health.

In summary, sizing and placement of a Process Server for ASR with the InMage replication channel depend on a couple of factors, such as the number of protected workloads and the daily change rate. In future you’ll find more exciting news from the ASR team on their improvements to disaster recovery in combination with InMage Scout.

Affordable Disaster Recovery Solution for every organization

January 2015

Last month I had the opportunity to present the above topic during a local ITPro community event. With the recent announcement of Azure Site Recovery enhancements, it is very clear that disaster recovery is no longer an enterprise-only solution. It is now available even to SMB customers, with a very low price tag.

Some of the key questions raised were about multi-hypervisor support. It is no surprise that Microsoft has not left those customers alone. With the acquisition of the InMage Scout solution we can now offer DR solutions for VMware, Citrix and physical servers as well. Very soon Microsoft will focus on providing VMware to Azure site recovery solutions as well.

Microsoft Azure Virtual Machine Optimization Assessment Tool

The Microsoft Azure Virtual Machine Optimization Assessment tool will automatically inspect your Virtual Machines running in Microsoft Azure. Optimize your investment in Azure with the prioritized recommendations provided.

According to Microsoft, this software can also be run from your local computer, targeting Azure. Detailed information, according to the Microsoft web site, is as follows,

“The Microsoft Azure Virtual Machine Optimization Assessment provides prioritized recommendations across six focus area to optimize your experience while running in Microsoft Azure. After a short questionnaire, automated data collection and analysis, a custom report is generated which provides you the information required to implement and understand the recommendations. Your report includes an executive summary and key recommendations which provide a high level view across the focus areas to help you manage and prioritize optimizing your environment. Viewing the detailed recommendations provides action areas within each focus area along with expert guidance and tailored to your environment. “

The download consists of the application and a brief Readme guide. In the initial release this tool can assess AD, SQL and SharePoint. Hopefully this will be a growing list in the future.

You can download the tool from here.

Affordable Azure DR for everyone

A disaster is something we pray never happens, but it is unavoidable in certain situations. Every business organization, regardless of its size, needs a disaster recovery plan to protect its key business assets. In this article we’ll look into how Azure Disaster Recovery (cloud-based DR) can be used to protect critical business application systems.

With recent updates there are several ways we can use Azure Site Recovery (ASR) to protect our on-premises systems,

1. On-premises Hyper-V site to Azure protection with Hyper-V replication — Orchestrate replication, failover, and recovery from an on-premises site with one or more Hyper-V servers but without System Center VMM. Virtual machine data is replicated from a source Hyper-V host server to Azure.

2. On-premises VMM site to on-premises VMM site protection with Hyper-V replication — Orchestrate replication, failover, and recovery between on-premises VMM sites. Virtual machine data is replicated from a source Hyper-V host server to a target host server.

3. On-premises VMM site to on-premises VMM site protection with SAN replication — Orchestrates end-to-end replication, failover, and recovery using storage array-based replication between SAN devices that host virtual machine data in source and target on-premises sites.

4. On-premises VMM site to Azure protection — Orchestrate replication, failover, and recovery between an on-premises VMM site and Azure. Replicated virtual machine data is stored in Azure storage.

5. On-premises VMWare site to on-premises VMWare site with InMage — InMage Scout is a recent Microsoft acquisition that provides real-time replication between on-premises VMWare sites. Right now InMage is available as a separate product that’s obtained via a subscription to the Azure Site Recovery service.

Option 1 will be covered in this article. Most SMB businesses cannot afford SCVMM software but still need a DR solution. Apart from that, we didn’t forget our VMware fan base, who need an affordable DR solution. With the acquisition of the InMage software company, Microsoft now protects VMware environments as well.

To enable a Hyper-V host to protect VMs on the Azure cloud, we need to do a few steps first. The high-level steps are as follows,

Step 1: Create a vault—Create an Azure Site Recovery vault.

Step 2: Create a Hyper-V site—Create a Hyper-V site as a logical container for all the Hyper-V servers that contain virtual machines you want to protect.

Step 3: Prepare Hyper-V servers—Generate a registration key and download the Provider setup file. You run the file on each Hyper-V server in the site and select the key to register the server in the vault.

Step 4: Prepare resources—Create an Azure storage account to store replicated virtual machines.

Step 5: Create and configure protection groups—Create a protection group and apply protection settings to it. The protection settings will be applied to every virtual machine you add to the group.

Step 6: Enable protection for virtual machines—Enable protection for virtual machines by adding them to a protection group.

Step 7: Test the deployment—Run a test failover for a virtual machine.

Step 1 – Create a vault,
Sign in to the Azure Management Portal –> Expand Data Services, expand Recovery Services, and click Site Recovery Vault –> Click Create New and then click Quick Create –>In Name field enter a friendly name to identify the vault (in my case matrixvault) –>In Region select the geographic region for the vault –> Click Create vault

Step 2: Create a Hyper-V site,
In the Recovery Services page, click the vault to open the Quick Start page–>In the dropdown list, select Between an on-premises Hyper-V site and Azure –> In Create a Hyper-V Site click Create Hyper-V site. Specify a site name and save.



Step 3: Prepare Hyper-V servers,
In Prepare Hyper-V servers, click Download a registration key file –> On the Download Registration Key page, click Download next to the site –> Click Download the Provider to obtain the latest version


In the last picture you can see that two components have been installed. Their functions are as follows,

Azure Site Recovery Provider—Handles communication and orchestration between the Hyper-V server and the Azure Site Recovery portal.
Azure Recovery Services Agent—Handles data transport between virtual machines running on the source Hyper-V server and Azure storage.


On the Vault Settings page, click Browse to select the key file. Specify the Azure Site Recovery subscription, the vault name, and the Hyper-V site to which the Hyper-V server belongs.





Step 4: Prepare resources – You need to have a storage account in Azure; if not, you can go ahead and create one. Make sure the storage account has geo-replication enabled.
I also make sure there is a dedicated virtual network created as well.


Step 5: Create and configure protection groups
Protection groups group virtual machines together and apply the same protection settings to them. You apply protection settings to a protection group, and those settings are applied to all virtual machines that you add to the group.



Step 6: Enable protection for virtual machines

Now it’s time to select which VMs on your Hyper-V host you need to protect.


ASR will start checking the VMs’ compatibility for export to the Azure side.


Now let’s jump into the Hyper-V MMC console and check the VM replication status,

Depending on your internet connection speed, VM replication time can vary.

Step 7: Test the deployment
Now it’s time to test the VM failover to the Azure side. To do that we need to run a test failover for the protected virtual machine.
Protected Items –> Protection Groups –> protectiongroup_name –> Virtual Machines (select the virtual machine you want to fail over) –> and click Test Failover.



You can put the test VM into production virtual network in Azure or start the VM without a virtual network. In my case I’ll put into my production virtual network.

Now a series of actions will be carried out in order. Once they complete, our VM will be active on the Azure side. If you encounter any issues during these tasks, you can get a detailed report from the bottom of the Azure portal. This is useful for troubleshooting.

Now VM creation is complete. We have to check that the VM is up and running properly. If things are OK, once we confirm, the VM will be removed by ASR since our ASR test was a success.

Now ASR will remove the temporary test VM from the environment,


Some of our VMs can be very large, making replication over the internet infeasible. In that situation you can courier the data to a Microsoft Azure data center. Microsoft introduced a service called “Microsoft Azure Import/Export service”. You can find more information about that here.

Azure VNet to VNet Connection

Extending your on-prem private cloud to the public cloud is going to be highly anticipated in 2015. During this time I came across a requirement to interconnect the private networks of two Azure subscriptions. I assume by now most of you are aware that by leveraging the Windows Azure platform you can extend your on-prem network to Azure using a Site-to-Site (S2S) VPN. If not, you can get more information about that from here, and if a picture makes it clearer, it is as follows.

Now in my new challenge the customer already has two Azure subscriptions. In one subscription he has the database virtual machines and in the other Azure subscription he has the application VMs. Now how on earth did he end up in such a scenario, without all the VMs in the same subscription? Well, that is a long story which will not bring any good to this article.

His requirement is to interconnect the two Azure subscriptions via VPN connectivity. Again the picture story is as follows,

Azure vnet to vnet

A few months back this was not possible, but again Microsoft keeps improving its services frequently. One such surprise is allowing Azure vNet to vNet VPN connections.

What can I do with VNet to VNet connectivity?

Cross region geo-redundancy and geo-presence

  • You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
  • With Azure Load Balancer and Microsoft or third party clustering technology, you can setup highly available workload with geo-redundancy across multiple Azure regions. One important example is to setup SQL Always On with Availability Groups spreading across multiple Azure regions.

Regional multi-tier applications with strong isolation boundary

  • Within the same region, you can setup multi-tier applications with multiple virtual networks connected together with strong isolation and secure inter-tier communication.

Cross subscription, inter-organization communication in Azure

  • If you have multiple Azure subscriptions, you can now connect workloads from different subscriptions together securely between virtual networks.
  • For enterprises or service providers, it is now possible to enable cross organization communication with secure VPN technology within Azure.

So now it’s time to get our hands dirty and find out how to test this, right? In my step-by-step guide below I’m demonstrating this using my two Azure subscriptions.

Before that some considerations you need to be aware of,

Requirements and considerations

  • VNet to VNet supports connecting Azure Virtual Networks. It does not support connecting virtual machines or cloud services NOT in a virtual network.
  • VNet to VNet requires Azure VPN gateways with dynamic routing VPNs – Azure static routing VPNs are not supported. Connecting multiple Azure virtual networks together does NOT require any on premises VPN gateways, unless cross premises connectivity is required.
  • Virtual network connectivity can be used simultaneously with multi-site VPNs, with a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to either other virtual networks or on premises sites.
  • The address spaces of the virtual networks and on premises local network sites MUST NOT overlap. Overlapping address spaces will cause the creation of virtual networks or uploading netcfg configuration files to fail.
  • The virtual networks can be in the same or different subscriptions.
  • The virtual networks can be in the same or different Azure regions (locations).
  • Redundant tunnels between a pair of virtual networks are not supported.
  • A cloud service or a load balancing endpoint CANNOT span across virtual networks even though they are connected together.
  • All VPN tunnels of the virtual network, including P2S VPNs, share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Before starting, I’d like to share the high-level steps with you all,

  1. Plan your IP address ranges
  2. Create your virtual networks
  3. Add local networks
  4. Create the dynamic routing gateways for each VNet.
  5. Connect the VPN gateways

1. Plan your IP address ranges – Planning is the key to this part. If you ever plan to extend this setup to your on-prem private cloud, then plan your IP address ranges well ahead. Don’t allow them to be duplicated. The same goes for the Azure subscriptions as well. So in our scenario we’ll create two virtual networks across the two Azure subscriptions, VNET1 and VNET2.

From the perspective of VNet1, VNet2 is just another VPN connection that’s defined in the Azure platform. And from VNet2, VNet1 is just another VPN connection. They’ll both be identifying each other as a local network site. Keep in mind that you must make sure that none of your VNet ranges or local network ranges overlap in any way.

Below I’ve shown an example of how to define your VNets. Use the ranges below as a guideline only. Write down the ranges that you’ll be using for your virtual networks. You’ll need this information for later steps.

Table 1
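The no-overlap rule can be checked before any network is created. The following is an added example, not from the original post: it compares every pair of planned IPv4 address spaces and reports the ones that collide. The function names are hypothetical and the ranges are constructed sample values, not the ones from Table 1.

```powershell
# Added example: pre-flight check that planned VNet and local network
# address spaces do not overlap. IPv4 only.
function ConvertTo-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)

    if ($Cidr -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') {
        throw "Not an IPv4 CIDR block: '$Cidr'"
    }
    $prefix = [int]$Matches[2]
    if ($prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    # Fold the four octets into one 64-bit integer (no endianness issues).
    [int64]$address = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($Matches[1]).GetAddressBytes()) {
        $address = $address * 256 + $octet
    }

    $size  = [int64][math]::Pow(2, 32 - $prefix)
    $start = $address - ($address % $size)     # align to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Find-AddressSpaceOverlap {
    # $Plan maps a network name to its CIDR block.
    param([Parameter(Mandatory)][hashtable]$Plan)

    $names = @($Plan.Keys | Sort-Object)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            $a = ConvertTo-CidrRange $Plan[$names[$i]]
            $b = ConvertTo-CidrRange $Plan[$names[$j]]
            # Two ranges overlap when each one starts before the other ends.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{
                    First  = "$($names[$i]) ($($a.Cidr))"
                    Second = "$($names[$j]) ($($b.Cidr))"
                }
            }
        }
    }
}

# Constructed sample plan: OnPrem deliberately falls inside VNET2.
$plan = @{
    VNET1  = '10.1.0.0/16'
    VNET2  = '10.2.0.0/16'
    OnPrem = '10.2.128.0/20'
}

$conflicts = @(Find-AddressSpaceOverlap -Plan $plan)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
    Write-Warning 'Fix the overlapping ranges before creating the virtual networks.'
} else {
    Write-Output 'No overlapping address spaces found.'
}
```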

2. Create your virtual networks – Following the above table we’ll go ahead and create VNET1 = and region as Southeast Asia,

Log into the Azure Management portal and in the lower left-hand corner of the screen click “New” click “Network Services” and then “Virtual Network”. Click “Custom Create” to begin the wizard,



You don’t have to select DNS server or do any configuration on this page. But if you’re planning to have name resolution between your virtual networks then you’ll need to configure your own DNS servers.


As pre-planned, I’ve changed the IP address range for Go ahead and complete the wizard. Now carry out the same task on your other subscription. Only changes are VNET1 will be VNET2 and IP address range is

3. Add local networks – Now go back to VNET1 in the Azure portal. Click “Local Networks”. You’ll find that no local network exists. Go ahead and create one with the range of Carry out same on the other Azure subscription (VNET2) with the value of



The VPN device IP address you provide above does not matter right now. Once we obtain the correct VPN IP address we’ll enter it.


Note: Keep an eye on the naming convention and the IP address range I provided. Follow the same steps on the other Azure subscription as well. (Values will be different.)
Now on the first Azure subscription click VNET1. Click “Configure”, then click “Connect to the local network” under the Site-to-Site connectivity section.

Make sure “Gateway” has been added,

Click “Save” at the bottom of the screen.

4. Create the dynamic routing gateways for each VNet – Now that we have configured the VNETs, it’s time to configure the VNET gateways.
Go back to the dashboard of VNET1. At the bottom of the screen click “Create Gateway” and select “Dynamic Routing”


Confirm the action. This will take around 10 –15 minutes time to complete. Carry out the same action on the other Azure subscription as well.

When the gateway status changes to Connecting, the IP address for each Gateway will be visible in the Dashboard. Write down the IP address that corresponds to each VNet, taking care not to mix them up. These are the IP addresses that will be used when you edit your placeholder IP addresses for the VPN Device in Local Networks.

5. Connect the VPN gateways – When gateway creation has completed, we can go ahead and set the IPsec/IKE pre-shared key (the same key) on both sides. This action has to be carried out in PowerShell.
On the VNET1 side type the following PS command,

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName VNet2 -SharedKey A1b2C3D4E6

On the VNET2 side type the following PS command,

PS C:\> Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet1 -SharedKey A1b2C3D4E6

Now give it a little bit of time and refresh the Azure portal page. You’ll find the VPN connection established.


Once that is completed you can create a VM in each Azure subscription and try pinging each other. If you get a response you’ll know the connection has been established.
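The shared key in step 5 is the only secret protecting the tunnel, so a short literal like the one shown is best kept for a lab. The following is an added example, not from the original post: it generates a random key and applies it to both gateways with the same classic cmdlet. The subscription names and the `New-PreSharedKey` function are hypothetical.

```powershell
# Added example. Uses the classic (Service Management) Azure cmdlets,
# like the commands in step 5.
function New-PreSharedKey {
    param([ValidateRange(16, 64)][int]$Length = 32)

    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    $key      = New-Object System.Text.StringBuilder
    try {
        while ($key.Length -lt $Length) {
            $rng.GetBytes($byte)
            # Discard 248..255 so each of the 62 characters is equally
            # likely (248 = 62 * 4); otherwise the modulo would be biased.
            if ($byte[0] -lt 248) {
                [void]$key.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $key.ToString()
}

# One key, generated once, set on both sides of the tunnel.
$sharedKey = New-PreSharedKey -Length 32

Select-AzureSubscription -SubscriptionName 'Subscription-A'   # hypothetical: hosts VNet1
Set-AzureVNetGatewayKey -VNetName VNet1 -LocalNetworkSiteName VNet2 -SharedKey $sharedKey

Select-AzureSubscription -SubscriptionName 'Subscription-B'   # hypothetical: hosts VNet2
Set-AzureVNetGatewayKey -VNetName VNet2 -LocalNetworkSiteName VNet1 -SharedKey $sharedKey

# Check the tunnel state from the VNet2 side once the gateways have negotiated.
Get-AzureVNetConnection -VNetName VNet2 |
    Format-Table LocalNetworkSiteName, ConnectivityState -AutoSize

# Do not leave the key in the session or in a transcript.
Remove-Variable sharedKey
```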