How far can your Visual Studio Azure credit get you?

Background

When I first got my Azure Visual Studio credit, $120 seemed to go a long way. I could have a Domain Controller running 24/7 and a site-to-site VPN running, with plenty left over for all the other things I needed to do.

In 2023 I was working with Azure Virtual Desktop (AVD) and needed to test a few scenarios, and at the time, an Active Directory Domain Services Domain Controller was a necessity. Having a site-to-site VPN allowed me to test RDP Shortpath, which was being implemented by the client I was working with, who had some very complex access requirements. I appreciated that the basic SKU site-to-site VPN between my VDSL at home and Azure would offer no performance benefits at all; however, it proved concepts that I needed to be able to stand behind.

Eventually, both the Domain Controller and the VPN were removed; I had other things to work on and knew I would be able to recreate them as and when I needed.

The Challenge

Late last year, a need came up for me to create a new site-to-site VPN. This is when I found out the basic SKU could only be created if you had a basic public SKU IP. It gets very interesting from here.

  • Site-to-site VPNs with a basic SKU can still be created
  • They depend on a basic SKU IP address
  • Basic SKU IP addresses are no longer available

Site-to-site VPNs are supported as long as you have something that is no longer available. Microsoft, put us out of our misery and retire the basic site-to-site VPN.

I started looking at the alternatives. This is where I started thinking, there’s no way my $120 is going to last this testing. The cheapest SKU would have swallowed my credit in a matter of days, and I didn’t fancy walking through creating a VPN every morning I needed to do some testing in the portal.

The Answer

A bit of googling later, I thought now was the time to brush up on my PowerShell skills. What resulted was a script that created my VPN connection from Cloud Shell, and I just needed to execute it. So far so good. Then I introduced a bit more logic to create a DNS Private Resolver, so I could use my local DNS for my internal resources, and finally a NAT gateway.

This was my next head scratcher: the script took longer than 20 minutes to run, Cloud Shell has a 20-minute timeout, and my script was failing at various stages.

Step in Azure Automation Accounts and a couple of runbooks. One to create my VPN, DNS Private Resolver and a NAT Gateway, and another to tear it down.

Now, when I need my VPN, I can kick off the script, make a cup of tea, and come back 30 minutes later and I’m ready to go.

Scripts and details of setting it up can be found on my GitHub.

What Next?

Disclaimer(s):

  • Is it pretty? No.
  • Could it be better? Yes, I’ll keep working on it.
  • Did I use ChatGPT to help? Yes. Don’t think it did all of it; there were some shocking hallucinations, and some of the code, although it works, I’m convinced it’s not great.
  • You don’t use native modules in all cases, why? Automation Accounts, for whatever reason, didn’t like some PowerShell modules. It works fine in Cloud Shell but fails in the Automation Account. I just got it to work!
  • Why are there variables in there that you declare, but don’t use? There was a lot of trial and error and I need to clean it up.