azure-arch-enterprise-bi-an.../scripts/DeployVPN.ps1

#Requires -RunAsAdministrator
#Requires -Modules AzureRM.Network
#Requires -Modules AzureRM.profile

# This script deploys a Azure Virtual Network, subnet and VPN gateway
# Use this script when connectivity from onpremises to Azure VNET is using point-to-site VPN connection
Param(
    [Parameter(Mandatory=$true)]
    [string]$SubscriptionName,
    
    # Under this resource group common resources like VPN gateway, Virtual network will be deployed.
    [Parameter(Mandatory=$true)]
    [string]$ResourceGroupName,
    
    # The name of Azure VNet resource.
    [Parameter(Mandatory=$true)]
    [string]$VNetName,
  
    [Parameter(Mandatory=$true)]
    [string]$Location,
    
    # The name of the Azure VNet Gateway resource.
    [Parameter(Mandatory=$true)]
    [string]$VNetGatewayName,
    
    [Parameter(Mandatory=$false)]
    [string]$AddressPrefix = "10.254.0.0/16",
    
    [Parameter(Mandatory=$false)]
    [string]$GatewaySubnetPrefix = "10.254.1.0/24",
    
    [Parameter(Mandatory=$false)]
    [string]$OnpremiseVPNClientSubnetPrefix = "192.168.200.0/24",
    
    [Parameter(Mandatory=$false)]
    [string]$RootCertificateName = "VPN-RootCert-$($VNetName)",
    
    [Parameter(Mandatory=$false)]
    [string]$ChildCertificateName = "VPN-ChildCert-$($VNetName)"
)

# Import the common functions
$scriptPath = $MyInvocation.MyCommand.Path
$scriptDir = Split-Path $scriptPath
Import-Module (Join-Path $scriptDir Common.psm1) -Force

# Select subscription
Select-AzureRmSubscription -SubscriptionName $SubscriptionName
$subscription = Get-AzureRmSubscription -SubscriptionName $SubscriptionName
$SubscriptionId = $subscription.Subscription.SubscriptionId

# Create the resource group if needed
New-ResourceGroupIfNotExists $ResourceGroupName -Location $Location

# Deploy VNET, Gateway Subnet and VPN gateway
$templateParamsVpnGateway = @{
    gatewayName=$VNetGatewayName
    virtualNetworkName=$VNetName
    edwAzureVNetAddressPrefix=$AddressPrefix
    vpnGatewaySubnetPrefix=$GatewaySubnetPrefix
}

Write-Host -ForegroundColor Yellow "VPN Gateway deployment could take upto 45 minutes"

$templateFilePath = Join-Path (Join-Path (Split-Path -Parent $scriptDir) 'armTemplates') 'vpn-gateway.json'
$vpnGwDeployment = New-AzureRmResourceGroupDeployment -Name VpnGateway `
    -ResourceGroupName $ResourceGroupName `
    -TemplateFile $templateFilePath `
    -TemplateParameterObject $templateParamsVpnGateway `
    -Verbose

Write-Host "Generating certificates for VPN gateway"

# Generate a self signed root certificate
$vpnRootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$($RootCertificateName)" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Add the self signed root certificate to the trusted root certificates store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
    "currentuser"
)
$store.open("MaxAllowed") 
$store.add($vpnRootCert) 
$store.close()

# Generate a client certificate
New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$($ChildCertificateName)" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $vpnRootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Get root certificate public key data to be used by VPN gateway
$certBase64 = [system.convert]::ToBase64String($vpnRootCert.RawData)
$rootCert = New-AzureRmVpnClientRootCertificate -Name $RootCertificateName -PublicCertData $certBase64

$gateway = Get-AzureRmVirtualNetworkGateway -Name $VNetGatewayName -ResourceGroupName $ResourceGroupName

Write-Host "Updating VPN gateway with certificates"

Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $gateway `
    -VpnClientAddressPool $OnpremiseVPNClientSubnetPrefix `
    -VpnClientRootCertificates $rootCert
Add all prereq required files 2017-10-29 03:09:45 +03:00			`#Requires -RunAsAdministrator`
			`#Requires -Modules AzureRM.Network`
			`#Requires -Modules AzureRM.profile`

			`# This script deploys a Azure Virtual Network, subnet and VPN gateway`
			`# Use this script when connectivity from onpremises to Azure VNET is using point-to-site VPN connection`
			`Param(`
			`[Parameter(Mandatory=$true)]`
			`[string]$SubscriptionName,`

			`# Under this resource group common resources like VPN gateway, Virtual network will be deployed.`
			`[Parameter(Mandatory=$true)]`
			`[string]$ResourceGroupName,`

			`# The name of Azure VNet resource.`
			`[Parameter(Mandatory=$true)]`
			`[string]$VNetName,`

			`[Parameter(Mandatory=$true)]`
			`[string]$Location,`

			`# The name of the Azure VNet Gateway resource.`
			`[Parameter(Mandatory=$true)]`
			`[string]$VNetGatewayName,`

			`[Parameter(Mandatory=$false)]`
			`[string]$AddressPrefix = "10.254.0.0/16",`

			`[Parameter(Mandatory=$false)]`
			`[string]$GatewaySubnetPrefix = "10.254.1.0/24",`

			`[Parameter(Mandatory=$false)]`
			`[string]$OnpremiseVPNClientSubnetPrefix = "192.168.200.0/24",`

			`[Parameter(Mandatory=$false)]`
			`[string]$RootCertificateName = "VPN-RootCert-$($VNetName)",`

			`[Parameter(Mandatory=$false)]`
			`[string]$ChildCertificateName = "VPN-ChildCert-$($VNetName)"`
			`)`

			`# Import the common functions`
			`$scriptPath = $MyInvocation.MyCommand.Path`
			`$scriptDir = Split-Path $scriptPath`
			`Import-Module (Join-Path $scriptDir Common.psm1) -Force`

			`# Select subscription`
			`Select-AzureRmSubscription -SubscriptionName $SubscriptionName`
			`$subscription = Get-AzureRmSubscription -SubscriptionName $SubscriptionName`
			`$SubscriptionId = $subscription.Subscription.SubscriptionId`

			`# Create the resource group if needed`
			`New-ResourceGroupIfNotExists $ResourceGroupName -Location $Location`

			`# Deploy VNET, Gateway Subnet and VPN gateway`
			`$templateParamsVpnGateway = @{`
			`gatewayName=$VNetGatewayName`
			`virtualNetworkName=$VNetName`
			`edwAzureVNetAddressPrefix=$AddressPrefix`
			`vpnGatewaySubnetPrefix=$GatewaySubnetPrefix`
			`}`

			`Write-Host -ForegroundColor Yellow "VPN Gateway deployment could take upto 45 minutes"`

			`$templateFilePath = Join-Path (Join-Path (Split-Path -Parent $scriptDir) 'armTemplates') 'vpn-gateway.json'`
			$vpnGwDeployment = New-AzureRmResourceGroupDeployment -Name VpnGateway `
			-ResourceGroupName $ResourceGroupName `
			-TemplateFile $templateFilePath `
			-TemplateParameterObject $templateParamsVpnGateway `
			`-Verbose`

			`Write-Host "Generating certificates for VPN gateway"`

			`# Generate a self signed root certificate`
			$vpnRootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
			-Subject "CN=$($RootCertificateName)" -KeyExportPolicy Exportable `
			-HashAlgorithm sha256 -KeyLength 2048 `
			`-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign`

			`# Add the self signed root certificate to the trusted root certificates store`
			`$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(`
			`[System.Security.Cryptography.X509Certificates.StoreName]::Root,`
			`"currentuser"`
			`)`
			`$store.open("MaxAllowed")`
			`$store.add($vpnRootCert)`
			`$store.close()`

			`# Generate a client certificate`
			New-SelfSignedCertificate -Type Custom -KeySpec Signature `
			-Subject "CN=$($ChildCertificateName)" -KeyExportPolicy Exportable `
			-HashAlgorithm sha256 -KeyLength 2048 `
			-CertStoreLocation "Cert:\CurrentUser\My" `
			`-Signer $vpnRootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")`

			`# Get root certificate public key data to be used by VPN gateway`
			`$certBase64 = [system.convert]::ToBase64String($vpnRootCert.RawData)`
			`$rootCert = New-AzureRmVpnClientRootCertificate -Name $RootCertificateName -PublicCertData $certBase64`

			`$gateway = Get-AzureRmVirtualNetworkGateway -Name $VNetGatewayName -ResourceGroupName $ResourceGroupName`

			`Write-Host "Updating VPN gateway with certificates"`

			Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $gateway `
			-VpnClientAddressPool $OnpremiseVPNClientSubnetPrefix `
			`-VpnClientRootCertificates $rootCert`