Implement and manage virtual networking and VPN Ipsec/IKv2 with Mikrotik (All files are located above.)
Instead of manually creating all the resources, you have the option to upload a template.json file using the following command on Azure CLI:
It is necessary to create the Resource Group first 😊
az group create -l "MyLocation" -n "resource-group-name"and then
az deployment group create --resource-group "resource-group-name" --template-file "path-to-template\template.json"or enter in https://portal.azure.com/#create/Microsoft.Template and deploy the file via GUI Azure portal interface.
Instead of manually create all configurations on the Mikrotik, you have the option to upload a IPsec-Config.rsc file using the following command on terminal:
import file=IPsec-Config.rsc- Azure Virtual Networks
- Azure VPN Gateway
- Network Security Groups (NSGs)
- Azure Bastion
- Azure Private Link
- Azure DNS
- Azure Load Balancer
- Configure your On-premises VPN Client, in this case (Mikrotik ROS7)
The following steps are necessary to set up an Azure Virtual Network (VNet) with the features mentioned above:
o You can use the Azure CLI or the Azure Portal web interface. Here’s how you can do it using the Azure CLI:
az logino In the Azure Portal, go to Virtual networks and click the + Add button.
- Name: Choose a unique name for your VNet.
- Region: Select the Azure region where you want to create the VNet.
- Address space (CIDR block): Define the IP address range for your VNet (e.g., 10.0.0.0/16).
- Subnet ranges: Create subnets within the VNet for different purposes (e.g., WebApp, Database, Admin).
az network vnet create --name "MyVNet" --resource-group "MyResourceGroup" --location eastus --address-prefixes 10.0.0.0/16 --subnet-name "WebAppSubnet" --subnet-prefixes 10.0.1.0/24o Use the Azure Portal or Azure CLI to create an Azure VPN Gateway. o Define the necessary settings, including the on-premises VPN device settings (IP address, shared key, etc.).
az network vnet-gateway create --name "MyVpnGateway" --resource-group MyResourceGroup --vnet "MyVNet" --public-ip-address "MyPublicIP" --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2o For example, deploy a web server VM in the WebApp subnet, a database server in the Database subnet, and an admin server in the Admin subnet.
az vm create --resource-group "MyResourceGroup" --name WebServer --image UbuntuLTS --admin-username "azureuser" --generate-ssh-keys --vnet-name "MyVNet" --subnet "WebAppSubnet"o Define inbound and outbound rules to allow only necessary traffic. For instance, allow HTTP/HTTPS traffic to the WebApp subnet and restrict other protocols.
az network nsg create --resource-group "MyResourceGroup" --name "WebAppNSG"and then
az network nsg rule create --resource-group "MyResourceGroup" --nsg-name "WebAppNSG" --name AllowHTTP --priority 100 --source-address-prefixes '*' --destination-port-ranges 80 --access Allow --protocol Tcpaz network bastion create --name "MyBastion" --public-ip-address "MyPublicIP" --resource-group "MyResourceGroup" --vnet-name "MyVNet"o Azure Bastion provides secure RDP and SSH access to VMs without exposing them to the public internet. Ensure you have an SSH key for added security.
az backup vault create --resource-group "MyResourceGroup" --name "MyRecoveryVault" --location "MyLocation"o Configure backup policies for VMs within your VNet. This ensures secure backups and reliable data recovery even if production servers are compromised.
az backup protection enable-for-vm --resource-group "MyResourceGroup" --vault-name "MyRecoveryVault" --vm "MyVM" --policy-name DefaultPolicy