Fixed hubspoke gateway

PowerShellCrack · PowerShellCrack · commit b0f082365fa9 · 2022-02-24T10:02:34.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Change log for AzureSite2SiteVPNLab
 
+
+## 1.4.1 - February 24, 2022
+
+- Added Gateway transit and Remote gateway's settings for peering; fixes communications from onprem to spoke vnet
+- Added VM additional parmas for site 1 and 2. Fixed OSType error and domain join creds issue.
+-
+
 ## 1.4.1 - February 18, 2022
 
 - Fixed VnetSpoke subnet address on 3B-1 and 2 scripts; was calling an array not a single subnet. Future developments will support multiple subnets
diff --git a/Step 3B-1. Build Azure Advanced S2S - Region 1.ps1 b/Step 3B-1. Build Azure Advanced S2S - Region 1.ps1
@@ -16,10 +16,19 @@
         7. attach public ip to gateway
         8. Create the VPN gateway
         9. Create the local network gateway
-        10. Create the VPN connection
-        11. Build VyOS VPN Configuration
-        12. Applies VyOS configurations
-        13. Check VPN connection
+        10. Update gateway transit in peering
+        11. Create the VPN connection
+        12. Build VyOS VPN Configuration
+        13. Applies VyOS configurations
+        14. Check VPN connection
+
+
+        TODO:
+
+        - Clean routes in vyos before adding
+        - Add Routetable in azure back to onprem
+
+#
 #>
 $ErrorActionPreference = "Stop"
 #Requires -Modules Az.Accounts,Az.Resources,Az.Network
@@ -301,7 +310,6 @@ Else{
 }
 #endregion
 
-
 #region 8. Setup LNG connection
 $LNGBGPParams=@{}
 If($UseBGP){
@@ -343,6 +351,36 @@ Else{
 #endregion
 
 
+#https://docs.microsoft.com/en-us/powershell/module/azurerm.network/set-azurermvirtualnetworkpeering?view=azurermps-6.13.0
+Write-Host ("Enabling Gateway transit setting for vnet [{0}]..." -f $AzureAdvConfigSiteA.VnetPeerNameAB) -ForegroundColor White -NoNewline
+Try{
+    $HubvNetPeering = Get-AzVirtualNetworkPeering -VirtualNetworkName $vNetA.Name -ResourceGroupName $AzureAdvConfigSiteA.ResourceGroupName -Name $AzureAdvConfigSiteA.VnetPeerNameAB
+    # Change AllowGatewayTransit property
+    $HubvNetPeering.AllowGatewayTransit = $True
+    # Update the virtual network peering
+    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $HubvNetPeering | Out-Null
+    Write-Host "Done" -ForegroundColor Green
+}
+Catch{
+    Write-Host ("Failed: {0}" -f $_.Exception.message) -ForegroundColor Black -BackgroundColor Red
+}
+
+
+Write-Host ("Enabling Remote Gateway and Traffic forwarding settings for vnet [{0}]..." -f $AzureAdvConfigSiteA.VnetPeerNameBA) -ForegroundColor White -NoNewline
+Try{
+    $SpokevNetPeering = Get-AzVirtualNetworkPeering -VirtualNetworkName $vNetB.name -ResourceGroupName $AzureAdvConfigSiteA.ResourceGroupName -Name $AzureAdvConfigSiteA.VnetPeerNameBA
+    # Change the UseRemoteGateways property
+    $SpokevNetPeering.UseRemoteGateways = $True
+    # Change value of AllowForwardedTraffic property
+    $SpokevNetPeering.AllowForwardedTraffic = $True
+    # Update the virtual network peering
+    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $SpokevNetPeering | Out-Null
+    Write-Host "Done" -ForegroundColor Green
+}
+Catch{
+    Write-Host ("Failed: {0}" -f $_.Exception.message) -ForegroundColor Black -BackgroundColor Red
+}
+
 #region 9. Create the VPN connection
 $currentGwConnection = Get-AzVirtualNetworkGatewayConnection -Name $AzureAdvConfigSiteA.ConnectionName `
             -ResourceGroupName $AzureAdvConfigSiteA.ResourceGroupName -ErrorAction SilentlyContinue
@@ -419,7 +457,8 @@ If($VyOSConfig.ResetVPNConfigs){
     $VyOSFinal += @"
 #delete current configurations
 delete vpn ipsec
-delete protocols bgp
+delete protocols
+delete nat
 `n
 "@
 }
@@ -516,6 +555,17 @@ set nat source rule $($RuleID) source address '$($VyOSConfig.LocalCIDRPrefix)'
 "@
 }
 
+#If reset is true, all NAT configs will be delete; need to re-add this one
+If($VyOSConfig.EnableNAT -and $VyOSConfig.ResetVPNConfigs){
+    $VyOSLanCmd += @"
+
+#Enable NAT Configuration
+set nat source rule 100 outbound-interface eth0
+set nat source rule 100 source address '$($VyOSConfig.LocalCIDRPrefix)'
+set nat source rule 100 translation address masquerade
+"@
+}
+
 If($VyOSConfig.ResetVPNConfigs){
     $VyOSFinal += @"
 `n
diff --git a/Step 3B-2. Build Azure Advanced S2S - Region 2.ps1 b/Step 3B-2. Build Azure Advanced S2S - Region 2.ps1
@@ -289,6 +289,37 @@ Else{
 #endregion
 
 
+#https://docs.microsoft.com/en-us/powershell/module/azurerm.network/set-azurermvirtualnetworkpeering?view=azurermps-6.13.0
+Write-Host ("Enabling Gateway transit setting for vnet [{0}]..." -f $AzureAdvConfigSiteB.VnetPeerNameAB) -ForegroundColor White -NoNewline
+Try{
+    $HubvNetPeering = Get-AzVirtualNetworkPeering -VirtualNetworkName $vNetA.Name -ResourceGroupName $AzureAdvConfigSiteB.ResourceGroupName -Name $AzureAdvConfigSiteB.VnetPeerNameAB
+    # Change AllowGatewayTransit property
+    $HubvNetPeering.AllowGatewayTransit = $True
+    # Update the virtual network peering
+    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $HubvNetPeering | Out-Null
+    Write-Host "Done" -ForegroundColor Green
+}
+Catch{
+    Write-Host ("Failed: {0}" -f $_.Exception.message) -ForegroundColor Black -BackgroundColor Red
+}
+
+
+Write-Host ("Enabling Remote Gateway and Traffic forwarding settings for vnet [{0}]..." -f $AzureAdvConfigSiteB.VnetPeerNameBA) -ForegroundColor White -NoNewline
+Try{
+    $SpokevNetPeering = Get-AzVirtualNetworkPeering -VirtualNetworkName $vNetB.name -ResourceGroupName $AzureAdvConfigSiteB.ResourceGroupName -Name $AzureAdvConfigSiteB.VnetPeerNameBA
+    # Change the UseRemoteGateways property
+    $SpokevNetPeering.UseRemoteGateways = $True
+    # Change value of AllowForwardedTraffic property
+    $SpokevNetPeering.AllowForwardedTraffic = $True
+    # Update the virtual network peering
+    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $SpokevNetPeering | Out-Null
+    Write-Host "Done" -ForegroundColor Green
+}
+Catch{
+    Write-Host ("Failed: {0}" -f $_.Exception.message) -ForegroundColor Black -BackgroundColor Red
+}
+
+
 #region 9. Create the VPN connection
 $currentGwConnection = Get-AzVirtualNetworkGatewayConnection -Name $AzureAdvConfigSiteB.ConnectionName `
             -ResourceGroupName $AzureAdvConfigSiteB.ResourceGroupName -ErrorAction SilentlyContinue
@@ -328,9 +359,12 @@ Elseif( $null -eq $currentGwConnection)
 Else{
     Write-Host ("Gateway is not connected! ") -ForegroundColor Red -NoNewline
     If($VyOSConfig['ResetVPNConfigs'] -eq $false){
+        Write-Host "==========================================" -ForegroundColor Black -BackgroundColor Red
+        Write-Host " WARNING THIS WILL BREAK REGION 1 CONFIGS " -ForegroundColor Black -BackgroundColor Red
+        Write-Host "==========================================" -ForegroundColor Black -BackgroundColor Red
         $ReconfigureVpn = Read-host "Would you like to re-run the router configurations? [Y or N]"
     }
-    If( ($ReconfigureVpn -eq 'Y') -or ($VyOSConfig['ResetVPNConfigs'] -eq $true) )
+    If( ($ReconfigureVpn -eq 'Y') )
     {
         Write-Host ("Attempting to update vyos router vpn configurations to use Azure's public IP [{0}]..." -f $azpip.IpAddress) -ForegroundColor Yellow
         $Global:RegionBSharedPSK = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $AzureAdvConfigSiteB.ConnectionName -ResourceGroupName $AzureAdvConfigSiteB.ResourceGroupName
@@ -364,8 +398,9 @@ configure
 If($VyOSConfig.ResetVPNConfigs){
     $VyOSFinal += @"
 #delete current configurations
-delete vpn ipsec
-delete protocols bgp
+delete vpn
+delete protocols
+delete nat
 `n
 "@
 }
@@ -461,6 +496,17 @@ set nat source rule $($RuleID) source address '$($VyOSConfig.LocalCIDRPrefix)'
 "@
 }
 
+#If reset is true, all NAT configs will be delete; need to re-add this one
+If($VyOSConfig.EnableNAT -and $VyOSConfig.ResetVPNConfigs){
+    $VyOSLanCmd += @"
+
+#Enable NAT Configuration
+set nat source rule 100 outbound-interface eth0
+set nat source rule 100 source address '$($VyOSConfig.LocalCIDRPrefix)'
+set nat source rule 100 translation address masquerade
+"@
+}
+
 $VyOSFinal += @"
 
 commit
diff --git a/Step 3B-3. Connect Azure Advanced S2S Regions.ps1 b/Step 3B-3. Connect Azure Advanced S2S Regions.ps1
@@ -65,6 +65,8 @@ Catch{
     Break
 }
 
+
+
 # check BGP ip address
 If($UseBGP){
     $gateway1.BgpSettingsText
diff --git a/Step 4A-1. Build Azure VM.ps1 b/Step 4A-1. Build Azure VM.ps1
@@ -54,13 +54,13 @@
 
     .EXAMPLE
 
-    & '.\Step 4A-1. Build Azure VM.ps1' -VMName DTOLAB-WK21 -OSType Workstation -JoinDomain -Domain CONTOSO.local -Credentials (Get-Credential)
+    & '.\Step 4A-1. Build Azure VM.ps1' -VMName CONTOSO-WK1 -OSType Workstation -JoinDomain -Domain CONTOSO.local -DomainJoinCreds (Get-Credential)
 
     RESULT: Builds a Windows 10 VM named CONTOSO-WK1 and attempts to join it to domain CONTOSO.local using credentials
 
     .EXAMPLE
 
-    & '.\Step 4A-1. Build Azure VM.ps1' -VMName DTOLAB-WK21 -OSType Workstation -JoinDomain -Domain CONTOSO.local -Credentials (Get-Credential) -OU "OU=Workstations,OU=Region1,DC=CONTOSO,DC=LOCAL"
+    & '.\Step 4A-1. Build Azure VM.ps1' -VMName CONTOSO-WK1 -OSType Workstation -JoinDomain -Domain CONTOSO.local -DomainJoinCreds (Get-Credential) -OU "OU=Workstations,OU=Region1,DC=CONTOSO,DC=LOCAL"
 
     RESULT: Builds a Windows 10 VM named CONTOSO-WK1 and attempts to join it to domain CONTOSO.local in Region 1 workstation OU using credentials
 
@@ -71,7 +71,7 @@ Param(
     [string]$VMName,
 
     [ValidateSet('Workstation', 'Server')]
-    [string]$OSType,
+    [string]$OSType = 'Server',
 
     [Parameter(ParameterSetName = 'JoinDomain')]
     [switch]$SecureVM,
@@ -87,7 +87,7 @@ Param(
     [string]$OU,
 
     [Parameter(Mandatory = $true,ParameterSetName = 'JoinDomain')]
-    [SecureString]$Credentials
+    [System.Management.Automation.PSCredential]$DomainJoinCreds
 )
 
 $ErrorActionPreference = "Stop"
@@ -272,30 +272,29 @@ $VMConfig = Set-AzVMOperatingSystem -VM $VMConfig -Windows -ComputerName $AzureS
 $VMConfig = Add-AzVMNetworkInterface -VM $VMConfig -Id $NIC.Id
 
 #Set VM operating system parameters
-Switch($OSType){
-
-    'Workstation' {
-        $VMConfig = Set-AzVMSourceImage -VM $VMConfig `
-            -PublisherName 'MicrosoftWindowsDesktop' `
-            -Offer 'Windows-10' `
-            -Skus 'rs5-enterprise' `
-            -Version latest
-    }
-    'Server'      {
-        $VMConfig = Set-AzVMSourceImage -VM $VMConfig `
-            -PublisherName 'MicrosoftWindowsServer' `
-            -Offer 'WindowsServer' `
-            -Skus '2016-Datacenter' `
-            -Version latest
-    }
-    default {
-        $VMConfig = Set-AzVMSourceImage -VM $VMConfig `
-            -PublisherName 'MicrosoftWindowsServer' `
-            -Offer 'WindowsServer' `
-            -Skus '2016-Datacenter' `
-            -Version latest
+If($OSType){
+    Switch($OSType){
+
+        'Workstation' {
+            $VMConfig = Set-AzVMSourceImage -VM $VMConfig `
+                -PublisherName 'MicrosoftWindowsDesktop' `
+                -Offer 'Windows-10' `
+                -Skus 'rs5-enterprise' `
+                -Version latest
+        }
+        'Server'      {
+            $VMConfig = Set-AzVMSourceImage -VM $VMConfig `
+                -PublisherName 'MicrosoftWindowsServer' `
+                -Offer 'WindowsServer' `
+                -Skus '2016-Datacenter' `
+                -Version latest
+        }
     }
 }
+Else{
+    $VMConfig = Set-AzVMSourceImage -VM $VMConfig -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2016-Datacenter' -Version latest
+}
+
 
 
 
@@ -347,7 +346,6 @@ If($SecureVM){
         }
         Catch{
             Write-Host ("Failed: {0}" -f $_.Exception.message) -ForegroundColor Black -BackgroundColor Red
-            Break
         }
     }
     Else{
@@ -371,58 +369,21 @@ If($SecureVM){
     # Advisor Recommendation (Medium): Windows Defender Exploit Guard should be enabled on machines
     # Advisor Recommendation (Low): Azure Backup should be enabled for virtual machines
 }
-#region Reset VM password (Not working)
-<#
-#Re-reset password. Sometimes password set during deployment does not work
-$VM = Get-AzVM -ResourceGroupName $AzureSimpleConfig.ResourceGroupName -Name $AzureSimpleVM.Name
-
-Get-AzVM -ResourceGroupName $AzureSimpleConfig.ResourceGroupName -VMName $AzureSimpleVM.Name -Status
-#must grab the VM Computer Type handler
-$typeParams = @{
- 'PublisherName' = 'Microsoft.Compute'
- 'Type' = 'VMAccessAgent'
- 'Location' = $AzureSimpleConfig.LocationName
-}
-$typeHandlerVersion = (Get-AzVMExtensionImage @typeParams | Sort-Object Version -Descending | Select-Object -first 1).Version
-
-#remove the access extension
-Remove-AzVMAccessExtension -ResourceGroupName $AzureSimpleConfig.ResourceGroupName -VMName $AzureSimpleVM.Name -Name 'enablevmaccess' -Force
-
-#build params
-$extensionParams = @{
-    Credential = $Credential
-    VMName = $AzureSimpleVM.Name
-    ResourceGroupName = $AzureSimpleConfig.ResourceGroupName
-    Name = 'enablevmaccess'
-    Location = $AzureSimpleConfig.LocationName
-    TypeHandlerVersion = $typeHandlerVersion
-}
-#add enablevmaccess back with new creds
-Set-AzVMAccessExtension @extensionParams
-#Set-AzVMAccessExtension -Credential $Credential -ResourceGroupName $AzureSimpleConfig.ResourceGroupName -VMName $AzureSimpleVM.Name `
-            -Name 'enablevmaccess' -TypeHandlerVersion $typeHandlerVersion -Location $AzureSimpleConfig.LocationName
-Update-AzVM -ResourceGroupName $AzureSimpleConfig.ResourceGroupName -VM $VM
-Restart-AzVM -ResourceGroupName $AzureSimpleConfig.ResourceGroupName -Name $AzureSimpleVM.Name
-
-#Reset the Remote Desktop Services configuration
-#Set-AzVMAccessExtension -ResourceGroupName $AzureSimpleConfig.ResourceGroupName -VMName $AzureSimpleVM.Name -Name "VMRDPAccess" `
-            -Location $AzureSimpleConfig.LocationName -typeHandlerVersion "2.0" -ForceRerun:$true
-#>
-#endregion
+
 
 If($JoinDomain){
     #https://docs.microsoft.com/en-us/powershell/module/az.compute/set-azvmaddomainextension?view=azps-7.1.0
     If($OU){
         $DomainParams = @{
             DomainName=$Domain
-            Credential=$credential
+            Credential=$DomainJoinCreds
             JoinOption=0x00000001
             OUPath=$OU
         }
     }Else{
         $DomainParams = @{
             DomainName=$Domain
-            Credential=$credential
+            Credential=$DomainJoinCreds
             JoinOption=0x00000001
         }
     }
@@ -437,8 +398,8 @@ If($JoinDomain){
 
 }
 
-
-Write-Host ("Done creating virtual machine [{0}]" -f $AzureSimpleVM.Name) -ForegroundColor Green
-Write-Host "=================================================" -ForegroundColor Green
+Write-Host "=================================================" -ForegroundColor Black -BackgroundColor Green
+Write-Host (" Done creating virtual machine [{0}]" -f $AzureSimpleVM.Name) -ForegroundColor Black -BackgroundColor Green
+Write-Host "=================================================" -ForegroundColor Black -BackgroundColor Green
 
 Stop-Transcript
diff --git a/Step 4B-1. Build Azure VM - Region 1.ps1 b/Step 4B-1. Build Azure VM - Region 1.ps1
diff --git a/Step 4B-2. Build Azure VM - Region 2.ps1 b/Step 4B-2. Build Azure VM - Region 2.ps1

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,8 @@ Catch{`
`65`	`65`	`Break`
`66`	`66`	`}`
`67`	`67`
	`68`	`+`
	`69`	`+`
`68`	`70`	`# check BGP ip address`
`69`	`71`	`If($UseBGP){`
`70`	`72`	`$gateway1.BgpSettingsText`