# AZ - 700 Lab 2

# M02-Unit 3 Create and configure a virtual network gateway

## Scenario

You will configure a VPN gateway to securely connect **CoreServicesVnet** (East US) and **ManufacturingVnet** (North Europe) using VNet-to-VNet VPN.

* Task 1: Create CoreServicesVnet and ManufacturingVnet
    
* Task 2: Create CoreServicesVM
    
* Task 3: Create ManufacturingVM
    
* Task 4: Connect to the VMs using RDP
    
* Task 5: Test the connection between the VMs
    
* Task 6: Create CoreServicesVnet Gateway
    
* Task 7: Create ManufacturingVnet Gateway
    
* Task 8: Connect CoreServicesVnet to ManufacturingVnet
    
* Task 9: Connect ManufacturingVnet to CoreServicesVnet
    
* Task 10: Verify that the connections connect
    
* Task 11: Test the connection between the VMs
    

For more information, click the image below:

[![Diagram of virtual network gateway.](https://github.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/raw/master/Instructions/media/3-exercise-create-configure-local-network-gateway.png align="left")](https://github.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/blob/master/Instructions/Exercises/M02-Unit%203%20Create%20and%20configure%20a%20virtual%20network%20gateway.md)

### Task 1: Create CoreServicesVnet and ManufacturingVnet

1. Open **Cloud Shell** in the Azure portal and select **PowerShell**.
    
2. Upload: `azuredeploy.json` and `azuredeploy.parameters.json`
    
3. Run:
    

```powershell
$RGName = "ContosoResourceGroup"
New-AzResourceGroup -Name $RGName -Location "eastus"
New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile azuredeploy.json -TemplateParameterFile azuredeploy.parameters.json
```

---

### Task 2 & 3: Create CoreServicesVM and ManufacturingVM

1. Upload: `CoreServicesVMazuredeploy.json` and `ManufacturingVMazuredeploy.json`
    
2. Run (for each):
    

```powershell
New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile <template>.json -TemplateParameterFile <parameters>.json
```

For example, for ManufacturingVM:

```powershell
$RGName = "ContosoResourceGroup" 
New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile ManufacturingVMazuredeploy.json -TemplateParameterFile ManufacturingVMazuredeploy.parameters.json
```

### Task 4: Connect to VMs Using RDP

1. In Azure Portal, go to **Virtual Machines**.
    
2. Select each VM, click **Connect > RDP**, download and open the file.
    
3. Log in with:
    
    * Username: TestUser
        
    * Password: (used during deployment)
        
4. Accept privacy settings and select **Yes** on network prompt.
    
5. On **CoreServicesVM**, run:
    
    ```powershell
    ipconfig
    ```
    
    * Note the IPv4 address.
        

### Task 5: Test Initial Connection (Should Fail)

1. On **ManufacturingVM**, run:
    
    ```powershell
    Test-NetConnection <CoreServicesVM_IP> -Port 3389
    ```
    
    * Connection should fail.
        

![Test-NetConnection failed.](https://raw.githubusercontent.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/master/Instructions/media/test-netconnection-fail.png align="left")

### Task 6: Create CoreServicesVnet Gateway

1. Go to **Virtual Network Gateways** > **\+ Create**.
    
2. Use the following settings:
    
    * Name: CoreServicesVnetGateway
        
    * Region: East US
        
    * Gateway type: VPN
        
    * SKU: VpnGw1
        
    * Generation: 1
        
    * Virtual Network: CoreServicesVnet
        
    * Subnet: GatewaySubnet (10.20.0.0/27)
        
    * Public IP: Create new → Name: CoreServicesVnetGateway-ip (disable active-active mode)
        

---

### Task 7: Create ManufacturingVnet Gateway

1. In ManufacturingVnet, go to **Subnets** > **\+ Subnet**.
    
    * Purpose: GatewaySubnet
        
    * Size: /27
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746132886108/bd9f2587-9a82-46e2-9203-1e3c8e22c83b.png align="center")

2. Then create the gateway:
    
    * Name: ManufacturingVnetGateway
        
    * Region: North Europe (required so that ManufacturingVnet can be selected)
        
    * Same settings as above
        
    * Public IP name: ManufacturingVnetGateway-ip (disable active-active)
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746133198375/0b9a8df1-5a21-4351-87ad-37217317e2df.png align="center")

### Task 8: Connect CoreServicesVnet to ManufacturingVnet

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746133583071/06ff6f44-3589-48f7-94fb-a397addc8f45.png align="center")

1. Go to **CoreServicesVnetGateway** > **Connections** > **\+ Add**.
    
2. Use these settings:
    
    * Name: CoreServicesGW-to-ManufacturingGW
        
    * Connection type: VNet-to-VNet
        
    * First Vnet Gateway: CoreServicesVnetGateway
        
    * Second Vnet Gateway: ManufacturingVnetGateway
        
    * Shared key: abc123
        
    * Protocol: IKEv2
        
    * Region: East US
        

### Task 9: Connect ManufacturingVnet to CoreServicesVnet

1. Go to **ManufacturingVnetGateway** > **Connections** > **\+ Add**.
    
2. Use:
    
    * Name: ManufacturingGW-to-CoreServicesGW
        
    * Connection type: VNet-to-VNet
        
    * First Vnet Gateway: ManufacturingVnetGateway
        
    * Second Gateway: CoreServicesVnetGateway
        
    * Shared key: abc123
        
    * Region: North Europe
        

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746137331427/ed9e53cc-532e-4111-9de0-be07cd13662e.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746137427093/3a817fd9-f417-477c-8406-9376b9f1e78b.png align="center")

### Task 10: Verify VPN Connection

1. Go to **Connections** in Azure portal.
    
2. Refresh until both connections show **Connected**.
    

![VPN Gateway connections successfully created.](https://raw.githubusercontent.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/master/Instructions/media/connections-status-connected.png align="left")
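The shared key is the only secret authenticating the two gateways to each other, so outside a disposable lab it should be long and random rather than a short guessable string. The script below is an added example, not part of the original lab: it performs Tasks 8 to 10 from Cloud Shell with a randomly generated key. It assumes both gateways were created in `ContosoResourceGroup`; the variable names are illustrative.

```powershell
$RGName = "ContosoResourceGroup"   # assumption: both gateways live in this resource group

# Generate 32 random bytes from the OS CSPRNG and hex-encode them
# (64 printable ASCII characters, no special characters to escape).
$bytes = [byte[]]::new(32)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$SharedKey = -join ($bytes | ForEach-Object { $_.ToString("x2") })

# Look up the two gateways created in Tasks 6 and 7.
$coreGw = Get-AzVirtualNetworkGateway -Name "CoreServicesVnetGateway" -ResourceGroupName $RGName
$mfgGw  = Get-AzVirtualNetworkGateway -Name "ManufacturingVnetGateway" -ResourceGroupName $RGName

# Task 8: CoreServicesVnet -> ManufacturingVnet (connection lives in East US).
New-AzVirtualNetworkGatewayConnection -Name "CoreServicesGW-to-ManufacturingGW" `
    -ResourceGroupName $RGName -Location "eastus" `
    -VirtualNetworkGateway1 $coreGw -VirtualNetworkGateway2 $mfgGw `
    -ConnectionType Vnet2Vnet -ConnectionProtocol IKEv2 -SharedKey $SharedKey

# Task 9: ManufacturingVnet -> CoreServicesVnet (connection lives in North Europe).
# The same key must be used on both sides or the tunnel will not come up.
New-AzVirtualNetworkGatewayConnection -Name "ManufacturingGW-to-CoreServicesGW" `
    -ResourceGroupName $RGName -Location "northeurope" `
    -VirtualNetworkGateway1 $mfgGw -VirtualNetworkGateway2 $coreGw `
    -ConnectionType Vnet2Vnet -ConnectionProtocol IKEv2 -SharedKey $SharedKey

# Drop the key from the session once both connections exist.
Remove-Variable SharedKey, bytes

# Task 10: report the status of each connection (expect "Connected" after a few minutes).
foreach ($name in "CoreServicesGW-to-ManufacturingGW", "ManufacturingGW-to-CoreServicesGW") {
    $conn = Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $RGName
    "{0}: {1}" -f $conn.Name, $conn.ConnectionStatus
}
```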

### Task 11: Test Final Connection

1. On **ManufacturingVM**, run:
    
    ```powershell
    Test-NetConnection <CoreServicesVM_IP> -Port 3389
    ```
    
    * Connection should succeed.
        

![Test-NetConnection succeeded.](https://raw.githubusercontent.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/master/Instructions/media/test-connection-succeeded.png align="left")

## Clean Up Resources

To delete the resources, run:

```powershell
Remove-AzResourceGroup -Name 'ContosoResourceGroup' -Force -AsJob
```

## Extend Your Learning

Try these prompts in Microsoft Copilot:

1. What are the types of Azure VPN gateways? Azure supports **three main types** of VPN gateway configurations:
    

| **Type** | **Purpose** |
| --- | --- |
| **Site-to-Site (S2S)** | Connects on-premises network to an Azure VNet using IPsec/IKE tunnel. |
| **Point-to-Site (P2S)** | Allows individual clients (e.g., remote workers) to connect to Azure. |
| **VNet-to-VNet** | Connects two or more Azure VNets together securely. |

You can mix S2S, P2S, and VNet-to-VNet on the same gateway (with compatible SKUs).

2. How do VPN gateway SKUs differ? Azure VPN Gateway SKUs differ by **performance, features, and pricing**. Key differences include:
    

| **SKU** | **Max Throughput** | **Max S2S Tunnels** | **P2S Support** | **BGP** | **Active-Active** | **Zone-Redundant** |
| --- | --- | --- | --- | --- | --- | --- |
| Basic | ~100 Mbps | 10 | No | No | No | No |
| VpnGw1 | ~650 Mbps | 30 | Yes | Yes | Yes | No |
| VpnGw2 | ~1 Gbps | 30 | Yes | Yes | Yes | No |
| VpnGw3 | ~1.25 Gbps | 30 | Yes | Yes | Yes | Yes |
| VpnGw4/5 | 5–10 Gbps+ | 100+ | Yes | Yes | Yes | Yes |
| ErGw1–3 | Used for **ExpressRoute**, not VPN connections. |  |  |  |  |  |

**Tip:** Choose based on **bandwidth needs**, **tunnel count**, and **features** like BGP or zone redundancy.

3. What are the costs for Azure VPN gateways? Azure VPN Gateway pricing depends on:
    
    * **SKU selected** (Basic, VpnGw1, etc.)
        
    * **Data transfer** (ingress is free; egress has cost)
        
    * **Time-based billing** (hourly rate)
        
    * **Optional features** (e.g., zone redundancy)
        
    
    #### **Example (as of 2024 – subject to change):**
    
    | **SKU** | **Approx. Cost/Hour** |
    | --- | --- |
    | Basic | ~$0.04/hr |
    | VpnGw1 | ~$0.09/hr |
    | VpnGw2 | ~$0.20/hr |
    | VpnGw3 | ~$0.35/hr |
    | VpnGw5 | ~$1.25/hr |
    

## Key Takeaways

* Azure VPN Gateway provides secure cross-region or hybrid connectivity using IPsec/IKE.
    
* VNet-to-VNet connections require gateways in each VNet and shared keys for IPsec tunnels.
    
* Bidirectional configuration is necessary.
    
* Different SKUs provide different performance levels and costs.
    

---

# **M02 - Unit 7: Create a Virtual WAN Using Azure Portal**

## **Scenario**

In this exercise, you’ll create a **Virtual WAN** for Contoso, including a **hub** and a **VNet connection**. Click on the image below for more information:

[![Diagram of virtual network WAN architecture.](https://github.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/raw/master/Instructions/media/7-exercise-create-virtual-wan-by-using-azure-portal.png align="left")](https://github.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/blob/master/Instructions/Exercises/M02-Unit%207%20Create%20a%20Virtual%20WAN%20by%20using%20Azure%20Portal.md)

## **Tasks**

* Task 1: Create a Virtual WAN
    
* Task 2: Create a hub by using Azure Portal
    
* Task 3: Connect a VNet to the Virtual Hub
    

### **Task 1: Create a Virtual WAN**

![Search for Virtual WAN in Azure Portal.](https://raw.githubusercontent.com/MicrosoftLearning/AZ-700-Designing-and-Implementing-Microsoft-Azure-Networking-Solutions/master/Instructions/media/search-for-virtual-wan.png align="left")

1. Go to the **Azure Portal**.
    
2. Search for **Virtual WANs** and select **\+ Create**.
    
3. On the **Basics** tab, fill in:
    
    * **Subscription**: (Use existing)
        
    * **Resource Group**: ContosoResourceGroup
        
    * **Location**: Any region (WAN is global, but region needed for resource placement)
        
    * **Name**: ContosoVirtualWAN
        
    * **Type**: Standard
        
4. Select **Review + Create**, then **Create**.
    

### **Task 2: Create a Virtual Hub**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746138629410/d46441d6-699b-494e-b2c5-4cd937ade859.png align="center")

1. Open the **ContosoVirtualWAN** you created.
    
2. Under **Connectivity**, select **Hubs** > **\+ New Hub**.
    
3. On the **Basics** tab:
    
    * **Region**: West US
        
    * **Name**: ContosoVirtualWANHub-WestUS
        
    * **Hub private address space**: 10.60.0.0/24
        
    * **Capacity**: 2 Routing infrastructure units
        
    * Leave routing preference as default.
        
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746138744281/e35cd72f-eecd-4ac0-b4b9-ea73f532c3a7.png align="center")
    
4. Go to the **Site-to-site** tab:
    
    * **Create Site-to-site VPN Gateway**: Yes
        
    * **Gateway scale units**: 2
        
    * Leave AS number and routing preference as default.
        
5. Click **Review + Create**, then **Create**.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746138773421/046e2db0-26bd-4ada-a05f-858438ae5749.png align="center")

> Note: VPN gateway creation can take up to 30 minutes.

### **Task 3: Connect a VNet to the Virtual Hub**

1. Go to the **ContosoVirtualWAN** > **Virtual network connections** > **\+ Add connection**.
    
2. Fill in:
    
    * **Connection name**: ContosoVirtualWAN-to-ResearchVNet
        
    * **Hub**: ContosoVirtualWANHub-WestUS
        
    * **Subscription**: (No change)
        
    * **Resource Group**: ContosoResourceGroup
        
    * **Virtual network**: ResearchVNet
        
    * **Propagate to none**: Yes
        
    * **Associate Route Table**: Default
        
3. Select **Create**.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746141222719/4a53c361-af15-419a-a855-6a9ab3c3106d.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1746141268603/422bd961-1cc8-48a0-a560-5349464d96ec.png align="center")

## **Clean Up Resources**

In **Cloud Shell**, run:

```powershell
Remove-AzResourceGroup -Name 'ContosoResourceGroup' -Force -AsJob
```

## **Extend Your Learning with Copilot**

Try these questions at [copilot.microsoft.com](https://copilot.microsoft.com):

1. What type of network architecture does Azure VWAN use? Azure Virtual WAN uses a **hub-and-spoke architecture**.
    
    * The **hub** is a Microsoft-managed virtual network that acts as a central point for connectivity.
        
    * **Spokes** include VNets, branch offices (via site-to-site VPN), remote users (via point-to-site VPN), and ExpressRoute circuits.
        
    * Traffic between spokes flows through the hub using Microsoft’s **global backbone**, enabling optimized, scalable, and secure routing.
        
2. What are the differences between Azure VWAN Basic and Standard?
    

| **Feature** | **Basic** | **Standard** |
| --- | --- | --- |
| Site-to-Site VPN | ✅ Yes | ✅ Yes |
| Point-to-Site VPN | ❌ No | ✅ Yes |
| ExpressRoute support | ❌ No | ✅ Yes |
| VNet-to-VNet via Hub | ❌ No | ✅ Yes |
| Inter-region hub connectivity | ❌ No | ✅ Yes |
| Custom routing (route tables) | ❌ No | ✅ Yes |

* **Use Basic** for simple S2S VPN-only deployments.
    
* **Use Standard** for full enterprise, hybrid, or global network integration.
    

3. Can I create an Azure VWAN using scripting tools? Yes. Azure VWAN supports deployment via:
    

* **Azure CLI**
    

```powershell
az network vwan create --name ContosoVirtualWAN --resource-group ContosoResourceGroup --location eastus --type Standard
```

* **Azure PowerShell**
    

```powershell
New-AzVirtualWan -ResourceGroupName "ContosoResourceGroup" -Name "ContosoVirtualWAN" -Location "East US" -VirtualWANType "Standard"
```

## **Key Takeaways**

* **Azure Virtual WAN** simplifies global connectivity using a **hub-and-spoke** architecture.
    
* **Use cases** include: Site-to-Site, Point-to-Site, and ExpressRoute.
    
* **Basic VWAN** supports only Site-to-Site VPN.
    
* **Standard VWAN** supports all scenarios, including enhanced routing, hubs, and multiple VPN types.
