Merge pull request #185624 from reasuquo/newdoc

denrea · web-flow · commit 9992facabd19 · 2022-01-20T15:47:45.000-08:00
newarticle
diff --git a/articles/virtual-wan/TOC.yml b/articles/virtual-wan/TOC.yml
@@ -128,7 +128,11 @@
     - name: Configure custom IPsec policy
       href: virtual-wan-custom-ipsec-portal.md
     - name: Configure NAT rules
-      href: nat-rules-vpn-gateway.md
+      items:
+      - name: Azure portal
+        href: nat-rules-vpn-gateway.md
+      - name: Azure PowerShell
+        href: nat-rules-vpn-gateway-powershell.md
   - name: User VPN (point-to-site)
     items:
     - name: Create User VPN
diff --git a/articles/virtual-wan/nat-rules-vpn-gateway-powershell.md b/articles/virtual-wan/nat-rules-vpn-gateway-powershell.md
@@ -0,0 +1,113 @@
+---
+title: 'Configure VPN NAT rules for your gateway using PowerShell'
+titleSuffix: Azure Virtual WAN
+description: Learn how to configure NAT rules for your VWAN VPN gateway using PowerShell.
+services: virtual-wan
+author: reasuquo
+ms.service: virtual-wan
+ms.topic: how-to
+ms.date: 01/20/2022
+ms.author: reasuquo
+
+---
+
+# Configure NAT Rules for your Virtual WAN VPN gateway using PowerShell
+
+You can configure your Virtual WAN VPN gateway with static one-to-one NAT rules. A NAT rule provides a mechanism to set up one-to-one translation of IP addresses. NAT can be used to interconnect two IP networks that have incompatible or overlapping IP addresses. A typical scenario is branches with overlapping IPs that want to access Azure VNet resources.
+
+This configuration uses a flow table to route traffic from an external (host) IP Address to an internal IP address associated with an endpoint inside a virtual network (virtual machine, computer, container, etc.). In order to use NAT, VPN devices need to use any-to-any (wildcard) traffic selectors. Policy Based (narrow) traffic selectors are not supported in conjunction with NAT configuration.
+
+## Prerequisites
+
+* Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) or sign up for a [free account](https://azure.microsoft.com/pricing/free-trial).
+* This tutorial will create a NAT rule on a VpnGateway which will be associated with a VpnSiteConnection, so this assumes you have an existing VpnGateway connection to two branches with overlapping address spaces.
+
+### Azure PowerShell
+
+[!INCLUDE [PowerShell](../../includes/vpn-gateway-cloud-shell-powershell-about.md)]
+
+## <a name="signin"></a>Sign in
+
+[!INCLUDE [sign in](../../includes/vpn-gateway-cloud-shell-ps-login.md)]
+
+## <a name="rules"></a>Configure NAT rules
+
+You can configure and view NAT rules on your VPN gateway settings at any time using Azure PowerShell
+
+   :::image type="content" source="./media/nat-rules-vpn-gateway/edit-rules.png" alt-text="Screenshot showing how to edit rules."lightbox="./media/nat-rules-vpn-gateway/edit-rules.png":::
+
+1. Declare the variables for the existing resources
+
+   ```azurepowershell-interactive
+   $resourceGroup = Get-AzResourceGroup -ResourceGroupName "testRG" 
+   $virtualWan = Get-AzVirtualWan -ResourceGroupName "testRG" -Name "myVirtualWAN"
+   $virtualHub = Get-AzVirtualHub -ResourceGroupName "testRG" -Name "westushub"
+   $vpnGateway = Get-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"
+   ```
+
+1. Create the new NAT rule to ensure the Site-to-site VPN gateway is able to distinguish between the two branches with overlapping address spaces.
+
+    You can set the parameters for the following values:
+
+   * **Name:** A unique name for your NAT rule.
+   * **Type:** Static or Dynamic. Static one-to-one NAT establishes a one-to-one relationship between an internal address and an external address. The subnet size for both internal and external mapping must be the same for static.
+   * **Mode:** IngressSnat or EgressSnat.  
+      * IngressSnat mode (also known as Ingress Source NAT) is applicable to traffic entering the Azure hub’s Site-to-site VPN gateway. 
+      * EgressSnat mode (also known as Egress Source NAT) is applicable to traffic leaving the Azure hub’s Site-to-site VPN gateway. 
+   * **InternalMapping:** An address prefix range of source IPs on the inside network that will be mapped to a set of external IPs. In other words, your pre-NAT address prefix range.
+   * **ExternalMapping:** An address prefix range of destination IPs on the outside network that source IPs will be mapped to. In other words, your post-NAT address prefix range.
+   * **Link Connection:** Connection resource that virtually connects a VPN site to the Azure Virtual WAN Hub's Site-to-site VPN gateway.
+    
+    ### Syntax
+
+    ```
+    New-AzVpnGatewayNatRule 
+    -ResourceGroupName <String> 
+    -ParentResourceName <String> 
+    -Name <String>
+    [-Type <String>] 
+    [-Mode <String>] 
+    -InternalMapping <String[]> 
+    -ExternalMapping <String[]>
+    [-InternalPortRange <String[]>] 
+    [-ExternalPortRange <String[]>] 
+    [-IpConfigurationId <String>] 
+    [-AsJob]
+    [-DefaultProfile <IAzureContextContainer>] 
+    [-WhatIf] 
+    [-Confirm] [<CommonParameters>]
+    ```
+    
+    ```azurepowershell-interactive
+   $natrule = New-AzVpnGatewayNatRule -ResourceGroupName "testRG" -ParentResourceName "testvpngw" -Name "testNatRule" -InternalMapping "10.0.0.0/24" -ExternalMapping "1.2.3.4/32" -IpConfigurationId "Instance0" -Type Dynamic -Mode EgressSnat 
+   ```
+
+1. Declare the variable to create a new object for the new NAT rule
+
+   ```azurepowershell-interactive
+   $newruleobject = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
+   $newruleobject.Id = $natrule.Id
+   ```
+
+1. Declare the variable to get the existing VPN connection
+
+   ```azurepowershell-interactive
+   $conn = Get-AzVpnConnection -Name "Connection-VPNsite1" -ResourceGroupName "testRG" -ParentResourceName "testvpngw"
+   ```
+
+1. Set the appropriate index for the NAT rule in the VPN connection
+
+   ```azurepowershell-interactive
+   $conn.VpnLinkConnections
+   $conn.VpnLinkConnections[0].EgressNatRules = $newruleobject
+   ```
+
+1. Finally, update the existing VPN connection with the new NAT rule
+
+   ```azurepowershell-interactive
+   Update-AzVpnConnection -Name "Connection-VPNsite1" -ResourceGroupName "testRG" -ParentResourceName "testvpngw" -VpnSiteLinkConnection $conn.VpnLinkConnections
+   ```
+
+## Next steps
+
+For more information about Site-to-site configurations, see [Configure a Virtual WAN Site-to-site connection](virtual-wan-site-to-site-portal.md).
diff --git a/articles/virtual-wan/site-to-site-powershell.md b/articles/virtual-wan/site-to-site-powershell.md
@@ -12,7 +12,7 @@ ms.author: reasuquo
 ms.custom: devx-track-azurepowershell
 
 ---
-# Create a site-to-site connection to Azure Virtual WAN using PowerShell
+# Create a Site-to-Site connection to Azure Virtual WAN using PowerShell
 
 This article shows you how to use Virtual WAN to connect to your resources in Azure over an IPsec/IKE (IKEv1 and IKEv2) VPN connection via PowerShell. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about Virtual WAN, see the [Virtual WAN Overview](virtual-wan-about.md).
 
@@ -37,31 +37,31 @@ This article shows you how to use Virtual WAN to connect to your resources in Az
 
 ## <a name="openvwan"></a>Create a virtual WAN
 
-Before you can create a virtual WAN, you have to create a resource group to host the virtual WAN or use an existing resource group. Create a resource group with [New-AzResourceGroup](/powershell/module/az.Resources/New-azResourceGroup). This example creates a new resource group named **testRG** in the **West US** location: 
+Before you can create a virtual wan, you have to create a resource group to host the virtual wan or use an existing resource group. Create a resource group with [New-AzResourceGroup](/powershell/module/az.Resources/New-azResourceGroup). This example creates a new resource group named **testRG** in the **West US** location: 
 
 Create a resource group:
 
 ```azurepowershell-interactive 
 New-AzResourceGroup -Location "West US" -Name "testRG" 
 ``` 
 
-Create the virtual WAN:
+Create the virtual wan:
 
 ```azurepowershell-interactive
 $virtualWan = New-AzVirtualWan -ResourceGroupName testRG -Name myVirtualWAN -Location "West US"
 ```
 
-### To create the virtual WAN in an already existing resource group
+### To create the virtual wan in an already existing resource group
 
-Use the steps in this section if you need to create the virtual WAN in an already existing resource group.
+Use the steps in this section if you need to create the virtual wan in an already existing resource group.
 
-1. Set the variables for the existing resource group.
+1. Set the variables for the existing resource group
 
    ```azurepowershell-interactive
    $resourceGroup = Get-AzResourceGroup -ResourceGroupName "testRG" 
    ```
 
-2. Create the virtual WAN.
+2. Create the virtual wan.
 
    ```azurepowershell-interactive
    $virtualWan = New-AzVirtualWan -ResourceGroupName testRG -Name myVirtualWAN -Location "West US"
@@ -83,7 +83,7 @@ In this section, you create a site-to-site VPN gateway that will be in the same
 New-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw" -VirtualHubId $virtualHub.Id -VpnGatewayScaleUnit 2
 ``` 
 
-Once your VPN gateway is created, you can view it using the following example. 
+Once your VPNgateway is created, you can view it using the following example. 
 
 ```azurepowershell-interactive
 Get-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"
@@ -93,7 +93,7 @@ Get-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"
 
 In this section, you create sites that correspond to your physical locations and the connections. These sites contain your on-premises VPN device endpoints, you can create up to 1000 sites per virtual hub in a virtual WAN. If you have multiple hubs, you can create 1000 per each of those hubs.
 
-Set the variable for the VPN gateway and for the IP address space that is located on your on-premises site, traffic destined for this address space is routed to your local site. This is required when BGP is not enabled for the site:
+Set the variable for the vpnGateway and for the IP address space that is located on your on-premises site, traffic destined for this address space is routed to your local site. This is required when BGP is not enabled for the site:
 
 ```azurepowershell-interactive 
 $vpnGateway = Get-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"
@@ -116,7 +116,7 @@ Create the vpnSite and reference the variables of the vpnSiteLinks just created:
 $vpnSite = New-AzVpnSite -ResourceGroupName "testRG" -Name "testVpnSite" -Location "West US" -VirtualWan $virtualWan -AddressSpace $vpnSiteAddressSpaces -DeviceModel "SomeDevice" -DeviceVendor "SomeDeviceVendor" -VpnSiteLink @($vpnSiteLink1, $vpnSiteLink2)
 ```
 
-Next is the VPN Site Link connection which is composed of 2 Active-Active tunnels from a branch/Site known as VPNSite to the scalable gateway:
+Next is the Vpn Site Link connection which is composed of 2 Active-Active tunnels from a branch/Site known as VPNSite to the scalable gateway:
 
 ```azurepowershell-interactive
 $vpnSiteLinkConnection1 = New-AzVpnSiteLinkConnection -Name "testLinkConnection1" -VpnSiteLink $vpnSite.VpnSiteLinks[0] -ConnectionBandwidth 100
@@ -135,6 +135,58 @@ New-AzVpnConnection -ResourceGroupName $vpnGateway.ResourceGroupName -ParentReso
 
 When you no longer need the resources that you created, delete them. Some of the Virtual WAN resources must be deleted in a certain order due to dependencies. Deleting can take about 30 minutes to complete.
 
+1. Declare the variables 
+
+    ```azurepowershell-interactive
+    $resourceGroup = Get-AzResourceGroup -ResourceGroupName "testRG" 
+    $virtualWan = Get-AzVirtualWan -ResourceGroupName "testRG" -Name "myVirtualWAN"
+    $virtualHub = Get-AzVirtualHub -ResourceGroupName "testRG" -Name "westushub"
+    $vpnGateway = Get-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"
+    ```
+
+1. Delete all gateway entities following the below order for the VPN gateway. This can take 30 minutes to complete.
+
+    Delete the VPN Gateway connection to the VPN Sites.
+    
+     ```azurepowershell-interactive
+        Remove-AzVpnConnection -ResourceGroupName $vpnGateway.ResourceGroupName -ParentResourceName $vpnGateway.Name -Name "testConnection"
+     ```
+
+    Delete the VPN Gateway. 
+    Note that deleting a VPN Gateway will also remove all VPN Express Route Connections associated with it.
+    
+     ```azurepowershell-interactive
+        Remove-AzVpnGateway -ResourceGroupName "testRG" -Name "testvpngw"
+     ```
+
+1. You can delete the Resource Group to delete all the other resources in the resource group, including the hubs, sites and the virtual WAN.
+
+    ```azurepowershell-interactive
+    Remove-AzResourceGroup -Name "testRG"
+    ```
+
+1. Or you can choose to delete each of the resources in the Resource Group
+
+    Delete the VPN site
+    
+    ```azurepowershell-interactive
+    Remove-AzVpnSite -ResourceGroupName "testRG" -Name "testVpnSite"
+    ```
+    
+    Delete the Virtual Hub
+    
+    ```azurepowershell-interactive
+    Remove-AzVirtualHub -ResourceGroupName "testRG" -Name "westushub"
+    ```
+    
+    Delete the Virtual WAN
+    
+    ```azurepowershell-interactive
+    Remove-AzVirtualWan -Name "MyVirtualWan" -ResourceGroupName "testRG"
+    ```
+
+
+
 ## Next steps
 
 Next, to learn more about Virtual WAN, see:
