Azure Automation rubook to update Site-to-Site VPN with dynamic local public IP address

While testing some Azure configurations, i though i would try to setup a site-to-site VPN from Azure to my home network. I’m running a mini PC with Sophos UTM v.9.6, with a home use license which enables all features, but is limited to 50 IP addresses, which has been sufficient so far. Sophos has a nice guide for setting up IPSec VPN to Azure in this Knowledge Base article. The only problem was, that my current ISP changes the public IP address allocated to my connection more less every 24 hours. And since there is was no way i was going to keep changing the IP address of the Local Network Gateway in Azure manually, i looked in to how to automate it.

Welcome to Azure Automation (Account)! Once i created the Automation Account and had a look around, i found that the most suitable service might be the Runbooks.

Azure Automation runbook gallery

Furthermore, i noticed there is a gallery of runbooks already available. Did a quick search for the word dynamic, and as soon as I’ve seen the second result on the list, i knew i’m on a good track. It was a runbook by Didier van Hoye, aka WorkingHardInIt. Didier is well worth a follow on Twitter, and he also has a nice post about how he worked his way to his runbook solution.

I went ahead and imported the runbook, and to make sure it’s still working as it should, i tried to run through the commands using the Cloud Shell. The first hurdle i cam across was from the very start – trying to connect to subscription. Not surprisingly, since the original runbook was published a few years back, and Didier’s article still references the classic portal. The runbook from gallery is using the Add-AzureAccount command, but i ended replacing it with using the Automation Account’s Run As account.

Azure Automation Run As account

After the account has been sorted, i was getting to the main part of the job. Once again, most likely due to limitations of the classic Azure model, to change the gateway IP the properties of the Vnet had to be changed, which had its challenges. Followed by a quick search and trial/error, i found it to be much easier to simply use the Get-AzureRmLocalNetworkGateway and Set-AzureRmLocalNetworkGateway commands. Soon i had all the commands tested, and it looked like it might just work. I saved and published the runbook, tried to run it and …… It Failed!!! Luckily the message was self explanatory, and told me that it’s missing the PS module for the local network gateway commands. I jumped to the Shared Resources – Modules section, and added the required AzureRM.Network modules from the gallery.

Azure Automation modules

Ran the runbook again, and this time it finished without any errors, even though it reported it has done nothing, as the IP address was the same.

Azure Automation Job success

I eagerly awaited the next morning to see what will happen with the automation task, and whether the site to site VPN will remain online. I checked the automation jobs next morning, and hey presto – the script did what it was supposed to. In addition, the the VPN re-established the connection successfully as well, which i could confirm from both the Azure local network gateway and the Sophos admin console as well.

Azure Local Network Gateway Connection status
Sophos UTM admin console – IPSec VPN status

For anyone interested, you can download the runbook PowerShell script here.

In category: Microsoft Azure
Tagged with: , ,