How does New-AzIpsecTrafficSelectorPolicy exactly work for route-based VPN in Azure?

Hi all,
 
We've got a route-based VPN. A customer of ours has a policy-based VPN.
You can now configure your route-based VPN to also accept policy-based:
https://docs.microsoft.com/bs-latn-ba/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
In the example they only use one -switch though:
New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzureA1b2C3'
 
-UsePolicyBasedTrafficSelectors $true: this will send all your subnets over the VPN tunnel, including peerings etc. This is not what we want, so I tried it with New-AzIpsecTrafficSelectorPolicy.
 
Unfortunately there is barely any information about New-AzIpsecTrafficSelectorPolicy:
https://docs.microsoft.com/en-us/powershell/module/az.network/new-azipsectrafficselectorpolicy?view=azps-3.7.0
When I implement it like this:
 
$IPTSP = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange ("10.20.1.0/24", "10.20.0.0/24")  -RemoteAddressRange ('10.235.197.0/27','10.235.197.32/27','10.235.199.0/27','10.235.199.32/27')
It will send all remote addresses at once over the tunnel. Is this the way to go, then?
$IPTSP = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange ("10.20.1.0/24","10.20.1.0/24","10.20.1.0/24","10.20.1.0/24", "10.20.0.0/24", "10.20.0.0/24", "10.20.0.0/24", "10.20.0.0/24")  -RemoteAddressRange ('10.235.197.0/27','10.235.197.32/27','10.235.199.0/27','10.235.199.32/27','10.235.197.0/27','10.235.197.32/27','10.235.199.0/27','10.235.199.32/27')
Is someone more familiar with this cmdlet that can help me?
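As an added illustration (not from the original post): one way to keep the tunnel to the intended subnet pairs is to build one traffic selector policy object per local/remote pair instead of a single object that lists every range, pass them together to the connection, and then read the deployed TrafficSelectorPolicies back to confirm nothing wider (peered VNet prefixes, for instance) is being offered. Names in angle brackets are placeholders; it assumes New-AzVirtualNetworkGatewayConnection accepts the array via -TrafficSelectorPolicy and that each policy object exposes its ranges as LocalAddressRanges and RemoteAddressRanges.

```powershell
# Added example, not code from the original post. Angle-bracket values are placeholders.
# Assumption: each New-AzIpsecTrafficSelectorPolicy object is one local/remote selector set,
# and the connection takes an array of them via -TrafficSelectorPolicy.

$rg  = '<resource-group>'
$loc = '<location>'
$psk = '<pre-shared-key>'   # placeholder; keep the real key out of scripts and logs
$gw  = Get-AzVirtualNetworkGateway -Name '<vnet-gateway>' -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name '<local-network-gateway>' -ResourceGroupName $rg

# Intended pairing: one policy object per local subnet and the remote /27s it may reach,
# so the tunnel only negotiates selectors for traffic we actually want to carry.
$pairs = @(
    @{ Local = '10.20.1.0/24'; Remote = @('10.235.197.0/27', '10.235.197.32/27') },
    @{ Local = '10.20.0.0/24'; Remote = @('10.235.199.0/27', '10.235.199.32/27') }
)
$tsPolicies = foreach ($p in $pairs) {
    New-AzIpsecTrafficSelectorPolicy -LocalAddressRange $p.Local -RemoteAddressRange $p.Remote
}

# Explicit IPsec/IKE proposal rather than the gateway defaults.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection -Name '<connection>' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -IpsecPolicies $ipsec -TrafficSelectorPolicy $tsPolicies -SharedKey $psk | Out-Null

# Verification: read back what Azure actually stored and warn on any range that is
# not in the intended list (the check a reviewer would run after every change).
$allowed  = foreach ($p in $pairs) { $p.Local; $p.Remote }
$deployed = (Get-AzVirtualNetworkGatewayConnection -Name '<connection>' -ResourceGroupName $rg).TrafficSelectorPolicies
foreach ($ts in $deployed) {
    '{0} <-> {1}' -f ($ts.LocalAddressRanges -join ','), ($ts.RemoteAddressRanges -join ',')
    $unexpected = @($ts.LocalAddressRanges + $ts.RemoteAddressRanges) | Where-Object { $_ -notin $allowed }
    if ($unexpected) { Write-Warning "Unexpected range(s) in traffic selector: $($unexpected -join ', ')" }
}
```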