Reset VPN Gateway with Azure Automation


At a customer we had some incidents with the VPN Gateway: whenever the internet lines had a hiccup, we had connection problems. Resetting the VPN Gateway restored the connection, but it was a manual process. We needed an automated solution.

The first thing I did was find out whether it is possible to reset the VPN Gateway via PowerShell. The Microsoft documentation can be found here. The next thing that came to mind was whether it could be done from an Azure Runbook. It turned out that someone had already blogged about it: https://www.thomas-zuehlke.de/2019/12/reset-vpn-gateway-with-runbook/.

The blog post was not a how-to guide, but I managed to create the runbook and the schedule I needed. Here are the steps that I’ve taken:

#1 – Create an Automation Account: give it a name and a resource group, and select Yes for the Run As account, as the runbook needs those permissions to act on your subscription.

#2 – The script states that Az.Accounts, Az.Network and Az.Monitor are required. These modules are not present by default, so we need to import them. Select Modules on the left side of the page and then Browse gallery. In the gallery, search for Az.Accounts and import it. The other two modules depend on it, so make sure the import of Az.Accounts has completed before importing the other two.

#3 – Create the Runbook. After importing the needed PowerShell modules it’s time to create the PowerShell runbook. Select Runbooks on the left side of the page and then Create a runbook. Provide a name for the runbook, select PowerShell as the runbook type and select Create. Next, paste the PowerShell script and select Save. I’ve changed the Write-Output text, because this made more sense to me.

#Requires -Module Az.Accounts
#Requires -Module Az.Network
#Requires -Module Az.Monitor

[OutputType([String])]

param (
    [Parameter(Mandatory=$false)]
    [String] $AzureConnectionAssetName = "AzureRunAsConnection",

    [Parameter(Mandatory=$true)]
    [String] $ResourceGroupName,

    [Parameter(Mandatory=$true)]
    [String] $VpnGwName
)

Write-Output "Trying to check Status VPN Gateway..."

try {
    # Connect to Azure with the Run As (service principal) connection asset of the Automation Account
    $ServicePrincipalConnection = Get-AutomationConnection -Name $AzureConnectionAssetName
    Write-Output $ServicePrincipalConnection
    Write-Output "Logging in to Azure..."
    $Null = Connect-AzAccount -ServicePrincipal `
        -TenantId $ServicePrincipalConnection.TenantId `
        -ApplicationId $ServicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
    Write-Output "Logged in to Azure..."
} catch {
    if (!$ServicePrincipalConnection) {
        throw "Connection $AzureConnectionAssetName not found."
    } else {
        throw $_.Exception
    }
}

$subid = $ServicePrincipalConnection.SubscriptionId
$resourceid = "/subscriptions/$subid/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworkGateways/$VpnGwName"
Write-Output "Getting Logs for $resourceid"

# Activity log entries for the gateway from the last 5 minutes, most recent first.
# @() guarantees an array even when Get-AzLog returns nothing or a single entry,
# so $logs.Count and $logs[0] below cannot fail on an empty result.
$logs = @(Get-AzLog -ResourceId $resourceid -StartTime (Get-Date).AddMinutes(-5) |
          Sort-Object EventTimestamp -Descending)

if ($logs.Count -ge 1 -and
    $logs[0].OperationName.value -eq "Microsoft.Network/virtualNetworkGateways/reset/action" -and
    $logs[0].Status.value -eq "Accepted")
{
    # The most recent entry is a reset that has been accepted: do not trigger another one
    Write-Output "VPN Gateway is up and running..."
}
else
{
    # no log entry in the last 5 minutes,
    # or the last log entry was something else,
    # or the last reset entry has status "Failed" or "Succeeded"
    Write-Output "VPN Gateway is not running...."
    Write-Output "Trying to connect..."
    $gw = Get-AzVirtualNetworkGateway -Name $VpnGwName -ResourceGroupName $ResourceGroupName
    Write-Output "Reset VPN Gateway..."
    Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gw
}

Write-Output "...finished"

#4 – Test the runbook. It is possible to test the runbook to check that it works, but bear in mind that the test run really executes the runbook against your environment and can have impact! After selecting Save, select Test pane; this executes the runbook once.

#5 – Publish the runbook. After saving and/or testing the runbook it’s time to publish it. Select Publish and then Yes.
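The portal steps #1 to #5 above can also be done from Az PowerShell. This is an added example, not code from the original post; the resource group, account name, region, runbook parameters and the local path of the saved runbook script are placeholders, and the Run As account itself is still created in the portal as in step #1.

```powershell
# Added example: portal steps #1-#5 done with the Az.Automation cmdlets.
# Placeholders (change to your own values): resource group, account name, region,
# local path of the script from step #3, and the runbook parameters.
$rg       = "rg-automation"            # placeholder resource group
$account  = "aa-vpn-reset"             # placeholder Automation Account name
$location = "westeurope"               # placeholder region
$runbook  = "Reset-VpnGateway"         # name the runbook gets in the account
$script   = ".\Reset-VpnGateway.ps1"   # placeholder: the runbook script saved locally

Connect-AzAccount | Out-Null

# Step 1: the Automation Account. The Run As account (certificate + service principal)
# is not created by this cmdlet; create it in the portal as described in step #1.
New-AzAutomationAccount -Name $account -ResourceGroupName $rg -Location $location | Out-Null

# Step 2: import the modules from the PowerShell Gallery, Az.Accounts first because
# Az.Network and Az.Monitor depend on it. The versionless gallery URI resolves to the
# latest release. Poll until the import has finished before starting the next one;
# importing a dependent module before its dependency is present fails.
foreach ($module in "Az.Accounts", "Az.Network", "Az.Monitor") {
    $uri = "https://www.powershellgallery.com/api/v2/package/$module"
    New-AzAutomationModule -Name $module -ContentLinkUri $uri `
        -ResourceGroupName $rg -AutomationAccountName $account | Out-Null
    do {
        Start-Sleep -Seconds 15
        $state = (Get-AzAutomationModule -Name $module -ResourceGroupName $rg `
                      -AutomationAccountName $account).ProvisioningState
        Write-Output "$module : $state"
    } while ($state -notin "Succeeded", "Failed")
    if ($state -eq "Failed") { throw "Import of $module failed." }
}

# Steps 3 and 5: import the script as a PowerShell runbook and publish it in one go
# (-Force overwrites an existing runbook with the same name).
Import-AzAutomationRunbook -Path $script -Name $runbook -Type PowerShell `
    -ResourceGroupName $rg -AutomationAccountName $account -Published -Force | Out-Null

# Step 4: a test run of the published runbook. As with the portal Test pane this really
# runs the runbook and may reset the gateway; -Wait blocks until the job has finished
# and returns the job output (the Write-Output lines of the runbook).
Start-AzAutomationRunbook -Name $runbook -ResourceGroupName $rg -AutomationAccountName $account `
    -Parameters @{ ResourceGroupName = "rg-network"; VpnGwName = "vgw-hub" } -Wait   # placeholders
```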

#6 – Create a schedule. It is possible to create a schedule for the runbook, but the smallest default interval is one hour. If you need to run the runbook e.g. every 5, 15 or 30 minutes you have a problem. I wanted to run the runbook every 5 minutes. After some searching, most blog posts referred to the Azure Scheduler. Searching in the Azure Portal didn’t return the Azure Scheduler. After searching for Azure Scheduler I landed on the Microsoft page on Azure Scheduler, but as it turns out the Azure Scheduler will be retired and Microsoft states:

#7 – Create a Logic App. So if I want to use jobs, I need to create a Logic App. Let’s create a Logic App in order to create a schedule. Search in the Azure Portal for Logic Apps and select Add. Provide a resource group and a Logic App name.

#8 – Logic Apps Designer. After the creation of the Logic App the Logic Apps Designer screen will appear. Select the Recurrence tile.

Set the Interval and Frequency. Add a new parameter Start time.

Next select New step to add an action. Search for job and select Create job.

Next, fill in Subscription, Resource Group and Automation Account, and select Yes at Wait for Job.

Add the parameter Runbook Name, select the runbook to run, and fill in the parameters the runbook needs to execute.

Select Save to save the Logic App that will trigger the runbook.

That’s it, have fun!
