Step-By-Step: Create a Site-to-Site VPN between your network and Azure
On September 29th, I posted an article on going back to basic with the Azure subscription. let’s kick it up a notch. Now that you have an Azure trial subscription , or an MSDN subscription that provides monthly Azure credits. you can extend your lab network to the cloud and start learning the ways you can leverage the cloud to benefit your enterprise.
Before you start.
- Download Windows Server 2012 or Windows Server 2012 R2 Preview
- Use the info in this post to setup your own lab
- consume the following MVA modules (they’re full of great info you can access at your convenience.)
Once you Lab network is setup. Follow the next steps to establish a site-to-site VPN between your environment and Azure. Essentially making the cloud part of your environment.
1- logon to the Azure Portal, and create a new virtual network. Click on the NETWORKS link in the left navigation pane and then click the +NEW button located on the bottom toolbar.
Select VIRTUAL NETWORK and CUSTOM CREATE.
2- In the Wizard that popup, give your network a meaningful name, select the region you want to use to deploy your network in, and create and name an affinity group name.
Affinity Groups are a way to tell the Fabric Controller that those two elements, Compute and Storage, should always be together and close to one another, and what this does is when the Fabric Controller is searching for the best suited Container to deploy those services will be looking for one where it can deploy both in the same Cluster, making them as close as possible, and reducing the latency, and increasing the performance.
So in summary, Affinity Groups provide us:
- Aggregation, since it aggregates our Compute and Storage services and provide the Fabric Controller the information needed for them to be kept in the same Data Center, and even more, in the same Cluster.
- Reducing the Latency, because by providing information to the Fabric Controller that they should be kept together, allow us to get a lot better latency when accessing the Storage from the Compute Nodes, which makes difference in a highly available environment.
- Lowering costs, as by using them we don’t have the possibility of getting one service in one Data Center and the other in another Data Center if for some reason we choose the wrong way, or even because we choose for both one of the “Anywhere” options in the
3- In the next screen you’ll need to list the DNS servers you want the machines in your new virtual to use for name resolution. In our case DC1 is the DC in our on premise lab. I’ve added an internet DNS just in case.
4- the next step is for you to identify your on premise network by giving it a name, defining the address space you are using, and the external IP address of the edge device you are using. in my case I'm using a Cisco ASA 5505 security appliance. (please note that since this is my private lab, not a canned demo environment, sooo…. I have blanked out the address and some identifiable information…. )
This information will be used by azure to configure the routing in your virtual network and across the gateway we will setup in the next few steps.
5- In the Virtual Network Address Space screen you get to design how you want you virtual network to be configured.
in my case I assigned a private Class A address 10.0.0.0 for very large networks which can hold as many as 16 million computers to my cloud network…. ( Think BIG I always say…)
And you need to carve and name that address space into usable subnets.
for my virtual network I used 10.10.1.0/24 as my infrastructure subnet (AZR-LAb-Infra) and created the 10.10.2.0/24 as a publicly accessible subnet (AZR-Lab-Public). ( in case I decide to add public services )
and finally you have to click the “Add gateway subnet” button and configure that subnet 10.10.3.0/8 in my case.
6- Now that we have defined both our virtual network architecture and on premise network, we can create the gateway that will join both of them together. In the Azure Portal, select NETWORKS in the left menu, then click the Virtual network you just finished creating. for me AZR-Lab
7- Once the virtual network info loads in the portal, click on CREATE GATEWAY. In my case since I'm using a Cisco ASA 5505 security appliance as my edge device I have to use Static Routing. Once the process starts, it will take a bit of time… take this opportunity to visit MVA.
8- Once you come back the gateway will be complete and your internet VPN end point address will be listed in the portal. ( again the address hab been redacted to protect the innocents… In this case… Me. )
9- After the gateway has been created, you can gather the necessary information to send to your network administrator to configure the VPN device.
- On the virtual network dashboard, copy the GATEWAY IP ADDRESS.
- Get the Shared Key. Click Manage KEY at the bottom of the screen, and then copy the SHARED KEY displayed in the dialog box. your key… Not mine.
- Download the VPN configuration file. On the dashboard, click DOWNLOAD. On the Download VPN Device Config Script dialog box, select the vendor, platform, and operating system for your company’s VPN device. Click the checkmark button and save the file. In order to create a site-to-site connection, you’ll need to either obtain and configure a VPN device, or use Routing and Remote Access Service (RRAS) on Windows Server 2012. Be aware that VPN device requirements vary depending on the type of connection that you want to create. you can find more info on compatible machines and\or services here.
Since I have a business grade edge device with my Cisco ASA 5505 appliance I will use it.
If you don’t see your VPN device in the drop-down list, see About VPN Devices for Virtual Network in the MSDN library for additional script templates.
10- After have all that you can begin to configure your VPN device. Copy the content of the configuration file you downloaded in the last step to the clipboard. Open the Cisco ASDM application to manage the edge device and in the Tools menu, select Command Line Interface.
11- After you select Multiple Line
12- Paste the content of the configuration file in the commands window and click the Send button to send the script top the appliance.
13- that is done the 2 networks will connect and setup the VPN tunnel. if the connection does not occur right away. Click the connect button in the portal at the bottom and initiate the connection. once it’s connected the portal will show the connected state.
Cue the time machine…. After I created a Virtual Machine on my Virtual network. I was able to ping it from one of my local Windows 8 lab machines.
We are done!!!
We have now extended a 4 machine lab in my home office to include a chunck of the cloud. it’s a piece of network we can leverage for a multitude of services. but these will have to be for other posts.