Implementing Microsoft Azure Site to Site VPN

Microsoft Azure VPN Site to Site

Hi Guys,

Thank you for viewing my last post about Azure Calculations, needs and costs. I’ve received questions from some of you asking how to achieve some configurations.

So, because I love to share information, here we go with a simple step-by-step tutorial: a basic approach to get you familiar with Azure and connected to it.

Plan it!

Plan your deployment as I show you in my post Microsoft Azure analysis for a small company.

Get your on premises infrastructure ready

Setting up a site-to-site VPN over an IPsec connection is not rocket science, but there are still some specific topics you should understand beforehand.

I bought a Draytek Vigor2910 with IPsec and AES capabilities. The price is about 20€ to 50€, used.

Get a static IP address from your ISP. Azure identifies your site by this address, so a dynamic one would break the tunnel every time it changes.

Configure your LAN-to-LAN (site-to-site) settings on the router.

Get an Azure Subscription

To get started you need an Azure subscription. Microsoft also offers a very friendly way to get involved with this new infrastructure and gives you some »bonus« credit for a limited time. And believe me, it is fair enough to build, understand and set up your small business environment.

Sign up for a subscription, enter your credit card number and read about the spending limit and the Microsoft disclaimer that they won't charge you anything while that limit is in place. Yes! Don't be afraid, just move ahead and get into the Azure Portal as soon as possible.

https://portal.azure.com

Set up the site-to-site VPN between Azure and on-prem.

Log in to your Azure Portal at https://portal.azure.com/ and get familiar with your dashboard.

The red arrows show you the resources we are going to use in this scenario. There is one more resource hidden from this left menu, but don't worry, we will find it via the »+ New« button. That resource is the VPN Gateway.

Let’s enumerate the resources we actually need.

Networking resources

1. We need a local network in the Azure cloud; Azure calls it a Virtual Network. We'll pick one of these resources and use it.

2. The virtual network needs a Virtual Network Gateway in order to send traffic out of, and receive traffic into, this virtual network.

3. One more network resource is needed to identify the on-premises gateway and subnets. On the Azure side it is called the Local Network Gateway.

First things first – Networking

Virtual Network step 1

Create the Azure Virtual Network. I put this virtual network in a resource group because I like to keep resources organized.

The virtual network is 10.0.0.0/16 (huge, I know, but I don't care; it's just for testing).

Take a look at the subnet: the default subnet is 10.0.0.0/24, and we will need this information when creating the VPN tunnel. Please choose your nearest datacenter location. In my case it is West Europe.

And Click create.

After the virtual network is created, let's take a look inside.

Now go ahead and create a gateway subnet inside this large virtual network, 10.0.0.0/16. The portal names it GatewaySubnet, and that exact name is required: Azure will only place a VPN gateway in a subnet with this name.

And here we go... pay attention to the subnet: it is 10.0.1.0/24! It must not overlap the default subnet 10.0.0.0/24, and nothing but the gateway should ever be placed in it.

Virtual network gateway step 2

Let's build the roads that connect this Azure virtual network to the on-premises network. As everywhere in the world, for a route or road you have to pay some taxes and fees to drive your car on it. It is the same thing here: the Virtual Network Gateway charges you for every hour it exists, whether a tunnel is up or not. Be aware of that! Leave it for one day and then check your billing. There is also a VPN Gateway pricing calculator online; follow this link: Microsoft Azure – VPN Gateway pricing

Approximately 22.59€ per month for the Basic SKU with 100 Mbps bandwidth.

Use names that make sense and help you understand what you are doing.

The gateway type we are using here is the entry-level one, the cheapest, and I can tell you it is still reliable enough and the performance on the Microsoft Azure side is good, 100 Mbps; at my testing place I only get a 2 Mbps upload line... holy crap. Yes.

SKU: choose Basic.

Virtual network: here you must choose the virtual network you want to attach to this gateway. In our case it is VN-1, and that is why we named this gateway VN-1-VPN-Gateway.

Gateway type: VPN. VPN type: in this case I'll use Policy-based, because my device only supports this setting. SKU: Basic. Connect it to the virtual network and create a new public IP address.

Keep in mind what Policy-based gives you: it is only available with the Basic SKU, it speaks IKEv1 only, and it supports a single site-to-site tunnel, with no BGP and no point-to-site clients. If you later need IKEv2, several sites or P2S, you will have to recreate the gateway as Route-based.

It is crucial to understand the site-to-site VPN requirements for both the Azure and the on-premises configuration, so let's understand this network environment.

The table below shows the parameters for the first phase; in this particular case we use policy-based IKEv1 with AES256.

Phase 2 is IKEv1 with AES256 as well.

You'll find the official reference, including the phase 1 and phase 2 parameters a policy-based gateway expects, in this link:

Microsoft Docs – VPN Gateway and About VPN Devices

The public IP address is the one Microsoft Azure assigns to your gateway; it may take up to 45 minutes, but in my case it never takes more than 20. Once assigned it stays with the gateway for its lifetime (a gateway reset does not change it), so you can safely hard-code it on the router. Here again, remember the naming. I used VN-1-VPN-Gateway-Public-IP.

Choose subscription and location and create it ASAP!

To check the deployment progress, just hit the notification bell.

In the meantime don't just stare at the monitor and wait; do something productive, like deploying a virtual machine or a SQL database. But it's better to stay in the networking field: we can now deploy the next thing we need.

Local Network Gateway step 3

At the beginning I spent some time trying to understand that the expression »Local Network Gateway« means the gateway on the ON-PREM side! So set there the static public IP address given by your ISP. Set the local address space, in this case 192.168.33.0/24, and click Create. Only the prefixes you list here will be routed into the tunnel, and they must not overlap the Azure virtual network.

Now connect the Local Network Gateway to your Azure Virtual Network Gateway and set a PSK. Use a long random pre-shared key rather than a word; it must be entered identically on the router, and it is the only thing authenticating the two peers.

Now it is time to check the Azure public IP address and note it down in order to set up the VPN configuration on the on-premises side.

Check that Azure is calling your on-premises VPN. The status »Succeeded« only means the connection resource was deployed; it is not Connected! The actual tunnel state is shown separately as Connected or Not connected. Don't confuse the two.

And here we go, connected to the Azure LAN.
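Here is the same three-step networking build done with Azure PowerShell (the Az module), as an added example that is not part of the original post. It uses the address spaces from this post; the resource group name, the resource names not mentioned above, and the placeholder on-premises address 203.0.113.10 (an RFC 5737 documentation address standing in for your ISP static IP) are assumptions. Run it after Connect-AzAccount.

```powershell
# Added example (not from the original post): builds the virtual network, the
# policy-based VPN gateway, the local network gateway and the IPsec connection
# with the Az module. Assumed: resource group/location/resource names and the
# placeholder on-prem address 203.0.113.10. Requires a prior Connect-AzAccount.
$rg       = 'RG-VPN-Test'          # assumed resource group name
$location = 'westeurope'
$onPremIp = '203.0.113.10'         # placeholder: your ISP-assigned static IP

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Step 1: virtual network 10.0.0.0/16 with the default subnet and the gateway
# subnet. The gateway subnet MUST be named 'GatewaySubnet' and must not overlap
# the subnets that hold VMs.
$default = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '10.0.0.0/24'
$gwSub   = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'VN-1' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '10.0.0.0/16' -Subnet $default, $gwSub

# Step 2: public IP plus a policy-based, Basic-SKU VPN gateway (IKEv1 only).
# A Basic gateway takes a dynamic, Basic-SKU public IP; creation takes 20-45 min.
$pip = New-AzPublicIpAddress -Name 'VN-1-VPN-Gateway-Public-IP' -ResourceGroupName $rg `
         -Location $location -AllocationMethod Dynamic -Sku Basic
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' `
            -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name 'VN-1-VPN-Gateway' -ResourceGroupName $rg `
         -Location $location -IpConfigurations $ipConf `
         -GatewayType Vpn -VpnType PolicyBased -GatewaySku Basic

# Step 3: local network gateway = the ON-PREM side: ISP public IP + LAN prefix.
# Only prefixes listed here are routed into the tunnel.
$lng = New-AzLocalNetworkGateway -Name 'OnPrem-LNG' -ResourceGroupName $rg `
         -Location $location -GatewayIpAddress $onPremIp -AddressPrefix '192.168.33.0/24'

# Pre-shared key: 32 random bytes as hex (64 printable characters, inside Azure's
# 1-128 character limit). Enter this exact string on the router; check the
# router's own PSK length limit (assumption: the Vigor accepts 64 characters).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

New-AzVirtualNetworkGatewayConnection -Name 'VN-1-to-OnPrem' -ResourceGroupName $rg `
  -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
  -ConnectionType IPsec -SharedKey $psk | Out-Null

# What the router needs from Azure: the gateway's public IP and the PSK.
$azureIp = (Get-AzPublicIpAddress -Name 'VN-1-VPN-Gateway-Public-IP' -ResourceGroupName $rg).IpAddress
"Azure gateway public IP: $azureIp"
"Pre-shared key         : $psk"
```

Everything the portal wizard did by hand is here in the same order, which also gives you a repeatable way to tear the test down (delete the resource group) and rebuild it without paying for an idle gateway.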

Deploying a Virtual Machine in Azure

Let's deploy a Windows Server 2016 virtual machine on our Azure cloud platform. We will use this server to host some applications and for other purposes we don't know yet.

Basic settings for your virtual machine: VM name, user, password... etc.

Now it's time to spend some money on a bunch of CPUs, RAM and disks. Let's buy some. In this case I will take a cheap size that is adequate for this environment.

After choosing the hardware, we move on to the internal configuration of this virtual machine. Choose the virtual network the VM is connected to and select the subnet in which the VM resides; remember that virtual machines cannot reside in the GatewaySubnet! In this case we are not using network security groups or a firewall, because we are only implementing this to test the basic settings.

Virtual machine public IP address: YES! Create it at this step, because if the site-to-site VPN does not work, this IP lets you reach your VM directly with Remote Desktop on port 3389. Be aware that RDP exposed to the whole Internet starts getting password-guessed within hours; if you keep the public IP, add a network security group rule that allows 3389 only from your on-premises public IP, and drop the public IP once the tunnel works.

In the dashboard check all resources and click on your deployed virtual machine.

Here is the summary before we approve the deployment. From this point we can also create a template and download it for further automation when deploying virtual machines in Azure.
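The same VM deployment in Azure PowerShell, as an added example that is not part of the original post: it keeps the public IP for the RDP fallback described above, but attaches a network security group that only allows 3389 from the on-premises address, which the post skips for testing. The resource group, VM size, resource names and the placeholder address 203.0.113.10 are assumptions; the virtual network VN-1 and the default subnet are the ones created earlier.

```powershell
# Added example (not from the original post): Windows Server 2016 VM in the
# 'default' subnet with RDP restricted to the on-prem public IP by an NSG.
# Assumed: resource group/VM/size names and the placeholder 203.0.113.10.
$rg = 'RG-VPN-Test'; $location = 'westeurope'; $vmName = 'VM-1'
$onPremIp = '203.0.113.10'          # placeholder: your ISP-assigned static IP
$cred = Get-Credential -Message 'Local administrator for the VM'

# NSG: RDP only from the office. Everything else inbound keeps Azure's default
# rules (VNet and load balancer allowed, Internet denied), so traffic arriving
# through the tunnel from 192.168.33.0/24 is still permitted.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-from-OnPrem' -Priority 1000 `
             -Direction Inbound -Access Allow -Protocol Tcp `
             -SourceAddressPrefix $onPremIp -SourcePortRange '*' `
             -DestinationAddressPrefix '*' -DestinationPortRange 3389
$nsg = New-AzNetworkSecurityGroup -Name "$vmName-nsg" -ResourceGroupName $rg `
         -Location $location -SecurityRules $rdpRule

# NIC in the 'default' subnet (never in GatewaySubnet), with a public IP for the
# fallback RDP path and the NSG bound to the NIC.
$vnet   = Get-AzVirtualNetwork -Name 'VN-1' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'default' -VirtualNetwork $vnet
$pip = New-AzPublicIpAddress -Name "$vmName-pip" -ResourceGroupName $rg `
         -Location $location -AllocationMethod Dynamic -Sku Basic
$nic = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location `
         -SubnetId $subnet.Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# Small, cheap size for a test box (assumed); adjust to taste.
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_B2s' |
      Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent |
      Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
                          -Skus '2016-Datacenter' -Version 'latest' |
      Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null

# Two ways in: over the Internet (only from $onPremIp) and through the tunnel.
"RDP over the Internet: " + (Get-AzPublicIpAddress -Name "$vmName-pip" -ResourceGroupName $rg).IpAddress
"RDP through the tunnel: " + $nic.IpConfigurations[0].PrivateIpAddress
```

Once the tunnel is verified, the cleanest hardening is to detach and delete the public IP; the NSG rule then becomes irrelevant and the VM is reachable only from the office LAN.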

Troubleshooting the Azure VPN: a good option is to reset the gateway.

Resetting the Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more S2S VPN tunnels, that is, when your on-premises VPN devices are all working correctly but cannot establish IPsec tunnels with the Azure VPN gateway.

Once the command is issued, the currently active instance of the Azure VPN gateway is rebooted immediately. Resetting the gateway causes a gap in VPN connectivity and may limit future root-cause analysis of the issue, so save the router's IKE log first.

NOTE: REMEMBER THAT SHUTTING DOWN THE VM from inside Windows will not stop the billing (it shows as »Stopped« but is still allocated); to stop billing you must stop it from the portal so that it becomes »Stopped (deallocated)«!
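The two checks above from PowerShell, as an added example that is not part of the original post: it reads the real tunnel state (not the provisioning state), resets the gateway only when the tunnel is down, and deallocates the test VM so billing actually stops. The resource, connection and VM names are assumptions matching the earlier examples.

```powershell
# Added example (not from the original post): tunnel status, conditional gateway
# reset, and a proper stop/deallocate of the test VM. Names below are assumed.
$rg = 'RG-VPN-Test'; $connName = 'VN-1-to-OnPrem'
$gwName = 'VN-1-VPN-Gateway'; $vmName = 'VM-1'

# ProvisioningState 'Succeeded' only says the connection resource was created.
# ConnectionStatus is the actual tunnel state: Connected / NotConnected / Connecting.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
"{0}: provisioning={1} tunnel={2}" -f $conn.Name, $conn.ProvisioningState, $conn.ConnectionStatus

if ($conn.ConnectionStatus -ne 'Connected') {
    # Reboots the active gateway instance. The public IP is kept, but the tunnel
    # drops for a short while and on-box evidence of the fault is lost, so
    # collect the router's IKE log before doing this.
    $vng = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
    Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $vng | Out-Null
}

# Stop-AzVM without -StayProvisioned deallocates: the VM shows 'VM deallocated'
# and compute billing stops. A shutdown from inside Windows leaves it merely
# 'VM stopped' and still billed.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
(Get-AzVM -ResourceGroupName $rg -Name $vmName -Status).Statuses |
    Where-Object Code -like 'PowerState/*' |
    Select-Object -ExpandProperty DisplayStatus
```

The last line should print "VM deallocated"; if it prints "VM stopped", the machine was only shut down and the hourly compute charge continues.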

Configuration of IPsec on premises

You must tell the on-premises router about the subnets in Microsoft Azure so it can route traffic for the virtual machine subnet into the tunnel. On a policy-based tunnel the traffic selectors must also match what Azure expects: local network 192.168.33.0/24 (the Local Network Gateway prefix) and remote network 10.0.0.0/16 (the whole virtual network address space, not just the VM subnet). A mismatch here is the usual reason phase 1 succeeds while phase 2 never comes up.

Use the highest IPsec security method, ESP AES with authentication. Set the Azure VPN gateway's public IP address as the remote gateway, enter the same PSK, and connect.


Now we are able to connect directly from our on-premises environment to our virtual machines, databases and everything else Azure can host.

Let’s check RDP!

First logon via Azure: connect with RDP to the public IP. OK, it works.

Let's try to connect through the IPsec tunnel, to the VM's private address.

Works like a charm.

If you have any questions don’t hesitate to send me an e-mail.

Cheers,

Germán