Post on 16-Mar-2018
(C) 2012 Dean Suzuki, All Rights Reserved 1
Dean Suzuki Blog
Title: Setting Up A Site to Site VPN Between Microsoft Azure and the Corporate Network
Created: 6/17/2014
Description:
In this blog post, I record the process that I went through to:
Set up a site-to-site VPN from my on-premise lab network (simulating a corporate network) to Microsoft Azure
Set up a VM in Azure
This scenario simulates a situation where a customer wants to extend their on-premise environment to
the Microsoft Azure cloud. A common example is where the customer wants to host machines in
Microsoft Azure but needs access to resources on their corporate network (e.g. Active Directory, or
Databases).
This scenario corresponds to Scenario 2 from this MSDN article.
[Diagram: Site To Site VPN between Microsoft Azure and the Corporate Network; labels shown: Machine2, 10.5.104.x, 10.5.103.x]
In this scenario, I am using on-premise Windows 2012 R2 Routing and Remote Access capability to serve
as the endpoint for the Site-to-Site VPN tunnel from Azure.
References:
http://msdn.microsoft.com/en-us/library/azure/jj156090.aspx ; Guidelines for Deploying
Windows Server Active Directory on Azure Virtual Machines
http://msdn.microsoft.com/en-us/library/dn631643.aspx ; Configure a Cloud-Only Virtual
Network in the Management Portal
http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-
machine/ ; Install a new Active Directory forest on an Azure virtual network
http://msdn.microsoft.com/library/dn636917.aspx ; Site-to-Site VPN in Azure Virtual Network
using Windows Server 2012 Routing and Remote Access Service (RRAS)
http://msdn.microsoft.com/library/azure/dn630228.aspx ; Setting Static IP Address in Azure
Disclaimer:
Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the
views of my employer. (C) 2012 Dean Suzuki, All Rights Reserved
Table of Contents
1 Create Site to Site VPN from Azure to On-Premise Infrastructure
1.1 Confirm if On-Premise VPN Device Meets Requirements For Cross-Premise VPN
1.2 Obtain a Public IP for the VPN Device
1.3 Configure an Azure Virtual Network for Site-to-Site Connectivity
1.4 Configure a Virtual Network Gateway
1.5 Configure VPN Device On-Premise using RRAS
1.6 Run VPN Config Script
1.7 Review Routing and Remote Access Configuration
1.8 Set DNS on Azure Virtual Network
2 Prepare for VMs in the Cloud
2.1 Create an AD Site for Azure
3 Create Machine in Azure on Corporate Network
3.1 Create Virtual Machine
3.2 Set Static IP Address for VM
3.2.1 Download and Install PowerShell for Azure
3.2.2 Connect to your Azure subscription
3.2.3 Verify that Static IP Address is Available
3.2.4 Update VM with Static IP Address
3.3 Setup Routes to Azure Cloud
3.4 Check Connectivity from On-Premise to Cloud VM
3.5 Join Machine to On-Prem Corporate Domain
3.6 Add a Data Disk to VM for AD Database
3.7 Install Active Directory
3.7.1 Install Active Directory Domain Services Role (AD DS)
3.7.2 Promote the machine to a domain controller
4 Appendix: Using F5 as VPN Device
1 Create Site to Site VPN from Azure to On-Premise Infrastructure
In the previous blog post, I mentioned that you have a couple options when creating an Azure Virtual
Network. They are:
Create a Cloud-Only Network that will only exist in Azure
Create a network that will be connected through VPN with your on-premise corporate network.
In the previous blog, we created a cloud-only network.
In this post, we’ll create an Azure Virtual Network with Site-to-Site VPN connectivity back to my on-premise lab network.
1.1 Confirm if On-Premise VPN Device Meets Requirements For Cross-Premise VPN
Review this MSDN article (http://msdn.microsoft.com/en-us/library/jj156075.aspx)
Note that there are two types of VPN supported by Azure
Site to Site Connectivity: Used to connect two sites together over VPN.
Point to Site Connectivity: Used to connect a machine to a site over a VPN
Note that there are two types of gateways:
Static routing VPN gateways
Dynamic Routing VPN gateways
Static routing VPN gateways only support Site-to-Site connectivity. If you want to support both Site-to-Site
and Point-to-Site connectivity, then you need to use a Dynamic routing VPN gateway.
In my lab, I have an F5 BIG-IP, which is a static routing VPN gateway. There is a config note listed that
describes how to set this up.
I also have a Windows 2012 R2 server which supports Routing and Remote Access and can do dynamic
routing.
1.2 Obtain a Public IP for the VPN Device
Obtain an externally facing IPv4 address for your VPN device. This IP address is required for a site-to-site
configuration and is used for your VPN device, which cannot be located behind a NAT.
1.3 Configure an Azure Virtual Network for Site-to-Site Connectivity
Launch the Azure Management Portal (https://manage.windowsazure.com)
Log in with your credentials
In the lower left-hand corner of the screen, click New. In the navigation pane, click Network Services,
and then click Virtual Network. Click Custom Create to begin the configuration wizard
Enter a name for the Virtual Network and select its Affinity Group. The affinity group is related to the
physical location where you want your resources (VMs) to reside. Even if you already have an affinity
group, it might not be associated with the region that you want your resources to reside in. If that’s the
case, select Create a new affinity group from the dropdown.
NOTE: What is an affinity group? “Windows Azure datacenters are physically very large and contain hundreds of thousands of servers. There is a significant difference in network latency between two servers in a single rack and two servers at opposite ends of a datacenter. Windows Azure therefore provides an affinity group feature to provide a higher degree of co-location within a datacenter than would otherwise be possible using random placement. Associated cloud and storage services should be placed within an affinity group to minimize network latency. This minimization is particularly important when a cloud service makes extensive use of storage services. Affinity groups allow you to group your Windows Azure services to optimize performance. All services within an affinity group will be located in the same data center. “ From (http://social.msdn.microsoft.com/Forums/en-US/cc2fbca1-0b5e-4e72-808c-b09066d54dc3/affinity-group?forum=windowsazuremanagement)
On the next page, press Next. I’m going to add a DNS server later.
Check the “Configure a site-to-site VPN” checkbox.
On the next page, enter
a name for the on-premise network
the public IP address for the VPN device that Azure will connect to. It can’t be a NAT’d IP address
the starting IP address and CIDR (Subnet mask) for the on-premise networks that will be
communicated with by the servers in Azure.
On the Virtual Network Address Spaces page, specify the address range that you want to use for your
virtual network. It’s especially important to select a range that does not overlap with any of the ranges
that are used for your on-premises network.
Also, I needed to specify a Gateway subnet. Press the “Add gateway subnet” button. Hit the Check button
to continue.
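Before creating the VNet, it is worth checking the chosen address space against every on-premise range, since an overlap only shows up later as routing that silently goes the wrong way. The following PowerShell is an added example and not part of the original post; the functions Get-IPv4Range, Test-CidrOverlap and Test-CidrWithin are my own, and every range in the sample is constructed for illustration. It also checks that the gateway subnet lies inside the VNet address space, which the portal requires.

```powershell
# Added example (not from the original post). Checks that a candidate VNet address space does not
# overlap any on-premise range, and that the gateway subnet sits inside the VNet space.
# All ranges below are constructed for illustration.

function Get-IPv4Range {
    # Returns the first and last address of a CIDR block as 64-bit integers
    param([Parameter(Mandatory)][string]$Cidr)   # e.g. '10.5.104.0/24'
    $ip, $prefix = $Cidr.Split('/')
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Cidr" }
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "$Cidr is not IPv4" }
    $value = ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
    $size  = [long][Math]::Pow(2, 32 - $prefix)
    $start = [long][Math]::Floor($value / $size) * $size
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # True when the two blocks share at least one address
    param([string]$A, [string]$B)
    $ra = Get-IPv4Range $A; $rb = Get-IPv4Range $B
    ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Test-CidrWithin {
    # True when $Inner lies completely inside $Outer
    param([string]$Inner, [string]$Outer)
    $ri = Get-IPv4Range $Inner; $ro = Get-IPv4Range $Outer
    ($ri.Start -ge $ro.Start) -and ($ri.End -le $ro.End)
}

# Constructed sample values (replace with your own ranges)
$onPremiseRanges = @('10.5.103.0/24', '192.168.0.0/16')
$vnetSpace       = '10.5.104.0/24'
$gatewaySubnet   = '10.5.104.240/29'

foreach ($range in $onPremiseRanges) {
    if (Test-CidrOverlap -A $range -B $vnetSpace) {
        Write-Warning "VNet space $vnetSpace overlaps on-premise range $range; pick a different range"
    } else {
        Write-Output "OK: $vnetSpace does not overlap $range"
    }
}
if (Test-CidrWithin -Inner $gatewaySubnet -Outer $vnetSpace) {
    Write-Output "OK: gateway subnet $gatewaySubnet is inside $vnetSpace"
} else {
    Write-Warning "Gateway subnet $gatewaySubnet is outside the VNet address space"
}
```

Run it on any Windows machine with PowerShell 3.0 or later; the arithmetic uses 64-bit integers deliberately so that /0 and /1 blocks do not overflow a 32-bit signed value.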
1.4 Configure a Virtual Network Gateway
A virtual network gateway is required to create a secure cross-premises connection. After creating your
virtual network, use the following steps to configure the virtual network gateway and gather the
information you’ll need to configure your VPN device.
See http://msdn.microsoft.com/en-us/library/jj156210.aspx for more information.
1. On the Networks page, verify that the status column for your virtual network is Created.
2. In the Name column, click the name of your virtual network.
3. On the Dashboard page, notice that this VNet doesn’t have a gateway configured yet. You’ll see
this status as you go through the steps to configure your gateway.
4. At the bottom of the page, click Create Gateway.
5. Since I am using RRAS, I selected “Dynamic Routing”.
6. Press Yes at the confirmation prompt
Gateway is being created.
Once it has been created, we will need to configure the VPN device on-premise.
1.5 Configure VPN Device On-Premise using RRAS
I used http://msdn.microsoft.com/library/dn636917.aspx as a reference
On the machine that will be the VPN on-premise connection point, download the VPN configuration
script. The machine needs to have: two NICs, one NIC on the internal network, the second NIC on the
Internet with public IP address (Can’t be NAT’d), and be running Windows 2012 R2.
From the Azure Portal, click the hyperlink “Download VPN Device Configuration Script”.
Select “Microsoft”, “RRAS”, and “Windows Server 2012”
Rename the file name extension of the downloaded file from a .cfg to a .ps1 file name extension to
indicate that it is a Windows PowerShell script.
1.6 Run VPN Config Script
Note that in order to run the VPN configuration script, the Windows PowerShell Execution policy on the
RRAS machine must be set to Unrestricted. To do so, start a Windows PowerShell console with
administrative permissions, and then run Set-ExecutionPolicy Unrestricted
Drag and drop the VPN Config Script into the PowerShell window and execute it.
You may receive some warnings.
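The generated script carries the tunnel's pre-shared key and the Azure gateway address, so it deserves a look before it is run, and the execution policy change can be confined to one PowerShell session rather than applied machine-wide. The following is an added example of my own, not the post's or Microsoft's code: the download file name is an assumption, and the pattern 'SharedSecret' assumes the script passes the key through a parameter of that name. The last step uses Get-VpnS2SInterface from the RemoteAccess module that RRAS installs.

```powershell
# Added example (not from the original post). Prepares and runs the downloaded RRAS script without
# relaxing the machine-wide execution policy. The file name is an assumption.
$downloaded = Join-Path $env:USERPROFILE 'Downloads\VpnDeviceScript.cfg'   # assumed name of the .cfg file
$script     = [System.IO.Path]::ChangeExtension($downloaded, '.ps1')

# 1. Rename .cfg to .ps1 so PowerShell will treat it as a script
Rename-Item -Path $downloaded -NewName (Split-Path -Path $script -Leaf)

# 2. Remove the Internet zone marker from the download. That marker is what blocks the script under
#    the RemoteSigned policy that Server 2012 R2 ships with, so clearing it avoids a lasting Unrestricted setting.
Unblock-File -Path $script

# 3. Read the script before running it. It embeds the tunnel's pre-shared key (assumed to appear on a
#    line containing 'SharedSecret'); treat the file as a secret.
Get-Content -Path $script | Out-Host
Select-String -Path $script -Pattern 'SharedSecret' | ForEach-Object { "PSK present on line $($_.LineNumber)" }

# 4. Run with a policy that applies to this PowerShell process only
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
& $script

# 5. Confirm RRAS now has the site-to-site interface for the Azure gateway
Get-VpnS2SInterface | Select-Object Name, Destination, ConnectionState

# 6. Remove the script so the pre-shared key is not left lying on disk
Remove-Item -Path $script -Force
```

Run this from an elevated PowerShell console on the RRAS server. Because the policy is set with -Scope Process, closing the console returns the machine to its previous policy without a second Set-ExecutionPolicy call.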
1.7 Review Routing and Remote Access Configuration
Launch the Routing and Remote Access MMC
Go to the “ServerName” > Network Interfaces and you should see the Site to Site VPN connection and
Azure Gateway object
In the Azure Portal, press “Connect” to initiate the VPN.
Yay! VPN is configured!
1.8 Set DNS on Azure Virtual Network
Now that the Site to Site VPN is established, we will go back and set the DNS servers on the Azure Virtual
Network to use the on-premise DNS server.
Go to Azure Portal > Networks, select the Site to Site VPN network and press Configure.
2 Prepare for VMs in the Cloud
Now that the VPN is in place, a common scenario is to place a domain controller from the corporate
Active Directory into Microsoft Azure.
This process is outlined at:
http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-install-replica-active-
directory-domain-controller/
2.1 Create an AD Site for Azure
A first step to put a Domain Controller or services in the cloud is to configure the Active Directory Sites
and Subnets to cover that network.
On the On-Premise DC, launch AD Sites and Services
Create a new Site for the Azure Cloud
Name the site and select “DefaultIPSiteLink” as the transport.
Create the Subnet Object for the Azure Cloud Virtual Network
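The same three objects (site, site link membership, subnet) can be created from PowerShell on the on-premise DC, which is easier to repeat and to review than the MMC clicks. This is an added example and not the post's own procedure; the site name and the subnet value are assumptions, and the subnet must match the VNet address space configured in section 1.3. It uses the ActiveDirectory module cmdlets that ship with Windows Server 2012 R2.

```powershell
# Added example (not from the original post): create the Azure site, add it to DefaultIPSiteLink,
# and register the VNet subnet, from an on-premise DC. Names and the subnet are assumptions.
Import-Module ActiveDirectory

$siteName   = 'Azure-Lab'          # assumed site name
$vnetSubnet = '10.5.104.0/24'      # assumed: must equal the VNet address space chosen in section 1.3

# Create the site if it does not already exist (New-ADReplicationSite errors on duplicates)
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}

# Put the new site on the existing DefaultIPSiteLink so replication between on-premise and Azure DCs has a path
Set-ADReplicationSiteLink -Identity 'DefaultIPSiteLink' -SitesIncluded @{ Add = $siteName }

# Map the VNet address range to the site, so a VM in the VNet locates DCs in this site first
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$vnetSubnet'")) {
    New-ADReplicationSubnet -Name $vnetSubnet -Site $siteName
}

# Verify: the subnet should resolve to the new site, and the site should be on the link
Get-ADReplicationSubnet -Identity $vnetSubnet | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity 'DefaultIPSiteLink' | Select-Object Name, SitesIncluded
```

Run it as a member of Enterprise Admins (or a delegate with rights on the Sites container). The existence checks make it safe to re-run after a partial failure.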
3 Create Machine in Azure on Corporate Network
3.1 Create Virtual Machine
Create a new VM in Azure
Choose the Virtual Network that we established the Site to Site VPN on.
Wait for the VM to be created.
Log on to the new VM
Open a Command Prompt and run ipconfig /all
Notice that the DNS servers are set to what we configured earlier.
3.2 Set Static IP Address for VM
By default, Azure VMs are assigned dynamic IP addresses (DIP). The dynamic IP addresses persist for
the life of the VM. However, the dynamic address is deallocated if the VM is shutdown. To prevent the
IP address from being deallocated, you can use Set-AzureStaticVNetIP to assign a static IP address.
3.2.1 Download and Install PowerShell for Azure
Read the following article for more background: http://azure.microsoft.com/en-
us/documentation/articles/install-configure-powershell/
Download and install the Azure Powershell module from:
http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409
3.2.2 Connect to your Azure subscription
Review (http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/) and
notice that there are two methods to connect to your Azure subscription. I am going with the
management certificate approach. From the article:
1. Sign in to the Azure Management Portal using the credentials for your Azure account.
2. Open the Azure PowerShell console, as instructed in How to: Install Azure PowerShell.
3. Type the following command:
Get-AzurePublishSettingsFile
4. When prompted, download and save the publishing profile and note the path and name of the
.publishsettings file. This information is required when you run the Import-AzurePublishSettingsFile cmdlet
to import the settings. The default location and file name format is:
C:\Users\<UserProfile>\Download\[MySubscription-...]-downloadDate-credentials.publishsettings
(C:\deandata\ds_mtc\1-Private-Cloud-lab\Azure-Management-Certificate)
5. Type a command similar to the following, substituting your Windows account name and the path and file
name for the placeholders:
Import-AzurePublishSettingsFile C:\Users\<UserProfile>\Downloads\<SubscriptionName>-credentials.publishsettings
Commands to check your Azure account:
Get-AzureAccount
Get-AzureSubscription
Help azure ; lists all cmdlets in Azure PowerShell
3.2.3 Verify that Static IP Address is Available
Run a command similar to: Test-AzureStaticVNetIP -VNetName TestVNet -IPAddress 192.168.4.7
3.2.4 Update VM with Static IP Address
First, get information on the VM and confirm that this is the VM that we want to change the IP Address
of.
Get-AzureVM -ServiceName dc1-s2s -Name dc1-s2s
If we are sure that we want to change the IP address of this VM, run the following to update that VM
Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM
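Sections 3.2.2 to 3.2.4 together form one procedure: import the management certificate, check that the wanted address is free, confirm the target VM, then reserve the address. The script below is an added example of my own and not the post's code. It reuses the VNet, cloud service, VM and address names that appear in the post's commands; the .publishsettings path and the subscription name are assumptions. Two points a practitioner would want that the individual commands do not show: the .publishsettings file is a credential (it contains the management certificate) and should be deleted once imported, and Test-AzureStaticVNetIP returns an object whose IsAvailable property must be checked before calling Set-AzureStaticVNetIP.

```powershell
# Added example (not from the original post): connect with the management certificate, then reserve
# a static VNet address for the VM only if it is still free. Names and addresses are assumptions
# except where the post's own commands supply them.
Import-Module Azure

$settingsFile = "$env:USERPROFILE\Downloads\MySubscription-credentials.publishsettings"  # assumed path
$subscription = 'MySubscription'   # assumed subscription name
$vnetName     = 'TestVNet'         # from the post's Test-AzureStaticVNetIP example
$serviceName  = 'dc1-s2s'          # from the post's Get-AzureVM example
$vmName       = 'dc1-s2s'
$wantedIp     = '192.168.4.7'      # from the post's example

# 1. Import the profile, then delete the file: it holds the management certificate, which gives
#    full control of the subscription to anyone who can read it
Import-AzurePublishSettingsFile -PublishSettingsFile $settingsFile
Remove-Item -Path $settingsFile -Force
Select-AzureSubscription -SubscriptionName $subscription -Default

# 2. Check that the address is free in the VNet (the cmdlet also fails if it is outside the address space)
$check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $wantedIp
if (-not $check.IsAvailable) {
    throw "$wantedIp is in use; free addresses nearby: $($check.AvailableAddresses -join ', ')"
}

# 3. Confirm we have the right VM before touching it, then reserve the address.
#    Update-AzureVM reprovisions the VM, so expect it to restart.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
if (-not $vm) { throw "VM $vmName not found in cloud service $serviceName" }
"Current address of $($vm.Name): $($vm.IpAddress)"
$vm | Set-AzureStaticVNetIP -IPAddress $wantedIp | Update-AzureVM

# 4. Verify the reservation from Azure's side
(Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureStaticVNetIP).IPAddress
```

The throw in step 2 is deliberate: without it, Set-AzureStaticVNetIP on an address already held by another VM fails later in the pipeline, after Update-AzureVM has already been queued.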
After the VM restarts, I checked for the new IP address.
Note: You can connect to the VM via RDP by selecting the VM in the portal and at the bottom, there is a
Connect button.
3.3 Setup Routes to Azure Cloud
In my lab, I’m using a Windows 2012 R2 RRAS server as my VPN gateway to Azure.
So, I’ll need to tell my domain controllers how to route packets to get to the Azure network.
Note: In a production environment, the routers would need to be updated with the routes to get to
Azure.
3.4 Check Connectivity from On-Premise to Cloud VM
Enable Ping through the firewall on the VMs
Open the “Windows Firewall with Advanced Security” MMC
Go to Inbound Rules and enable the rule “File and Printer Sharing (Echo Request - ICMPv4-In)”
Now, initiate a ping from a machine on-premise to the Cloud VM
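Sections 3.3 and 3.4 are the two halves of one check: the on-premise hosts need a route to the VNet through the RRAS server, and the cloud VM needs to answer. The script below is an added example of my own, not the post's procedure, and every address in it is an assumption for a lab laid out like the post's diagram. Part 1 runs on each on-premise machine that must reach Azure (the post's domain controllers), part 2 on the Azure VM, and part 3 on-premise again. The TCP checks in part 3 are there because a successful ping proves less than a working LDAP or RDP connection does, and ICMP may be filtered where TCP is not.

```powershell
# Added example (not from the original post). Part 1 runs on each on-premise machine that must reach
# the Azure VNet; part 2 runs on the Azure VM; part 3 runs on-premise again. All addresses are assumptions.

# --- Part 1 (on-premise): persistent route to the VNet via the RRAS server's internal NIC ---
$azureVNet  = '10.5.104.0/24'   # assumed VNet address space
$rrasInside = '10.5.103.5'      # assumed internal address of the RRAS server
$ifIndex = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '10.5.103.*' } |
    Select-Object -First 1 -ExpandProperty InterfaceIndex
if (-not (Get-NetRoute -DestinationPrefix $azureVNet -ErrorAction SilentlyContinue)) {
    # New-NetRoute writes to both the active and persistent stores by default, so the route survives reboots
    New-NetRoute -DestinationPrefix $azureVNet -InterfaceIndex $ifIndex -NextHop $rrasInside
}
Get-NetRoute -DestinationPrefix $azureVNet | Select-Object DestinationPrefix, NextHop, InterfaceAlias, PolicyStore

# --- Part 2 (Azure VM): allow inbound ICMPv4 echo, the same rule the post enables in the MMC ---
Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)'
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Select-Object DisplayName, Profile, Enabled

# --- Part 3 (on-premise): confirm the path end to end ---
$cloudVm = '10.5.104.4'   # assumed static address of the Azure VM
Test-NetConnection -ComputerName $cloudVm -InformationLevel Detailed   # ICMP reachability plus the route taken
Test-NetConnection -ComputerName $cloudVm -CommonTCPPort RDP           # TCP 3389, works even when ICMP is filtered
Test-NetConnection -ComputerName $cloudVm -Port 389                    # LDAP, needed once the VM becomes a DC
```

In production, as the post notes, the route belongs on the site routers rather than on individual servers; part 1 is the lab shortcut for hosts that otherwise default-route elsewhere.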
3.5 Join Machine to On-Prem Corporate Domain
On the Azure VM that was created, join the machine to the corporate domain (e.g. irvlab.mtcdemos.net)
If the VPN, DNS, and routing are all working, then the VM should join the corporate domain.
Reboot the machine and login with a domain account from your corporate domain.
3.6 Add a Data Disk to VM for AD Database
By default, the Azure VM OS disk has write caching enabled. AD Best Practices recommends disabling
write caching to ensure that AD database changes are committed to the disk before proceeding.
In Azure, another disk option, the data disk, is available. Data disk drives do not cache writes by default.
Data disk drives that are attached to a VM use write-through caching. Write-through caching makes sure
the write is committed to durable Azure storage before the transaction is complete from the perspective
of the VM’s operating system. It provides durability, at the expense of slightly slower writes.
Please note that at this time, Azure Data disks are constrained to 1 TB in size.
1. Select the VM in the Azure Management Portal
2. Press the Attach button and select “Attach empty disk” on the pop-up menu
3. Specify a size (e.g. 2GB) and make sure that the Host Cache Preference is set to None.
4. Initialize the disk
From (http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/)
1. Log on to the VM and format the additional disk.
1. Click Connect to log on to the VM, click Open to create an RDP session, and click Connect again.
2. Change the credentials to the new user name and password you specified.
3. In Server Manager, click Tools > Computer Management.
4. Click Disk Management and click Ok to initialize the new disk.
5. Right-click the disk name and click New Simple Volume. Complete wizard to format the new drive.
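The attach-and-format procedure above can be done without the portal, which also makes it easy to confirm that host caching really is off before AD is installed on the disk. The following is an added example of my own, not the post's or Microsoft's code. The cloud service and VM names are the ones from the post's Get-AzureVM example; the disk label and drive letter are assumptions, and the 2 GB size follows the post. The first half runs from the management workstation with the Azure module; the second half runs inside the VM.

```powershell
# Added example (not from the original post): attach an empty data disk with host caching off, then
# initialize and format it inside the VM. Label and size are assumptions; 2 GB follows the post.

# --- From the management workstation with the Azure module loaded ---
Import-Module Azure
$serviceName = 'dc1-s2s'; $vmName = 'dc1-s2s'   # from the post's Get-AzureVM example
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 2 -DiskLabel 'ADDS' -LUN 0 -HostCaching None |
    Update-AzureVM

# Confirm HostCaching is None: write-back caching on the AD database disk risks a lost update on a crash
Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureDataDisk |
    Select-Object DiskLabel, Lun, LogicalDiskSizeInGB, HostCaching

# --- Inside the VM (RDP session): bring the raw disk online as an NTFS volume ---
# Filtering on PartitionStyle RAW skips the OS disk and the already-formatted temporary disk Azure provides
$disk = Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Select-Object -First 1
if (-not $disk) { throw 'No uninitialized disk found; check that the data disk was attached' }
$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false
Get-Volume | Where-Object FileSystemLabel -eq 'ADDS' | Select-Object DriveLetter, Size, FileSystem
```

Note the drive letter that Get-Volume reports; the AD DS promotion in section 3.7 needs it for the database, log and SYSVOL paths.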
3.7 Install Active Directory
I used (http://technet.microsoft.com/library/jj574166.aspx) as a reference.
3.7.1 Install Active Directory Domain Services Role (AD DS)
1. Launch Server Manager
2. Select “Add roles and features”
3. Press Next
4. Press Next
5. Press Next.
6. Select “Active Directory Domain Services”
7. Click Add Features
8. Press Next.
9. Press Next.
10. Press Next.
11. I checked to allow automatic restarts. Press Install.
3.7.2 Promote the machine to a domain controller
1. Click the link “Promote this server to a domain controller”
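Sections 3.7.1 and 3.7.2 together are the role install followed by the promotion, and both can be driven from PowerShell on the Azure VM with the ADDSDeployment module, which also gives a prerequisite check before anything is changed. The following is an added example of my own, not the post's steps. The domain name irvlab.mtcdemos.net is the one the post joins in section 3.5; the site name, the F: drive for the AD paths, and the choice to install DNS are assumptions. Placing the database, logs and SYSVOL on the data disk is what section 3.6 prepared for.

```powershell
# Added example (not from the original post): install the AD DS role on the Azure VM and promote it as an
# additional domain controller in the Azure site, with the database on the data disk. Site name, drive
# letter and DNS choice are assumptions; the domain name is the one the post joins in section 3.5.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
$domain      = 'irvlab.mtcdemos.net'
$siteName    = 'Azure-Lab'    # assumed: the site created in section 2.1
$dataDrive   = 'F:'           # assumed: the data disk formatted in section 3.6
$cred        = Get-Credential -Message "Domain Admin account for $domain"
$safeModePwd = Read-Host -AsSecureString 'Directory Services Restore Mode password'

$params = @{
    DomainName                    = $domain
    Credential                    = $cred
    SiteName                      = $siteName
    DatabasePath                  = "$dataDrive\NTDS"
    LogPath                       = "$dataDrive\NTDS"
    SysvolPath                    = "$dataDrive\SYSVOL"
    InstallDns                    = $true
    SafeModeAdministratorPassword = $safeModePwd
}

# Dry run: checks name resolution, credentials, the site, the paths and replication reachability
# over the VPN without changing anything
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the issues above before promoting'
}

# Promote. -Force suppresses the confirmation prompt; the VM reboots when the promotion finishes.
Install-ADDSDomainController @params -Force
```

After the reboot, a domain account from the corporate domain should be able to log on, and the site chosen here should appear under the new DC in AD Sites and Services on the on-premise DC.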
4 Appendix: Using F5 as VPN Device
Reviewed http://msdn.microsoft.com/en-us/library/jj156075.aspx and got referred to the F5 page
(https://devcentral.f5.com/articles/connecting-to-windows-azure-with-the-big-ip#.U40I9dhOU5s)
Downloaded and imported the F5 iApp
Note: get the pre-shared key and the remote endpoint address from the Azure portal
The iApp didn’t work so I went the manual route.
Create the IKE Peer
Create IPSec Policy
Create Traffic Selector