(C) 2012 Dean Suzuki, All Rights Reserved 1

Dean Suzuki Blog

Title: Setting Up A Site to Site VPN Between Microsoft Azure and the Corporate Network

Created: 6/17/2014

Description:

In this blog post, I record the process that I went through to:

- Set up a site-to-site VPN from my on-premise lab network (simulating a corporate network) to Microsoft Azure
- Set up a VM in Azure

This scenario simulates a situation where a customer wants to extend their on-premise environment to the Microsoft Azure cloud. A common example is where the customer wants to host machines in Microsoft Azure but needs access to resources on their corporate network (e.g. Active Directory or databases).

This scenario corresponds to Scenario 2 from this MSDN article.

[Diagram: Microsoft Azure and the Corporate Network connected by a Site To Site VPN; labels: Machine2, 10.5.104.x, 10.5.103.x]

In this scenario, I am using the on-premise Windows 2012 R2 Routing and Remote Access capability to serve as the endpoint for the Site-to-Site VPN tunnel from Azure.

References:

http://msdn.microsoft.com/en-us/library/azure/jj156090.aspx ; Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines

http://msdn.microsoft.com/en-us/library/dn631643.aspx ; Configure a Cloud-Only Virtual Network in the Management Portal

http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/ ; Install a new Active Directory forest on an Azure virtual network

http://msdn.microsoft.com/library/dn636917.aspx ; Site-to-Site VPN in Azure Virtual Network using Windows Server 2012 Routing and Remote Access Service (RRAS)

http://msdn.microsoft.com/library/azure/dn630228.aspx ; Setting Static IP Address in Azure

Disclaimer:

Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the views of my employer. (C) 2012 Dean Suzuki, All Rights Reserved

Table of Contents

1 Create Site to Site VPN from Azure to On-Premise Infrastructure
  1.1 Confirm if On-Premise VPN Device Meets Requirements For Cross-Premise VPN
  1.2 Obtain a Public IP for the VPN Device
  1.3 Configure an Azure Virtual Network for Site-to-Site Connectivity
  1.4 Configure a Virtual Network Gateway
  1.5 Configure VPN Device On-Premise using RRAS
  1.6 Run VPN Config Script
  1.7 Review Routing and Remote Access Configuration
  1.8 Set DNS on Azure Virtual Network
2 Prepare for VM’s in the Cloud
  2.1 Create an AD Site for Azure
3 Create Machine in Azure on Corporate Network
  3.1 Create Virtual Machine
  3.2 Set Static IP Address for VM
    3.2.1 Download and Install PowerShell for Azure
    3.2.2 Connect to your Azure subscription.
    3.2.3 Verify that Static IP Address is Available
    3.2.4 Update VM with Static IP Address
  3.3 Setup Routes to Azure Cloud
  3.4 Check Connectivity from On-Premise to Cloud VM
  3.5 Join Machine to On-Prem Corporate Domain
  3.6 Add a Data Disk to VM for AD Database
  3.7 Install Active Directory
    3.7.1 Install Active Directory Domain Services Role (AD DS)
    3.7.2 Promote the machine to a domain controller
4 Appendix: Using F5 as VPN Device

1 Create Site to Site VPN from Azure to On-Premise Infrastructure

In the previous blog post, I mentioned that you have a couple of options when creating an Azure Virtual Network. They are:

- Create a Cloud-Only Network that will only exist in Azure
- Create a network that will be connected through VPN with your on-premise corporate network.

In the previous blog, we created a cloud-only network.

In this post, we’ll create an Azure Virtual Network with Site-to-Site VPN connectivity back to my on-premise lab network.

1.1 Confirm if On-Premise VPN Device Meets Requirements For Cross-Premise VPN

Review this MSDN article (http://msdn.microsoft.com/en-us/library/jj156075.aspx)

Note that there are two types of VPN supported by Azure:

- Site to Site Connectivity: Used to connect two sites together over VPN.
- Point to Site Connectivity: Used to connect a machine to a site over a VPN

Note that there are two types of gateways:

- Static routing VPN gateways
- Dynamic routing VPN gateways

Static routing VPN gateways only support Site-to-Site connectivity. If you want to support both Site-to-Site and Point-to-Site connectivity, then you need to use a Dynamic routing VPN gateway.

In my lab, I have an F5 BIG-IP which is a static routing VPN gateway. There is a config note listed that describes how to set this up.

I also have a Windows 2012 R2 server which supports Routing and Remote Access and can do dynamic routing.

1.2 Obtain a Public IP for the VPN Device

Obtain an externally facing IPv4 IP for your VPN device. This IP address is required for a site-to-site configuration and is used for your VPN device, which cannot be located behind a NAT.

1.3 Configure an Azure Virtual Network for Site-to-Site Connectivity

Launch Azure Management Portal (https://manage.windowsazure.com)

Login with your credentials

In the lower left-hand corner of the screen, click New. In the navigation pane, click Network Services, and then click Virtual Network. Click Custom Create to begin the configuration wizard.

Enter a name for the Virtual Network and select its Affinity Group. The affinity group is related to the physical location where you want your resources (VMs) to reside. Even if you already have an affinity group, it might not be associated with the region that you want your resources to reside in. If that’s the case, select Create a new affinity group from the dropdown.

NOTE: What is an affinity group? “Windows Azure datacenters are physically very large and contain hundreds of thousands of servers. There is a significant difference in network latency between two servers in a single rack and two servers at opposite ends of a datacenter. Windows Azure therefore provides an affinity group feature to provide a higher degree of co-location within a datacenter than would otherwise be possible using random placement. Associated cloud and storage services should be placed within an affinity group to minimize network latency. This minimization is particularly important when a cloud service makes extensive use of storage services. Affinity groups allow you to group your Windows Azure services to optimize performance. All services within an affinity group will be located in the same data center. “ From (http://social.msdn.microsoft.com/Forums/en-US/cc2fbca1-0b5e-4e72-808c-b09066d54dc3/affinity-group?forum=windowsazuremanagement)

On the next page, press Next. I’m going to add a DNS server later.

Check the “Configure a site-to-site VPN” checkbox.

On the next page, enter:

- a name for the on-premise network
- the public IP address for the VPN device that Azure will connect to. It can’t be a NAT’d IP address
- the starting IP address and CIDR (subnet mask) for the on-premise networks that will be communicated with by the servers in Azure.

On the Virtual Network Address Spaces page, specify the address range that you want to use for your virtual network. It’s especially important to select a range that does not overlap with any of the ranges that are used for your on-premises network.

Also, I needed to specify a Gateway subnet. Press the “Add gateway subnet” button. Hit the Check button to continue.
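
The non-overlap requirement above can be checked before the ranges are entered in the wizard. The following PowerShell is an added example, not part of the original post; the function names are made up for it, and the prefix lengths and the assignment of 10.5.103.x and 10.5.104.x to either side are assumptions for illustration.

```powershell
function ConvertTo-CidrRange {
    # Turn 'a.b.c.d/n' into the first and last address of the block, as Int64.
    param([Parameter(Mandatory = $true)][string]$Cidr)

    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "Not CIDR notation: $Cidr" }

    $ip = [System.Net.IPAddress]::Parse($parts[0])
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "IPv4 only: $Cidr"
    }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length: $Cidr" }

    # Fold the four network-order bytes into one number.
    [long]$addr = 0
    foreach ($b in $ip.GetAddressBytes()) { $addr = ($addr * 256) + $b }

    [long]$size  = [math]::Pow(2, 32 - $prefix)
    [long]$first = $addr - ($addr % $size)      # round down to the block boundary
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-CidrOverlap {
    # Two blocks overlap when each one starts before the other one ends.
    param([string]$A, [string]$B)
    $ra = ConvertTo-CidrRange -Cidr $A
    $rb = ConvertTo-CidrRange -Cidr $B
    return (($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last))
}

function Get-AddressSpaceConflict {
    # For each candidate VNet range, list the on-premises ranges it collides with.
    param([string[]]$Candidate, [string[]]$OnPremises)
    foreach ($c in $Candidate) {
        $hits = @($OnPremises | Where-Object { Test-CidrOverlap -A $c -B $_ })
        [pscustomobject]@{
            Candidate = $c
            Usable    = ($hits.Count -eq 0)
            Conflicts = ($hits -join ', ')
        }
    }
}

# Constructed sample values. The post's diagram only shows 10.5.103.x and
# 10.5.104.x; the masks and the extra ranges are assumptions.
$onPrem     = @('10.5.103.0/24', '192.168.0.0/16')
$candidates = @('10.5.104.0/24', '10.5.0.0/16', '192.168.4.0/24')

Get-AddressSpaceConflict -Candidate $candidates -OnPremises $onPrem |
    Format-Table -AutoSize
```

Include the gateway subnet among the candidates as well, since it is carved out of the same virtual network address space.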

1.4 Configure a Virtual Network Gateway

A virtual network gateway is required to create a secure cross-premises connection. After creating your virtual network, use the following steps to configure the virtual network gateway and gather the information you’ll need to configure your VPN device.

See http://msdn.microsoft.com/en-us/library/jj156210.aspx for more information.

1. On the Networks page, verify that the status column for your virtual network is Created.

2. In the Name column, click the name of your virtual network.

3. On the Dashboard page, notice that this VNet doesn’t have a gateway configured yet. You’ll see this status as you go through the steps to configure your gateway.

4. At the bottom of the page, click Create Gateway.

5. Since I am using RRAS, I selected “Dynamic Routing”.

6. Press Yes at the confirmation prompt

Gateway is being created.

Once it has been created, we will need to configure the VPN device on-premise.

1.5 Configure VPN Device On-Premise using RRAS

I used http://msdn.microsoft.com/library/dn636917.aspx as a reference

On the machine that will be the VPN on-premise connection point, download the VPN configuration script. The machine needs to have: two NICs, one NIC on the internal network, the second NIC on the Internet with public IP address (Can’t be NAT’d), and be running Windows 2012 R2.

From the Azure Portal, click the hyperlink “Download VPN Device Configuration Script”.

Select “Microsoft”, “RRAS”, and “Windows Server 2012”

Rename the file name extension of the downloaded file from .cfg to .ps1 to indicate that it is a Windows PowerShell script.

1.6 Run VPN Config Script

Note that in order to run the VPN configuration script, the Windows PowerShell Execution policy on the RRAS machine must be set to Unrestricted. To do so, start a Windows PowerShell console with administrative permissions, and then run:

Set-ExecutionPolicy Unrestricted

Drag and drop the VPN Config Script into the Powershell Window and execute it.

You may receive some warnings.
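
Added example, not part of the original post or of the script Azure generates: one way to see what the downloaded script will do before running it, and to relax the execution policy only for the current console instead of machine-wide. The helper function names, the stand-in script and its values are constructed for illustration; execution policies set through Group Policy take precedence over the Process scope.

```powershell
function Get-ScriptCommandSummary {
    # Parse a script WITHOUT executing it; report its hash, the commands it
    # calls, and parameters whose names suggest they carry a secret.
    param([Parameter(Mandatory = $true)][string]$Path)

    $full   = (Resolve-Path -LiteralPath $Path).ProviderPath
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($full, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { throw "Parse error in ${full}: $($errors[0].Message)" }

    $commands = $ast.FindAll(
        { param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)

    $secretParams = foreach ($c in $commands) {
        foreach ($e in $c.CommandElements) {
            if ($e -is [System.Management.Automation.Language.CommandParameterAst] -and
                $e.ParameterName -match 'secret|password|key') {
                '{0} -{1} (line {2})' -f $c.GetCommandName(), $e.ParameterName,
                    $e.Extent.StartLineNumber
            }
        }
    }

    [pscustomobject]@{
        Sha256       = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        Commands     = @($commands | ForEach-Object { $_.GetCommandName() } |
                            Where-Object { $_ } | Sort-Object -Unique)
        SecretParams = @($secretParams)
    }
}

function Invoke-ScriptProcessScoped {
    # Relax the policy for this console process only, then run the script.
    param([Parameter(Mandatory = $true)][string]$Path)

    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
    Unblock-File -LiteralPath $Path     # clear the downloaded-from-Internet mark
    & $Path
    Get-ExecutionPolicy -List           # LocalMachine scope is left as it was
}

# Constructed stand-in so the review step can be tried offline. It is NOT the
# content of the script Azure generates; the cmdlets exist, the values are made up.
$sample = Join-Path $env:TEMP 'constructed-vpn-config.ps1'
@'
Install-WindowsFeature -Name RemoteAccess -IncludeManagementTools
Add-VpnS2SInterface -Name 'Azure' -Destination '203.0.113.10' -SharedSecret 'CONSTRUCTED-NOT-A-REAL-KEY'
Restart-Service -Name RemoteAccess
'@ | Set-Content -LiteralPath $sample -Encoding ASCII

$review = Get-ScriptCommandSummary -Path $sample
$review.Sha256
$review.Commands
$review.SecretParams
Remove-Item -LiteralPath $sample
```

On the RRAS server, run Get-ScriptCommandSummary against the renamed .ps1 first, then Invoke-ScriptProcessScoped with the same path from an elevated console. Any parameter reported under SecretParams means the file should be stored and deleted like a credential.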

1.7 Review Routing and Remote Access Configuration

Launch the Routing and Remote Access MMC

Go to the “ServerName” > Network Interfaces and you should see the Site to Site VPN connection and Azure Gateway object

In the Azure Portal, press “Connect” to initiate the VPN.

Yay! VPN is configured!

1.8 Set DNS on Azure Virtual Network

Now that the Site to Site VPN is established, we will go back and set the DNS servers on the Azure Virtual Network to use the on-premise DNS server.

Go to Azure Portal > Networks, select the Site to Site VPN network and press Configure.

2 Prepare for VM’s in the Cloud

Now that the VPN is in place, a common scenario is to place a domain controller from the corporate Active Directory into Microsoft Azure.

This process is outlined at:

http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-install-replica-active-directory-domain-controller/

2.1 Create an AD Site for Azure

A first step to put a Domain Controller or services in the cloud is to configure the Active Directory Sites and Subnets to cover that network.

On the On-Premise DC, launch AD Sites and Services

Create a new Site for the Azure Cloud

Name the site and select “DefaultIPSiteLink” as the transport.

Create the Subnet Object for the Azure Cloud Virtual Network

3 Create Machine in Azure on Corporate Network

3.1 Create Virtual Machine

Create a new VM in Azure

Choose the Virtual Network that we established the Site to Site VPN on.

Wait for the VM to be created.

Log on to the new VM

Open a Command Prompt and run ipconfig /all

Notice that the DNS servers are set to what we configured earlier.

3.2 Set Static IP Address for VM

By default, Azure VMs are assigned dynamic IP addresses (DIP). The dynamic IP addresses persist for the life of the VM. However, the dynamic address is deallocated if the VM is shut down. To prevent the IP address from being deallocated, you can use Set-AzureStaticVNetIP to assign a static IP address.

3.2.1 Download and Install PowerShell for Azure

Read the following article for more background: http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/

Download and install the Azure PowerShell module from:

http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409

3.2.2 Connect to your Azure subscription.

Review (http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/) and notice that there are two methods to connect to your Azure subscription. I am going with the management certificate approach. From the article:

1. Sign in to the Azure Management Portal using the credentials for your Azure account.

2. Open the Azure PowerShell console, as instructed in How to: Install Azure PowerShell.

3. Type the following command:

Get-AzurePublishSettingsFile

4. When prompted, download and save the publishing profile and note the path and name of the .publishsettings file. This information is required when you run the Import-AzurePublishSettingsFile cmdlet to import the settings. The default location and file name format is:

C:\Users\<UserProfile>\Download\[MySubscription-...]-downloadDate-credentials.publishsettings

(C:\deandata\ds_mtc\1-Private-Cloud-lab\Azure-Management-Certificate)

5. Type a command similar to the following, substituting your Windows account name and the path and file name for the placeholders:

Import-AzurePublishSettingsFile C:\Users\<UserProfile>\Downloads\<SubscriptionName>-credentials.publishsettings

Commands to check your Azure account

Get-AzureAccount

Get-AzureSubscription

Help azure    # lists all cmdlets in Azure PowerShell

3.2.3 Verify that Static IP Address is Available

Run command similar to:

Test-AzureStaticVNetIP -VNetName TestVNet -IPAddress 192.168.4.7

3.2.4 Update VM with Static IP Address

First, get information on the VM and confirm that this is the VM that we want to change the IP Address of.

Get-AzureVM -ServiceName dc1-s2s -Name dc1-s2s

If we are sure that we want to change the IP address of this VM, run the following to update that VM

Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM

After the VM restarts, I checked for the new IP address.

Note: You can connect to the VM via RDP by selecting the VM in the portal and at the bottom, there is a Connect button.

3.3 Setup Routes to Azure Cloud

In my lab, I’m using a Windows 2012 R2 RRAS server as my VPN gateway to Azure.

So, I’ll need to tell my domain controllers how to route packets to get to the Azure network.

Note: In a production environment, the routers would need to be updated with the routes to get to Azure.

3.4 Check Connectivity from On-Premise to Cloud VM

Enable Ping through the firewall on the VMs

Open the “Windows Firewall with Advanced Security” MMC

Go to Inbound rules and Enable the rule for “File and Printer Sharing (Echo Request – ICMPv4-IN)”

Now, initiate a ping from a machine on-premise to the Cloud VM

3.5 Join Machine to On-Prem Corporate Domain

On the Azure VM that was created, join the machine to the corporate domain (e.g. irvlab.mtcdemos.net)

If the VPN, DNS, and routing are all working, then the VM should join the corporate domain.

Reboot the machine and login with a domain account from your corporate domain.

3.6 Add a Data Disk to VM for AD Database

By default, the Azure VM OS disk has write caching enabled. AD Best Practices recommends disabling write caching to ensure that AD database changes are committed to the disk before proceeding.

In Azure, another disk option, the data disk, is available. Data disk drives do not cache writes by default. Data disk drives that are attached to a VM use write-through caching. Write-through caching makes sure the write is committed to durable Azure storage before the transaction is complete from the perspective of the VM’s operating system. It provides durability, at the expense of slightly slower writes.

Please note that at this time, Azure Data disks are constrained to 1 TB in size.

1. Select the VM in the Azure Management Portal

2. Press the Attach button and select “Attach empty disk” on the pop-up menu

3. Specify a size (e.g. 2GB) and make sure that the Host Cache Preference is set to None.

4. Initialize the disk

From (http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/)

1. Log on to the VM and format the additional disk.

1. Click Connect to log on to the VM, click Open to create an RDP session, and click Connect again.

2. Change the credentials to the new user name and password you specified.

3. In Server Manager, click Tools > Computer Management.

4. Click Disk Management and click Ok to initialize the new disk.

5. Right-click the disk name and click New Simple Volume. Complete wizard to format the new drive.

3.7 Install Active Directory

I used (http://technet.microsoft.com/library/jj574166.aspx) as a reference.

3.7.1 Install Active Directory Domain Services Role (AD DS)

1. Launch Server Manager

2. Select “Add roles and features”

3. Press Next

4. Press Next

5. Press Next.

6. Select “Active Directory Domain Services”

7. Click Add Features

8. Press Next.

9. Press Next.

10. Press Next.

11. I checked to allow automatic restarts. Press Install.

3.7.2 Promote the machine to a domain controller

1. Click the link “Promote this service to a domain controller”

4 Appendix: Using F5 as VPN Device

Reviewed http://msdn.microsoft.com/en-us/library/jj156075.aspx and got referred to the F5 page (https://devcentral.f5.com/articles/connecting-to-windows-azure-with-the-big-ip#.U40I9dhOU5s)

Downloaded and imported the F5 iApp

Note, get the pre-shared key and the remote endpoint address from the Azure portal

The iApp didn’t work so I went the manual route.

Create the IKE Peer

Create IPSec Policy

Create Traffic Selector
