To begin, I am setting up a Site-to-Site VPN (Virtual Private Network) between my home-lab and Azure. The same concept(s) can be applied to an On-Premises/Data-Center environment and enterprise grade firewalls/routers.
For starters you will need to know the IP of your home network, my IP is dynamic, so it is continuously changing. If you don’t know your public IP, go HERE to get that now. Also, I will be using the Azure Resource Manager portal, and not the classic portal, and lastly working with IPv4, not IPv6. Lastly, I am going to assume you already know a few things about Azure, Windows Server 2012R2 RRAS (Routing and Remote Access Service) and the basics of Networking.
This setup consists of 2 steps — Step 1, setting up and configuring Azure, and Step 2, setting up and configuring your Windows RRAS server. Let’s begin:
Setting up/Configuring Azure:
Step 1: Create a Resource Group
Step 2: Create a Virtual Network
Now we need to create a Virtual Network. This virtual network will provide IPs to machines assigned within this resource group. The IP spacing can be whatever you choose, however it is best to choose an address space different from your home-network. I have chosen a 188.8.131.52/24; my home network is a 10.10.10.0/24.The resource group will always the one you created back in Step 1.
Next I will add two subnets, one for the back-end and one for the gateway of my servers. Within your Virtual Network, select Subnets, and add as many subnets as needed.
Step 3: Create a Virtual Network Gateway
Next we will create the Virtual Network Gateway. The virtual network gateway will be responsible for sending and receiving data. Essentially the bridge between (gateway) Azure and your RRAS server/home-network.
I have kept the defaults, VPN as the Gateway type, and Route based for the VPN type. The resource group will always the one you created back in Step 1.
Depending on your environment and requirements, you will need to decide which VPN type is best for you.
- Route based, will support dynamic routing and support multiple VPN connections, using IKEv2.
- Policy based, will support static routing, supporting a single VPN connection, and will use IKEv1.
- The Virtual Network will be what we just created in Step 2,
- The Public IP address will be one of Azure’s Public IPs,
- Gateway type will be VPN,
- VPN type will be Route based.
Once you have entered all the properties successfully, it will take about an hour for Azure to create the Virtual Network Gateway. (Good time for lunch/a break)
Step 4: Create a Local Network Gateway
Now we need to create the local network gateway, this gateway will be configured with all of your on-premises network.
- IP address will be the IP address of your VPN endpoint, ie. Public Facing IP
- Address space will be the address space you are using on-premises, in my case my home network is on a 10.10.10.0/24 network. (If you have multiple address spaces on-premises, then add them all here (only add if you want a machine in that space to be Azure accessible))
Keep in mind, the address space here MUST NOT overlap with the address space in Azure (this is why my Azure Local Network was provided a 184.108.40.206/24 address space to differentiate)
The resource group will always the one you created back in Step 1.
Step 5: Create the VPN connection
Now that all the fun stuff is done, now we need to create the VPN connection. Within the Local Network Gateway we just created (Step 4) go within the Connections, and configure a VPN connection.
- You will need to specify the Virtual and Local LAN gateways we created in Step 3 and Step 4, for the Virtual Network Gateway and Local Network Gateway, respectively.
- The Shared key (PSK) will need to be a string that will be used between the VPN connection and your RRAS server to encrypt and authenticate. I used a password generator with 32 characters, and only used letters and numbers (no special characters). Make sure to save this key, because you will need it in the Windows RRAS setup to complete the Site-to-Site connection!
Great Step 1 – Azure done! After configuring the RRAS server, we will need to come back to Azure, and connect/confirm the VPN traffic is flowing.
Setting up/Configuring Windows RRAS:
Step 1: Install the RRAS Windows Role
Microsoft explains this pretty well and it is pretty straight-forward, so I won’t bother, see HERE.
Step 2: Configure and Enable Routing and Remote Access
Right click on the Network Interface, and select a New Demand-dial Interface
Call it something meaningful…
Continue through the wizard, choose VPN.
Use IKEv2 Encryption here for the VPN Type (as we chose back in Step 5 within the VPN Connection configuration for Azure; they must match…duh)
Here you need to specify the Azure Public IP:
If you don’t know your Azure Public IP, go to your Virtual LAN Gateway, and see within the Essentials properties:
Leave Route IP packets on this interface enabled….
Since we are providing a PSK, credentials here don’t matter.. I just entered, Azure and left the rest blank…
Now add the Static Route for your local network, as mentioned, my network is a 10.10.10.0/24; 255.255.255.0.
Once complete, right-click on the interface we just created, and go to the Security settings. By default “Use machine certificates” will be enabled, select the preshared key for authentication option, and now enter that PSK we used in Step 5 of Azure….
Hit OK, and now let’s try to connect…..
Step 3: Test Connection on Server
Give this a few minutes, I gave it about 5 minutes, and it finally connected to Azure.
Step 4: Establish/Test Connection on Azure VPN
Go back to Azure, and within your VPN connection, hit Connect. For me, this took some time. Initially it connects, then fails, and repeats for a few minutes. I’d say after 5 minutes or so, it finally connected and stayed connected! YAY!
After all that, we now have a VPN connection established between Azure and my home network. This is evident as we can see traffic going in and out via Azure’s Gateway! Sweet!!!