Usually when you think about extend your on-premise environment to azure, you will think how your local environment will connect with azure ! is it over Internet ?! if it’s over internet, is it secure communication ! simply the answer is NO ! you can connect you site to azure using a secure VPN, so let’s demonstrate in this article how to establish a VPN connection between on-premise environment and Azure.
Requirements in this demo:
1 – on-premise environment.
2 – Azure Subscription. You don’t have ! no worries you can get 200 $ for free, follow this article for registration: https://azure.microsoft.com/en-us/pricing/free-trial/
3- Supported Version of firewall, for list of supported devices follow this link:
Now, Let’s start 🙂
Login to the Azure portal using https://manage.windowsazure.com and enter your credential, once the login get success you will see the portal page like below:
Now we need to prepare the VPN from Azure Side and get VPN in azure ready to configure our local firewall.
from left pane choose Network and click New to create a virtual Network, also in the same wizard of creating the virtual network we can configure the VPN:
From the menu choose now Virtual Network and custom create:
Now the Network Wizard will start as below, choose any meaningful name and region that will host your VPN connection, keep in mind it’s recommended to choose the nearest region to your country to get better connection, then click on the arrow:
After choosing the Name and region, you need to specify the DNS servers ( Optional) and the type of VPN, so lets talk a little bit about these two options:
DNS Servers: once you create the Virtual Network and Establish the VPN, you will create a virtual machines in the Azure, and one option you need to select while you creating the virtual machine is to specify the virtual Network, when you choose the Virtual Network the DNS server for the VM will be the same you specified here, if you don’t specify a DNS server(s) the VM will take the DNS of Azure.
Types of VPN: Here you have two types of VPN, the first one is site to site VPN which means you need to connect your environment to Azure and this is what we will use here, the second option will be point to site connection, this type simple used to connect one point to azure for example connect one client to Azure VM using VPN connection. if you don’t choose any type only a virtual network will be created without VPN and you can configure the VPN later, but in this demo we will create the virtual network and VPN in same steps.
so let’s go back to the wizard, and in our case we will specify the DNS server to be our local DNS server and choose a site to site VPN, in my case the DNS server in my local enviroment have an IP of 192.0.0.1 Then click in the arrow 🙂
Now we reach the site to site connectivity configuration page, here you must specify two values:
Name: give any meaningful name for your local firewall or network device, this name will not use for real configuration.
VPN Device IP Address: enter the public IP of your firewall/Network device which will be used for VPN. Just for Demo I use unreal IP which is 10.10.10.10
Also you need to specify the IP address range which will be used in your local environment for the VPN, in other word if your server in your environment have a range of IP’s 192.168.10.0 to 192.168.10.200 then you need to specify the range 192.168.10.0/24 in this page, enter the subnet range then click in the arrow:
Last thing you need to specify in this wizard is the range of IP’s that will be used in the Virtual Network, in other word all VM’s will be used this virtual network will take an IP from the range specified here, after specify the IP’s range click on add gateway subnet, finally click on the check mark as shown below:
Wait until the creation of virtual Network completed:
Once the creation of virtual network completed, go to the network option from the left pane:
You will see that a new virtual network created, click on it to complete the remaining configuration:
once you click on the virtual network, you will see that the VPN still not connected and this is expected thing as shown below:
Now When you create a site-to-site VPN, you’ll specify either a static, or dynamic gateway. Select the gateway type that is supported by your router and for the type of IPSec parameters and configuration that you require. The tables below show the supported configurations for both static and dynamic VPNs. If you plan to use a site-to-site configuration concurrently with a point-to-site configuration, you’ll need to configure a dynamic routing VPN gateway.
- Static routing VPNs – Static routing VPNs are also referred to as policy-based VPNs. Policy-based VPNs encrypt and route packets through an interface based on a customer-defined policy. The policy is usually defined as an access list. Static routing VPNs require a static routing VPN gateway.
Note – Multi-Site VPN, VNet to VNet, and Point-to-Site are not supported with static routing VPN gateways.
- Dynamic routing VPNs – Dynamic routing VPNs are also referred to as route-based VPNs. Route-based VPNs depend on a tunnel interface specifically created for forwarding packets. Any packet arriving on the tunnel interface will be forwarded through the VPN connection. Dynamic routing VPNs require a dynamic routing VPN gateway.
Now in our case we will create a dynamic gateway, in the bottom of virtual network page click on the ( + ) and choose dynamic gateway as below, you will prompt to confirm the operation click Yes and wait several minutes ( This operation may take up to 45 min):
Once the gateway created successfully, Microsoft will give you the public IP of your Azure gateway and it will be shown in the network page as below:
Now you need to configure your local network device to establish the VPN, once the network device is ready, click on connect button in the bottom of the virtual Network device page as show below:
if everything is configured correctly the VPN connection must appear like below:
Also Keep in mind if you need any additional configuration required for your network device, you can download a VPN configuration script from the right of network page as shown below:
Now to prepare the Firewall for VPN connection, please follow our article.
In next article we will see how to create an azure cloud and virtual machines, and see how we will use the virtual network in the Virtual machines configurations, so stay tuned 🙂
Ahmad Yasin in a Microsoft Cloud Engineer and the publisher of
AzureDummies blog. He also hold many certificates in office 365
and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions
and MCSA office 365.