Connect Azure Virtual Networks to On-Premise Networks

Microsoft Azure provides Virtual Networks to connect resources such as Virtual Machines. If you plan to implement a Hybrid Cloud for your IaaS solution, you have to connect your On-Premise networks to Microsoft Azure Virtual Networks. In this topic we will see how to interconnect these networks.

When creating a Virtual Network in Microsoft Azure, you can deploy a gateway. This gateway can manage two kinds of VPN connections:

  • Point-To-Site: this is a classic client-to-server connection, like the one you use to reach your company network when you travel;
  • Site-To-Site: this is a gateway-to-gateway connection that interconnects the networks of two sites.

So to connect your On-Premise networks to a Microsoft Azure Virtual Network, we will implement a Site-To-Site connection, which is an IPsec VPN. Site-To-Site can also use ExpressRoute, which interconnects networks over an MPLS VPN. For further information about ExpressRoute, you can read this topic.

Architecture Overview

To write this topic, I have used my home lab to connect to Microsoft Azure. My router is a Ubiquiti EdgeRouter Lite. For your lab, I recommend this hardware because it is really an awesome router and it's cheap (almost 100€). You can do whatever a business Cisco router/firewall can do by using the CLI. However, network knowledge is required (this is not a "next, next, finish" router). Finally, there is a strong community on the Ubiquiti forum.

So I have implemented several VLANs in my lab for different needs. For example, I have the 10.10.0.0/24 network, which is the LAN network, and 10.10.1.0/24, which is my DMZ network. I will create the same networks in Microsoft Azure by changing the second byte (from 10 to 11), so that the On-Premise and Azure address ranges do not overlap. Then I will create a gateway in Microsoft Azure and configure my router to establish an IPsec VPN connection.

Create Azure Virtual Networks

First of all, we have to create the Virtual Network in Microsoft Azure. So connect to the portal and navigate to Networks. Then click on Create a Virtual Network.

Then give a name to your Virtual Network and choose the location. I have called my Virtual Network PublicHomeCloud.

Next I specify the DNS servers. The DNS servers set in the screenshot below are the Domain Controllers on my On-Premise networks. In this way, the virtual machines created in Azure can join my Active Directory. Then I select Configure a Site-To-Site VPN.

On the next screen, I give a name to identify the On-Premise networks (OnPremHomeCloud) and I specify the public IP of my On-Premise gateway. Then I declare my On-Premise networks.

Next I specify the virtual network address space and declare my subnet. Don't forget to click on Add gateway subnet. When you click on the tick, the Virtual Network is created.

Once the Virtual Network is created, you can create the gateway by clicking on Create Gateway. My router supports only static routing, so I have chosen this one. If your router supports dynamic routing, you can choose that one instead. The gateway creation can take a while. On my side the gateway was created in almost 30 minutes.

Once the gateway is created, you should have something like the screenshot below. Copy the gateway IP address and open Manage Key to copy the pre-shared key.

Router configuration

If you have a standard router such as Cisco or Juniper, you can click on Download VPN Device Script to configure your On-Premise gateway automatically (or almost). On my side, I had to configure the gateway manually. So I have used the commands below to configure my Ubiquiti router (source: Ubiquiti Forum).

set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group esp-edgemax
set vpn ipsec esp-group esp-edgemax lifetime 3600
set vpn ipsec esp-group esp-edgemax pfs disable
set vpn ipsec esp-group esp-edgemax mode tunnel
set vpn ipsec esp-group esp-edgemax proposal 1
set vpn ipsec esp-group esp-edgemax proposal 1 encryption aes256
set vpn ipsec esp-group esp-edgemax proposal 1 hash sha1
set vpn ipsec esp-group esp-edgemax compression disable
set vpn ipsec ike-group ike-edgemax
set vpn ipsec ike-group ike-edgemax lifetime 28800
set vpn ipsec ike-group ike-edgemax proposal 1
set vpn ipsec ike-group ike-edgemax proposal 1 dh-group 2
set vpn ipsec ike-group ike-edgemax proposal 1 encryption aes256
set vpn ipsec ike-group ike-edgemax proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface <WAN Interface>
set vpn ipsec logging log-modes all
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <azure gateway ip address>
set vpn ipsec site-to-site peer <azure gateway ip address> local-ip any
set vpn ipsec site-to-site peer <azure gateway ip address> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <azure gateway ip address> authentication pre-shared-secret <azure shared key>
set vpn ipsec site-to-site peer <azure gateway ip address> connection-type initiate
set vpn ipsec site-to-site peer <azure gateway ip address> default-esp-group esp-edgemax
set vpn ipsec site-to-site peer <azure gateway ip address> ike-group ike-edgemax
set vpn ipsec site-to-site peer <azure gateway ip address> tunnel 1
set vpn ipsec site-to-site peer <azure gateway ip address> tunnel 1 esp-group esp-edgemax
set vpn ipsec site-to-site peer <azure gateway ip address> tunnel 1 local subnet <subnet for lan>
set vpn ipsec site-to-site peer <azure gateway ip address> tunnel 1 remote subnet <subnet for azure virtual address space>
set vpn ipsec site-to-site peer <azure gateway ip address> tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer <azure gateway ip address> tunnel 1 allow-public-networks disable
commit
save
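As an added example (not from the post or from Ubiquiti), a small Python lint for the command block above: it reads the EdgeOS "set vpn ipsec" lines, flags the legacy proposal settings the static-routing gateway in this post negotiates (SHA-1, DH group 2, PFS off), and checks that each tunnel's local and remote subnets do not overlap, which is the reason for changing the second byte of the Azure ranges. The peer address and pre-shared key in the sample are made-up placeholders.

```python
import ipaddress
import re

# Constructed sample: the EdgeOS lines from the post with the placeholders filled
# with made-up lab values (the peer address and key are NOT real).
SAMPLE_CONFIG = """
set vpn ipsec esp-group esp-edgemax pfs disable
set vpn ipsec esp-group esp-edgemax proposal 1 encryption aes256
set vpn ipsec esp-group esp-edgemax proposal 1 hash sha1
set vpn ipsec ike-group ike-edgemax proposal 1 dh-group 2
set vpn ipsec ike-group ike-edgemax proposal 1 encryption aes256
set vpn ipsec ike-group ike-edgemax proposal 1 hash sha1
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret EXAMPLE-PSK
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local subnet 10.10.0.0/24
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote subnet 10.11.0.0/16
"""

# Settings that are legacy by today's standards; the static-routing (policy-based)
# gateway used in the post still negotiates them, so they are worth knowing about.
LEGACY = {
    ("hash", "sha1"): "SHA-1 integrity",
    ("dh-group", "2"): "1024-bit MODP (DH group 2)",
    ("pfs", "disable"): "perfect forward secrecy off",
}

def _has_pair(parts, key, value):
    """True if the token list contains 'key value' as adjacent tokens."""
    return any(a == key and b == value for a, b in zip(parts, parts[1:]))

def lint_config(text):
    """Return (findings, tunnels) for a block of EdgeOS 'set vpn ipsec' commands."""
    findings, tunnels = [], {}
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:3] != ["set", "vpn", "ipsec"]:
            continue  # skips blank lines, 'commit' and 'save'
        for (key, value), msg in LEGACY.items():
            if _has_pair(parts, key, value):
                findings.append(f"{msg}: {line}")
        m = re.search(r"tunnel (\d+) (local|remote) subnet (\S+)$", line)
        if m:
            tunnels.setdefault(m.group(1), {})[m.group(2)] = ipaddress.ip_network(m.group(3))
    return findings, tunnels

def overlapping_tunnels(tunnels):
    """Tunnel ids whose local and remote subnets overlap, which makes routing ambiguous."""
    return sorted(t for t, s in tunnels.items()
                  if "local" in s and "remote" in s and s["local"].overlaps(s["remote"]))

if __name__ == "__main__":
    found, tun = lint_config(SAMPLE_CONFIG)
    print("\n".join(found) or "no legacy settings")
    print("overlapping tunnels:", overlapping_tunnels(tun) or "none")
```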

Once the configuration was applied, I waited almost 5 minutes and then ran the commands below:

So the VPN is up. Next I go back to Microsoft Azure to verify the connection. If you have something like the screenshot below, the connection is established.

Below you can find screenshots that come from the new Microsoft Azure Portal.

Test the connection

Next I create a Virtual Machine to test the connection. I call it VMTEST01. When creating this VM I chose the Internal subnet in PublicHomeCloud.

So I open an RDP connection to VMTEST01 and run a ping on a domain controller. Hey, it's working :)

Conclusion

In this topic we have seen how to connect Microsoft Azure Virtual Networks to On-Premise Networks. This is great for Hybrid Cloud scenarios. Now, if you have deployed Windows Azure Pack in your datacenter and you use network virtualization, your tenants can also connect their virtual networks to Microsoft Azure by using a Site-To-Site connection!

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft technology, especially Hyper-V, System Center, storage, networking and Cloud OS technology such as Microsoft Azure or Azure Stack. He is an MVP and is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

2 comments

  1. Awesome write up. Much obliged 😉

  2. Super info it is surely. I've been waiting for this content.
