Creating a Site-to-Site VPN between your Lab & Azure

Almost every project I am involved in has a cloud design element. Typically this is Microsoft Azure or AWS, but it is not uncommon for Google Cloud, Alibaba Cloud or Oracle Cloud to require consideration. To stay current with these technologies it is necessary to practise (or "lab") these skills, and what better way to start than to connect your existing lab to an Azure subscription?

In this post I will:

  • Configure the necessary Azure networking components.
  • Deploy an Azure VPN gateway.
  • Deploy an Azure virtual machine.
  • Configure a Windows Server 2016 Routing and Remote Access (RRAS) server in my home lab.
  • Demonstrate connectivity between the two environments.

Overview

[Screenshot: Overview]

A new Azure virtual network will be created with two subnets: the first (default) for the Azure virtual machines and the second as the gateway subnet. A virtual machine will be created in the default subnet.

A Server 2016 RRAS server will be installed in my home lab and configured to dial an IKEv2 site-to-site tunnel to the public IP of the Azure VPN gateway. So that the home lab and Azure can communicate, static routes will be added so that traffic for each side's subnet is sent through the tunnel.

Prerequisites

  • An Azure subscription.
  • A home lab with a domain configured.
  • A new Server 2016 virtual machine with two vNICs:
    • Internal
      • A static address in your home lab range, e.g. 172.16.1.56/24.
      • No default gateway.
    • External
      • A static address in your home lab range, e.g. 172.16.1.57/24.
      • Default gateway set to your normal gateway (e.g. 172.16.1.1).
  • Your home router configured to pass the VPN through to the RRAS VM:
    • Forward UDP 500 (IKE) and UDP 4500 (IKE NAT traversal) to the external address of the RRAS VM. Because the RRAS server sits behind NAT, ESP is carried inside UDP 4500 (NAT-T), so no separate rule for IP protocol 50 is needed.
    • These forwards expose the IKE responder on your RRAS server to the whole internet. If your router can restrict a forward by source address, limit it to the Azure gateway's public IP once you know it.

Process

Configure Azure Networking

  1. From the Azure portal create a Resource group in which to place the Azure components. 
  2. Create a new Virtual Network, use the following fields as a guide:
    1. Name: CVLab
    2. Address Space: 10.10.0.0/16
    3. Subscription: Your Subscription/Free Trial
    4. Resource Group: As created earlier.
    5. Location: As Desired
    6. Subnet
      1. Name: default
      2. Address Range: 10.10.10.0/24
    7. DDoS Protection: Basic (the free default; Standard requires a paid DDoS protection plan, which a lab does not warrant)
    8. Service Endpoints: Disabled
    9. Firewall: Disabled
  3. Once the virtual network has deployed, add a gateway subnet. The portal names it GatewaySubnet; that name is required and must not be changed.
    [Screenshot: new gateway subnet]
    Ensure the gateway subnet is configured as follows:

    1. Address Range: 10.10.11.0/29 (/29 is the smallest Azure accepts and works for this lab; Microsoft recommends /27 or larger so that later gateway SKUs and features have room)
    2. Route Table: None
    3. Services: None
    4. Delegate subnet: None
  4. Add a virtual network gateway. This is the Azure end of the tunnel and the target your RRAS server will dial.
    [Screenshot: new virtual network gateway]
    Configure as follows:

    1. Name: CVGateway
    2. Gateway type: VPN
    3. VPN type: Route-based (required for an IKEv2 tunnel from RRAS; policy-based gateways only speak IKEv1)
    4. Virtual network: CVLab
    5. Public IP address: Create new
      1. The address is allocated by Azure and is the endpoint your on-premises RRAS server will target.
    6. Public IP address name: CVPublicIP
    7. Subscription: Your subscription/free trial
    8. Location: Same as your virtual network.
  5. Create a local network gateway. In Azure this object represents your on-premises site: the public IP Azure should talk to and the address prefixes that live behind it, which Azure will route through the tunnel.
    [Screenshot: local network gateway]
    Configure as follows:

    1. Name: CVLabGateway
    2. IP address: The public IP address of your home internet connection.
      1. NOTE: if you have a dynamic IP address, this value will need updating whenever it changes, or the Azure side will try to reach the wrong peer.
    3. Address space: Your lab (on-premises) network; for me this is 172.16.1.0/24. You may add multiple address spaces here if appropriate.
    4. Subscription: Your subscription/free trial
    5. Resource group: Your resource group
    6. Location: Same as your virtual network.
  6. Once both gateways have finished deploying (the virtual network gateway can take 30 to 45 minutes), create a connection object.
    [Screenshot: new connection]
    Configure as follows:

    1. Name: CVLabHomeCon
    2. Connection type: Site-to-site (IPsec)
    3. Virtual network gateway: CVGateway
    4. Local network gateway: CVLabGateway
    5. Shared key (PSK): A long random string (32 or more characters from a password manager or CSPRNG, not a memorable phrase). The same value will be entered on the RRAS server, so store it somewhere safe; it is the only thing authenticating the two peers to each other.
    6. Resource group: Your resource group
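The same Azure build done as a script, as an added example rather than the post's own portal steps. It uses the Az PowerShell module and assumes Connect-AzAccount has already been run; the resource group name, region, home public IP and the VpnGw1/Standard public IP SKU pairing are assumptions, and the PSK is generated from the OS CSPRNG instead of being typed in.

```powershell
# Added example (not from the original post): the "Configure Azure Networking"
# section as an Az PowerShell script. Assumes Connect-AzAccount has been run,
# that the Az.Network module is installed, and the placeholder values below.
$rg           = 'CVLab-RG'        # assumption: the post does not name its resource group
$location     = 'uksouth'         # assumption: use the region you chose in the portal
$HomePublicIp = '203.0.113.10'    # placeholder (TEST-NET-3): your home connection's public IP

# 1. Resource group and the virtual network with both subnets. The gateway subnet
#    must be called 'GatewaySubnet'; /27 is Microsoft's recommended minimum size.
New-AzResourceGroup -Name $rg -Location $location | Out-Null
$defaultSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '10.10.10.0/24'
$gatewaySubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.11.0/27'
$vnet = New-AzVirtualNetwork -Name 'CVLab' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.10.0.0/16' -Subnet $defaultSubnet, $gatewaySubnet
# No -DdosProtectionPlan is given, so the network stays on the free Basic tier.

# 2. Public IP plus a route-based VPN gateway (IKEv2 capable). Provisioning takes
#    30 to 45 minutes; the cmdlet blocks until it finishes.
$pip = New-AzPublicIpAddress -Name 'CVPublicIP' -ResourceGroupName $rg -Location $location `
           -Sku Standard -AllocationMethod Static
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'CVGatewayIpConfig' `
                -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name 'CVGateway' -ResourceGroupName $rg -Location $location `
           -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 3. Local network gateway: Azure's record of the on-premises peer (your public IP)
#    and the prefixes behind it that Azure should send down the tunnel.
$lng = New-AzLocalNetworkGateway -Name 'CVLabGateway' -ResourceGroupName $rg -Location $location `
           -GatewayIpAddress $HomePublicIp -AddressPrefix '172.16.1.0/24'

# 4. A 256-bit PSK from the OS CSPRNG, rendered as 64 hex characters (well inside
#    Azure's 128-character limit), then the site-to-site connection that uses it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })
New-AzVirtualNetworkGatewayConnection -Name 'CVLabHomeCon' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# What the RRAS demand-dial interface needs: the Azure endpoint and the secret.
$azureIp = (Get-AzPublicIpAddress -Name 'CVPublicIP' -ResourceGroupName $rg).IpAddress
Write-Output "Azure gateway public IP : $azureIp"
Write-Output "Pre-shared key          : $psk"   # keep it in a password manager, not in shell history

# After the RRAS side has dialled, this should report 'Connected'.
(Get-AzVirtualNetworkGatewayConnection -Name 'CVLabHomeCon' -ResourceGroupName $rg).ConnectionStatus
```

If your home IP changes later, update the peer with Set-AzLocalNetworkGateway rather than recreating the connection; the last line is the quickest way to confirm the tunnel from the Azure side once RRAS has connected.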

Configure RRAS

  1. Install Routing and Remote Access on your Server 2016 VM:
    1. From Server Manager, select Add Roles and Features.
      [Screenshot: Add Roles and Features wizard]
    2. Click Next until you reach Server Roles. Select Remote Access and click Next until you reach the Select Role Services page.
    3. Select Routing and DirectAccess and VPN (RAS). Click Add Features when prompted.
      [Screenshot: role services]
    4. Click Next until the confirmation page, then click Install.
  2. Once RRAS is installed, click Open the Getting Started Wizard.
    [Screenshot: Getting Started Wizard]
  3. Select Deploy VPN only.
  4. Right-click the name of your server in the RRAS console and select Configure and Enable Routing and Remote Access.
    [Screenshot: RRAS console]
  5. On the Configuration page, select Custom configuration.
  6. Select VPN access and LAN routing, then click Next and Finish. If warned about the Windows Firewall, click OK.
  7. Click Start service when prompted.
  8. Create a new demand-dial interface as shown below:
    [Screenshot: new demand-dial interface]

    1. Name: Azure On-Demand
    2. Connection Type: VPN
    3. Type: IKEv2
    4. Host name: The public IP of your Azure virtual network gateway (shown on the CVPublicIP resource):
      [Screenshot: gateway public IP]
    5. Protocols and Security:
      1. Route IP packets on this interface
    6. Static Routes:
      1. Destination: 10.10.10.0
      2. Mask: 255.255.255.0
      3. Metric: 10
    7. Dial-Out Credentials: enter anything (for example "Nothing") as the user name and click Next. The wizard insists on a value but it is never used; authentication will be by the PSK created earlier.
  9. Once the interface has been created, right-click the Azure On-Demand interface and choose Properties.
  10. On the Security tab select Use preshared key for authentication and enter your PSK.
    [Screenshot: pre-shared key]
    Click OK.
  11. Right-click the interface and choose Connect. Its connection state should change to Connected, and the Azure connection object will show Connected shortly afterwards.
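The whole RRAS side, as an added example, done from an elevated PowerShell prompt on the Server 2016 VM with the RemoteAccess module cmdlets instead of the wizards above; this is not the post's own procedure. It assumes the gateway IP and PSK that came out of the Azure build (both values below are placeholders) and uses the same interface name, protocol and static route the wizard steps configure. Because the server is behind NAT, IKEv2 will detect this and carry ESP inside UDP 4500, which is why only UDP 500 and 4500 needed forwarding.

```powershell
# Added example (not the post's own steps): RRAS site-to-site setup via the
# RemoteAccess module. Run elevated on the Server 2016 VM. Both values below
# are placeholders to be replaced with the output of the Azure side.
$AzureGatewayIp = '198.51.100.20'       # placeholder (TEST-NET-2): the CVPublicIP address
$Psk            = 'paste-the-psk-here'  # placeholder: the connection object's shared key

# 1. Same role services the wizard selected: Remote Access, Routing, DirectAccess and VPN (RAS).
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null

# 2. Configure RRAS for site-to-site VPN (the PowerShell equivalent of the
#    "Configure and Enable Routing and Remote Access" wizard).
Install-RemoteAccess -VpnType VpnS2S

# 3. The demand-dial interface: IKEv2, PSK in both directions, and the static
#    route to the Azure 'default' subnet written as prefix:metric. -Persistent
#    keeps the interface dialled rather than dropping it when idle.
Add-VpnS2SInterface -Name 'Azure On-Demand' -Protocol IKEv2 -Destination $AzureGatewayIp `
    -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -SharedSecret $Psk `
    -IPv4Subnet @('10.10.10.0/24:10') -NumberOfTries 3 -RetryInterval 60 -Persistent

# 4. Ask RRAS for its strongest IPsec cipher suites rather than the defaults.
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

# 5. Dial the tunnel and check its state; expect ConnectionState 'Connected'.
Connect-VpnS2SInterface -Name 'Azure On-Demand'
Get-VpnS2SInterface -Name 'Azure On-Demand' |
    Select-Object Name, ConnectionState, Destination, AuthenticationMethod
```

If the state stays Disconnected, the usual culprits are the router forwards for UDP 500/4500 not reaching the external NIC, a PSK mismatch, or the local network gateway in Azure holding a stale home IP.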

Configure Azure VM

  1. Back in the Azure portal, deploy a new virtual machine. The size is up to you, but ensure it has the following properties:
    1. Region: Same as the previously deployed components
    2. OS: Windows Server
    3. Public inbound ports: None (management will come over the tunnel, so the VM needs no internet-facing RDP)
    4. Virtual network: CVLab
    5. Subnet: default
    6. The other settings can be left at their defaults or adjusted if necessary.
  2. Wait for the VM to deploy, then proceed.
  3. From the Networking tab on the new VM, add an inbound rule to its network security group that allows traffic from your home lab network (i.e. 172.16.1.0/24). This can be limited to specific ports or be a blanket rule between your home and Azure environments; ensure at least RDP (3389) is allowed. In the example below I have allowed all traffic from my lab subnet, which is convenient for a lab. For anything longer-lived, list only the ports you actually need: once the tunnel is up, every host on the lab subnet can reach the VM, so the NSG is the only thing narrowing that exposure.
    [Screenshot: network rules]
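The inbound rule from step 3 as an added Az PowerShell example (not from the post), with the tightened form a practitioner would keep: RDP only, from the lab prefix only, to the VM subnet only. The NSG name is an assumption; the VM wizard creates one named after the VM.

```powershell
# Added example (not from the original post): the NSG rule scoped to RDP from
# the home lab instead of allow-all. Assumes Connect-AzAccount and that the VM
# wizard created an NSG named as below (assumption; check the VM's Networking tab).
$rg      = 'CVLab-RG'        # assumption: resource group used for the lab
$nsgName = 'CVLabVM-nsg'     # assumption: NSG attached to the Azure VM's NIC
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# The post's blanket lab rule would be:
#   -Protocol * -SourceAddressPrefix 172.16.1.0/24 -DestinationAddressPrefix * -DestinationPortRange *
# The narrower rule below admits only TCP 3389 from the lab prefix to the default subnet.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-HomeLab' -Priority 300 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '172.16.1.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.10.10.0/24' -DestinationPortRange 3389 |
    Set-AzNetworkSecurityGroup | Out-Null

# Review the custom rules: nothing here should allow 3389 (or *) from 'Internet' or '*'.
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg).SecurityRules |
    Select-Object Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Sort-Object Priority
```

Add further rules for the ports you genuinely use (for example 445 or 5985) rather than widening this one; each is a separate, reviewable line in the NSG.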

Configure Static Routes

In the current state your RRAS server can reach your Azure VM, because the demand-dial interface added a route to 10.10.10.0/24 in the RRAS configuration. The next step is to make sure the other machines on each side know how to reach the remote subnet.

For local lab VMs, add a persistent route for the Azure subnet via the RRAS server's internal address:
ROUTE ADD 10.10.10.0 mask 255.255.255.0 172.16.1.56 metric 2 -p

For Azure VMs, no route needs adding inside the guest. Once the connection is up, Azure adds a system route for the local network gateway's address space (172.16.1.0/24) with the virtual network gateway as next hop to every VM in the CVLab virtual network; you can confirm it on the VM's network interface under Effective routes. A guest route with 172.16.1.57 as its next hop would be rejected by Windows anyway, because that address is not on the VM's own subnet.

Ping (ICMP) is not allowed through the Windows Firewall by default, but RDP to the Azure VM is. From your RRAS server, RDP to the private IP of your new Azure VM; if you get a connection, the tunnel is working. Add the static route to a lab VM before repeating the same test from outside the RRAS VM.
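The lab-VM route and the RDP test above, as an added example (not the post's own commands) in PowerShell: the persistent New-NetRoute equivalent of the ROUTE ADD line, a check that the OS will actually use it, and a TCP test on 3389 in place of ping. The Azure VM's private IP is an assumption; read it from the portal.

```powershell
# Added example (not from the original post): the lab-VM static route from the
# text as a persistent New-NetRoute, followed by checks that the route is in
# place and that the tunnel carries TCP 3389 to the Azure VM. Run elevated on a lab VM.
$AzureVmIp = '10.10.10.4'    # assumption: use the private IP shown on the Azure VM
$RrasLanIp = '172.16.1.56'   # RRAS internal NIC, as in the post

# Interface index of the NIC sitting in 172.16.1.0/24 (New-NetRoute needs it).
$ifIndex = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '172.16.1.*' } |
    Select-Object -First 1 -ExpandProperty InterfaceIndex

# Equivalent of: ROUTE ADD 10.10.10.0 MASK 255.255.255.0 172.16.1.56 METRIC 2 -p
# New-NetRoute writes to the persistent store by default, so the route survives a reboot.
if (-not (Get-NetRoute -DestinationPrefix '10.10.10.0/24' -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix '10.10.10.0/24' -NextHop $RrasLanIp `
        -InterfaceIndex $ifIndex -RouteMetric 2 | Out-Null
}

# 1. The route table should now send 10.10.10.0/24 to the RRAS server ...
Get-NetRoute -DestinationPrefix '10.10.10.0/24' |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# 2. ... and RDP on the Azure VM should answer. Its Windows Firewall blocks ICMP
#    by default, so test the TCP port instead of pinging; expect TcpTestSucceeded True.
Test-NetConnection -ComputerName $AzureVmIp -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If the TCP test fails while the same test succeeds from the RRAS server itself, the problem is the lab-side route or the NSG rule, not the tunnel.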

Next Steps

If you would like to make this Azure VM (and others) part of your domain for an extended period, it would be advisable to get a few other things tidied up, for example:

  • DNS Zones
  • Centralising the static Routes
    • Via Group Policy
    • Via Physical/Virtual network hardware.
  • Locking down the Azure ports using network security groups.
