共用方式為


Extend Your Network to Azure With Site-to-Site VPN Quick and Cheap

It had been a while since I originally worked with the Azure VPN options so I recently decided to dig back into it.  Like many of you, I have computers at home that are my "Lab" and I thought it would be great to be able to connect my home "Lab" network to Azure so that I could more easily move resources from my lab into the cloud.  Just to start, I wanted to be able to have a Domain Controller in Azure and have it connected to my Lab as well.  After doing some research and re-familiarizing myself, I figured out a good solution that doesn't cost a lot or take a lot of time.

I found several blogs or articles written on all sorts of methods of connecting to Azure.  I narrowed it down to a few that were similar to what I wanted to do.  What I found was that in order to get mine to work as I wanted, I needed to use certain pieces from different postings on the subject.  I will reference some of those sources in this post.  Here is my experience with this process and how I was able to make it work well.

First, here are the major data points we need to define before we get started:

On Prem Lab Network:
IP Subnet: 192.168.1.0 / 24 (255.255.255.0)
RRAS Server: 192.168.1.202

Azure:

Resource Group: My-Resource-Group
Virtual Network:
Address Space: 172.10.0.0 / 16 (255.255.0.0)
Subnet - "Backend": 172.10.1.0 / 24 (255.255.255.0)
Subnet - "GatewaySubnet": 172.10.0.0 / 24 (255.255.255.0)
Virtual Network Gateway:
Connection:
Local Network Gateway:
IP Address: 1.1.1.1 (Public IP of On Prem Lab)
Address Space: 192.168.1.0 / 24 (255.255.255.0)

Steps:

  1.  Create Azure Resource Group

    1. In the Azure Portal, Click on Resource Groups.  Then Click Add.
    2. Fill-In "Resource Group Name", Choose Your Subscription, Select Location, and Click Create.
  2. Create Virtual Network

    1. In the Azure Portal, Click on Virtual Networks.  Then Click Add.
    2. Fill-In Fields:
      1. Name: My-Virtual-LAN
      2. Address Space: 172.10.0.0 / 16 (255.255.0.0)
      3. Subnet Name: Backend
      4. Subnet Address Range: 172.10.1.0 / 24 (255.255.255.0)
      5. Resource Group: Use Existing > My-Resource-Group
      6. Location: (Same Location as Resource Group)
    3. Now Create the Subnets:
      1. Click on the New Virtual Network You Just Created.
      2. Now Click "Subnets" on the left side.
      3. Now on the right, click the "+ Gateway Subnet".
      4. Fill-In:
        1. Name: GatewaySubnet
        2. Address Range: 172.10.0.0 / 24 (255.255.255.0)
      5. Click Create.
  3. Create Virtual Network Gateway

    1. In the Azure Portal, Click on Virtual Network Gateway.  Then Click Add.
    2. Now Click Add.
    3. Fill-In Fields:
      1. Name: My-Virtual-Gateway
      2. Virtual Network: Will Be Network You Created in Previous Step.
      3. Public IP Address: Choose from list or Click Add IP.
      4. Gateway Type: VPN
      5. VPN Type: Route-Based
      6. Location: Same as Above.
      7. Click Create.  (May take a little while to finish.)
  4. Create Local Network Gateway

    1. In the Azure Portal, Click on Local Network Gateway.  Then Click Add.
    2. Fill-In Fields:
      1. Name: My-Local-Network-Gateway
      2. IP Address: Public IP of Your Home/Lab
      3. Address Space: 192.168.1.0 / 24 (255.255.255.0) (Your Home Network)
      4. Resource Group: Resource Group Created Earlier
      5. Location: Same Location
      6. Click Create.
  5. Create VPN Connection

    1. In Azure Portal, Click on your Local Network Gateway (My-Local-Network-Gateway)
    2. Click on Connections.
    3. Click Add.
    4. Fill-In Field:
      1. You will need to specify the Virtual and Local LAN gateways we created in Step 3 and Step 4, for the Virtual Network Gateway and Local Network Gateway, respectively.
      2. Shared Key: Using a random 32-bit key is important.  This can easily be generated with something like powershell or like this tool.  Generate a 32-bin key and put it in the Shared Key PSK field.  Also keep the key because you will need it later in this tutorial.
      3. Click Create.
  6. This completes the Azure Configuration. Next Begin RRAS Configuration.

  7. On any windows machine on your home/lab network, install the RRAS Role.

    1. Powershell: Install-windowsfeature -name directaccess-vpn -IncludeManagementTools
  8. Configure RRAS:

  9. The Routing and Remote Access Server Setup Wizard will appear.

    1. Welcome to the Routing and Remote Access Server Setup Wizard: Click Next
    2. Configuration: Select Secure connection between two private networks, click Next
    3. Demand-Dial Connections: Select Yes, click Next
    4. IP Address Assignment: Select Automatically, click Next
    5. Completing the Routing and Remote Access Server Setup Wizard: Click Finish

    The Demand-Dial Interface Wizard will appear.

    1. Welcome to the Demand-Dial Interface Wizard: Click Next
    2. Interface Name: Type in Azure S2S, click Next
    3. Connection Type: Select Connect using virtual private network (VPN) , click Next
    4. VPN Type: Select IKEv2, click Next
    5. Destination Address: Enter in the Public IP address of the Azure Virtual Network Gateway, click Next
    6. Protocols and Security: Check Route IP packets on this interface, click Next
    7. Static Routes for Remote Networks: Click Add
      • Static Route: Select Remote Network Support using IPv4:
        • Destination: 172.10.1.0
        • Network Mask: 255.255.255.0
        • Metric: 1
        • Click OK
      • Click Next
    8. Dial-Out Credentials: Type Azure for the User name, click Next
    9. Completing the Demand-Dial Interface Wizard: Click Finish

    In the Routing and Remote Access window select RRAS-Server -> Network Interfaces.  Right-click on Azure S2S and select Properties.

    Select the Security tab and under Authentication select Use preshared key for authentication. Type in the preshared key that was entered on the VPN Connection in Azure.  Click OK.

    Right-click on the Azure S2S network interface and click Connect.

    After it connects open up a command prompt and ping any IP on any VM in your new Azure Network 172.10.1.x.  You should get a response.

    Now any Azure VM that you put on 172.10.1.x will be able to communicate directly with your on-premise systems.

    In order for any on-premise systems to communicate with the Azure VMs you will need to setup a static route on your home router.  In this configuration, I created a static route on my router configured like this:

    1. Network: 172.10.0.0
    2. Netmask: 255.255.0.0
    3. Gateway: 192.168.1.202 (Internal IP of your RRAS Server)
    4. Metric: 1

 

These were the precise steps I took to getting my networks connected.  In particular, I used these 2 articles as references, so I thought I should include a link-back to them here.  In my situation, I combined some of both of these articles and a bit of my own spin on it.  I think this way worked best for me.  I you find this helpful.

 

References:

https://blogs.technet.microsoft.com/jletsch/2016/03/15/lets-configure-azure-site-to-site-vpn-with-rras-in-azure-resource-manager/

https://scomandothergeekystuff.com/2016/09/19/creating-a-site-to-site-vpn-with-azure-resource-manager-arm-and-windows-2012r2/