There is much focus from Microsoft on Azure right now, but Azure is reachable via Internet only. A typical company on the other hand, has all its resources on an internal LAN which is shielded from Internet for security reasons. So how can you connect the two and integrate Azure with your local network?
The first thing you discover when starting out with Azure is that you can actually reach your cloud resources pretty easily if the connection is initiated from your LAN. You can connect to your Azure SQL Server with SSMS from your laptop or you can connect to your Azure virtual server with RDP. But what happens if you want to run a server on Azure which initiates connections to your local resources? Then your LAN will treat the incoming connection as a hacker attempt and burn your packets in the firewall.
So you have to teach your firewall to be nice and allow incoming traffic from Azure. This can be done in different ways, either by opening up holes in the firewall or by creating a VPN tunnel.
I have chosen to focus on the VPN tunnel alternative, since it connects your LAN network to a virtual Azure network, as if the two where one. This makes it possible for resources on your LAN to talk to resources on Azure and the other way around. You can for example create an Azure virtual server which runs SSIS against your local SQL Server databases.
It also opens up the possibility to connect more than one network to Azure which could be useful if a customer has more than one LAN or if you have a bunch of customers on different LANs but you want to run SSIS (or whatever) against them all.
Overview of what we are trying to accomplish.
Setup your local environment
In order to create the VPN tunnel you need a special router which supports dynamic routing. When configuring it in Azure, Microsoft gives you three alternatives for setting this up:
- Cisco
- Juniper
- Windows 2012 with RRAS
There are actually more routers supported, you can find the complete list here: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
I had to choose Windows 2012 with RRAS since it is possible to use for testing without buying a new router. I then used a leftover laptop as server to install on. If you don’t have an old laptop, it may be possible to run on Hyper-V or Wmware instead, but I haven’t tried it. I tried to get it working on a Virtualbox on my own computer but it didn’t work.
If you follow my steps you will at this point have a leftover laptop with a freshly installed Windows 2012 R2 installed on it. This is from here on referred to as the gateway server.
The next step is to make the gateway server reachable from the Internet. Since my LAN has its own router using NAT with only one external ip-address, some configuration has to be done before the server can be reached from the outside. Microsofts official recommendation is to use a separate, new external ip-address if you set this up at a customer site, but since I’m limited to the one I have, I had to find a workaround.
Basically you have two options; using port forwarding or by putting the machine in a DMZ. Some routers have other options as well but that is out of scope in this article.
If you use port forwarding you tell your router to send incoming traffic to a specific internal ip-address if the incoming traffic uses certain ports. If you use the DMZ alternative you basically put the whole machine outside your routers firewall and all incoming traffic is routed to this machine. Since putting it into a DMZ poses a higher security risk, it’s advisable to use port forwarding.
In order to use port forwarding, your gateway server needs to have a fixed ip-address on your LAN. Set it in the properties of the Ethernet card:
At the same time, disable all functionality except IPv4:
Now you have to configure your local router. You need to forward UDP port 50, 500 and 4500 and TCP port 50 to your gateway server:
The same ports also needs to be unlocked in the gateway server (Windows 2012 firewall) for incoming traffic.
Also reserve the ip-addresses for your gateway server and your PC in the router so they don’t dynamically change:
SolidQ-Tuve is my local PC and os1 is my gateway server.
Setup Azure infrastructure
Now we need to create the Azure infrastructure to connect to your gateway server.
If you don’t already have an Azure subscription you can get one month for free by creating a new Outlook account at http://signup.live.com and then go to https://account.windowsazure.com/SignUp to create your free subscription. You have to enter a credit card number but it will not be charged if you picked the free subscription.
Now log in into the Azure portal https://portal.azure.com and begin with creating a new virtual network:
Select the Classic deployment model:
Read more about deployment models here: https://azure.microsoft.com/en-us/documentation/articles/azure-classic-rm/
It is possible to use the Resource deployment model as well but then you have to run a series of powershell scripts as described in this article: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-create-site-to-site-rm-powershell/#gatewaysubnet
Enter values for Name, Subnet name, Location. Leave the address ranges as they are.
Create your virtual network and wait until you see the page below. Click the window to start creating a VPN connection.
Site-to-site is the type of connection we are trying to create, so it should be marked. Click “Configure required settings”. Now you have to enter some values that defines your local site.
- Enter a name for your local site.
- Enter your LAN public ip-address. You can get your public ip-address from here if you don’t know what it is: http://www.myipaddress.com/show-my-ip-address/
- Enter your client address space. This tells Azure which network address range you have on your LAN.
If you don’t know what it is, run ipconfig in a cmd window on your local computer to see your ip-address and the subnet mask.
My subnet has the mask 255.255.255.0 which can be translated into CIDR = 24. This means that you put 192.168.0.0/24 as address space. It also means that your network has addresses between 192.168.0.0 and 192.168.0.255. Learn more about CIDR here: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Press Create and wait for the VPN connection to be created.
When it is finished (it takes a while) you will get this screen:
First it will try to create the gateway:
After a while (it took me 30 minutes) it will change to green:
So now we have a new Azure gateway. Press the icon for MyLocalSite to open up its configuration.
Press the button “VPN Device script” and choose vendor, platform and OS as in this picture:
Download the script and rename it to VpnDeviceScript.ps1. Put it on your Windows 2012 gateway server and run it. It will install the RRAS service and create the configuration. The script is intelligent and can be run multiple times if you need to overwrite old configuration. You don’t have to shut the RRAS server down or check that it is up before running the script.
Wait for a while and the connection should be established:
Tada!
Now, in order to test it, create a new virtual machine in Azure. I’m not going to describe the details about how to do this but you should set the new machine to use your virtual network and use a static ip-address otherwise it will not be reachable from your LAN.
Now you have a VPN tunnel between your gateways but your local PC still don’t know how to reach the Azure resources. You have to tell it to go to your LAN gateway if any network traffic is trying to reach a 10.0.0.x address from your PC.
Open up a cmd prompt as Administrator and run:
route add –p 10.0.0.0 mask 255.255.255.0 192.168.0.150 metric 1
Now you should be able to RDP from your local PC in to the virtual Azure machine using its static ip. You need the port as well, it can be found under “Endpoints” in Azure. To reach my machine I used 10.0.0.4:3389.
You have connected to a local address from your local pc and reached an Azure virtual machine. Now it’s time to see if your virtual machine can reach your LAN resources.
I have configured an instance of SQL Server on my PC and allowed it to accept incoming connections. As you can see in the picture below, my Azure virtual machine is now connecting to my pc on 192.168.0.198 which is a LAN address.
The two networks are now connected.
Summary: In this article I have shown how it’s possible to connect a local network which is protected by NAT, to an Azure virtual network. This is useful for testing and developing solutions which depends on communication between a local network and Azure.
In a production environment, the demands are higher, but the setup is very similar. You may choose to buy a hardware router or you can use Windows 2012 as the gateway. Whatever you choose, the gateway should have its own external ip-address and be secured since it will be exposed to the Internet.