Okay, before I go anywhere with this topic I should point out that:
a) This is most definitely NOT a step-by-step guide on how to configure your VPN device
b) This is basically just an overview of stuff you need to know before you start
c) I can’t think of a third thing to put here, but 2 things just doesn’t feel like enough to justify a list
Why on earth would you need to connect your azure environment to your office VPN anyway?
Actually there’s all sorts of reasons for doing this, for instance you might need your Azure hosted services to connect directly to servers/services inside your office VPN. My main reason for needing to do this was to connect my Azure VMs to my Chef server running on a VM inside the office VPN. (“Why not just move your Chef server to Azure as well?!” I hear you ask. Well, let’s just imagine there was a really good reason for this, and move on).
Setting up a VPN connection can be a bit of a pain (and take ages to implement) with some datacentre providers, but with Azure it’s actually rather quite easy. The first thing you need to determine is the type of VPN connection you want to set up. Your 2 main options are point-to-site and site-to-site.
Point-to-Site essentially just involves setting up a virtual network within Azure and connecting out to it from individually configured clients within your office (if you ever work from home and VPN into the office network then you’ll be very familiar with this type of setup).
Site-to-Site involves connecting an existing office VPN to a virtual network within Azure (it’s basically the equivalent of adding your Azure subscription to your local office network).
I opted for a site-to-site connection because it scales well, and once it’s set up there’s no need to use VPN clients on my on-premise servers.
If you want to setup a site-to-site VPN connection to Azure you’ve basically got 2 choices:
- Setup a connection between your existing VPN hardware (you can find a list of supported VPN devices here) and an Azure Virtual Network
- Setup a connection between an Azure Virtual Network and a local Windows 2012 R2 server with Routing and Remote Access Service (RRAS).
Setting up a connection using your existing VPN hardware
Many organisations will have dedicated VPN devices, but as mentioned previously not all of these are suitable for connecting a site-to-site VPN to Azure. If your device does happen to be supported then you’ll need to get hands-on with the device configuration in order to setup the site-to-site connection. This will differ from one device to the next, so good luck with that!
Whatever supported device you’re using, you’ll still need to create and configure a virtual network in Azure. The full instructions on how to do this can be found here, but here’s a basic checklist of the sort of stuff you’ll need to know:
- Your DNS Servers
- Your local network name (obvs)
- Your VPN device’s IP address
- Your address space
- Subnet details (if you want to create one)
- Affinity group name (you can create one as you go through the Virtual Network setup)
Other than creating the virtual network, you just need to create a gateway within that virtual network. Details of how to do that can be found here. This stuff is all really simple from within the Azure Management UI.
And that’s about it from the Azure side. You now just need to configure your office VPN device. As mentioned earlier, the details of how to do this will depend on what device you have, so time to dig out your VPN device’s user manual!
But what if your VPN device isn’t on “The List”??
Well, fear not, for there is another way! All you need is a Windows 2012 Server with RRAS configured.
NOTE: I know you can also configure RRAS on Windows server 2008 R2 but I don’t yet know if this will work (we’re still trying to test it out as I’m writing this). Here, try this guide if you fancy giving it a shot, and let me know if it works with Azure!
One thing to note is that the Microsoft documentation pretty much says this setup won’t work if your RRAS server is behind a NAT or a firewall, but this isn’t actually the case. It’ll work just as long as your RRAS server has a public IP address.
So, here’s a basic overview of what you’ll need:
- The same shizzle as previously for the Azure Virtual Network
- A Windows server 2012 with 2 NICS
- A public IP address on the 2012 server
- A local Gateway server (you could just use the RRAS machine for this though)
- ICMPv4 enabled on your firewall
So there we are, nothing too complicated at all. There’s plenty of configuration work to be done in setting all this stuff up, but the Azure side is definitely the easy part. As for the RRAS stuff, don’t install and configure this manually – you actually need to edit a powershell script with the details you get along the way, and then run the script. It sounds like a ball-ache, but it’s actually more fun than the usual Windows service installation! There are plenty of good resources for helping you work through a site-to-site setup in a step-by-step guide, such as: