Dean Suzuki Blog
Title: Setting Up A Site to Site VPN Between Microsoft Azure and the Corporate Network
Created: 6/17/2014

Description: In this blog post, I record the process that I went through to:
- Set up a site-to-site VPN from my on-premise lab network (simulating a corporate network) to Microsoft Azure
- Set up a VM in Azure

This scenario simulates a situation where a customer wants to extend their on-premise environment to the Microsoft Azure cloud. A common example is where the customer wants to host machines in Microsoft Azure but needs access to resources on their corporate network (e.g. Active Directory or databases). This scenario corresponds to Scenario 2 from this MSDN article.

[Diagram: Corporate Network connected by a Site To Site VPN to Microsoft Azure; labels shown: 10.5.103.x, Machine2, 10.5.104.x]

In this scenario, I am using the on-premise Windows 2012 R2 Routing and Remote Access capability to serve as the endpoint for the Site-to-Site VPN tunnel from Azure.

References:
- http://msdn.microsoft.com/en-us/library/azure/jj156090.aspx ; Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
- http://msdn.microsoft.com/en-us/library/dn631643.aspx ; Configure a Cloud-Only Virtual Network in the Management Portal
- http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/ ; Install a new Active Directory forest on an Azure virtual network
- http://msdn.microsoft.com/library/dn636917.aspx ; Site-to-Site VPN in Azure Virtual Network using Windows Server 2012 Routing and Remote Access Service (RRAS)
- http://msdn.microsoft.com/library/azure/dn630228.aspx ; Setting Static IP Address in Azure

(C) 2012 Dean Suzuki, All Rights Reserved 1
Disclaimer: Contents of this blog and article represent the opinions of Dean Suzuki, and do not reflect the views of my employer.
Table of Contents

1 Create Site to Site VPN from Azure to On-Premise Infrastructure ... 4
  1.1 Confirm if On-Premise VPN Device Meets Requirements For Cross-Premise VPN ... 4
  1.2 Obtain a Public IP for the VPN Device ... 4
  1.3 Configure an Azure Virtual Network for Site-to-Site Connectivity ... 4
  1.4 Configure a Virtual Network Gateway ... 7
  1.5 Configure VPN Device On-Premise using RRAS ... 8
  1.6 Run VPN Config Script ... 9
  1.7 Review Routing and Remote Access Configuration ... 9
  1.8 Set DNS on Azure Virtual Network ... 10
2 Prepare for VMs in the Cloud ... 11
  2.1 Create an AD Site for Azure ... 11
3 Create Machine in Azure on Corporate Network ... 13
  3.1 Create Virtual Machine ... 13
  3.2 Set Static IP Address for VM ... 15
    3.2.1 Download and Install PowerShell for Azure ... 15
    3.2.2 Connect to your Azure subscription ... 16
    3.2.3 Verify that Static IP Address is Available ... 17
    3.2.4 Update VM with Static IP Address ... 17
  3.3 Setup Routes to Azure Cloud ... 18
  3.4 Check Connectivity from On-Premise to Cloud VM ... 18
  3.5 Join Machine to On-Prem Corporate Domain ... 19
  3.6 Add a Data Disk to VM for AD Database ... 20
  3.7 Install Active Directory ... 22
    3.7.1 Install Active Directory Domain Services Role (AD DS) ... 22
    3.7.2 Promote the machine to a domain controller ... 26
4 Appendix: Using F5 as VPN Device ... 27
1 Create Site to Site VPN from Azure to On-Premise Infrastructure

In the previous blog post, I mentioned that you have a couple of options when creating an Azure Virtual Network. They are:
- Create a cloud-only network that will only exist in Azure
- Create a network that will be connected through VPN with your on-premise corporate network

In the previous blog, we created a cloud-only network. In this post, we'll create an Azure Virtual Network with Site-to-Site VPN connectivity back to my on-premise lab network.

1.1 Confirm if On-Premise VPN Device Meets Requirements For Cross-Premise VPN

Review this MSDN article (http://msdn.microsoft.com/en-us/library/jj156075.aspx). Note that there are two types of VPN supported by Azure:
- Site to Site Connectivity: Used to connect two sites together over VPN.
- Point to Site Connectivity: Used to connect a machine to a site over a VPN.

Note that there are two types of gateways:
- Static routing VPN gateways
- Dynamic routing VPN gateways

Static routing VPN gateways only support Site-to-Site connectivity. If you want to support both Site-to-Site and Point-to-Site connectivity, then you need to use a dynamic routing VPN gateway.

In my lab, I have an F5 BIG-IP, which is a static routing VPN gateway. There is a config note listed that describes how to set this up. I also have a Windows 2012 R2 server which supports Routing and Remote Access and can do dynamic routing.

1.2 Obtain a Public IP for the VPN Device

Obtain an externally facing IPv4 address for your VPN device. This IP address is required for a site-to-site configuration and is used for your VPN device, which cannot be located behind a NAT.

1.3 Configure an Azure Virtual Network for Site-to-Site Connectivity

Launch the Azure Management Portal (https://manage.windowsazure.com) and log in with your credentials.
In the lower left-hand corner of the screen, click New. In the navigation pane, click Network Services, and then click Virtual Network. Click Custom Create to begin the configuration wizard.

Enter a name for the Virtual Network and select its Affinity Group. The affinity group is related to the physical location where you want your resources (VMs) to reside. Even if you already have an affinity group, it might not be associated with the region that you want your resources to reside in. If that's the case, select Create a new affinity group from the dropdown.

NOTE: What is an affinity group? Windows Azure datacenters are physically very large and contain hundreds of thousands of servers. There is a significant difference in network latency between two servers in a single rack and two servers at opposite ends of a datacenter. Windows Azure therefore provides an affinity group feature to provide a higher degree of co-location within a datacenter than would otherwise be possible using random placement. Associated cloud and storage services should be placed within an affinity group to minimize network latency. This minimization is particularly important when a cloud service makes extensive use of storage services. Affinity groups allow you to group your Windows Azure services to optimize performance. All services within an affinity group will be located in the same data center. From (http://social.msdn.microsoft.com/forums/en-us/cc2fbca1-0b5e-4e72-808c-b09066d54dc3/affinity-group?forum=windowsazuremanagement)
On the next page, press Next. I'm going to add a DNS server later. Check the Configure a site-to-site VPN checkbox.

On the next page, enter:
- a name for the on-premise network
- the public IP address for the VPN device that Azure will connect to. It can't be a NAT'd IP address
- the starting IP address and CIDR (subnet mask) for the on-premise networks that the servers in Azure will communicate with

On the Virtual Network Address Spaces page, specify the address range that you want to use for your virtual network. It's especially important to select a range that does not overlap with any of the ranges that are used for your on-premises network. Also, I needed to specify a Gateway subnet. Press the Add gateway subnet button. Hit the Check button to continue.
1.4 Configure a Virtual Network Gateway

A virtual network gateway is required to create a secure cross-premises connection. After creating your virtual network, use the following steps to configure the virtual network gateway and gather the information you'll need to configure your VPN device. See http://msdn.microsoft.com/en-us/library/jj156210.aspx for more information.

1. On the Networks page, verify that the status column for your virtual network is Created.
2. In the Name column, click the name of your virtual network.
3. On the Dashboard page, notice that this VNet doesn't have a gateway configured yet. You'll see this status as you go through the steps to configure your gateway.
4. At the bottom of the page, click Create Gateway.
5. Since I am using RRAS, I selected Dynamic Routing.
6. Press Yes at the confirmation prompt. The gateway is being created. Once it has been created, we will need to configure the VPN device on-premise.

1.5 Configure VPN Device On-Premise using RRAS

I used http://msdn.microsoft.com/library/dn636917.aspx as a reference.

On the machine that will be the VPN on-premise connection point, download the VPN configuration script. The machine needs to have two NICs (one NIC on the internal network, the second NIC on the Internet with a public IP address, which can't be NAT'd) and be running Windows 2012 R2.

From the Azure Portal, click the hyperlink Download VPN Device Configuration Script.
Select Microsoft, RRAS, and Windows Server 2012. Rename the file name extension of the downloaded file from .cfg to .ps1 to indicate that it is a Windows PowerShell script.

1.6 Run VPN Config Script

Note that in order to run the VPN configuration script, the Windows PowerShell execution policy on the RRAS machine must be set to Unrestricted. To do so, start a Windows PowerShell console with administrative permissions, and then run:
   Set-ExecutionPolicy Unrestricted

Drag and drop the VPN config script into the PowerShell window and execute it. You may receive some warnings.

1.7 Review Routing and Remote Access Configuration

Launch the Routing and Remote Access MMC.
Go to ServerName > Network Interfaces and you should see the Site to Site VPN connection and the Azure Gateway object. In the Azure Portal, press Connect to initiate the VPN. Yay! The VPN is configured!

1.8 Set DNS on Azure Virtual Network

Now that the Site to Site VPN is established, we will go back and set the DNS servers on the Azure Virtual Network to use the on-premise DNS server. Go to Azure Portal > Networks, select the Site to Site VPN network and press Configure.
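As an added example for sections 1.6 and 1.7 (my own code, not from the original post or the Azure script), the same run-and-review done entirely from the PowerShell console on the RRAS server; the script path is an assumption, and the interface names are whatever the Azure-generated script created.

```powershell
# Added example (not from the original post): run the Azure-generated RRAS
# configuration script and review the site-to-site interface it creates.
# The script path is an assumption; the interface name comes from the script.
$scriptPath = 'C:\VpnConfig\AzureVpnDevice.ps1'   # assumed: the renamed .cfg file

# Scope the policy change to this console session instead of leaving the
# machine-wide policy at Unrestricted after the one-off script has run.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
Unblock-File -Path $scriptPath     # clears the "downloaded from the Internet" mark
& $scriptPath                      # may print warnings, as the post notes

# Review what the script created (RemoteAccess module on Windows Server 2012 R2).
Import-Module RemoteAccess
$s2s = Get-VpnS2SInterface
$s2s | Select-Object Name, Destination, ConnectionState, AuthenticationMethod, IPv4Subnet |
    Format-List

# Bring each tunnel up from this side (the post uses Connect in the Azure portal)
# and show the traffic counters once it is connected.
foreach ($iface in $s2s) {
    if ($iface.ConnectionState -ne 'Connected') {
        Connect-VpnS2SInterface -Name $iface.Name
    }
    Get-VpnS2SInterfaceStatistics -Name $iface.Name | Format-List
}
```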
2 Prepare for VMs in the Cloud

Now that the VPN is in place, a common scenario is to place a domain controller from the corporate Active Directory into Microsoft Azure. This process is outlined at: http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-install-replica-active-directory-domain-controller/

2.1 Create an AD Site for Azure

A first step to putting a domain controller or services in the cloud is to configure the Active Directory sites and subnets to cover that network.

On the on-premise DC, launch AD Sites and Services. Create a new site for the Azure cloud. Name the site and select DefaultIPSiteLink as the transport.
Create the Subnet object for the Azure Cloud Virtual Network.
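The same site and subnet objects created from the on-premise DC with the ActiveDirectory module, as an added example that is not part of the original post; the site name and the 10.5.104.0/24 range are assumptions for the lab.

```powershell
# Added example (not from the original post): create the AD site and subnet
# for the Azure virtual network from the on-premise DC. The site name and the
# subnet range are assumptions; use the range chosen in section 1.3.
Import-Module ActiveDirectory

$siteName  = 'Azure'            # assumed site name
$azureCidr = '10.5.104.0/24'    # assumed: the Azure virtual network range
$siteLink  = 'DEFAULTIPSITELINK'

# 1. Site (idempotent: skipped if it already exists)
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description 'Microsoft Azure virtual network'
}

# 2. Subnet mapped to the site, so DCs and clients in Azure locate the right site
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$azureCidr'")) {
    New-ADReplicationSubnet -Name $azureCidr -Site $siteName -Location 'Azure'
}

# 3. Put the site on the default site link so replication with on-premise
#    sites is scheduled (the GUI does this when you pick DefaultIPSiteLink).
Set-ADReplicationSiteLink -Identity $siteLink -SitesIncluded @{ Add = $siteName }

# Verify the result
Get-ADReplicationSubnet -Filter "Name -eq '$azureCidr'" | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity $siteLink | Select-Object Name, SitesIncluded
```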
3 Create Machine in Azure on Corporate Network

3.1 Create Virtual Machine

Create a new VM in Azure. Choose the Virtual Network that we established the Site to Site VPN on.
Wait for the VM to be created. Log on to the new VM, open a Command Prompt and run:
   ipconfig /all

Notice that the DNS servers are set to what we configured earlier.
3.2 Set Static IP Address for VM

By default, Azure VMs are assigned dynamic IP addresses (DIP). The dynamic IP address persists for the life of the VM. However, the dynamic address is deallocated if the VM is shut down. To prevent the IP address from being deallocated, you can use Set-AzureStaticVNetIP to assign a static IP address.

3.2.1 Download and Install PowerShell for Azure

Read the following article for more background: http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/

Download and install the Azure PowerShell module from: http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409
3.2.2 Connect to your Azure subscription

Review (http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/) and notice that there are two methods to connect to your Azure subscription. I am going with the management certificate approach. From the article:

1. Sign in to the Azure Management Portal using the credentials for your Azure account.
2. Open the Azure PowerShell console, as instructed in How to: Install Azure PowerShell.
3. Type the following command:
   Get-AzurePublishSettingsFile
4. When prompted, download and save the publishing profile and note the path and name of the .publishsettings file. This information is required when you run the Import-AzurePublishSettingsFile cmdlet to import the settings. The default location and file name format is:
   C:\Users\<UserProfile>\Download\[MySubscription-...]-downloadDate-credentials.publishsettings
   (C:\deandata\ds_mtc\1-Private-Cloud-lab\Azure-Management-Certificate)
5. Type a command similar to the following, substituting your Windows account name and the path and file name for the placeholders:
   Import-AzurePublishSettingsFile C:\Users\<UserProfile>\Downloads\<SubscriptionName>credentials.publishsettings
Commands to check your Azure account:
   Get-AzureAccount
   Get-AzureSubscription
   help azure        ; lists all cmdlets in Azure PowerShell

3.2.3 Verify that Static IP Address is Available

Run a command similar to:
   Test-AzureStaticVNetIP -VNetName TestVNet -IPAddress 192.168.4.7

3.2.4 Update VM with Static IP Address

First, get information on the VM and confirm that this is the VM whose IP address we want to change:
   Get-AzureVM -ServiceName dc1-s2s -Name dc1-s2s

If we are sure that we want to change the IP address of this VM, run the following to update that VM:
   Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress 192.168.4.7 | Update-AzureVM
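The whole of section 3.2 as one script with the checks wired in, as an added example that is my own and not code from the original post; the publish-settings path, VNet, service and VM names and the address are assumptions.

```powershell
# Added example (not from the original post): connect with the publish-settings
# file, confirm the wanted address is free, confirm the target VM, then pin the
# address. Every name and path below is an assumption for the lab.
$settingsFile = 'C:\AzureCreds\subscription.publishsettings'   # assumed path
Import-AzurePublishSettingsFile -PublishSettingsFile $settingsFile
Get-AzureSubscription | Select-Object SubscriptionName, IsCurrent

$vnet    = 'TestVNet'      # assumed: virtual network created in section 1.3
$service = 'dc1-s2s'       # assumed cloud service and VM names
$vmName  = 'dc1-s2s'
$wantIp  = '192.168.4.7'   # assumed: address inside the VNet subnet

# 1. Is the address free? If not, the result lists alternatives.
$check = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $wantIp
if (-not $check.IsAvailable) {
    throw "$wantIp is in use; free addresses: $($check.AvailableAddresses -join ', ')"
}

# 2. Confirm we have the right VM before touching it (the update restarts it).
$vm = Get-AzureVM -ServiceName $service -Name $vmName
if (-not $vm) { throw "VM '$vmName' not found in cloud service '$service'" }
$vm | Select-Object Name, InstanceStatus, IpAddress, VirtualNetworkName | Format-List

# 3. Reserve the address on the VM object and push the change to Azure.
$vm | Set-AzureStaticVNetIP -IPAddress $wantIp | Update-AzureVM

# 4. Verify the reservation stuck.
(Get-AzureVM -ServiceName $service -Name $vmName | Get-AzureStaticVNetIP).IPAddress
```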
After the VM restarts, I checked for the new IP address.

Note: You can connect to the VM via RDP by selecting the VM in the portal; at the bottom, there is a Connect button.

3.3 Setup Routes to Azure Cloud

In my lab, I'm using a Windows 2012 R2 RRAS server as my VPN gateway to Azure. So, I'll need to tell my domain controllers how to route packets to get to the Azure network.

Note: In a production environment, the routers would need to be updated with the routes to get to Azure.

3.4 Check Connectivity from On-Premise to Cloud VM

Enable ping through the firewall on the VMs:
- Open the Windows Firewall with Advanced Security MMC
- Go to Inbound Rules and enable the rule File and Printer Sharing (Echo Request - ICMPv4-In)

Now, initiate a ping from a machine on-premise to the cloud VM.
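Sections 3.3 and 3.4 done from PowerShell, as an added example that is my own and not from the original post; the Azure subnet, the RRAS server's internal address and the cloud VM address are assumptions for the lab, and the three parts run on three different machines as the comments mark.

```powershell
# Added example (not from the original post) covering sections 3.3 and 3.4:
# route the Azure range via the RRAS server on each on-premise DC, open ICMPv4
# echo on the Azure VM, then test the path. Subnets and addresses are assumed.
$azureSubnet  = '10.5.104.0/24'   # assumed: Azure virtual network range
$rrasInternal = '10.5.103.10'     # assumed: RRAS server's corporate-side NIC
$azureVmIp    = '10.5.104.4'      # assumed: the cloud VM from section 3.2

# --- On each on-premise domain controller (elevated PowerShell) ---
# Use the interface that carries the default route. New-NetRoute persists the
# route across reboots by default (pass -PolicyStore ActiveStore for a temporary one).
$ifIndex = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object -First 1).InterfaceIndex
if (-not (Get-NetRoute -DestinationPrefix $azureSubnet -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $azureSubnet -NextHop $rrasInternal -InterfaceIndex $ifIndex
}
Get-NetRoute -DestinationPrefix $azureSubnet | Select-Object DestinationPrefix, NextHop, InterfaceIndex

# --- On the Azure VM: enable only the ICMPv4 echo rule, not the whole firewall ---
$ruleName = 'File and Printer Sharing (Echo Request - ICMPv4-In)'
Enable-NetFirewallRule -DisplayName $ruleName      # enables the rule for every profile
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Profile, Enabled

# --- From an on-premise machine: end-to-end check through the tunnel ---
$reply = Test-Connection -ComputerName $azureVmIp -Count 4 -ErrorAction SilentlyContinue
if ($reply) {
    'Reachable, average {0} ms' -f ($reply | Measure-Object -Property ResponseTime -Average).Average
} else {
    "No reply from $azureVmIp. Check the route, the tunnel (Get-VpnS2SInterface on RRAS) and the firewall rule."
}
```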
3.5 Join Machine to On-Prem Corporate Domain

On the Azure VM that was created, join the machine to the corporate domain (e.g. irvlab.mtcdemos.net). If the VPN, DNS, and routing are all working, then the VM should join the corporate domain. Reboot the machine and log in with a domain account from your corporate domain.
3.6 Add a Data Disk to VM for AD Database

By default, the Azure VM OS disk has write caching enabled. AD best practices recommend disabling write caching to ensure that AD database changes are committed to the disk before proceeding. In Azure, another disk option, the data disk, is available. Data disk drives do not cache writes by default. Data disk drives that are attached to a VM use write-through caching. Write-through caching makes sure the write is committed to durable Azure storage before the transaction is complete from the perspective of the VM's operating system. It provides durability, at the expense of slightly slower writes. Please note that at this time, Azure data disks are constrained to 1 TB in size.

1. Select the VM in the Azure Management Portal.
2. Press the Attach button and select Attach empty disk on the pop-up menu.
3. Specify a size (e.g. 2 GB) and make sure that the Host Cache Preference is set to None.
4. Initialize the disk. From (http://azure.microsoft.com/en-us/documentation/articles/active-directory-new-forest-virtual-machine/):

Log on to the VM and format the additional disk.
   1. Click Connect to log on to the VM, click Open to create an RDP session, and click Connect again.
   2. Change the credentials to the new user name and password you specified.
   3. In Server Manager, click Tools > Computer Management.
   4. Click Disk Management and click OK to initialize the new disk.
   5. Right-click the disk name and click New Simple Volume. Complete the wizard to format the new drive.
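The same data disk attached with host caching off and then initialised inside the VM, as an added example that is my own and not code from the original post; the service and VM names, size, LUN and drive letter are assumptions.

```powershell
# Added example (not from the original post): attach an empty data disk with
# host caching off from Azure PowerShell, then initialise it inside the VM.
# Service/VM names, size, LUN and drive letter are assumptions for the lab.
$service = 'dc1-s2s'
$vmName  = 'dc1-s2s'

# --- From the management workstation (classic Azure PowerShell module) ---
Get-AzureVM -ServiceName $service -Name $vmName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 2 -DiskLabel 'ADDS' -LUN 0 -HostCaching None |
    Update-AzureVM

# Confirm the cache setting is None before the AD database goes on this disk.
Get-AzureVM -ServiceName $service -Name $vmName | Get-AzureDataDisk |
    Select-Object DiskLabel, Lun, LogicalDiskSizeInGB, HostCaching

# --- Inside the VM (over RDP): initialise and format the new, still-RAW disk ---
$raw = Get-Disk | Where-Object PartitionStyle -eq 'RAW'
if ($raw) {
    $raw | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -DriveLetter F |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false
}
Get-Volume -DriveLetter F | Select-Object DriveLetter, FileSystemLabel, Size
```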
3.7 Install Active Directory

I used (http://technet.microsoft.com/library/jj574166.aspx) as a reference.

3.7.1 Install Active Directory Domain Services Role (AD DS)

1. Launch Server Manager.
2. Select Add roles and features.
3. Press Next.
4. Press Next.
5. Press Next.
6. Select Active Directory Domain Services.
7. Click Add Features.
8. Press Next.
9. Press Next.
10. Press Next.
11. I checked to allow automatic restarts. Press Install.
3.7.2 Promote the machine to a domain controller

1. Click the link Promote this server to a domain controller.
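Sections 3.7.1 and 3.7.2 as one scripted run, as an added example that is my own and not from the original post; it places NTDS and SYSVOL on the write-through data disk from section 3.6, and the site name, drive letter and paths are assumptions for the lab.

```powershell
# Added example (not from the original post): install AD DS and promote the
# Azure VM to a replica DC of the corporate domain, placing the database, logs
# and SYSVOL on the write-through data disk (F:) from section 3.6.
# Site name, drive letter and the resulting paths are assumptions for the lab.
$domain   = 'irvlab.mtcdemos.net'   # domain named in section 3.5
$siteName = 'Azure'                 # assumed: site created in section 2.1
$ntdsPath = 'F:\NTDS'               # assumed: data disk from section 3.6
$sysvol   = 'F:\SYSVOL'

# 1. Role install (section 3.7.1); the management tools bring the AD module.
$result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $result.Success) { throw 'AD DS role installation failed' }

# 2. Checks that would otherwise surface as wizard errors later.
if (-not (Test-Path 'F:\')) { throw 'Data disk F: is not present; see section 3.6' }
Import-Module ActiveDirectory
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    throw "AD site '$siteName' does not exist; see section 2.1"
}
# Proves DNS, routing and the tunnel all work: a DC must be reachable.
Get-ADDomainController -Discover -DomainName $domain | Select-Object HostName, Site

# 3. Promotion (section 3.7.2). Credentials are prompted for, never stored here.
$cred     = Get-Credential -Message "Domain Admin credentials for $domain"
$dsrmPass = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$promote = @{
    DomainName                    = $domain
    SiteName                      = $siteName
    DatabasePath                  = $ntdsPath
    LogPath                       = $ntdsPath
    SysvolPath                    = $sysvol
    InstallDns                    = $true
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrmPass
}
# Dry run first: prerequisite checks only, nothing is changed.
$pre = Test-ADDSDomainControllerInstallation @promote
if ($pre.Status -ne 'Success') { $pre.Message; throw 'Prerequisite check failed' }

# Real promotion; the server reboots when it completes.
Install-ADDSDomainController @promote -Force
```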
4 Appendix: Using F5 as VPN Device

I reviewed http://msdn.microsoft.com/en-us/library/jj156075.aspx and got referred to the F5 page (https://devcentral.f5.com/articles/connecting-to-windows-azure-with-the-big-ip#.u40i9dhou5s).

I downloaded and imported the F5 iApp.
Note: get the pre-shared key and the remote endpoint address from the Azure portal.

The iApp didn't work, so I went the manual route.

Create the IKE Peer

Create the IPsec Policy
Create the Traffic Selector