In the previous chapter, we covered load balancing services in Azure and explored the configuration of services such as Load Balancer and Application Gateway.
This chapter continues with this objective by covering how to integrate your on-premises network with an Azure virtual network. In this chapter, we are going to focus on virtual private network (VPN) connections from your on-premises environment to Azure. You will learn how to create an Azure VPN gateway, and you will learn how to configure a Site-to-Site (S2S) VPN using an on-premises server and Azure VPN Gateway. At the end of the chapter, we will explore Azure Virtual WAN and the capabilities this introduces.
In this chapter, we are going to cover the following main topics:
To follow along with the hands-on material, you will need the following:
Azure VPN Gateway provides a secure gateway that can be used for sending encrypted traffic over the internet between an Azure virtual network and an on-premises location. This gateway can be used for sending encrypted traffic between different Azure virtual networks and the Microsoft networks as well.
For each virtual network, you can only have one VPN gateway. You can, however, create multiple connections to the same VPN gateway. When creating multiple connections, all the VPN tunnels will share the available gateway bandwidth.
A virtual network gateway is created with two or more virtual machines (VMs) that are deployed in a gateway subnet. This is a specific subnet that is created for the VPN connection. The VMs that are deployed in the gateway subnet are created at the same time as the virtual network gateway is created. The VMs are then configured to contain specific gateway services and routing tables to connect to the gateway in Azure. It is not possible to configure the gateway services and routing tables manually. All gateway stock keeping units (SKUs) except for the Basic SKU include 128 Point-to-Site (P2S) connections in the price.
Azure VPN Gateway offers the following pricing tiers:
There is also the option for an availability zone (AZ) variation of each Gateway SKU, except for Basic, denoted with a suffix of AZ, for example, VpnGw4AZ. They offer similar specifications and are as follows:
For better redundancy (high-availability) options, it is, of course, better to select the AZ variant, but understand that it costs significantly more than the standard SKU. This is desirable for customers and workloads where constant connectivity is essential to operations and downtime would be costly to the client. Next, we will explore S2S VPN connections.
An S2S VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. These connections can be used for hybrid configurations and cross-premises configurations. It is designed to create a secure connection between a location and your virtual network over the internet. The location can be an office or even another VPN gateway, as an example. Once the S2S VPN connection is configured, you can connect every device from that location to Azure using the same VPN location.
An S2S connection requires a compatible VPN device located on-premises that has a public IP address assigned to it. It should not be located behind a NAT. S2S connections are designed to be persistent and always on; this is not a requirement, of course, but it is important to understand the intended design.
Top Tip
For more information about the compatible VPN devices, you can refer to the following documentation: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#s2s.
The following diagram shows an S2S VPN connection from an on-premises environment to Azure:
In the next section, we are going to look at multi-site VPNs.
A multi-site VPN connection is a variation of the S2S connection. You use this type of connection for connecting to multiple on-premises sites from your virtual network gateway. It is required that multi-site connections use a route-based VPN type gateway. All connections through the gateway will share the available bandwidth. This is because each virtual network can only have one VPN gateway.
The following diagram shows a multi-site VPN connection from an on-premises environment to Azure:
In the next section, we are going to look at the P2S VPN.
A P2S VPN gateway connection is designed to create a secure connection between an individual client and your virtual network over the internet. It is established from the client's computer and is useful for people who are working from different locations, such as from their home or from a hotel. A P2S VPN is also the best solution if you only have a few clients to connect to a virtual network.
A P2S connection does not require an on-premises, public-facing IP address as S2S VPN connections do. You are able to use P2S connections together with S2S connections over the same VPN gateway. You need to make sure that the configuration requirements for both connections are compatible so that you can use both connection types over the same gateway.
The following diagram shows a P2S VPN connection from an on-premises environment to Azure:
In the next section, we are going to look at ExpressRoute.
ExpressRoute offers a private connection that is facilitated by a connectivity provider. ExpressRoute connections don't traverse the public internet; instead, they use a private and more reliable connection. These types of connections offer lower latencies, higher security, and faster speeds than connections that go over the internet. You can use it to extend your on-premises networks to Azure and Office 365. Connections can be made from an any-to-any (IP VPN) network, a virtual cross-connection at a co-location facility, and a point-to-point Ethernet network connection.
ExpressRoute uses a virtual network gateway, which is configured with a gateway type of ExpressRoute instead of a VPN. By default, the traffic is not encrypted, but you can create a solution that encrypts the traffic that goes over the ExpressRoute circuit.
The following diagram shows an ExpressRoute connection from an on-premises environment to Azure:
Now that we have looked at the different types of VPN connections you can configure, we are now going to create and configure an Azure VPN gateway.
In the upcoming sections, we are going to configure an Azure VPN gateway, configure an S2S VPN, and verify the connectivity between Azure and the on-premises environment.
We are going to use Windows Server 2019 with the Routing and Remote Access Service (RRAS) enabled to serve as the compatible VPN device that is installed on the on-premises environment.
To create a VPN gateway, you can perform the following steps to follow along in our example:
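The same gateway can be created from Az PowerShell; the following is an added example (not from the book) that creates the gateway subnet, a Standard static public IP and a route-based VpnGw1AZ gateway. The resource group, VNet name and address ranges are assumptions.

```powershell
# Added example (not from the book): gateway subnet, public IP and route-based VPN gateway.
# Resource names and address ranges are assumptions.
$rg       = 'az104-vpn-rg'
$location = 'eastus'
$vnetName = 'az104-vnet'          # VNet that will be connected to on-premises
$gwName   = 'az104-vpngw'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName -ErrorAction SilentlyContinue
if (-not $vnet) {
    $vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName -Location $location `
        -AddressPrefix '10.1.0.0/16'
}

# The gateway subnet must be named exactly 'GatewaySubnet'; a /27 leaves room for larger SKUs
# and for an ExpressRoute gateway to coexist later.
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27' `
        -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# AZ SKUs require a Standard, static public IP; spreading it over three zones matches the gateway.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "$gwName-pip" -Location $location `
    -AllocationMethod Static -Sku Standard -Zone 1,2,3

$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# Route-based is mandatory for multi-site, VNet-to-VNet and P2S coexistence, so it is the safe default.
$gw = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw1AZ -VpnGatewayGeneration Generation1

# Confirm what was provisioned before building connections against it.
$gw | Select-Object Name, GatewayType, VpnType, @{n = 'Sku'; e = { $_.Sku.Name }}, ProvisioningState
```

Gateway creation typically takes 30 to 45 minutes to complete, so the final cmdlet may report a provisioning state of Updating until then.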
You have now deployed a VPN gateway. Next, we will explore the creation of an S2S VPN connection using the Gateway service. First, we will need a VM to act as the VPN server.
To deploy your VPN server, you will need to perform the following steps:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": { "type": "string", "defaultValue": "az104vpnserver" },
    "adminUsername": { "type": "string", "defaultValue": "Packtadmin" },
    "adminPassword": { "type": "securestring", "defaultValue": "P@55w0rd()" },
    "windowsOSVersion": { "type": "string", "defaultValue": "2019-Datacenter" },
    "vmSize": { "type": "string", "defaultValue": "Standard_D2s_v4" },
    "resourceTags": { "type": "object", "defaultValue": { "Application": "AZ104 VPN Gateway" } },
    "vnetName": { "type": "string", "defaultValue": "vpnvnet" },
    "subnetName": { "type": "string", "defaultValue": "vnpsubnet" }
  },
  "functions": [],
  "variables": {
    "diagnosticsStorageAccountName": "[concat(parameters('vmName'),'sa01')]",
    "nicName": "[concat(parameters('vmName'),'-nic01')]",
    "nsgName": "[concat(parameters('vmName'),'-nsg-01')]",
    "publicIPName": "[concat(parameters('vmName'),'-ip-01')]"
  },
  "resources": [
    {
      "name": "[toLower(variables('diagnosticsStorageAccountName'))]",
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "location": "[resourceGroup().location]",
      "tags": "[parameters('resourceTags')]",
      "sku": { "name": "Standard_LRS" },
      "kind": "Storage"
    },
    {
      "name": "[variables('publicIPName')]",
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2020-11-01",
      "location": "[resourceGroup().location]",
      "tags": "[parameters('resourceTags')]",
      "properties": {
        "publicIPAllocationMethod": "Dynamic",
        "dnsSettings": { "domainNameLabel": "[toLower(parameters('vmName'))]" }
      }
    },
    {
      "name": "[variables('nsgName')]",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "nsgRule1",
            "properties": {
              "description": "Allow inbound RDP; open to any source for the lab, restrict sourceAddressPrefix in production",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 100,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "name": "[parameters('vnetName')]",
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-11-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
      ],
      "tags": "[parameters('resourceTags')]",
      "properties": {
        "addressSpace": { "addressPrefixes": [ "99.0.0.0/24" ] },
        "subnets": [
          {
            "name": "[parameters('subnetName')]",
            "properties": {
              "addressPrefix": "99.0.0.0/24",
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
              }
            }
          }
        ]
      }
    },
    {
      "name": "[variables('nicName')]",
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-11-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
      ],
      "tags": "[parameters('resourceTags')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipConfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPName'))]"
              },
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnetName'))]"
              }
            }
          }
        ]
      }
    },
    {
      "name": "[parameters('vmName')]",
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2021-03-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', toLower(variables('diagnosticsStorageAccountName')))]",
        "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]"
      ],
      "tags": "[parameters('resourceTags')]",
      "properties": {
        "hardwareProfile": { "vmSize": "[parameters('vmSize')]" },
        "osProfile": {
          "computerName": "[parameters('vmName')]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "[parameters('windowsOSVersion')]",
            "version": "latest"
          },
          "osDisk": {
            "name": "[concat(parameters('vmName'),'osdisk')]",
            "caching": "ReadWrite",
            "createOption": "FromImage"
          }
        },
        "networkProfile": {
          "networkInterfaces": [
            { "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('diagnosticsStorageAccountName')))).primaryEndpoints.blob]"
          }
        }
      }
    }
  ]
}
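The template carries a default value for its securestring parameter and an RDP rule open to any source, both acceptable for a lab but not for a production deployment. The following added example (not from the book) deploys the template while supplying the password interactively and then narrows the RDP rule to a single administrative address; the file path, resource group and administrator IP are assumptions.

```powershell
# Added example (not from the book): deploy the VPN server template with a prompted password and
# restrict the RDP rule afterwards. Template path, resource group and admin IP are assumptions.
$rg           = 'az104-vpn-rg'
$templateFile = '.\vpnserver.json'       # the template shown above, saved locally

# Read-Host -AsSecureString yields the SecureString the securestring parameter expects, so the
# value is neither stored in the template file nor echoed in deployment history.
$adminPassword = Read-Host -Prompt 'Admin password for az104vpnserver' -AsSecureString

$deployment = New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templateFile `
    -adminPassword $adminPassword -Mode Incremental

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state $($deployment.ProvisioningState)"
}

# Replace the any-source RDP rule (nsgRule1 in the template) with one limited to the admin's IP.
$adminIp = '203.0.113.10'    # assumed; the documentation range stands in for your egress address
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'az104vpnserver-nsg-01'
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'nsgRule1' `
    -Description 'RDP from admin workstation only' -Access Allow -Protocol Tcp -Direction Inbound `
    -Priority 100 -SourceAddressPrefix "$adminIp/32" -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Read the rule back so the change is verified rather than assumed.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsg.Name).SecurityRules |
    Select-Object Name, SourceAddressPrefix, DestinationPortRange, Access
```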
You have just configured your VPN server for the VPN gateway in Azure. Next, we will configure the Azure VPN Gateway side to establish an S2S connection.
To configure an S2S VPN tunnel using Azure VPN Gateway, we will use a Windows server with RRAS features installed. This will work as the equivalent of an on-premises appliance that would typically run a persistent connection with the VPN gateway. An S2S tunnel is typically designed to be persistent:
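Both halves of the tunnel can be scripted. The following added example (not from the book) creates the local network gateway and IKEv2 connection in Azure, then configures the RRAS S2S interface on the Windows Server and checks the tunnel state from both sides. It assumes it is run on the RRAS server with the Az module installed, that the gateway from the earlier section is named az104-vpngw in resource group az104-vpn-rg, and that 10.1.0.0/16 is the Azure address space; the server's public IP and the 99.0.0.0/24 range come from the template above.

```powershell
# Added example (not from the book): Azure side and RRAS side of the IKEv2 S2S tunnel.
# Gateway name, resource group and Azure address space are assumptions.
$rg         = 'az104-vpn-rg'
$gwName     = 'az104-vpngw'
$location   = 'eastus'
$onPremCidr = '99.0.0.0/24'    # vpnvnet range from the template, standing in for on-premises
$azureCidr  = '10.1.0.0/16'    # assumed address space behind the Azure VPN gateway

# Step 1: a random 256-bit pre-shared key, generated rather than typed into the script.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)

# Step 2 (Azure): the local network gateway describes the RRAS server; its public IP is the
# Dynamic one from the template, so it changes if the VM is deallocated.
$onPremIp = (Get-AzPublicIpAddress -ResourceGroupName $rg -Name 'az104vpnserver-ip-01').IpAddress
$lng = New-AzLocalNetworkGateway -ResourceGroupName $rg -Name 'onprem-lng' -Location $location `
    -GatewayIpAddress $onPremIp -AddressPrefix $onPremCidr

# Step 3 (Azure): IPsec connection pinned to IKEv2 so the weaker IKEv1 dialect is never offered.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName
New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'onprem-s2s' -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 -SharedKey $psk | Out-Null

# Step 4 (RRAS): persistent IKEv2 demand-dial interface towards the gateway's public IP.
$gwPublicIp = (Get-AzPublicIpAddress -ResourceGroupName $rg -Name "$gwName-pip").IpAddress
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools | Out-Null
Install-RemoteAccess -VpnType VpnS2S
Add-VpnS2SInterface -Name 'AzureS2S' -Destination $gwPublicIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet "${azureCidr}:100" -Persistent     # route to Azure with metric 100
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

# Step 5: bring the tunnel up and verify from both ends.
Connect-VpnS2SInterface -Name 'AzureS2S'
Get-VpnS2SInterface -Name 'AzureS2S' | Select-Object Name, ConnectionState
(Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name 'onprem-s2s').ConnectionStatus
```

A ConnectionStatus of Connected on the Azure side and a ConnectionState of Connected on the RRAS side confirm the tunnel; keep the generated key in Key Vault or another secret store rather than in a script variable for anything beyond this exercise.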
Now that you have configured your Windows VPN server, we will test it in the next section.
To verify connectivity, follow these steps:
In the next section, we will explore VNet to VNet connectivity.
Configuring a VNet-to-VNet connection is a simple way to connect VNets. Connecting a virtual network to another virtual network is similar to creating an S2S IPsec connection to an on-premises environment. Both connection types use Azure VPN Gateway. The VPN gateway provides a secure IPsec/IKE tunnel, and both connection types communicate in the same way. The difference is in the way the local network gateway is configured.
When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you update the address space for one VNet, the other VNet automatically routes to the updated address space. This makes it faster and easier to create a VNet-to-VNet connection than an S2S connection.
Top Tip
To create a VNet-to-VNet connection from the Azure portal, you can refer to the following tutorial: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.
In the following exercise, we will explore the creation of an ExpressRoute circuit. We will only emulate the deployment as it typically includes involvement from a provider with a corresponding circuit configuration at the edge to join Azure:
For the completion of setting up an ExpressRoute circuit connection, you will need to contact your ExpressRoute provider and confirm the circuit numbers as part of your deployment. You will provide them with the service key associated with the circuit you have deployed in Azure.
For additional reading and guidance on the deployment steps, you can read these articles:
Now that you understand how to configure an ExpressRoute circuit, you can feel confident in starting the deployment in your organization. Next, we will explore Azure Virtual WAN.
Azure Virtual WAN provides a mechanism for a managed hub-and-spoke network within Azure. It consolidates all your endpoint connection types into a single service that simplifies the management of your complex networks and enables transitive network functionality.
The following diagram shows an illustration of the various interconnections that may be employed in a typical environment:
As illustrated in the preceding diagram, you could have a variety of connection types, such as ExpressRoute, S2S connections, P2S connections, and even VNet peering. All the traffic flow configurations are managed through Azure Virtual WAN, which will also configure your transitive network flows, eliminating the need for an additional Network Virtual Appliance (NVA). The deployment of Virtual WAN also allows for the deployment of a firewall in the solution, allowing you to secure traffic natively through your hub-and-spoke model.
There are two SKUs that you can purchase as part of the service:
Effectively, the intention of Virtual WAN is to act as the head-end for your network, being the primary routing service for all the interconnections you require.
Top Tip
While you can upgrade from the Basic to Standard SKU, you cannot downgrade from Standard to Basic. This is important in deciding your direction for implementation and upgrading.
Now that you understand what Virtual WAN is, we will look at the deployment of the service next.
In order to configure Azure Virtual WAN, you will need to perform the following steps:
Now that you have a Virtual WAN deployment, you will create a VPN site next.
In this exercise, you will create your first VPN site for the Virtual WAN:
Now that you have created your VPN site, you will need to connect this to the hub next.
Now that your site is configured, you will need to connect to your VPN connection using your VPN server:
Now you have a VPN connection, you will attempt to connect to this next.
Now that your site is connected to the hub, you can connect to this using your VPN server:
You have now experienced connecting an S2S VPN using both Azure Virtual WAN and Azure VPN Gateway. You should feel confident in implementing the basic network structures you need within your Azure environments.
In this chapter, we covered various services for connecting on-premises networks to Azure, such as through Azure VPN Gateway and Azure Virtual WAN. You have learned about the various types of VPN connections available to you and the difference between each of them. You have also experienced the configuration of several of these. You should now feel comfortable in connecting your networks to Azure and what services to use. In the next chapter, we will explore monitoring and troubleshooting for networks in Azure in detail.