Today I will be writing about creating a Site to Site (S2S) Virtual Private Network from your Azure virtual network to your on-premises network without the need to use a dedicated VPN hardware device.
Requirements:
- active Azure subscription
- Azure Resource Group
- Azure virtual network
- on-premises VM to install Windows Server 2019
- proper firewall settings
- some networking knowledge
We will start by logging on to https://portal.azure.com.
You can use an existing resource group if you already have networks and VMs in it or create a new resource group.
I will create a new one:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-1.png)
After creating the resource group I will go and create a Virtual Network. Go to + Create a resource and search for Virtual Network like below:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-2.png)
Then press Create:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-3.png)
Give the virtual network a meaningful name, choose the resource group and region in which to deploy, then click Next: IP Addresses.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-4.png)
Create an IP address space that does not overlap with your on-premises address space.
Press Add subnet to create the subnet to which your resources (VMs) will connect and to which on-premises traffic will be routed.
Define the subnet name and address space:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-6.png)
Then press Add:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-7.png)
Click on Next: Security:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-8.png)
Leave the settings at their defaults and click Review + Create. Make sure validation passed, then click Create.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-9.png)
Wait for the deployment to finish:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-10.png)
Click Go to resource:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-11.png)
Click Subnets
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-12.png)
Then click + Gateway subnet. You can use the defaults or customize the gateway subnet (this subnet is used by the VPN gateway) based on your needs:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-13.png)
Click OK and wait for the subnet to be added:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-14.png)
The next step is to create the Virtual Network Gateway, which is actually our VPN gateway. We will deploy a new one from the Marketplace.
Click on + Create a resource and type in the search box virtual network, then select Virtual Network Gateway:
Then press Create:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-16.png)
Select the subscription and the resource group, give it a meaningful name, and select the region (make sure it is the same as the virtual network's). The Gateway type is VPN and the VPN type is Route based. Select the SKU based on your bandwidth needs, the Generation, and the virtual network (the one we just created). Create a new Public IP address, as this will be our connection point for the VPN. If you want to create an active-active VPN with BGP you can configure that here as well (I will write another article on that). Then click Review + create:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-17.png)
Make sure validation passed, then click Create.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-18.png)
Be patient (this will take around 20-30 minutes) and wait for the deployment to finish:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-19.png)
Then click Go to resource
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-20.png)
Check that it was created and that it has a public IP assigned:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-21.png)
The next step is to create a Local Network Gateway (this is the definition of the on-premises gateway). To do this go to + Create a resource, search for local network gateway and click on it:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-22.png)
Click Create
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-23.png)
Give the Local Network Gateway a meaningful name, enter the public IP address of your on-premises device or RRAS server, and enter the on-premises address range that you want to route to Azure:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-24.png)
Click Create and wait for the deployment to finish:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-25.png)
Then click Go to resource
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-26.png)
The next step is to create the VPN connection. For this we need to go to Connections and click + Add:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-27.png)
Give it a meaningful name, select the Virtual Network Gateway we created earlier and the Local Network Gateway, enter a passphrase as the shared key (pre-shared key), leave the protocol as IKEv2, then click OK:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-28.png)
Wait for the connection to be created:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-29.png)
This finishes the Azure part of the configuration.
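The same Azure-side build (resource group, virtual network with a VM subnet and GatewaySubnet, route-based VPN gateway with a public IP, local network gateway for the on-premises side, and the IKEv2 connection) as a script. This is an added example using the Az PowerShell module, not code from the original article; every name, region and address range in it is an assumption to replace with your own, and the IP addresses are documentation placeholders. The pre-shared key is read at run time rather than stored in the script.

```powershell
# Added example: Azure side of the site-to-site VPN with the Az PowerShell module.
# All names, regions and address ranges are assumptions; replace them with your own.

$rg       = 'rg-s2s-demo'
$location = 'westeurope'

# On-premises side (constructed placeholder values)
$onPremPublicIp = '203.0.113.10'    # public IP of the RRAS server or the NAT in front of it
$onPremAddress  = '192.168.10.0/24' # on-premises range to route to Azure

# Azure side: the VNet space must not overlap with the on-premises space
$vnetAddress     = '10.50.0.0/16'
$vmSubnetAddress = '10.50.1.0/24'
$gwSubnetAddress = '10.50.255.0/27' # GatewaySubnet; /27 or larger is recommended

# Pre-shared key: prompt for it instead of hard-coding it in a script that ends up in source control
$sharedKeySecure = Read-Host -Prompt 'IKEv2 pre-shared key' -AsSecureString
$sharedKey       = [System.Net.NetworkCredential]::new('', $sharedKeySecure).Password

Connect-AzAccount | Out-Null

# 1. Resource group
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 2. Virtual network with the VM subnet and the mandatory GatewaySubnet (the name is fixed)
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-vms'      -AddressPrefix $vmSubnetAddress
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnetAddress
$vnet = New-AzVirtualNetwork -Name 'vnet-s2s-demo' -ResourceGroupName $rg -Location $location `
          -AddressPrefix $vnetAddress -Subnet $vmSubnet, $gwSubnet

# 3. Public IP and the Virtual Network Gateway (type VPN, route-based). Expect 20-30 minutes.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpConfig  = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
                 -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name 'vpngw-s2s-demo' -ResourceGroupName $rg -Location $location `
         -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased `
         -GatewaySku VpnGw1 -VpnGatewayGeneration Generation1

# 4. Local network gateway: the definition of the on-premises side
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
         -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremAddress

# 5. The IPsec connection between the two gateways, IKEv2 with the pre-shared key
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem-to-azure' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $sharedKey | Out-Null

# The gateway public IP is what the RRAS demand-dial interface will dial;
# the connection status should move to Connected once RRAS brings the tunnel up.
(Get-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg).IpAddress
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem-to-azure' -ResourceGroupName $rg).ConnectionStatus
```

Run it in a session that already has the Az module installed. The public IP SKU and gateway SKU are a working pair at the time of writing but are worth checking against the current Azure documentation for the SKU you pick, since the allowed combinations have changed over time.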
Now we need to configure our on-premises RRAS server. For this I have created a VM and installed Windows Server 2019 on it; next we will install the needed roles and configure the connection. For the routing to work correctly, the VM needs two network adapters: one connected to the external or DMZ network and the second connected to our internal network.
Below are the configured NICs:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-30.png)
Now let’s install the RRAS role. Go to Server Manager – Manage – Add Roles and Features, and select Role-based or feature-based installation.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-31.png)
Select the server
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-32.png)
Select the Remote Access role
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-33.png)
On Features click Next, then on Remote Access click Next. On Role Services select DirectAccess and VPN (RAS), then click Add Features.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-34.png)
Click Next
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-35.png)
On the Web Server Role (IIS) page click Next, and do the same on its Role Services page.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-36.png)
Click Install
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-37.png)
Wait for the installation to finish.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-38.png)
After the installation has finished click Close, then open the Routing and Remote Access console.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-39.png)
Right-click the server name and then click Configure and Enable Routing and Remote Access.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-40.png)
Click Next
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-41.png)
Select Secure connection between two private networks
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-42.png)
Select Yes
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-43.png)
If you have a DHCP server in your environment select Automatically; otherwise select From a specified range of addresses and define the range. I will select Automatically, then click Next.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-44.png)
Click Finish and wait for the configuration to finish.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-45.png)
On the new Demand-Dial Interface wizard click Next.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-46.png)
Give the connection a meaningful name and click Next
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-48.png)
Select Connect using virtual private networking (VPN)
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-49.png)
For the protocol select IKEv2 (the same as we selected on the Azure side), then click Next.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-50.png)
Go to the VPN gateway in Azure and get its public IP.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-51.png)
Enter the public IP of the gateway.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-52.png)
Make sure Route IP packets on this interface is selected and click Next.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-53.png)
On the Static Routes page click Add.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-54.png)
Add the address space you defined for the Azure Virtual Network, and the subnet you defined for your VMs, with a low metric, then click OK.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-55.png)
It should look like this; click Next.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-56.png)
On the Dial-Out Credentials page enter just Azure as the user name, then click Next.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-57.png)
Click Finish.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-58.png)
After the configuration has finished, expand the server node and go to Network Interfaces.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-59.png)
Right-click Azure S2S and select Properties.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-60.png)
Go to Security, select Use preshared key for authentication, enter the shared key that was configured on the Azure side, then click OK.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-61.png)
Right-click the connection and select Connect.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-62.png)
And we now have a VPN connection to our Azure VNet.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-63.png)
Now we need to add the route to our VNet to the configuration. Go to IPv4, right-click Static Routes and select New Static Route.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-64.png)
Add the address space of your Azure subnet, select a low metric, and click OK.
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-65.png)
I have quickly deployed a test VM on my subnet and tried to ping it from my RAS gateway machine:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-66.png)
Plus, I can now RDP over the internal interface, so there is no need to expose RDP publicly:
![image image](https://windowsrockstar.com/wp-content/uploads/2020/03/image_thumb-67.png)
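The RRAS side of the same procedure (role installation, enabling RRAS for site-to-site VPN, the IKEv2 demand-dial interface with pre-shared key authentication and the route into the tunnel, then the connectivity check) as a script using the RemoteAccess PowerShell module. This is an added example, not code from the original article; the interface name, the gateway IP, the address ranges and the test VM address are assumptions and placeholders to replace with your own. Run it in an elevated PowerShell on the Windows Server 2019 VM with the two NICs already configured.

```powershell
# Added example: on-premises RRAS side of the site-to-site VPN via the RemoteAccess module.
# All IPs, prefixes and names are assumptions; replace them with your own.

$azureGatewayIp  = '198.51.100.20'   # public IP of the Azure VPN gateway (placeholder)
$azureVnetPrefix = '10.50.0.0/16'    # Azure VNet address space routed through the tunnel
$azureTestVm     = '10.50.1.4'       # a VM in the Azure VM subnet (placeholder)
$ifName          = 'Azure S2S'       # demand-dial interface name

# The pre-shared key must match the one set on the Azure connection; prompt, do not hard-code it.
$psk = Read-Host -Prompt 'IKEv2 pre-shared key'

# 1. Remote Access role with the VPN (RAS) and Routing role services plus management tools
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null

# 2. Enable RRAS for site-to-site VPN only: no remote-client VPN listener and no DirectAccess,
#    which keeps the exposed surface on the external NIC down to IKEv2/IPsec
Install-RemoteAccess -VpnType VpnS2S

# 3. Demand-dial interface: IKEv2, PSK authentication, Azure VNet routed through the interface
#    ("prefix/bits:metric" is the IPv4Subnet format; 100 is the route metric). -Persistent keeps
#    the tunnel up rather than dialing on demand.
Add-VpnS2SInterface -Name $ifName -Protocol IKEv2 -Destination $azureGatewayIp `
    -AuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet "${azureVnetPrefix}:100" -Persistent | Out-Null

# 4. Bring the tunnel up and confirm what was negotiated
Connect-VpnS2SInterface -Name $ifName
Get-VpnS2SInterface -Name $ifName |
    Select-Object Name, ConnectionState, Protocol, AuthenticationMethod, Destination

# 5. Verify the route exists and that a VM in the Azure subnet answers over the tunnel
Get-NetRoute -DestinationPrefix $azureVnetPrefix -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, InterfaceAlias, RouteMetric
Test-NetConnection -ComputerName $azureTestVm -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The "proper firewall settings" in the requirements list translate, for this design, to allowing UDP 500, UDP 4500 and ESP (IP protocol 50) between the RRAS external NIC and the Azure gateway public IP; if the RRAS server sits behind NAT, UDP 4500 (NAT-T) is the one that carries the traffic. The TCP 3389 test at the end only proves reachability of the VM over the tunnel from the internal side; it is not a reason to open RDP on the public IP.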
This is how you deploy a site-to-site VPN from on-premises to Azure without the need for expensive hardware.
Thank you for reading all the way through.
In a future article I will show you how to be able to use a VPN with a dynamic IP address with minimal downtime.