Today I will be writing about creating a Site to Site (S2S) Virtual Private Network from your Azure virtual network to your on-premises network without the need to use a dedicated VPN hardware device.
Requirements:
We will start by logging on to https://portal.azure.com.
You can use an existing resource group if you already have networks and VMs in it or create a new resource group.
I will create a new one :
After creating the resource group I will go and create a Virtual Network. Go to + Create a resource and search for Virtual Network like below:
Then press Create:
Give the virtual network a meaningful name, choose the resource group and region in which to deploy, then click Next: IP Addresses
Create an IP address space that will be different from your on-premises space:
Create a subnet by pressing Add subnet to which you want your resources (VMs) to connect and to which on premise traffic will be routed.
Define the subnet name and address space:
Then press Add:
Click on Next: Security:
Leave settings as default, and click Review+Create. Make sure Validation passed, then click on Create
Wait for the deployment to finish:
Click Go to resource:
Click Subnets
Then click on the + Gateway subnet. You can use the defaults or customize the gateway network (this will be used by the VPN gateway) based on your needs:
Click OK and wait for the subnet to be added:
The next step is to create the Virtual Network Gateway which is our VPN gateway actually. We will deploy a new one from the Marketplace.
Click on + Create a resource and type in the search box virtual network, then select Virtual Network Gateway:
Then press Create:
Select the subscription, the resource group, give it a meaningful name, select the region (make sure it is the same as the virtual network), the Gateway type is VPN and the VPN type is Route Based. Select the SKU based on your bandwidth needs, the Generation and virtual network (the one we just created). Create a new Public IP address as this will be our connection point for the VPN. If you want to create an active-active VPN with BGP you can configured that also ( I will write another article on that). Then click Review + create:
Make sure Validation passed, then click on Create
Be patient (this will take around 20-30 minutes) and Wait for the deployment to finish:
Then click Go to resource
Check that is was created and that it has a public IP assigned:
The next step is to create a Local Network Gateway. To do this go to + Create a resource and search for local network gateway (this will be the definition for the on premise gateway) and click on it:
Click Create
Give the Local Network Gateway a meaningful name, your public IP address for your on-premise device or RRAS server, select the on premise address range that you want to route to Azure:
Click Create and wait for the deployment to finish:
Then click Go to resource
The next step is to create the VPN connection. For this we need to go to Connections and click + Add
Give it a meaningful name, select the Virtual Network Gateway we created earlier and the Local Network Gateway, add a passphrase for the share key and leave the protocol as IKEv2, then click OK
Wait for the connection to get created
This finished the Azure part of the configuration.
Now we will need to configure our on premises RRAS server. For this I have created a VM, installed Windows Server 2019 on it and now we will install the needed roles on it, then configure the connection. For the routing to work correctly we will need to give the VM 2 network adapters – 1 connected to the external or DMZ network and the 2nd connected to our internal network.
Below are the configured NICs:
Now let’s install the RRAS role. Go to Server manager – Manage – Add Roles and Features. Select Role-Based or feature-based installation.
Select the server
Select the Remote Access role
On features click next, then on the Remote Access click next. On Role Services select DirectAccess and VPN (RAS), then click on Add Features
Click Next
On the Web Server Role (IIS) click next, same on role services
Click Install
Wait for the installation to finish.
After the installation has finished click Close, then open the Routing and Remote Access console
Right Click the server name and then click on Configure and Enable Routing and Remote Access
Click Next
Select Secure connection between two private networks
Select Yes
If you have a DHCP server in your environment select Automatically. Else select From a specified range of addresses and define the range. I will select Automatically, then click Next
Click Finish and wait for the configuration to finish.
On the new wizard for the Demand Dial click next
Give the connection a meaningful name and click Next
Select Connect using virtual private networking (VPN)
For the protocol select IKEv2 (same as we select on the Azure side), click Next
Go to the VPN gateway on azure and get the Public IP of the VPN gateway.
Enter the Public IP of the gateway
Make sure Route IP Packets on this interface is selected and click Next
On the Static Router click Add
Add the address space you defined on the Azure Virtual Network and on the Subnet you defined for your VMs, add a low metric, then click OK
It should look like this, click Next
On the credentials page put just Azure, click Next
Click Finish
After the configuration has been finished expand it then go to Network Interfaces
Right click Azure S2S, select Properties
Go to Security, select Use preshared key for authentication and add the key that was configured on the Azure VPN gateway, then click OK
Right click the connection and select connect
And he now have a VPN connection to our Azure VNET
Now we need to add the route to our VNET in the configuration. Go to IPv4, right click Static Routes and select New static route
Add the address space of your Azure subnet, selecting a low metric, click OK
I have quickly deployed a test VM on my subnet and tried to ping it from my RAS gateway machine:
Plus I can now RDP on the internal interface so no need for public RDP:
This is how you deploy a site to site VPN from on premise to Azure for without the need for expensive hardware.
Thank you for reading it all up.
In a future article I will show you how to be able to use a VPN with a dynamic IP address with minimal downtime.
Category: IT
System Center Virtual Machine Manager ports and protocols.
Port and protocol exceptions
| Connect | Port/protocol | Details | Configure |
|---|---|---|---|
| VMM server to VMM agent on Windows Server-based hosts/remote library server | 80: WinRM; 135: RPC; 139: NetBIOS; 445: SMB (over TCP) | Used by the VMM agent
Inbound rule on hosts |
Can’t modify |
| VMM server to VMM agent on Windows Server-based hosts/remote library server | 443:HTTPS | BITS data channel for file transfers
Inbound rule on hosts |
Modify in VMM setup |
| VMM server to VMM agent on Windows Server-based hosts/remote library server | 5985:WinRM | Control channel
Inbound rule on hosts |
Modify in VMM setup |
| VMM server to VMM agent on Windows Server-based hosts/remote library server | 5986:WinRM | Control channel (SSL)
Inbound rule on hosts |
Can’t modify |
| VMM server to VMM guest agent (VM data channel) | 443:HTTPS | BITS data channel for file transfers
Inbound rule on machines running the agent The VMM guest agent is a special version of the VMM agent. It’s is installed on VMs that are part of a service template, and on Linux VMs (with or without a service template). |
Can’t modify |
| VMM server to VMM guest agent (VM control channel) | 5985:WinRM | Control channel
Inbound rule on machines running the agent |
Can’t modify |
| VMM host to host | 443:HTTPS | BITS data channel for file transfers
Inbound rule on hosts and VMM server |
Modify in VMM setup |
| VMM server to VWware ESXi servers/Web Services | 22:SFTP
Inbound rule on hosts |
Can’t modify | |
| VMM server to load balancer | 80:HTTP; 443:HTTPS | Channel used for load balancer management | Modify in load balancer provider |
| VMM server to remote SQL Server database | 1433:TDS | SQL Server listener
Inbound rule on SQL Server |
Modify in VMM setup |
| VMM server to WSUS update servers | 80/8530:HTTP; 443/8531:HTTPS | Data and control channels
Inbound rule on WSUS server |
Can’t modify from VMM |
| VMM library server to Hyper-V hosts | 443:HTTPS | BITS data channel for file transfers
Inbound rule on hosts – 443 |
Modify in VMM setup |
| VMM console to VMM | WCF:8100 (HTTP); WCF:8101 (HTTPS); Net.TCP: 8102 | Inbound rule on VMM console machine | Modify in VMM setup |
| VMM server to storage management service | WMI | Local call | |
| Storage management service to SMI-S provider | CIM-XML | Provider-specific | |
| VMM server to Baseboard Management Controller (BMC) | 443: HTTP (SMASH over WS-Management) | Inbound rule on BMC device | Modify on BMC device |
| VMM server to Baseboard Management Controller (BMC) | 623: IPMI | Inbound rule on BMC device | Modify on BMC device |
| VMM server to Windows PE agent | 8101:WCF; 8103:WCF | 8101 is used for control channel, 8103 is used for time sync | Modify in VMM setup |
| VMM server to WDS PXE provider | 8102: WCF | Inbound rule on PXE server | |
| VMM server to Hyper-V host in untrusted/perimeter domain | 443:HTTPS (BITS) | BITS data channel for file transfers
Inbound rule on VMM server |
|
| Library server to Hyper-V host in untrusted/perimeter domain | 443:HTTPS | BITS data channel for file transfers
Inbound rule on VMM library |
|
| VMM server to Windows file server | 80: WinRM; 135: RPC; 139: NetBIOS; 445: SMB (over TCP) | Used by the VMM agent
Inbound rule on file server |
|
| VMM server to Windows file server | 443:HTTPS | BITS used for file transfer
Inbound rule on file server |
|
| VMM server to Windows file server | 5985/5986:WinRM | Control channel
Inbound rule on file server |
For more information read the Microsoft docs here: https://docs.microsoft.com/en-us/system-center/vmm/plan-ports-protocols?view=sc-vmm-2019
“Watch” command in Windows
These days I needed to be able to check on the execution of a repetitive task. If I would use linux I could use the watch command but I am a Windows guy.
So I came up with an alternative – I created a bat file with the below content:
@ECHO OFF
:loop
cls
%*
timeout /t 5
goto loopTo change the duration of the loop change the timeout /t 5 value (now it is 5 seconds).
Usage is similar to linux: watch dir *.jpg
Finding the WSUS server from which updates are downloaded
Open an administrative command prompt and type:
Reg query „HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate” /s |findstr „WUServer”
The result is something like below:
WUServer REG_SZ http://wsusservername.domain.com
UseWUServer REG_DWORD 0x1
Done!
Cool study about cybersecurity trends
Stumbled across a very interesting study “Considerations on Challenges and Future Directions in Cybersecurity” by the National CyberInt and CERT-RO organizations.
It can be accessed here: https://cert.ro/doc/CybersecurityRO2019.pdf
Take time to read it as it is quite detailed and very long.