Azure Site to Site VPN without dedicated VPN hardware device

Today I will be writing about creating a Site to Site (S2S) Virtual Private Network from your Azure virtual network to your on-premises network without the need to use a dedicated VPN hardware device.

Requirements:

  • active Azure subscription
  • Azure Resource Group
  • Azure virtual network
  • on-premises VM to install Windows Server 2019
  • proper firewall settings.
  • some networking knowledge

We will start by logging on to https://portal.azure.com.

You can use an existing resource group if you already have networks and VMs in it or create a new resource group.

I will create a new one :

image

After creating the resource group I will go and create a Virtual Network. Go to + Create a resource and search for Virtual Network like below:

image

Then press Create:

image

Give the virtual network a meaningful name, choose the resource group and region in which to deploy, then click Next: IP Addresses

image

Create an IP address space that will be different from your on-premises space:

Create a subnet by pressing Add subnet to which you want your resources (VMs) to connect and to which on premise traffic will be routed.

Define the subnet name and address space:

image

Then press Add:

image

Click on Next: Security:

image

Leave settings as default, and click Review+Create. Make sure Validation passed, then click on Create

image

Wait for the deployment to finish:

image

Click Go to resource:

image

Click Subnets

image

Then click on the + Gateway subnet. You can use the defaults or customize the gateway network (this will be used by the VPN gateway) based on your needs:

image

Click OK and wait for the subnet to be added:

image

The next step is to create the Virtual Network Gateway which is our VPN gateway actually. We will deploy a new one from the Marketplace.

Click on + Create a resource and type in the search box virtual network, then select Virtual Network Gateway:

image 

Then press Create:

image

Select the subscription, the resource group, give it a meaningful name, select the region (make sure it is the same as the virtual network), the Gateway type is VPN and the VPN type is Route Based. Select the SKU based on your bandwidth needs, the Generation and virtual network (the one we just created). Create a new Public IP address as this will be our connection point for the VPN. If you want to create an active-active VPN with BGP you can configured that also ( I will write another article on that). Then click Review + create:

image

Make sure Validation passed, then click on Create

image

Be patient (this will take around 20-30 minutes) and Wait for the deployment to finish:

image

Then click Go to resource

image

Check that is was created and that it has a public IP assigned:

image

The next step is to create a Local Network Gateway. To do this go to + Create a resource and search for local network gateway (this will be the definition for the on premise gateway) and click on it:

image

Click Create

image

Give the Local Network Gateway a meaningful name, your public IP address for your on-premise device or RRAS server, select the on premise address range that you want to route to Azure:

image

Click Create and wait for the deployment to finish:

image

Then click Go to resource

image

The next step is to create the VPN connection. For this we need to go to Connections and click + Add

image

Give it a meaningful name, select the Virtual Network Gateway we created earlier and the Local Network Gateway, add a passphrase for the share key and leave the protocol as IKEv2, then click OK

image

Wait for the connection to get created

image

This finished the Azure part of the configuration.

Now we will need to configure our on premises RRAS server. For this I have created a VM, installed Windows Server 2019 on it and now we will install the needed roles on it, then configure the connection. For the routing to work correctly we will need to give the VM 2 network adapters – 1 connected to the external or DMZ network and the 2nd connected to our internal network.

Below are the configured NICs:

image

Now let’s install the RRAS role. Go to Server manager – Manage – Add Roles and Features. Select Role-Based or feature-based installation.

image

Select the server

image

Select the Remote Access role

image

On features click next, then on the Remote Access click next. On Role Services select DirectAccess and VPN (RAS), then click on Add Features

image

Click Next

image

On the Web Server Role (IIS) click next, same on role services

image

Click Install

image

Wait for the installation to finish.

image

After the installation has finished click Close, then open the Routing and Remote Access console

image

Right Click the server name and then click on Configure and Enable Routing and Remote Access

image

Click Next

image

Select Secure connection between two private networks

image

Select Yes

image

If you have a DHCP server in your environment select Automatically. Else select From a specified range of addresses and define the range. I will select Automatically, then click Next

image

Click Finish and wait for the configuration to finish.

image

On the new wizard for the Demand Dial click next

image

Give the connection a meaningful name and click Next

image

Select Connect using virtual private networking (VPN)

image

For the protocol select IKEv2 (same as we select on the Azure side), click Next

image

Go to the VPN gateway on azure and get the Public IP of the VPN gateway.

image

Enter the Public IP of the gateway

image

Make sure Route IP Packets on this interface is selected and click Next

image

On the Static Router click Add

image

Add the address space you defined on the Azure Virtual Network and on the Subnet you defined for your VMs, add a low metric, then click OK

image

It should look like this, click Next

image

On the credentials page put just Azure, click Next

image

Click Finish

image

After the configuration has been finished expand it then go to Network Interfaces

image

Right click Azure S2S, select Properties

image

Go to Security, select Use preshared key for authentication and add the key that was configured on the Azure VPN gateway, then click OK

image

Right click the connection and select connect

image

And he now have a VPN connection to our Azure VNET

image

Now we need to add the route to our VNET in the configuration. Go to IPv4, right click Static Routes and select New static route

image

Add the address space of your Azure subnet, selecting a low metric, click OK


image

I have quickly deployed a test VM on my subnet and tried to ping it from my RAS gateway machine:

image

Plus I can now RDP on the internal interface so no need for public RDP:


image

This is how you deploy a site to site VPN from on premise to Azure for without the need for expensive hardware.

Thank you for reading it all up.

In a future article I will show you how to be able to use a VPN with a dynamic IP address with minimal downtime.


System Center Virtual Machine Manager ports and protocols.

Port and protocol exceptions

Connect Port/protocol Details Configure
VMM server to VMM agent on Windows Server-based hosts/remote library server 80: WinRM; 135: RPC; 139: NetBIOS; 445: SMB (over TCP) Used by the VMM agent

Inbound rule on hosts

Can’t modify
VMM server to VMM agent on Windows Server-based hosts/remote library server 443:HTTPS BITS data channel for file transfers

Inbound rule on hosts

Modify in VMM setup
VMM server to VMM agent on Windows Server-based hosts/remote library server 5985:WinRM Control channel

Inbound rule on hosts

Modify in VMM setup
VMM server to VMM agent on Windows Server-based hosts/remote library server 5986:WinRM Control channel (SSL)

Inbound rule on hosts

Can’t modify
VMM server to VMM guest agent (VM data channel) 443:HTTPS BITS data channel for file transfers

Inbound rule on machines running the agent

The VMM guest agent is a special version of the VMM agent. It’s is installed on VMs that are part of a service template, and on Linux VMs (with or without a service template).

Can’t modify
VMM server to VMM guest agent (VM control channel) 5985:WinRM Control channel

Inbound rule on machines running the agent

Can’t modify
VMM host to host 443:HTTPS BITS data channel for file transfers

Inbound rule on hosts and VMM server

Modify in VMM setup
VMM server to VWware ESXi servers/Web Services 22:SFTP

Inbound rule on hosts

Can’t modify
VMM server to load balancer 80:HTTP; 443:HTTPS Channel used for load balancer management Modify in load balancer provider
VMM server to remote SQL Server database 1433:TDS SQL Server listener

Inbound rule on SQL Server

Modify in VMM setup
VMM server to WSUS update servers 80/8530:HTTP; 443/8531:HTTPS Data and control channels

Inbound rule on WSUS server

Can’t modify from VMM
VMM library server to Hyper-V hosts 443:HTTPS BITS data channel for file transfers

Inbound rule on hosts – 443

Modify in VMM setup
VMM console to VMM WCF:8100 (HTTP); WCF:8101 (HTTPS); Net.TCP: 8102 Inbound rule on VMM console machine Modify in VMM setup
VMM server to storage management service WMI Local call
Storage management service to SMI-S provider CIM-XML Provider-specific
VMM server to Baseboard Management Controller (BMC) 443: HTTP (SMASH over WS-Management) Inbound rule on BMC device Modify on BMC device
VMM server to Baseboard Management Controller (BMC) 623: IPMI Inbound rule on BMC device Modify on BMC device
VMM server to Windows PE agent 8101:WCF; 8103:WCF 8101 is used for control channel, 8103 is used for time sync Modify in VMM setup
VMM server to WDS PXE provider 8102: WCF Inbound rule on PXE server
VMM server to Hyper-V host in untrusted/perimeter domain 443:HTTPS (BITS) BITS data channel for file transfers

Inbound rule on VMM server

Library server to Hyper-V host in untrusted/perimeter domain 443:HTTPS BITS data channel for file transfers

Inbound rule on VMM library

VMM server to Windows file server 80: WinRM; 135: RPC; 139: NetBIOS; 445: SMB (over TCP) Used by the VMM agent

Inbound rule on file server

VMM server to Windows file server 443:HTTPS BITS used for file transfer

Inbound rule on file server

VMM server to Windows file server 5985/5986:WinRM Control channel

Inbound rule on file server

For more information read the Microsoft docs here: https://docs.microsoft.com/en-us/system-center/vmm/plan-ports-protocols?view=sc-vmm-2019

“Watch” command in Windows

These days I needed to be able to check on the execution of a repetitive task. If I would use linux I could use the watch command but I am a Windows guy.

So I came up with an alternative – I created a bat file with the below content:

@ECHO OFF
:loop
  cls
  %*
  timeout /t 5
goto loop

To change the duration of the loop change the timeout /t 5 value (now it is 5 seconds).

Usage is similar to linux: watch dir *.jpg

Finding the WSUS server from which updates are downloaded

Open an administrative command prompt and type:

 Reg query „HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate” /s |findstr „WUServer”

The result is something like below:

WUServer REG_SZ http://wsusservername.domain.com
UseWUServer REG_DWORD 0x1

Done!

Cool study about cybersecurity trends

Stumbled across a very interesting study “Considerations on Challenges and Future Directions in Cybersecurity” by the National CyberInt and CERT-RO organizations.

It can be accessed here: https://cert.ro/doc/CybersecurityRO2019.pdf

Take time to read it as it is quite detailed and very long.