How to create a Site-to-Site VPN between your network and Azure

Extend your lab network to the cloud and start learning the ways you can leverage the cloud to benefit your enterprise.

•    Download Windows Server 2012 or Windows Server 2012 R2 Preview
•    Use the info in this post to setup your own lab.
•    Consume the following MVA modules (they’re full of great info you can access at your convenience):
–    Introduction To Windows Azure Training
–    Introduction to Private, Hybrid and Public Cloud
–    Introduction to the Microsoft Private Cloud
–    Windows Azure Security Overview
Once your lab network is set up, follow the next steps to establish a site-to-site VPN between your environment and Azure, essentially making the cloud part of your environment.

1- Log on to the Azure Portal and create a new virtual network. Click the NETWORKS link in the left navigation pane and then click the +NEW button on the bottom toolbar.
Select VIRTUAL NETWORK and CUSTOM CREATE.

2- In the wizard that pops up, give your network a meaningful name, select the region you want to deploy your network in, and create and name an affinity group.
Affinity Groups are a way to tell the Fabric Controller that two elements, Compute and Storage, should always be kept together and close to one another. When the Fabric Controller searches for the best-suited container to deploy those services, it looks for one where it can deploy both in the same Cluster, placing them as close as possible, which reduces latency and increases performance.

In summary, Affinity Groups provide us:
•    Aggregation, since it aggregates our Compute and Storage services and gives the Fabric Controller the information it needs to keep them in the same Data Center, and even in the same Cluster.
•    Reduced latency, because telling the Fabric Controller that they should be kept together gives us much better latency when accessing Storage from the Compute nodes, which makes a difference in a highly available environment.
•    Lower costs, because by using them we avoid ending up with one service in one Data Center and the other in another, whether because we chose wrongly or because we picked one of the “Anywhere” options for both.

Once you have that filled out, just click the arrow in the lower right corner.

3- In the next screen you’ll need to list the DNS servers you want the machines in your new virtual network to use for name resolution. In our case DC1 is the DC in our on-premises lab.
Before clicking the lower right arrow, ensure you select the Configure site-to-site VPN check box.

4- The next step is for you to identify your on-premises network by giving it a name, defining the address space you are using, and supplying the external IP address of the edge device you are using.  In my case I’m using a Cisco ASA 5505 security appliance.
This information will be used by Azure to configure the routing in your virtual network and across the gateway we will set up in the next few steps.

5- In the Virtual Network Address Space screen you get to design how you want your virtual network to be configured.
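Before committing the address spaces from steps 4 and 5 in the portal, it is worth checking that the plan is actually routable: the on-premises range and the virtual network range must not overlap, the virtual network subnets must fall inside the virtual network address space, and both sides should be RFC 1918 private ranges, which is what the portal expected for a virtual network. The following pre-flight check is an added example, not part of the original post or of any Azure tooling; the ranges in it are constructed to resemble the lab described above (DC1 on the on-premises side) and are only illustrations.

```python
"""Pre-flight check for the address spaces entered in steps 4 and 5.

Added example (not from the original post). Validates a planned
site-to-site layout: on-premises address space, virtual network address
space and the subnets carved out of it. All sample ranges are constructed.
"""
import ipaddress

# RFC 1918 private blocks; a virtual network address space should sit inside one.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(net):
    """True when the network lies entirely inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def parse_networks(label, spaces, problems):
    """Parse CIDR strings strictly; host bits set (10.0.0.1/24) is a typo, not a network."""
    nets = []
    for text in spaces:
        try:
            nets.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            problems.append(f"{label} {text!r} is not a valid network: {exc}")
    return nets


def check_address_spaces(on_prem, vnet_spaces, subnets):
    """Return a list of problems; an empty list means the plan is routable."""
    problems = []
    local = parse_networks("on-premises", on_prem, problems)
    remote = parse_networks("virtual network", vnet_spaces, problems)
    subs = parse_networks("subnet", subnets, problems)

    # Both sides of the tunnel should be private address space.
    for net in local + remote:
        if not is_private(net):
            problems.append(f"{net} is not an RFC 1918 private range")

    # Overlap between the two sides makes the gateway unable to route traffic.
    for a in local:
        for b in remote:
            if a.overlaps(b):
                problems.append(f"on-premises {a} overlaps virtual network {b}")

    # Every subnet must be carved out of the virtual network address space.
    for s in subs:
        if not any(s.subnet_of(r) for r in remote):
            problems.append(f"subnet {s} is outside the virtual network address space")

    # Subnets inside the virtual network must not overlap each other.
    for i, s in enumerate(subs):
        for t in subs[i + 1:]:
            if s.overlaps(t):
                problems.append(f"subnets {s} and {t} overlap")

    return problems


if __name__ == "__main__":
    # Constructed lab plan: DC1 lives in 192.168.1.0/24 on-premises,
    # the virtual network gets 10.20.0.0/16 with two subnets and a gateway subnet.
    plan = check_address_spaces(
        ["192.168.1.0/24"],
        ["10.20.0.0/16"],
        ["10.20.1.0/24", "10.20.2.0/24", "10.20.255.0/29"],
    )
    print("OK" if not plan else "\n".join(plan))

    # A plan that reuses the on-premises range for the virtual network fails.
    for problem in check_address_spaces(["192.168.1.0/24"], ["192.168.0.0/16"], ["10.20.1.0/24"]):
        print("problem:", problem)
```

Run it before step 4 and again after step 5: once the gateway exists, fixing an overlapping range means recreating the virtual network, so catching it on paper is much cheaper.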

6- Now that we have defined both our virtual network architecture and our on-premises network, we can create the gateway that will join them together.  In the Azure Portal, select NETWORKS in the left menu, then click the virtual network you just finished creating.

7- Once the virtual network info loads in the portal, click on CREATE GATEWAY. In my case since I’m using a Cisco ASA 5505 security appliance as my edge device I have to use Static Routing.  Once the process starts, it will take a bit of time.

8- Once you come back, the gateway will be complete and your Internet VPN endpoint address will be listed in the portal.

9- After the gateway has been created, you can gather the necessary information to send to your network administrator to configure the VPN device.
•    On the virtual network dashboard, copy the GATEWAY IP ADDRESS.
•    Get the Shared Key. Click MANAGE KEY at the bottom of the screen, and then copy the SHARED KEY displayed in the dialog box.
•    Download the VPN configuration file. On the dashboard, click DOWNLOAD.  On the Download VPN Device Config Script dialog box, select the vendor, platform, and operating system for your company’s VPN device. Click the checkmark button and save the file.  In order to create a site-to-site connection, you’ll need to either obtain and configure a VPN device, or use Routing and Remote Access Service (RRAS) on Windows Server 2012. Be aware that VPN device requirements vary depending on the type of connection that you want to create.  You can find more info on compatible devices and/or services here.

If you don’t see your VPN device in the drop-down list, see About VPN Devices for Virtual Network in the MSDN library for additional script templates.

10- After you have all that, you can begin to configure your VPN device.  Copy the content of the configuration file you downloaded in the last step to the clipboard.  Open the Cisco ASDM application to manage the edge device and, in the Tools menu, select Command Line Interface.
11- In the Command Line Interface window, select Multiple Line.
12- Paste the content of the configuration file in the commands window and click the Send button to send the script to the appliance.
13- Once done, the two networks will connect and set up the VPN tunnel. If the connection does not occur right away, click the CONNECT button at the bottom of the portal to initiate the connection.  Once it’s connected, the portal will show the connected state.

Disclaimer: Many of the articles are taken from MSDN, Azure tutorials and other sources on the Internet to provide a single place for various information about Azure development. No copyright on this information is claimed, and the copyright of all information is accrued to the original authors, including MSDN and Microsoft Azure training materials. Some of this information may be outdated or incorrect, and the authenticity of the information contained should be verified against changes in Azure or your own environment. We do not recommend using any of this information without proper consultation.