Azure Site-To-Site VPN – From Home Lab To The Cloud – Part 2: Create/Connect the Gateway

In the previous post, we configured a Virtual Network in Azure. Now we need to configure its connectivity to our on-prem network.

We will start by creating a Gateway. Once logged into our Azure subscription, navigate to the Networks space, which should show the Azure Virtual Network we created in the previous post.

Azure Site-to-Site VPN – Virtual Network Created

Click on the Virtual Network, and click on the Dashboard link. You should see that the Virtual Network is ready, but it is waiting for a Gateway.

Azure Site-to-Site VPN – Virtual Network Pre-Gateway Creation

At the bottom of the page, click on the Create Gateway button, and choose the applicable option (either Static or Dynamic). In my lab example, I am using Dynamic Gateway.

Azure Site-to-Site VPN – Create Gateway

You will be prompted to confirm that you want to create a Gateway for this Virtual Network.

Azure Site-to-Site VPN – Create Gateway Confirmation

Even though Microsoft says that it may take up to 15 minutes for the gateway to be created, in my experience, it actually takes longer than that.

After the gateway is created, we need 3 pieces of information to connect the Azure Virtual Network to the on-prem lab network.

First, we need the newly created Gateway IP Address. This is accessible via the Dashboard view of the Virtual Network.

Azure Site-to-Site VPN – Gateway Created

Second, we need the Shared Key for the network (if you are configuring a physical network/VPN device). On the same Dashboard screen, at the bottom of the page, click on the Manage Key button.

Azure Site-to-Site VPN – Manage Shared Key

Copy the Managed Shared Key. Refer to the following to Configure The VPN Device.

Azure Site-to-Site VPN – Shared Key

Third, we need to configure the on-prem VPN device. Depending on what type of VPN device you have, the configuration script provided will be different. In my lab example, as was mentioned in the previous post, I’m using a Virtual Machine that is running the Routing and Remote Access Service (RRAS).

So, click on the Download Device VPN Script link.

Azure Site-to-Site VPN – Download VPN Device Script

In the dialog, choose the applicable selections. In my lab example, I’m using RRAS running on Windows Server 2012 R2.

Azure Site-to-Site VPN – Configuration Script Selection

If you look at the .CFG file for this lab example, you will notice that it contains the Azure Gateway IP address, the Azure Virtual Network IP subnet, and the Shared Secret (which is the Managed Shared Key).

Azure Site-to-Site VPN – Configuration Script Contents

In my lab example, I copied the .CFG file to my RRAS virtual machine. Then I changed the file extension from .CFG to .PS1 (aka PowerShell). This way I can run the script on the RRAS server, which will configure the connection from on-prem to Azure.

After the script runs, you will have to reboot the RRAS server. Back in Azure, you will also have to click the “Connect” button to enable the Azure connection to the on-prem VPN.

Azure Site-to-Site VPN – Connected Gateway
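
One way to check the downloaded file against the Dashboard values before running it, and to confirm the RRAS interface afterwards. This is an added example, not part of the original post or of Microsoft's script; the function names and sample values are hypothetical, and Get-VpnS2SInterface assumes the RemoteAccess PowerShell module on the RRAS server.

```powershell
# Added example. Function names and sample values are hypothetical.
function Test-VpnScriptValues {
    param(
        [Parameter(Mandatory)] [string] $Path,         # downloaded .CFG/.PS1 file
        [Parameter(Mandatory)] [string] $GatewayIp,    # Gateway IP Address from the Dashboard
        [Parameter(Mandatory)] [string] $AzureSubnet   # Azure Virtual Network subnet (CIDR)
    )
    $text = Get-Content -LiteralPath $Path -Raw
    # Report only addresses and prefixes, so the Shared Secret in the file
    # never reaches the console or a transcript.
    $cidrs = @([regex]::Matches($text, '\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b') |
        ForEach-Object { $_.Value } | Sort-Object -Unique)
    $ips = @([regex]::Matches($text, '\b(?:\d{1,3}\.){3}\d{1,3}\b(?!/\d)') |
        ForEach-Object { $_.Value } | Sort-Object -Unique)
    [pscustomobject]@{
        AddressesFound = $ips
        SubnetsFound   = $cidrs
        GatewayMatches = $ips -contains $GatewayIp
        SubnetMatches  = $cidrs -contains $AzureSubnet
    }
}

# Run on the RRAS server after the script and the reboot: shows the
# site-to-site interface that points at the Azure gateway and its state.
function Get-AzureS2SState {
    param([Parameter(Mandatory)] [string] $GatewayIp)
    Get-VpnS2SInterface |
        Where-Object { $_.Destination -contains $GatewayIp } |
        Select-Object Name, Destination, ConnectionState, IPv4Subnet
}

# Constructed stand-in file; it does not reproduce the real download's layout.
$sample = Join-Path $env:TEMP 'vpn-sample.cfg'
@'
gateway 203.0.113.10
subnet 10.0.0.0/16
secret EXAMPLE-NOT-A-REAL-KEY
'@ | Set-Content -LiteralPath $sample
Test-VpnScriptValues -Path $sample -GatewayIp '203.0.113.10' -AzureSubnet '10.0.0.0/16'

# The file holds the Shared Secret, so remove copies once RRAS is configured.
Remove-Item -LiteralPath $sample
```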

Test Site-to-Site VPN Connectivity

Now that we have the site-to-site VPN configured and communicating, we can create a Virtual Machine in order to test/confirm connectivity.

Note: When you create the VM, remember to set the Virtual Network to the Azure Virtual Network that you created for this VPN.

Azure Site-to-Site VPN – Virtual Machine Configuration

Once the Virtual Machine is created, log in and attempt to PING an IP address from your on-prem environment. In my lab example, my internal lab network is using the 192.168.1.0/24 subnet.

Notice that I am testing connectivity via PINGing against an IP address and not against a server name. This is because we don’t yet have a DNS server configured for the Azure virtual network, nor do we have an Active Directory Domain Controller installed in Azure yet (this will be detailed in a different post).

Azure Site-to-Site VPN – PING Results

If you look at the Azure Virtual Network, you will now see the Virtual Machine listed.

Azure Site-to-Site VPN – Virtual Network Resources

So that covers my experience in setting up and configuring Azure Site-to-Site VPN into my home lab. Now that we have this connectivity available, we can explore other Azure services. Stay tuned for more Azure articles.

If anyone has any requests, please feel free to contact me (via the About Me page).
