A follow-up post is available with a complete reference implementation: "Reference implementation: Creating a hybrid cloud with Windows Azure Virtual Networks software based Site-to-Site VPN".
Two days ago, only one week after Virtual Machines and Virtual Networks reached general availability, Scott Guthrie already announced a few new improvements to Virtual Machines and Virtual Networks. One of the big changes for Virtual Networks is the support for software based Site-to-Site VPN based on the Routing and Remote Access role available in Windows Server 2012.
Let’s take a look at how easy it is to set up a Site-to-Site VPN with RRAS, based on a customer case. Contoso is a company with a datacenter in Belgium (Brussels). For a marketing campaign they created a new application, and because they needed a quick time-to-market they decided to deploy it on a few Windows Azure Virtual Machines in the Western Europe datacenter. These machines connect to some of their systems like the intranet, their Oracle database, … For security reasons they didn’t want to expose these systems to the internet, which is why they decided to set up a Site-to-Site VPN between their on-premises network (the datacenter in Brussels) and the Virtual Machines running in Windows Azure.
Works on my machine!
Before we start we’ll need to check that our network meets the requirements:
- Windows Server 2012
- The server is not behind a NAT (http://msdn.microsoft.com/en-us/library/windowsazure/dn133795.aspx)
- We opened the required ports for IKEv2 on the server: (http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx)
  - IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv2 (IPSec control path)
  - IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)
  - IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path
  - IP Protocol Type=50 <- Used by data path (ESP)
    - This is not a port, it’s a protocol.
    - This one can be a show stopper if you’re using a residential line or a dedicated server somewhere.
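Added here as an example (not code from the original post): a PowerShell snippet for the Windows Server 2012 box that will terminate the tunnel. It checks the OS version, applies a heuristic NAT check (only RFC 1918 addresses on the box), and creates the inbound Windows Firewall rules for IKEv2, L2TP and ESP listed above. The rule names and the $RemoteAddress variable are my own choices; the edge firewall in front of the server still needs the same openings.

```powershell
# Added example: verify the RRAS Site-to-Site prerequisites on the server itself.
# Assumes the NetTCPIP and NetSecurity modules that ship with Windows Server 2012.
Import-Module NetSecurity

# Narrow this to the Azure gateway IP once the gateway has been created.
$RemoteAddress = 'Any'

# 1. OS check: the RRAS-based Site-to-Site VPN needs Windows Server 2012 (NT 6.2).
$os = Get-WmiObject Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.2') {
    Write-Warning "Windows Server 2012 or later is required; found $($os.Caption)"
}

# 2. NAT check (heuristic): if every IPv4 address on this box is private,
#    the public IP the portal will dial belongs to a NAT device, not to this server.
$all     = @(Get-NetIPAddress -AddressFamily IPv4)
$private = @($all | Where-Object {
    $_.IPAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'
})
if ($private.Count -eq $all.Count) {
    Write-Warning 'Only private IPv4 addresses found; the server appears to be behind a NAT'
}

# 3. Inbound firewall rules: IKEv2 control path (UDP 500/4500), L2TP (UDP 1701)
#    and the ESP data path, which is IP protocol 50 and has no port.
$rules = @(
    @{ Name = 'Azure S2S IKEv2 UDP 500';     Protocol = 'UDP'; Port = 500  },
    @{ Name = 'Azure S2S IKEv2 UDP 4500';    Protocol = 'UDP'; Port = 4500 },
    @{ Name = 'Azure S2S L2TP UDP 1701';     Protocol = 'UDP'; Port = 1701 },
    @{ Name = 'Azure S2S ESP (IP proto 50)'; Protocol = '50';  Port = $null }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        $params = @{
            DisplayName   = $r.Name
            Direction     = 'Inbound'
            Action        = 'Allow'
            Protocol      = $r.Protocol
            RemoteAddress = $RemoteAddress
        }
        if ($r.Port) { $params.LocalPort = $r.Port }   # not valid for protocol 50
        New-NetFirewallRule @params | Out-Null
        Write-Output "Created firewall rule: $($r.Name)"
    }
}
```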
Defining the local network
The first thing we need to do is define the local network (this is our on-premises network). This can be done in the portal under the Networks option by clicking the New button:
After that, simply define the name, the address space and the public IP address of your server:
Creating the Virtual Network
Now go ahead and create a new Virtual Network. On the second page you’ll need to enable the Configure Site-To-Site VPN option. This is where you get to choose the local network:
On the next page you’ll simply need to define a gateway subnet and you’ll be able to complete the wizard. After a few seconds the Virtual Network will have been created.
Setting up the gateway
After the Virtual Network has been created you’ll need to set up the gateway. At the moment static routing is not supported for RRAS, so you’ll need to create a gateway with dynamic routing (http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx):
Now you’ll need to wait a few minutes. Once the gateway is ready you can download the VPN Device Script.
VPN Device Script
When you click the Download VPN Device Script link you’ll see the following dialog:
This is where you get to choose RRAS. After downloading the script you might need to fix a small issue. When I downloaded the script (I tried several times) something looked wrong with the file. Take a look at it:
It looks like the double quotes have been replaced with a little square, probably an encoding issue. Just replace them with double quotes in any text editor (I’m using Notepad++) and you’re ready to continue. Now you’ll need to modify a few variables:
- Line 75: Replace <SP_AzureGatewayIpAddress> with the IP address of your gateway (the big IP address you’ll find on the portal)
- Line 75: Replace <SP_AzureNetworkCIDR> with the network CIDR you defined when creating the new Virtual Network (in my case this was 10.1.2.0/24)
- Line 75: Replace <SP_AzureNetworkMetric> with your network metric (I used 10)
- Line 78: Replace <SP_AzureGatewayIpAddress> with the IP address of your gateway (the big IP address you’ll find on the portal)
- Line 79: Replace <SP_AzureGatewayIpAddress> with the IP address of your gateway (the big IP address you’ll find on the portal)
- Line 85: Replace <SP_AzureGatewayIpAddress> with the IP address of your gateway (the big IP address you’ll find on the portal)
Finally, save the file as a *.ps1 file and execute it on your server. This will install RRAS (if it isn’t already present) and configure the Site-to-Site VPN:
The error you see here isn’t a real issue. It looks like the server hadn’t finished configuring RRAS when the script ran. Wait a few seconds and open RRAS to see the result (the interface should have connected by now):
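As an added example (not the post’s own code or the portal’s script), the same preparation done with PowerShell instead of a text editor: restore the quotes, fill in the three <SP_…> placeholders, validate the values before they reach a script that reconfigures RRAS, and write the result out as a .ps1. The file paths and gateway IP are placeholders; 10.1.2.0/24 and metric 10 are the values used in the post. Which character replaced the quotes is an assumption: the script treats every non-ASCII character as a broken quote and prints what it found so you can check.

```powershell
# Added example: prepare the downloaded VPN Device Script for RRAS non-interactively.
param(
    [string]$ScriptPath         = 'C:\temp\VpnDeviceScript.txt',   # downloaded file (placeholder path)
    [string]$OutPath            = 'C:\temp\AzureS2S.ps1',          # script to run on the RRAS server
    [string]$AzureGatewayIp     = '<your gateway IP from the portal>',
    [string]$AzureNetworkCidr   = '10.1.2.0/24',                   # Virtual Network address space
    [int]   $AzureNetworkMetric = 10
)

# Validate the values: a typo here ends up in the RRAS routing configuration.
$octet = '(25[0-5]|2[0-4]\d|1?\d?\d)'
$ipv4  = '^' + $octet + '(\.' + $octet + '){3}$'
$cidr  = '^' + $octet + '(\.' + $octet + '){3}/([0-9]|[12]\d|3[0-2])$'
if ($AzureGatewayIp -notmatch $ipv4)  { throw "Not an IPv4 address: $AzureGatewayIp" }
if ($AzureNetworkCidr -notmatch $cidr) { throw "Not an IPv4 CIDR: $AzureNetworkCidr" }

$text = Get-Content -Path $ScriptPath -Raw

# The downloaded file showed a box where each double quote should be. Assumption:
# those are the only non-ASCII characters, so each one is restored to a quote.
$nonAscii = '[^\x09\x0A\x0D\x20-\x7E]'
$found = @([regex]::Matches($text, $nonAscii) | ForEach-Object { $_.Value } | Sort-Object -Unique)
$codes = ($found | ForEach-Object { 'U+{0:X4}' -f [int][char]$_ }) -join ', '
Write-Output "Non-ASCII characters found and replaced with double quotes: $codes"
$text = [regex]::Replace($text, $nonAscii, '"')

# Substitute the placeholders the post edits by hand on lines 75, 78, 79 and 85.
$text = $text.Replace('<SP_AzureGatewayIpAddress>', $AzureGatewayIp)
$text = $text.Replace('<SP_AzureNetworkCIDR>',      $AzureNetworkCidr)
$text = $text.Replace('<SP_AzureNetworkMetric>',    [string]$AzureNetworkMetric)
if ($text -match '<SP_\w+>') { throw "Unreplaced placeholder left in script: $($Matches[0])" }

Set-Content -Path $OutPath -Value $text -Encoding ASCII
Write-Output "Wrote $OutPath; review it, then run it in an elevated PowerShell on the RRAS server."

# After running the generated script, check the interface RRAS created:
#   Get-VpnS2SInterface | Select-Object Name, Destination, ConnectionState
```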
Connecting both Sites
You’re done! Go back to the portal, open the Virtual Network and press the Connect button. After a few seconds the Site-to-Site VPN between your on-premises network and your Virtual Network will be running:
And the link is working! Now you can go ahead and configure whatever needs to be configured in RRAS (routing to specific parts of your network for example).
Enjoy!