
Connect an on-premises network to a Microsoft Azure virtual network


Applies to: Windows Server 2012, Microsoft cloud services, Microsoft Azure

Topic Last Modified: 2014-06-08

Summary: Learn how to connect your on-premises network to a Microsoft Azure Virtual Network.

Your virtual machines in Microsoft Azure might need access to resources on your on-premises network. You can make on-premises resources available to Azure virtual machines by using an Azure Virtual Network. This article shows you how to set up the connection between your on-premises network and your Azure Virtual Network.


Your virtual machines in Azure don’t have to be isolated from your on-premises environment. For example, you can configure your virtual machines in Azure to access the Internet through your on-premises proxy server. To connect Azure virtual machines to your on-premises network resources, you must configure an Azure Virtual Network.

The following diagram shows you the required components to deploy an Azure Virtual Network with a virtual machine in Azure.

[Diagram: Connectivity Overview]

In the diagram, there are two networks connected by a virtual private network (VPN) connection: the on-premises network and the Azure Virtual Network. The on-premises network has a VPN gateway device that terminates the VPN tunnel from the Azure Virtual Network. The Azure Virtual Network has virtual machines that require access to resources on the on-premises network, and the Azure VPN Gateway. The Azure VPN Gateway is used to set up a site-to-site VPN connection from the Azure Virtual Network to the on-premises network. Network traffic originating from virtual machines on the Azure Virtual Network is forwarded to a VPN gateway in Azure, which then forwards the traffic across the site-to-site VPN connection to the VPN gateway device on the on-premises network. The routing infrastructure of the on-premises network then forwards the traffic to its destination, for example, a domain controller or a proxy server.

To set up the VPN connection between your Azure Virtual Network and your on-premises network, do the following steps:

  1. On-premises   Define and create an on-premises network that requires a route to the Azure virtual network and a VPN gateway device.

  2. Microsoft Azure   Create an Azure virtual network with a site-to-site VPN connection via the Azure Management Portal.

  3. On-premises   Configure your on-premises hardware or software VPN gateway to terminate the VPN tunnel, which is protected with Internet Protocol security (IPsec).

After you establish the VPN connection, your Azure virtual machines can communicate with your on-premises network resources.

Note:
After you start the VPN gateway in Azure, the Azure Management Portal creates configuration scripts that you can use to help set up the VPN connection. Scripts can be created for Windows Server 2012 Routing and Remote Access (RRAS), Cisco, and Juniper Networks VPN gateway devices.

Before you begin, make sure you have the following:

  • An Azure subscription. For information about Azure subscriptions, go to the Microsoft Azure subscription page.

  • An available private IPv4 address space to assign to the virtual network and the subnet hosted in the Azure virtual network, with sufficient room for growth to accommodate the number of virtual machines needed now and in the future.

  • An available VPN device in your on-premises network to host the site-to-site VPN connection that supports the requirements for IPsec. For more information, see About VPN Devices for Virtual Network. There are automated deployment scripts for Cisco and Juniper VPN devices and for Routing and Remote Access service (RRAS) in Windows Server 2012.

  • Changes to your routing infrastructure so that traffic routed to the address space of the Azure virtual network is forwarded to the VPN device that hosts the site-to-site VPN connection.

  • A web proxy that gives computers that are connected to the on-premises network and the Azure virtual network access to the Internet.

The following list represents the design choices you should make when you design and deploy this solution architecture. For additional solution design choices, see Variations to solution design later in this article.

  • This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that contains any number of virtual machines.

  • This solution uses RRAS in Windows Server 2012 to establish an IPsec site-to-site VPN connection between the on-premises network and the Azure virtual network. You can also use other options, such as Cisco and Juniper Networks VPN devices.

  • The on-premises network might still have network resources like Active Directory Domain Services (AD DS), Domain Name System (DNS), and a proxy server. Depending on your requirements, it might be beneficial to place some of these network resources in Azure.

Here are some additional design choices for you to consider when you deploy this solution in your environment:

  • For an existing Azure virtual network with one or more subnets, determine whether there is remaining address space for an additional subnet to host your servers, based on your requirements. If you don’t have remaining address space for an additional subnet, create an additional virtual network that has a site-to-site VPN connection.

You must configure your on-premises routing infrastructure to forward traffic destined for the address space of the Azure virtual network to the on-premises VPN device that is hosting the site-to-site VPN connection.

The exact method of updating your routing infrastructure depends on how you manage routing information, which can be:

  • Routing table updates based on manual configuration.

  • Routing table updates based on routing protocols, such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Consult with your routing specialist to make sure that after the site-to-site VPN connection is established, traffic destined for the Azure virtual network is forwarded to the on-premises VPN gateway device.

If your VPN device is on a perimeter network that has a firewall between the perimeter network and the Internet, you might have to add the following rules to the firewall to allow the site-to-site connection. IP protocol 50 is IPsec Encapsulating Security Payload (ESP), UDP port 500 is Internet Key Exchange (IKE), and UDP port 4500 is IKE and ESP with NAT traversal (NAT-T). Scope each rule to the public IPv4 address of the Azure VPN gateway as the remote address instead of allowing any Internet host; the Azure Management Portal reports that address when you create the virtual network.

  • Traffic to the VPN device:

    • Destination IP address of the VPN device and IP protocol 50

    • Destination IP address of the VPN device and UDP destination port 500

    • Destination IP address of the VPN device and UDP destination port 4500

  • Traffic from the VPN device:

    • Source IP address of the VPN device and IP protocol 50

    • Source IP address of the VPN device and UDP source port 500

    • Source IP address of the VPN device and UDP source port 4500
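The six rules above expressed for Windows Firewall with Advanced Security, as an added example that is not part of the original article. It covers the case where the VPN device is itself a Windows Server 2012 RRAS server and its own host firewall sits in the path; the gateway address 203.0.113.10 is a constructed placeholder for the public IPv4 address that the Azure Management Portal reports for your Azure VPN gateway.

```powershell
# Added example; not part of the original article. Creates the ESP / IKE / NAT-T
# rules for Windows Firewall on a Windows Server 2012 RRAS host, restricted to the
# Azure VPN gateway's public address. $AzureGatewayIp is a constructed placeholder.
$AzureGatewayIp = '203.0.113.10'

# Protocol 50 = IPsec ESP; UDP 500 = IKE; UDP 4500 = IKE and ESP with NAT traversal.
$rules = @(
    @{ Name = 'Azure S2S ESP in';    Direction = 'Inbound';  Protocol = '50';  Port = $null },
    @{ Name = 'Azure S2S ESP out';   Direction = 'Outbound'; Protocol = '50';  Port = $null },
    @{ Name = 'Azure S2S IKE in';    Direction = 'Inbound';  Protocol = 'UDP'; Port = 500  },
    @{ Name = 'Azure S2S IKE out';   Direction = 'Outbound'; Protocol = 'UDP'; Port = 500  },
    @{ Name = 'Azure S2S NAT-T in';  Direction = 'Inbound';  Protocol = 'UDP'; Port = 4500 },
    @{ Name = 'Azure S2S NAT-T out'; Direction = 'Outbound'; Protocol = 'UDP'; Port = 4500 }
)

foreach ($r in $rules) {
    $params = @{
        DisplayName   = $r.Name
        Direction     = $r.Direction
        Protocol      = $r.Protocol
        RemoteAddress = $AzureGatewayIp   # only the Azure gateway may speak IPsec to this host
        Action        = 'Allow'
    }
    # For inbound traffic the local port is the destination port; for outbound
    # traffic it is the source port, which matches the two rule lists above.
    if ($r.Port) { $params['LocalPort'] = $r.Port }
    New-NetFirewallRule @params | Out-Null
}

# Review what was created: one port filter per rule, with the expected protocol and port.
Get-NetFirewallRule -DisplayName 'Azure S2S*' | Get-NetFirewallPortFilter
```

Run the block in an elevated PowerShell session on the RRAS server. A perimeter firewall from another vendor needs the same six matches in its own syntax; the point that carries over is the remote-address restriction.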

The private IP address space of the Azure virtual network must be large enough for the addresses that Azure itself reserves plus at least one subnet with enough addresses for your Azure virtual machines. Azure reserves five addresses in every subnet (the network address, the next three for Azure services, and the broadcast address), which is why a /29 in the following table holds only 3 virtual machines. Leave room for the gateway subnet as well.

To determine the number of addresses needed for the subnet, count the number of virtual machines that you need now, estimate for future growth, and then use the following table to determine the size of the subnet.

 

Number of virtual machines needed   Number of host bits needed   Size of the subnet
1–3                                 3                            /29
4–11                                4                            /28
12–27                               5                            /27
28–59                               6                            /26
60–123                              7                            /25
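A small planning script, added here as an example and not taken from the original article, that turns the table above into a check you can run: it computes the smallest subnet for a given number of virtual machines, confirms the subnet lies inside the virtual network's address space, and tests the Azure range against each on-premises prefix for overlap (the condition the Important note in Phase 2 warns about). It assumes, consistently with the table, that Azure reserves 5 addresses per subnet; the prefixes and VM count at the bottom are constructed values.

```powershell
# Added example; not part of the original article. Sizes the Azure subnet for a
# VM count and checks address-space overlap before the virtual network is created.
# Assumption (consistent with the sizing table above): Azure reserves 5 addresses
# in every subnet, so a prefix of length L holds 2^(32-L) - 5 virtual machines.
$AzureReservedPerSubnet = 5
$AllOnes32 = [int64]4294967295   # 0xFFFFFFFF as Int64 (a 0x literal would be read as Int32 -1)

function ConvertTo-IPNumber {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Get-PrefixRange {
    # First and last address (as numbers) covered by a CIDR prefix such as 192.168.100.0/24.
    param([string]$Cidr)
    $address, $length = $Cidr -split '/'
    $length = [int]$length
    $mask  = ($AllOnes32 -shl (32 - $length)) -band $AllOnes32
    $start = (ConvertTo-IPNumber $address) -band $mask
    $end   = $start -bor ((-bnot $mask) -band $AllOnes32)
    [pscustomobject]@{ Cidr = $Cidr; Length = $length; Start = $start; End = $end }
}

function Test-PrefixOverlap {
    param([string]$A, [string]$B)
    $ra = Get-PrefixRange $A
    $rb = Get-PrefixRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Test-PrefixContains {
    # True when $Inner lies entirely inside $Outer (a subnet inside its virtual network).
    param([string]$Outer, [string]$Inner)
    $ro = Get-PrefixRange $Outer
    $ri = Get-PrefixRange $Inner
    return ($ri.Start -ge $ro.Start) -and ($ri.End -le $ro.End)
}

function Get-SubnetPrefixLength {
    # Smallest subnet (largest prefix length) whose usable addresses cover $VmCount.
    param([int]$VmCount)
    for ($length = 29; $length -ge 8; $length--) {
        $usable = [math]::Pow(2, 32 - $length) - $AzureReservedPerSubnet
        if ($usable -ge $VmCount) { return $length }
    }
    throw "No single subnet can hold $VmCount virtual machines"
}

# Constructed values for a planning run; replace them with your own.
$OnPremPrefixes = @('192.168.100.0/24', '10.0.0.0/16')
$AzureVnet      = '10.1.0.0/16'
$AzureSubnet    = '10.1.0.0/27'   # a /27 holds 27 VMs (the 12-27 row of the table)
$PlannedVms     = 20

foreach ($p in $OnPremPrefixes) {
    if (Test-PrefixOverlap $p $AzureVnet) {
        Write-Warning "Azure address space $AzureVnet overlaps on-premises prefix $p; choose another range"
    }
}
if (-not (Test-PrefixContains $AzureVnet $AzureSubnet)) {
    Write-Warning "Subnet $AzureSubnet is not inside $AzureVnet"
}
$needed = Get-SubnetPrefixLength -VmCount $PlannedVms
if ($needed -lt (Get-PrefixRange $AzureSubnet).Length) {
    Write-Warning "$PlannedVms VMs need at least a /$needed subnet"
} else {
    "Subnet $AzureSubnet holds $PlannedVms VMs (a /$needed would be the minimum)"
}
```

With the constructed values, 20 virtual machines resolve to a /27 and neither on-premises prefix overlaps 10.1.0.0/16. Change $AzureVnet to 10.0.5.0/24 and the overlap warning fires against 10.0.0.0/16, which is exactly the situation that would otherwise only show up as unreachable hosts after the tunnel is up.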

Before you create an Azure virtual network to host virtual machines, you must determine the following settings. You can enter settings for your environment in the Configuration settings column of the following tables.

Names and name resolution support

 

Description (fill in the configuration setting for your environment after each item)

  • Name to assign to the Azure virtual network (for example, AzureNet): ________

  • Name to assign to your on-premises network (for example, OrgNet): ________

  • Name of a previously configured, or new, Azure affinity group: ________

  • Friendly names and IP addresses of DNS servers on your on-premises network that the Azure Virtual Machines use for name resolution: ________

IPv4 addresses and address spaces

 

Description (fill in the configuration setting for your environment after each item)

  • Public IPv4 address of your VPN device's interface on the Internet: ________

  • IP address of a public DNS server on the Internet: ________

  • The private IP address space(s) assigned to your on-premises network. You need to supply the starting IP address and prefix length in CIDR notation, for example, 192.168.100.0/24: ________

  • The overall address space for the virtual network, defined as a single private IPv4 address prefix. You need to supply the starting IP address and prefix length in CIDR notation: ________

  • The address space of the subnet within the virtual network, taken from the overall address space for the virtual network: ________

Information from the Azure Management Portal

Note:
When you create the Azure virtual network, the Azure Management Portal provides you with the following information. You can record the gateway address in this table for documentation purposes. Treat the IPsec pre-shared key as a credential and keep it in your password or secrets store, not in this documentation: with pre-shared key authentication it is the only secret that authenticates the two VPN gateways to each other.

Description (fill in the configuration setting for your environment after each item)

  • Public IPv4 address of the Azure VPN gateway for your virtual network: ________

  • Where the IPsec pre-shared key for the site-to-site VPN connection is stored (not the key itself): ________

Configuring the VPN connection and using virtual machines in Azure consists of three phases, as shown in the following diagram.

[Diagram: Deployment Workflow]

Phase                Description
Phase 1              Prepare your on-premises network.
Phase 2              Create the cross-premises virtual network in Azure.
Phase 3 (optional)   Prepare your Azure environment.

You must configure routing between your on-premises network and the Azure virtual network. Consult with your network administrator to determine which routing changes to apply so that the networks can communicate with one another.

If you are building a single-subnet test network, complete the following steps to add static routes to all of the on-premises servers.

  1. At the Windows PowerShell command prompt, use the Get-NetAdapter cmdlet to list the names of the adapters on the computer. For more information, see Get-NetAdapter.

  2. At the Windows PowerShell command prompt, run the following command to add a static route from the on-premises network to the Azure virtual network:

    
    New-NetRoute -DestinationPrefix <DestinationPrefix> -InterfaceAlias <InterfaceAlias> -NextHop <NextHop>

    where:

      • <DestinationPrefix> specifies the destination prefix of the IP route. A destination prefix consists of an IP address prefix and a prefix length, separated by a slash (/), for example, 192.168.1.0/24.

      • <InterfaceAlias> is the name of the network interface from the results of running the Get-NetAdapter command in step 1.

      • <NextHop> specifies the IP address of the router interface that is the next hop for the route.

    You can also follow these steps to configure your routers that are running Windows Server 2012 and RRAS.

    For more information about creating routes, see New-NetRoute.
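The two steps above with concrete values, followed by the checks that confirm the route actually took effect. This is an added example, not code from the original article; the Azure address space 10.1.0.0/16, the VPN device's LAN address 192.168.100.254 and the Azure virtual machine 10.1.0.4 are constructed values.

```powershell
# Added example; not part of the original article. The New-NetRoute template
# above with constructed values, plus verification that the route is in use:
#   Azure virtual network address space       : 10.1.0.0/16
#   LAN address of the on-premises VPN device : 192.168.100.254
#   address of a virtual machine in Azure     : 10.1.0.4
$AzurePrefix  = '10.1.0.0/16'
$VpnDeviceLan = '192.168.100.254'
$AzureVm      = '10.1.0.4'

# Choose the interface that already has an address on the VPN device's LAN
# (192.168.100.0/24 here) instead of typing an alias from Get-NetAdapter by hand.
$lanIf = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '192.168.100.*' } |
    Select-Object -First 1
if (-not $lanIf) { throw 'No interface on the VPN device LAN; check Get-NetAdapter' }

New-NetRoute -DestinationPrefix $AzurePrefix -InterfaceAlias $lanIf.InterfaceAlias -NextHop $VpnDeviceLan

# 1. The route exists with the expected next hop.
Get-NetRoute -DestinationPrefix $AzurePrefix -AddressFamily IPv4 |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias

# 2. The stack really selects it for an Azure address: the NetRoute object in
#    the output should show NextHop = 192.168.100.254, not the default gateway.
Find-NetRoute -RemoteIPAddress $AzureVm
```

The second check is the one that catches a route added on the wrong interface or shadowed by a more specific existing route: New-NetRoute succeeds either way, but Find-NetRoute shows which next hop the host will actually use for Azure traffic.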

The first step is to configure a cross-premises Azure virtual network. Decide the IP addressing scheme for the Azure virtual network before you try to create it. To configure the cross-premises Azure virtual network, see Configuring an Azure Virtual Network later in this article.

Important:
Make sure the IP address range that you choose for the Azure virtual network is not already in use on your on-premises network. Overlapping ranges cannot be routed across the site-to-site connection.

After you complete these steps, you must start the gateway. For more information, see Start the Gateway. After you start the gateway and generate the VPN Device Configuration Script, download the script and run it on your VPN gateway device. If you are using Windows Server 2012 RRAS, the script configures the RRAS service for a site-to-site connection with IPsec protection. The generated script contains the pre-shared key in clear text, so transfer it over a protected channel, restrict who can read it on the VPN device, and delete it, or remove the key from it, once the connection is configured.
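Once the generated script has run on a Windows Server 2012 RRAS server, the following added example (not part of the original article or of the Azure-generated script) brings the site-to-site interface up and checks the three things that must be true for traffic to flow: the interface is connected, IKE and IPsec security associations exist with the Azure gateway, and a virtual machine in Azure answers. The interface name AzureVNet is assumed to be the name the script gave the interface, and 10.1.0.4 is a constructed address of a virtual machine in the Azure subnet.

```powershell
# Added example; not part of the original article or of the script that the Azure
# Management Portal generates. Run on the Windows Server 2012 RRAS server after that
# script has created the site-to-site interface. $InterfaceName is assumed to be the
# name the script gave the interface; $AzureVm is a constructed address of a virtual
# machine in the Azure subnet.
$InterfaceName = 'AzureVNet'
$AzureVm       = '10.1.0.4'

# Bring the demand-dial interface up and show its state.
Connect-VpnS2SInterface -Name $InterfaceName
Get-VpnS2SInterface -Name $InterfaceName

# IKE main-mode and IPsec quick-mode security associations with the Azure gateway.
# No entries means no tunnel was negotiated: re-check the pre-shared key and the
# UDP 500/4500 and protocol 50 rules before looking anywhere else. The listing
# also shows which encryption and integrity algorithms were actually negotiated.
Get-NetIPsecMainModeSA  | Format-List *
Get-NetIPsecQuickModeSA | Format-List *

# End-to-end reachability through the tunnel. The Azure VM's own Windows Firewall
# must allow inbound ICMP echo for this to succeed.
if (Test-Connection -ComputerName $AzureVm -Count 2 -Quiet) {
    "Reached $AzureVm over the site-to-site tunnel"
} else {
    Write-Warning "No reply from $AzureVm; check the route to the Azure prefix and the VM's firewall"
}
```

Reading the security-association output is worth the minute it takes: it is the only place on the RRAS side that shows the cipher and integrity algorithms the tunnel really uses, as opposed to the ones the script asked for.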

Create the virtual machines you need in Azure. For more information about how to create virtual machines in Azure, see How to create the virtual machine.

Important:
If you do not use the Gallery to create your virtual machine, you must manually create a storage account for use with the virtual machine. For more information, see How To Create a Storage Account.

If you join your virtual machines to an Active Directory domain, verify that your virtual machines are joined to the domain by checking your internal DNS to ensure that Address (A) records were added for the virtual machines with the correct IP addresses from Azure. To access the internet, your Azure virtual machines must be configured to use your on-premises network's proxy server. You should contact your network administrator for additional configuration steps to perform on the server.

Complete the following steps to create an Azure virtual network to host a single subnet that contains Microsoft Azure virtual machines. For more information, see Configure a Site-to-Site VPN in the Management Portal.

  1. In the Azure Management Portal, click New > Networks > Virtual Network > Custom Create.

  2. On the Virtual Network Details page of the Azure Virtual Network wizard, do the following:

    • In NAME, type the name of the Azure virtual network that will host the virtual machines.

    • In AFFINITY GROUP, select the appropriate affinity group for the virtual network. If you do not have a previously configured affinity group, select Create a new affinity group and specify the REGION and AFFINITY GROUP NAME.

  3. Click the Next arrow.

  4. On the DNS Servers and VPN Connectivity page, do the following:

    • In DNS Servers, type a friendly name and IP address of the selected DNS server for your on-premises network. The friendly name that you choose does not have to match the name of your on-premises DNS server.

    • Select Configure site-to-site VPN.

    Note:
    If you have previously configured your organization's name and address space, you can select it in the LOCAL NETWORK list. Otherwise, select Specify a New Local Network.

    [Screenshot: example of the DNS Servers and VPN Connectivity page]

  5. Click the Next arrow.

  6. On the Site-to-Site Connectivity page, do the following:

    Note:
    If you specified the name of an existing LOCAL NETWORK on the DNS Servers and VPN Connectivity page, you will not see the Site-to-Site Connectivity page.
    • In NAME, type the name for your on-premises network.

    • In VPN DEVICE IP ADDRESS, type the public IPv4 address of the VPN device's interface on the Internet.

    • In ADDRESS SPACE, add the address space of your on-premises network as a set of private IPv4 address prefixes. For each prefix, specify the prefix (under STARTING IP) and the prefix length (under CIDR (ADDRESS COUNT)).

    [Screenshot: example of the Site-to-Site Connectivity page]

  7. Click the Next arrow.

  8. On the Virtual Network Address Spaces page, do the following:

    • In ADDRESS SPACE, add the address space of the Azure single-subnet virtual network as a private IPv4 address prefix. Specify the prefix (in STARTING IP) and the prefix length in CIDR (ADDRESS COUNT).

  9. Click the add gateway subnet button.

  10. Click the Complete icon to create the virtual network.
