Connect an on-premises network to a Microsoft Azure virtual network

 

Applies to: Microsoft Azure, Microsoft cloud services, Windows Server 2012

Topic Last Modified: 2016-04-18

Summary: Learn how to configure a cross-premises Azure virtual network for Office server workloads.

A cross-premises Azure virtual network allows your virtual machines in Azure to directly access resources on your on-premises network. For example, a DirSync server running on an Azure virtual machine needs to query your on-premises domain controllers for changes to accounts and synchronize those changes with your Office 365 subscription. This article shows you how to set up a site-to-site VPN connection between your on-premises network and your Azure virtual network.


Your virtual machines in Azure don’t have to be isolated from your on-premises environment. For example, you can configure your virtual machines in Azure to access the Internet through your on-premises proxy server. To connect Azure virtual machines to your on-premises network resources, you must configure a cross-premises Azure virtual network.

The following diagram shows the required components to deploy a cross-premises Azure virtual network with a virtual machine in Azure.

On-premises network connected to Microsoft Azure by a site-to-site VPN connection

In the diagram, there are two networks connected by a site-to-site virtual private network (VPN) connection: the on-premises network and the Azure virtual network. The on-premises network has a VPN device that terminates the VPN tunnel from the Azure virtual network. The Azure virtual network has virtual machines that require access to resources on the on-premises network, and the Azure VPN gateway. The Azure VPN gateway is used to set up a site-to-site VPN connection from the Azure virtual network to the on-premises network. Network traffic originating from virtual machines on the Azure virtual network is forwarded to the VPN gateway in Azure, which then forwards the traffic across the site-to-site VPN connection to the VPN device on the on-premises network. The routing infrastructure of the on-premises network then forwards the traffic to its destination.

To set up the VPN connection between your Azure virtual network and your on-premises network, perform the following steps:

  1. On-premises   Define and create an on-premises network route for the address space of the Azure virtual network that points to your on-premises VPN device.

  2. Microsoft Azure   Create an Azure virtual network with a site-to-site VPN connection. This article does not describe the use of ExpressRoute.

  3. On-premises   Configure your on-premises hardware or software VPN device to terminate the VPN tunnel, which uses Internet Protocol security (IPsec).

After you establish the site-to-site VPN connection, your Azure virtual machines can communicate with your on-premises network resources.

Before you begin, make sure you have the following:

  • An Azure subscription. For information about Azure subscriptions, go to the Microsoft Azure subscription page.

  • An available private IPv4 address space to assign to the virtual network and the subnet hosted in the Azure virtual network, with sufficient room for growth to accommodate the number of virtual machines needed now and in the future.

  • An available VPN device in your on-premises network to host the site-to-site VPN connection that supports the requirements for IPsec. For more information, see About VPN devices for site-to-site virtual network connections.

  • Changes to your routing infrastructure so that traffic routed to the address space of the Azure virtual network is forwarded to the VPN device that hosts the site-to-site VPN connection.

  • A web proxy that gives computers that are connected to the on-premises network and the Azure virtual network access to the Internet.

The following list represents the design choices that have been made for this solution architecture. For additional solution design choices, see Variations to solution design later in this article.

  • This solution uses a single Azure virtual network with a site-to-site VPN connection. The Azure virtual network hosts a single subnet that contains any number of virtual machines.

  • You can use the Routing and Remote Access Service (RRAS) in Windows Server 2012 to establish an IPsec site-to-site VPN connection between the on-premises network and the Azure virtual network. You can also use other options, such as Cisco and Juniper Networks VPN devices.

  • The on-premises network might still have network resources like Active Directory Domain Services (AD DS), Domain Name System (DNS), and a proxy server. Depending on your requirements, it might be beneficial to place some of these network resources in Azure.

Here are some additional design choices for you to consider when you deploy this solution in your environment:

  • For an existing Azure virtual network with one or more subnets, determine whether there is remaining address space for an additional subnet to host your needed virtual machines, based on your requirements. If you don’t have remaining address space for an additional subnet, create an additional virtual network that has its own site-to-site VPN connection.

You must configure your on-premises routing infrastructure to forward traffic destined for the address space of the Azure virtual network to the on-premises VPN device that is hosting the site-to-site VPN connection.

The exact method of updating your routing infrastructure depends on how you manage routing information, which can be:

  • Routing table updates based on manual configuration.

  • Routing table updates based on routing protocols, such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Consult with your routing specialist to make sure that traffic destined for the Azure virtual network is forwarded to the on-premises VPN device.

If your VPN device is on a perimeter network that has a firewall between the perimeter network and the Internet, you might have to configure the firewall with the following rules to allow the site-to-site VPN connection. IP protocol 50 is Encapsulating Security Payload (ESP), which carries the encrypted tunnel traffic; UDP port 500 is Internet Key Exchange (IKE), which negotiates the tunnel; UDP port 4500 is IKE and ESP encapsulated for NAT traversal (NAT-T), which is used when a NAT sits between the two gateways.

  • Traffic to the VPN device (incoming from the Internet):

    • Destination IP address of the VPN device and IP protocol 50

    • Destination IP address of the VPN device and UDP destination port 500

    • Destination IP address of the VPN device and UDP destination port 4500

  • Traffic from the VPN device (outgoing to the Internet):

    • Source IP address of the VPN device and IP protocol 50

    • Source IP address of the VPN device and UDP source port 500

    • Source IP address of the VPN device and UDP source port 4500

Once the Azure VPN gateway has been created and its public IP address is known, tighten these rules so that the remote address is the public IP address of the Azure gateway: no other Internet host has a reason to send IKE or ESP to your VPN device. Azure VPN gateways use ESP, so Authentication Header (IP protocol 51) does not need to be allowed.
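The design choices in this article allow the on-premises VPN device to be a Windows Server 2012 computer running RRAS. The following added example (not part of the original article) creates the six rules above on the Windows Firewall of such a server with New-NetFirewallRule, restricted to the Azure gateway's public IP address. Both addresses are hypothetical placeholders, the rule names are made up, and the perimeter firewall in front of the server still needs the equivalent rules.

```powershell
# Assumption: the VPN device is a Windows Server 2012 RRAS server with Windows Firewall enabled.
# Both addresses are placeholders. If the server sits behind a NAT, use the private address
# of its Internet-facing interface as $vpnDeviceIp.
$vpnDeviceIp    = "198.51.100.5"   # public IPv4 address of the VPN device (Table V, item 4)
$azureGatewayIp = "203.0.113.10"   # public IP address of the Azure VPN gateway, known once the gateway exists

# One entry per rule in the article: ESP (IP protocol 50), IKE (UDP 500) and NAT-T (UDP 4500), both directions.
# For inbound rules LocalPort is the destination port; for outbound rules it is the source port.
$ruleSet = @(
    @{ Name = "Azure S2S IKE in";    Direction = "Inbound";  Protocol = "UDP"; LocalPort = 500  }
    @{ Name = "Azure S2S NAT-T in";  Direction = "Inbound";  Protocol = "UDP"; LocalPort = 4500 }
    @{ Name = "Azure S2S ESP in";    Direction = "Inbound";  Protocol = 50 }
    @{ Name = "Azure S2S IKE out";   Direction = "Outbound"; Protocol = "UDP"; LocalPort = 500  }
    @{ Name = "Azure S2S NAT-T out"; Direction = "Outbound"; Protocol = "UDP"; LocalPort = 4500 }
    @{ Name = "Azure S2S ESP out";   Direction = "Outbound"; Protocol = 50 }
)

foreach ($r in $ruleSet) {
    # Skip rules that already exist so the script can be re-run safely
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{
        DisplayName   = $r.Name
        Direction     = $r.Direction
        Protocol      = $r.Protocol
        LocalAddress  = $vpnDeviceIp
        RemoteAddress = $azureGatewayIp   # only the Azure gateway may exchange IKE/ESP with this host
        Action        = "Allow"
        Profile       = "Any"
    }
    if ($r.ContainsKey("LocalPort")) { $params.LocalPort = $r.LocalPort }
    New-NetFirewallRule @params | Out-Null
}

# Show what was created
Get-NetFirewallRule -DisplayName "Azure S2S*" | Format-Table DisplayName, Direction, Enabled, Action
```

Run it in an elevated PowerShell session on the RRAS server after the Azure gateway has been created; until then $azureGatewayIp is unknown and the rules cannot be scoped.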

The private IP address space of the Azure virtual network must be able to accommodate the addresses used by Azure to host the virtual network and at least one subnet that has enough addresses for your Azure virtual machines. Azure reserves five addresses in every subnet (the network address, the broadcast address and three addresses used by the platform), which is why the smallest useful subnet, a /29 with 8 addresses, holds only 3 virtual machines.

To determine the number of addresses needed for the subnet, count the number of virtual machines that you need now, estimate for future growth, and then use the following table to determine the size of the subnet.

Number of virtual machines needed   Number of host bits needed   Size of the subnet
1–3                                 3                            /29
4–11                                4                            /28
12–27                               5                            /27
28–59                               6                            /26
60–123                              7                            /25

Before you create an Azure virtual network to host virtual machines, you must determine the settings needed in the following tables.

For the settings of the virtual network, fill in Table V.

Table V: Cross-premises virtual network configuration

Item | Configuration element | Description | Value
1. | Virtual network name | A name to assign to the Azure virtual network (example: DirSyncNet). | __________________
2. | Virtual network location | The Azure datacenter that will contain the virtual network (such as West US). | __________________
3. | Local network name | A name to assign to your organization network. | __________________
4. | VPN device IP address | The public IPv4 address of your VPN device's interface on the Internet. Work with your IT department to determine this address. | __________________
5. | Virtual network address space | The address space (a single private address prefix) for the virtual network, in Classless Interdomain Routing (CIDR) format, also known as network prefix format. An example is 10.24.64.0/20. Work with your IT department to determine this address space; it must not overlap with any address range in use on your on-premises network. | __________________
6. | IPsec shared key | A 32-character random alphanumeric string used to authenticate both sides of the site-to-site VPN connection. Generate it from a cryptographically secure random source rather than choosing it by hand, and store it in a secure location: it is a shared secret that both ends of the tunnel trust, so keep it out of scripts that are checked into source control. Work with your IT or security department to agree on the key value. Alternately, see Create a random string for an IPsec preshared key. | __________________
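The following added example (not part of the original article, and not the script behind the linked "Create a random string" page) generates the shared key from Table V item 6 with the .NET cryptographic random number generator rather than Get-Random, which is not a cryptographic source. The function name and the 32-character default are this example's own choices; bytes that would bias the selection are discarded so every character of the alphabet is equally likely.

```powershell
# Added example: generate the IPsec pre-shared key for Table V, item 6.
function New-IPsecPreSharedKey {
    [CmdletBinding()]
    param(
        # 32 characters matches the article; longer keys are fine for the Azure gateway
        [ValidateRange(16, 128)]
        [int]$Length = 32
    )
    # Alphanumeric only: avoids characters that on-premises VPN device CLIs and
    # configuration files tend to mangle (quotes, spaces, shell metacharacters).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # Largest multiple of the alphabet size that fits in a byte: 62 * 4 = 248.
    # A random byte at or above this value is discarded instead of reduced modulo 62,
    # otherwise characters 0..7 of the alphabet would be picked more often than the rest.
    $limit = [int]([Math]::Floor(256 / $alphabet.Length) * $alphabet.Length)

    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 1
    $key    = New-Object System.Text.StringBuilder
    try {
        while ($key.Length -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $limit) {
                [void]$key.Append($alphabet[$buffer[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    return $key.ToString()
}

# Usage: generate the key, record it with the rest of Table V, and hand the same value
# to whoever configures the on-premises VPN device.
$vnetConnectionKey = New-IPsecPreSharedKey -Length 32
$vnetConnectionKey
```

Because the same string is typed into the on-premises device, keep it alphanumeric even if your device would accept punctuation; a key that survives copy-and-paste intact is one less reason for the tunnel to fail IKE authentication.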

Fill in Table S for the subnets of this solution.

  • For the first subnet, the Azure gateway subnet, determine an address space with a /28 prefix length (16 addresses) taken from the virtual network address space. For more information, see Gateways.

  • For the second subnet, which hosts the virtual machines, specify a friendly name, a single IP address space based on the virtual network address space, and a descriptive purpose.

Work with your IT department to determine these address spaces from the virtual network address space. Both address spaces should be in CIDR format, must lie inside the virtual network address space, and must not overlap each other.

Table S: Subnets in the virtual network

Item | Subnet name | Subnet address space | Purpose
1. | Gateway subnet | _____________________________ | The subnet used by the Azure gateway.
2. | _____________________________ | _____________________________ | _____________________________

For the on-premises DNS servers that you want the virtual machines in the virtual network to use, fill in Table D. Give each DNS server a friendly name and a single IP address. This friendly name does not need to match the host name or computer name of the DNS server. Note that two blank entries are listed, but you can add more. Work with your IT department to determine this list.

Table D: On-premises DNS servers

Item | DNS server friendly name | DNS server IP address
1. | _____________________________ | _____________________________
2. | _____________________________ | _____________________________

To route packets from the Azure virtual network to your organization network across the site-to-site VPN connection, you must configure the virtual network with a local network. This local network contains a list of the address spaces (in CIDR notation) for all of the locations on your organization's on-premises network that the virtual machines in the virtual network must reach. This can be all of the locations on the on-premises network or a subset. The address spaces that define your local network must be unique: they must not overlap with the address space of this virtual network (Table V, item 5) or with the address spaces used for other virtual networks. Traffic for a destination that falls in both the virtual network and the local network has no unambiguous route, and Azure will not accept the overlapping configuration.

For the set of local network address spaces, fill in Table L. Note that three blank entries are listed, but you will typically need more. Work with your IT department to determine this list of address spaces.

Table L: Address prefixes for the local network

Item | Local network address space
1. | _____________________________
2. | _____________________________
3. | _____________________________
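The values in Tables V, S and L have to agree with each other and with the subnet sizing table: both subnets must lie inside the virtual network address space, the gateway subnet must be at least a /28, the virtual machine subnet must have room for the planned machines plus the five addresses Azure reserves, and no Table L prefix may overlap the virtual network. The following added example (not part of the original article) checks all of that before anything is created in Azure. The prefixes and the machine count are constructed sample values; the function names are this example's own.

```powershell
# Added example: validate the address plan from Tables V, S and L offline, before creating anything.

function ConvertTo-AddressNumber([string]$Address) {
    # Represent an IPv4 address as a number held in a 64-bit integer (avoids signed 32-bit overflow)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [long]$bytes[0] * 16777216 + [long]$bytes[1] * 65536 + [long]$bytes[2] * 256 + [long]$bytes[3]
}

function Get-CidrRange([string]$Cidr) {
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not an IPv4 CIDR prefix: $Cidr" }
    $network, $prefixLength = $Cidr.Split('/')
    $prefixLength = [int]$prefixLength
    $size  = [long][Math]::Pow(2, 32 - $prefixLength)
    $start = ConvertTo-AddressNumber $network
    # 10.24.64.1/20 is a typo, not a network: refuse prefixes that are not on a boundary
    if ($start % $size -ne 0) { throw "$Cidr is not on a network boundary" }
    return [pscustomobject]@{ Cidr = $Cidr; PrefixLength = $prefixLength; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap($A, $B)          { return ($A.Start -le $B.End) -and ($B.Start -le $A.End) }
function Test-CidrContains($Outer, $Inner) { return ($Outer.Start -le $Inner.Start) -and ($Inner.End -le $Outer.End) }

function Get-AzureSubnetPrefixLength([int]$VmCount) {
    # Azure reserves 5 addresses per subnet, so the subnet needs VmCount + 5 addresses.
    # This reproduces the sizing table: 3 VMs -> /29, 11 -> /28, 27 -> /27, 59 -> /26, 123 -> /25.
    $needed   = $VmCount + 5
    $hostBits = 3
    while ([Math]::Pow(2, $hostBits) -lt $needed) { $hostBits++ }
    return 32 - $hostBits
}

function Test-AddressPlan {
    param(
        [string]$VnetPrefix, [string]$GatewaySubnetPrefix, [string]$VmSubnetPrefix,
        [string[]]$OnPremisesPrefixes, [int]$VmCount
    )
    $problems = @()
    $vnet = Get-CidrRange $VnetPrefix
    $gw   = Get-CidrRange $GatewaySubnetPrefix
    $vm   = Get-CidrRange $VmSubnetPrefix
    foreach ($s in @($gw, $vm)) {
        if (-not (Test-CidrContains $vnet $s)) { $problems += "$($s.Cidr) lies outside the virtual network $VnetPrefix" }
    }
    if (Test-CidrOverlap $gw $vm)  { $problems += "Gateway subnet $GatewaySubnetPrefix overlaps the VM subnet $VmSubnetPrefix" }
    if ($gw.PrefixLength -gt 28)   { $problems += "Gateway subnet $GatewaySubnetPrefix is smaller than /28" }
    $required = Get-AzureSubnetPrefixLength $VmCount
    if ($vm.PrefixLength -gt $required) { $problems += "VM subnet $VmSubnetPrefix cannot hold $VmCount VMs; use /$required or larger" }
    # Table L prefixes must not overlap the virtual network address space
    foreach ($p in $OnPremisesPrefixes) {
        if (Test-CidrOverlap $vnet (Get-CidrRange $p)) { $problems += "On-premises prefix $p overlaps the virtual network $VnetPrefix" }
    }
    return $problems
}

# Constructed sample plan (hypothetical values standing in for Tables V, S and L)
$plan = @{
    VnetPrefix          = "10.24.64.0/20"
    GatewaySubnetPrefix = "10.24.64.0/28"
    VmSubnetPrefix      = "10.24.65.0/26"     # /26 holds up to 59 VMs
    OnPremisesPrefixes  = @("10.1.0.0/16", "192.168.10.0/24")
    VmCount             = 40
}
$problems = @(Test-AddressPlan @plan)
if ($problems.Count -eq 0) { "Address plan is consistent" } else { $problems }

# The same plan with an on-premises prefix that swallows the virtual network is reported as a problem
$plan.OnPremisesPrefixes = @("10.0.0.0/8")
Test-AddressPlan @plan
```

Run this on any computer with Windows PowerShell; it needs no Azure connection. The first call reports a consistent plan, the second reports that 10.0.0.0/8 overlaps 10.24.64.0/20, which is exactly the configuration Azure would reject when the local network gateway is created.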

Configuring the site-to-site VPN connection and using virtual machines in Azure consists of three phases, as summarized in the following diagram and table.

Deployment steps for connecting an on-premises network to Microsoft Azure with a VPN connection

Phase | Description
Phase 1 | Prepare your on-premises network.
Phase 2 | Create the cross-premises virtual network in Azure.
Phase 3 (optional) | Prepare your Azure environment.

You must configure routing between your on-premises network and the Azure virtual network. Consult with your network administrator to determine which routing changes to apply so that the networks can communicate with one another.

If you are building a single-subnet test network, complete the following steps to add static routes to all of the on-premises, Windows-based servers.

  1. At an administrator-level Windows PowerShell command prompt, use the Get-NetAdapter cmdlet to list the names of the adapters on the computer. For more information, see Get-NetAdapter.

  2. At the Windows PowerShell command prompt, run the following command to add a static route from the on-premises server to the Azure virtual network:

    New-NetRoute -DestinationPrefix <VirtualNetworkPrefix> -InterfaceAlias <InterfaceAlias> -NextHop <NextHop>

    Where:

      • <VirtualNetworkPrefix> is the address space of the virtual network (Table V, item 5), in CIDR format.

      • <InterfaceAlias> is the name of the network interface from the results of running the Get-NetAdapter command in step 1.

      • <NextHop> is the IP address of the router interface that is the next hop for the route. On a single-subnet test network this is the on-premises interface of the VPN device that terminates the tunnel.

    You can also follow these steps to configure your routers that are running Windows Server 2012 and RRAS.

    For more information about creating routes, see New-NetRoute.

The first step is to configure a cross-premises Azure virtual network. Ensure that the address range you chose for the Azure virtual network (Table V, item 5) is not already in use on your on-premises network.

First, open an Azure PowerShell prompt. If you have not installed Azure PowerShell, see How to install and configure Azure PowerShell.

Note:
These commands are for Azure PowerShell 1.0 and above (the AzureRm cmdlets).

Next, log in to your Azure account with this command.

Login-AzureRmAccount

Get your subscription name using the following command.

Get-AzureRmSubscription | Sort SubscriptionName | Select SubscriptionName

Set your Azure subscription. Replace everything within the quotes, including the < and > characters, with the correct subscription name.

$subscr="<subscription name>"
Select-AzureRmSubscription -SubscriptionName $subscr

Next, create a new resource group for your virtual network. To determine a unique resource group name, use this command to list your existing resource groups.

Get-AzureRmResourceGroup | Sort ResourceGroupName | Select ResourceGroupName

Create your new resource group with these commands.

$rgName="<resource group name>"
$locName="<Table V - Item 2 - Value column>"
New-AzureRmResourceGroup -Name $rgName -Location $locName

Resource Manager-based virtual machines require a Resource Manager-based storage account. You must pick a globally unique name for your storage account that is 3 to 24 characters long and contains only lowercase letters and numbers. You can use this command to list the existing storage accounts.

Get-AzureRmStorageAccount | Sort StorageAccountName | Select StorageAccountName

To create a new storage account, run these commands.

$rgName="<your new resource group name>"
$locName="<the location of your new resource group>"
$saName="<unique storage account name>"
New-AzureRmStorageAccount -Name $saName -ResourceGroupName $rgName -Type Standard_LRS -Location $locName

Next, you create the Azure virtual network. The commands also create a network security group (NSG) for the subnet that hosts the virtual machines. As written, the single rule in that NSG allows Remote Desktop (TCP port 3389) from the Internet to every virtual machine on the subnet. That only takes effect for virtual machines that are given a public IP address, but if you administer the virtual machines over the site-to-site VPN you should omit the rule, or restrict its source address prefix to your on-premises address spaces from Table L, rather than expose RDP to the Internet.

# Fill in the variables from previous values and from Tables V, S, and D
$rgName="<name of your new resource group>"
$locName="<Azure location of the new resource group>"
$vnetName="<Table V - Item 1 - Value column>"
$vnetAddrPrefix="<Table V - Item 5 - Value column>"
$gwSubnetPrefix="<Table S - Item 1 - Subnet address space column>"
$SubnetName="<Table S - Item 2 - Subnet name column>"
$SubnetPrefix="<Table S - Item 2 - Subnet address space column>"
$dnsServers=@( "<Table D - Item 1 - DNS server IP address column>", "<Table D - Item 2 - DNS server IP address column>" )

# Create the Azure virtual network with the gateway subnet and the subnet that hosts virtual machines.
# The gateway subnet must be named GatewaySubnet; the Azure VPN gateway will not deploy into a subnet with any other name.
$gatewaySubnet=New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $gwSubnetPrefix
$vmSubnet=New-AzureRmVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetPrefix
New-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $locName -AddressPrefix $vnetAddrPrefix -Subnet $gatewaySubnet,$vmSubnet -DNSServer $dnsServers
# Create a network security group for the virtual machine subnet.
# This rule allows inbound RDP from the Internet to all VMs on the subnet; see the note above before keeping it.
$rule1=New-AzureRmNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
New-AzureRmNetworkSecurityGroup -Name $SubnetName -ResourceGroupName $rgName -Location $locName -SecurityRules $rule1
# Associate the network security group with the virtual machine subnet.
# Set-AzureRmVirtualNetworkSubnetConfig only changes the local copy of the virtual network;
# Set-AzureRmVirtualNetwork writes the change back to Azure.
$vnet=Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$nsg=Get-AzureRmNetworkSecurityGroup -Name $SubnetName -ResourceGroupName $rgName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName -AddressPrefix $SubnetPrefix -NetworkSecurityGroup $nsg
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
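If the virtual machines are administered over the site-to-site VPN, the RDPTraffic rule above is broader than necessary. The following added example (not part of the original article) builds the NSG for the virtual machine subnet so that RDP is allowed only from the on-premises prefixes in Table L and explicitly denied from every other source, including other subnets of the virtual network. Use it in place of the RDPTraffic rule: it assumes the virtual network already exists, that $rgName, $locName, $vnetName, $SubnetName and $SubnetPrefix still hold the values used above, and that no NSG of that name exists yet. The Table L prefixes shown are constructed sample values and the rule names are this example's own.

```powershell
# Added example: RDP reachable only from the on-premises address spaces in Table L.
# Assumes $rgName, $locName, $vnetName, $SubnetName and $SubnetPrefix from the virtual network script.
$localNetworkPrefix = @("10.1.0.0/16", "192.168.10.0/24")   # Table L, constructed sample values

$rules = @()
$priority = 100
foreach ($prefix in $localNetworkPrefix) {
    # One allow rule per on-premises prefix: a rule carries a single source address prefix
    $rules += New-AzureRmNetworkSecurityRuleConfig -Name "RDPFromOnPremises$priority" `
        -Description "Allow RDP from on-premises prefix $prefix over the site-to-site VPN" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $priority `
        -SourceAddressPrefix $prefix -SourcePortRange "*" `
        -DestinationAddressPrefix $SubnetPrefix -DestinationPortRange 3389
    $priority++
}
# Explicit deny for RDP from anywhere else. It is evaluated before the default AllowVnetInBound
# rule (priority 65000), so RDP from other subnets of the virtual network is blocked as well.
# RDP from the Internet is already blocked by the default DenyAllInBound rule once no allow rule matches it.
$rules += New-AzureRmNetworkSecurityRuleConfig -Name "DenyRDPFromOther" `
    -Description "Deny RDP from every source not listed above" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix $SubnetPrefix -DestinationPortRange 3389

$nsg = New-AzureRmNetworkSecurityGroup -Name $SubnetName -ResourceGroupName $rgName -Location $locName -SecurityRules $rules

# Attach the NSG to the virtual machine subnet and write the change back to Azure
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName -AddressPrefix $SubnetPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Review the effective inbound rule set, custom and default, in evaluation order
$g = Get-AzureRmNetworkSecurityGroup -Name $SubnetName -ResourceGroupName $rgName
@($g.SecurityRules) + @($g.DefaultSecurityRules) |
    Where-Object { $_.Direction -eq "Inbound" } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

The final listing is the check worth doing on any NSG: read the custom rules together with the defaults in priority order and confirm that the first rule matching RDP from an arbitrary Internet or virtual network source is a deny.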

Next, use these commands to create the gateways for the site-to-site VPN connection. Creating the virtual network gateway can take 45 minutes or longer to complete, and because the public IP address is allocated dynamically, it is not assigned until the gateway has been provisioned.

# Fill in the variables from previous values and from Tables V and L
$vnetName="<Table V - Item 1 - Value column>"
$localGatewayIP="<Table V - Item 4 - Value column>"
$localNetworkPrefix=@( <comma-separated, double-quote enclosed list of the local network address prefixes from Table L, example: "10.1.0.0/24", "10.2.0.0/24"> )
$vnetConnectionKey="<Table V - Item 6 - Value column>"
$vnet=Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
# Attach a virtual network gateway to a public IP address and the gateway subnet.
# The public IP address resource is given the same name as the gateway IP configuration.
$vnetGatewayIpConfigName="PublicIPConfig"
New-AzureRmPublicIpAddress -Name $vnetGatewayIpConfigName -ResourceGroupName $rgName -Location $locName -AllocationMethod Dynamic
$publicGatewayVip=Get-AzureRmPublicIpAddress -Name $vnetGatewayIpConfigName -ResourceGroupName $rgName
# Look the gateway subnet up by name rather than by its position in $vnet.Subnets
$gatewaySubnet=Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$vnetGatewayIpConfig=New-AzureRmVirtualNetworkGatewayIpConfig -Name $vnetGatewayIpConfigName -PublicIpAddressId $publicGatewayVip.Id -SubnetId $gatewaySubnet.Id
# Create the Azure gateway (route-based VPN gateway; this command blocks until the gateway is provisioned)
$vnetGatewayName="AzureGateway"
$vnetGateway=New-AzureRmVirtualNetworkGateway -Name $vnetGatewayName -ResourceGroupName $rgName -Location $locName -GatewayType Vpn -VpnType RouteBased -IpConfigurations $vnetGatewayIpConfig
# Create the gateway for the local network: the public IP address of your VPN device and the Table L prefixes reachable behind it
$localGatewayName="LocalNetGateway"
$localGateway=New-AzureRmLocalNetworkGateway -Name $localGatewayName -ResourceGroupName $rgName -Location $locName -GatewayIpAddress $localGatewayIP -AddressPrefix $localNetworkPrefix
# Create the Azure virtual network VPN connection, authenticated with the shared key from Table V, item 6
$vnetConnectionName="S2SConnection"
$vnetConnection=New-AzureRmVirtualNetworkGatewayConnection -Name $vnetConnectionName -ResourceGroupName $rgName -Location $locName -ConnectionType IPsec -SharedKey $vnetConnectionKey -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localGateway

Next, configure your on-premises VPN device to connect to the Azure VPN gateway. For more information, see About VPN Devices for site-to-site Azure Virtual Network connections.

To configure your VPN device, you will need the following:

  • The public IPv4 address of the Azure VPN gateway for your virtual network. Use the Get-AzureRmPublicIpAddress -Name $vnetGatewayIpConfigName -ResourceGroupName $rgName command to display this address. Because the address is allocated dynamically, it is shown as not assigned until the gateway has finished provisioning.

  • The IPsec pre-shared key for the site-to-site VPN connection (Table V, item 6, Value column). The key configured on the device must match this value exactly, and the device must present the public IP address recorded in Table V, item 4, because that is the address the Azure gateway expects its peer to use.
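Once the device is configured, the connection object in Azure tells you whether IKE succeeded. The following added example (not part of the original article) waits for the gateway's dynamic public IP address to be assigned, prints it for the person configuring the device, and then reports the connection status and byte counters. It assumes $rgName, $vnetGatewayIpConfigName and $vnetConnectionName from the gateway script above and an active Azure PowerShell session; the function names are this example's own.

```powershell
# Added example: obtain the gateway address for the on-premises device and check the tunnel state.
# Assumes $rgName, $vnetGatewayIpConfigName and $vnetConnectionName from the gateway script above.

function Wait-AzureVpnGatewayAddress {
    param(
        [string]$ResourceGroupName,
        [string]$PublicIpName,
        [int]$TimeoutMinutes = 60
    )
    # A dynamically allocated public IP has no address until the gateway finishes provisioning,
    # so poll instead of reading the value once
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pip = Get-AzureRmPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName
        if ($pip.IpAddress -and $pip.IpAddress -ne "Not Assigned") { return $pip.IpAddress }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "No public IP address assigned to $PublicIpName after $TimeoutMinutes minutes"
}

function Get-S2SConnectionState {
    param(
        [string]$ResourceGroupName,
        [string]$ConnectionName
    )
    $c = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName
    # ConnectionStatus becomes Connected once the on-premises device completes IKE with the matching key
    # and peer address; the byte counters show whether traffic is actually crossing the tunnel
    [pscustomobject]@{
        Connection   = $c.Name
        Status       = $c.ConnectionStatus
        IngressBytes = $c.IngressBytesTransferred
        EgressBytes  = $c.EgressBytesTransferred
    }
}

$azureGatewayIp = Wait-AzureVpnGatewayAddress -ResourceGroupName $rgName -PublicIpName $vnetGatewayIpConfigName
"Configure the on-premises VPN device to peer with $azureGatewayIp using the shared key from Table V, item 6."

# Run this after the device has been configured; a status other than Connected usually means a
# mismatched shared key, a wrong peer address in Table V item 4, or IKE/ESP blocked by the perimeter firewall
Get-S2SConnectionState -ResourceGroupName $rgName -ConnectionName $vnetConnectionName
```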

Create the virtual machines you need in Azure. For more information, see How to create the virtual machine.

Use the following settings:

  • On the Basics pane, select the same subscription and resource group as your virtual network. Record the user name and password in a secure location. You will need these later to log on to the virtual machine.

  • On the Size pane, choose the appropriate size.

  • On the Settings pane, in the Storage section, select the Standard storage type and the storage account set up with your virtual network. In the Network section, select the name of your virtual network and the subnet for hosting virtual machines (not the Gateway Subnet). Leave all other settings at their default values.

Verify that your virtual machine is using DNS correctly by checking your internal DNS to ensure that Address (A) records were added for the virtual machines with the correct IP addresses from Azure. To access the Internet, your Azure virtual machines must be configured to use your on-premises network's proxy server. You should contact your network administrator for additional configuration steps to perform on the server.
