How to Create Site to Site VPN Linking Windows Azure to Your On-Premise Network
You’ve built your Azure webapp, and it’s successfully running. Congrats!
But what if you want to connect additional sites or resources to your Azure instance? Or, what if you have a need to scale out your web application to support more concurrent users?
In this tutorial, we’ll walk you through the steps to create a site-to-site VPN link between your on-premise network and your Azure instance.
Setting Up the On-Premise Network
Before you begin the process of configuring the Azure VPN link, you need to prepare the on-premise network that will connect the two sites.
The first step is to create a dedicated VPN subnet in your on-premise network. This subnet will be used by Azure for establishing the VPN connection. For security reasons, it’s recommended to use a unique subnet for this VPN endpoint.
You can allocate any private IP range to this subnet.
For testing purposes, we’ll use the same IP range for our VPN endpoint. So, let’s create a subnet within the 10.0.0.0/24 range:
route-table vpn:
(Default) (Valid) (Public) (Private)
10.0.0.0/24 *(Restricted - public)
Creating the VPN Endpoint
Next, you’ll need to create the endpoint for your VPN. You can do this by using the New-AzureRmVpnGateway cmdlet.
Remember: You won’t be able to create a VPN endpoint in your Azure VM if you don’t have a dedicated subnet configured. You also need to specify the subnet to which you’ll connect.
In our example, we’ll connect our VPN endpoint to the subnet we previously allocated for the on-premise network. So, the endpoint will use the same 10.0.0.0/24 IP range as the on-premise subnet:
New-AzureRmVpnGateway -Name MyVpnGateway -ResourceGroup MyResourceGroup -Location "East US" -Connections 0 -PublicKey 5c9e316d7ca4cb838fc3352f672646fbd9d2345 -SharedKey xxxxxxxxx -SubnetId 10.0.0.0/24 -DefaultProfile {Your Azure Login Name}
Once you enter the above, you’ll be presented with a confirmation screen. If you’d now like to connect a site to this VPN endpoint, use the Connect-AzureRmVpnGateway cmdlet with the -SiteName parameter.
The default value for the -SiteName parameter is the full URL to your site. However, you can also use a relative URL or a domain name to create a site-to-site VPN link.
In our example, we’ll use the VPN endpoint we just created to connect to our Azure VM:
Connect-AzureRmVpnGateway -Name MyVpnGateway -ResourceGroup MyResourceGroup -Location "East US" -SiteName "mysite.com"
After you’ve connected the sites, you can verify the VPN endpoint and the configuration of the on-premise network by using the Get-AzureRmVpnGateway cmdlet.
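As an added example (not the page's own commands), the same gateway setup written with the AzureRM module's cmdlets; the resource names, address ranges and the device IP 203.0.113.10 are assumed placeholders. It also applies the check Azure enforces before a connection can be created: the on-premise range and the VNet range must not overlap, so the VNet here uses 10.1.0.0/16 rather than the 10.0.0.0/24 used above.

```powershell
# Added example, not the page's own commands: AzureRM cmdlets for a route-based site-to-site VPN. Names, ranges and the device IP are placeholders.
$rg            = 'MyResourceGroup'
$location      = 'East US'
$onPremPrefix  = '10.0.0.0/24'    # on-premise LAN behind the VPN device
$vnetPrefix    = '10.1.0.0/16'    # Azure VNet; must not overlap the on-premise range
$gatewayPrefix = '10.1.255.0/27'  # Azure requires this subnet to be named 'GatewaySubnet'
$onPremVpnIp   = '203.0.113.10'   # public IP of the on-premise VPN device (placeholder)
# Azure refuses a connection whose address spaces overlap, so check before creating anything.
function Test-PrefixOverlap([string]$a, [string]$b) {
    $parse = {
        param($cidr)
        $ip, $bits = $cidr.Split('/')
        $net  = [BitConverter]::ToUInt32([byte[]](([IPAddress]$ip).GetAddressBytes()[3..0]), 0)
        $mask = [uint32]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - [int]$bits))
        return ($net -band $mask), $mask
    }
    $na, $ma = & $parse $a
    $nb, $mb = & $parse $b
    $m = [Math]::Min($ma, $mb)   # the shorter prefix decides whether one contains the other
    return (($na -band $m) -eq ($nb -band $m))
}
if (Test-PrefixOverlap $onPremPrefix $vnetPrefix) {
    throw "$onPremPrefix and $vnetPrefix overlap; choose a distinct VNet range."
}

# Pre-shared key: 32 random bytes instead of a guessable string; do not hard-code it in scripts.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$sharedKey = [Convert]::ToBase64String($keyBytes)

# Azure side: VNet with an application subnet plus the GatewaySubnet.
$appSub = New-AzureRmVirtualNetworkSubnetConfig -Name 'App' -AddressPrefix '10.1.0.0/24'
$gwSub  = New-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gatewayPrefix
$vnet   = New-AzureRmVirtualNetwork -Name 'MyVNet' -ResourceGroupName $rg -Location $location `
              -AddressPrefix $vnetPrefix -Subnet $appSub, $gwSub

# On-premise side as Azure sees it: the device's public IP and the LAN it fronts.
$local = New-AzureRmLocalNetworkGateway -Name 'OnPremGateway' -ResourceGroupName $rg -Location $location `
             -GatewayIpAddress $onPremVpnIp -AddressPrefix $onPremPrefix

# VPN gateway bound to GatewaySubnet and a public IP.
$pip    = New-AzureRmPublicIpAddress -Name 'MyVpnGatewayIp' -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
$gw     = New-AzureRmVirtualNetworkGateway -Name 'MyVpnGateway' -ResourceGroupName $rg -Location $location `
              -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# The IPsec connection; the same $sharedKey must be entered on the on-premise device.
New-AzureRmVirtualNetworkGatewayConnection -Name 'OnPremToAzure' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $local -ConnectionType IPsec -SharedKey $sharedKey
```

Gateway creation takes a long time to complete; the connection only negotiates once the on-premise device has been given the matching key and peer address.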
Configuring the On-Premise Application Proxy
Now that your VPN endpoint is configured, you need to configure the Application Proxy within your on-premise network. This is used for routing traffic to and from your Azure instance. You can use the New-AzureRmApplicationProxy cmdlet to create the Application Proxy. You need to provide the following parameters to the cmdlet:
- Name: The name of the application proxy.
- Resource group: The name of the resource group into which you’ll place your application proxy. This is required because application proxies are tied to a specific resource group.
- Address: The IP address of the application server within your on-premise network. This is used for the reverse-proxy function of the application proxy.
- Protocol: The communication protocol used by your Azure instance (for example, TCP, UDP, or IPv6).
- Port: The port used by your Azure instance for TCP and UDP connections.
- Credentials: Your Azure login credentials.
- The SSL certificate used to secure network traffic to and from your Azure instance (if you plan to use HTTPS).
- The certificate thumbprint (or Subject Alternative Name/SAN) used to authenticate the SSL certificate (if you plan to use HTTPS).
- The DNS record(s) used to resolve hostnames into IP addresses (for IPv6 connectivity).
- The region in which the application proxy is located (for performance reasons).
- The availability zone(s) within the region in which the application proxy is located (for performance reasons).
- The amount of bandwidth (in GB) that you want to make available for public websites.
- The resource policies that you want to apply to your Azure instance (for example, you can limit the amount of network traffic or request rates).
- The administrative security group(s) associated with your Azure instance (if you plan to use security groups).
Let’s configure an Application Proxy with these parameters:
New-AzureRmApplicationProxy -Name myAppProxy -ResourceGroup MyResourceGroup -Location "East US" -Protocol TCP -Port 443 -Credentials (Get-AutomatonAccount) -AllowedCertificateTypes (Get-AutomatonCertificateType) -SSLCertificate (Get-AutomatonCertificate) -AllowedProtocols (New-AutomatonCertificateProtocol) -AllowedHostNames (New-AutomatonCertificateAlternativeName)
The above cmdlet will create a new Application Proxy within your on-premise network. If you’d now like to connect an Azure website to this Application Proxy, use the Set-AzureRmApplicationProxy cmdlet with the -SiteName parameter as we did with the VPN endpoint.
Configuring the On-Premise Network Router
Once you’ve connected the Application Proxy to your on-premise network, you need to configure the device responsible for routing network requests to and from your Azure instance. This is called the “on-premise network router” and it’s configured using standard device configurations (such as DHCP or Static IP assignment).
In our example, we’ll use a Static IP address to configure the on-premise network router. To do this, use the Set-AzureRmApplicationGatewayConfig cmdlet.
The above cmdlet will update the static IP address of the on-premise network router to 10.0.0.10. You can then verify this by using the Get-AzureRmApplicationGatewayConfig cmdlet.
Now that your network router is configured, you can use standard routing protocols to route traffic to and from your Azure instance. For instance, you can use the RSVP protocol to exchange routing information between devices (for instance, switches and routers) participating in the VPN.
Testing Your Site-to-Site VPN Connection
Once you’ve configured your Azure VPN and Application Proxy, you can test the connection between your two sites by using the Get-AzureRmVpnConnectionStatus cmdlet.
The above cmdlet will return the test connection status for your Azure VPN and Application Proxy. In our example, we expect to see the following test results:
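An added example of checking the link, not taken from this page: it polls a gateway connection with the AzureRM module's Get-AzureRmVirtualNetworkGatewayConnection cmdlet until it reports Connected, then tests a port across the tunnel. It assumes a connection named OnPremToAzure exists in MyResourceGroup and that 10.1.0.4 is an Azure host behind the VPN (both placeholders).

```powershell
# Added example (not from the page). Assumes the connection 'OnPremToAzure' already exists in
# 'MyResourceGroup'; 10.1.0.4 is a placeholder for an Azure host reachable only over the VPN.
function Wait-VpnConnected {
    param([string]$Name, [string]$ResourceGroupName, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $c = Get-AzureRmVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        if ($c.ConnectionStatus -eq 'Connected') {
            # Byte counters show the tunnel is passing traffic, not just that IKE negotiated.
            return [pscustomobject]@{
                Status  = $c.ConnectionStatus
                Ingress = $c.IngressBytesTransferred
                Egress  = $c.EgressBytesTransferred
            }
        }
        Start-Sleep -Seconds 15   # IKE/IPsec negotiation can take a few minutes after creation
    } while ((Get-Date) -lt $deadline)
    throw "Connection '$Name' is '$($c.ConnectionStatus)' after $TimeoutSeconds s; the shared key or IKE/IPsec settings on the on-premise device most likely do not match."
}

$result = Wait-VpnConnected -Name 'OnPremToAzure' -ResourceGroupName 'MyResourceGroup'
$result | Format-List

# From an on-premise host, confirm that routing and the port actually work end to end.
Test-NetConnection -ComputerName 10.1.0.4 -Port 443 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```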