Configure Azure Site-Site VPN to On-Premise network

Sujit Raul
Published in Globant
10 min read, Mar 12, 2021

Introduction

First, let's look at what a VPN is and why it was created.

VPN, the virtual private network, was created to secure the connection itself. VPNs came into existence in the mid-90s, when the internet took off. End-user systems already had some protection in the form of anti-virus and anti-malware programs, but those programs only secured the single computer on which they were installed. As internet connectivity spread in the mid-90s, the need to secure the whole connection arose, and the VPN was created to meet it.

A VPN is a private connection carried over the internet. It consists of several different protocols, all of which share the goal of connecting remotely to a private network over a public connection. In the beginning it was used almost exclusively by businesses, but today VPNs are also used to secure an individual's internet connection, protecting it from snooping and attacks and preserving digital privacy.

Now that we know what a VPN is, let's look at what a Site-to-Site connection is. Site-to-Site is one type of VPN connection; there are others, such as Point-to-Site. In this blog I will elaborate on Site-to-Site. A Site-to-Site VPN connection means there are at least two sites, each with a number of computers, and these computers want to share resources among themselves as if they were on one private network, rather than exposing that traffic directly on the public internet. Both sites can be on-premises, one can be on-premises and the other in the cloud, or both can be cloud sites. Here we will discuss the typical scenario where one site is on-premises and the other is in the cloud (Azure).

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE VPN tunnel.

image courtesy: Microsoft docs

So here we will discuss the steps that create a connection between computers in the Azure virtual network and computers on the on-premises network.

Prerequisites

We need three things as prerequisites:

  1. A valid Azure subscription.
  2. A VPN device on premises, and the knowledge to configure it.
  3. A static public IP address on the external interface of that VPN device.

Create a virtual network

  1. Type Virtual Network in the search box and press Enter. Virtual Network will appear on the screen.

  2. Click on Virtual Network; a window opens as below, where you click the Create button.

  3. Once you click the Create button, the Create Virtual Network screen opens as shown below. Fill in the details asked on the screen: choose the Subscription in which to create the virtual network, choose an existing Resource Group or create a new one, give a suitable name to your Virtual Network, and choose the region.

In the IP Addresses tab, the "IPv4 address space" field is filled with a default value. You may change this address space; keep in mind that it must not overlap with the on-premises address range you will connect to later.

In the "Security" tab, keep everything at the defaults and click Review + create.

After the settings have been validated, click the Create button; this creates the Virtual Network.

Create Virtual Network Gateway:

Now that the Virtual Network exists, we have to create the Virtual Network Gateway.

What is a gateway and what does it do? A gateway is a network device that passes traffic from one discrete network to another.

To create a Virtual Network Gateway, the proper way is to first go to the resource group in which you created the Virtual Network. There you see the + Add button; click on it.

Once you click the + Add button you will see a screen as below, where you enter "Virtual network gateway" and press Enter.

Doing so takes you to a screen as below.

Clicking the Create button takes you to a form where you fill in the configuration details of the virtual network gateway.

Fill in the form as follows, leaving the remaining fields as shown in the image above:

  1. Name: an appropriate name.
  2. Region: the same region you chose when creating the virtual network.
  3. Gateway type: VPN.
  4. VPN type: Route based.
  5. SKU: the gateway SKU you need for this deployment.
  6. Generation: Generation1.
  7. Virtual network: the virtual network you created above.
  8. Gateway subnet address range: leave the value that appears.
  9. Public IP address: Create new, with an appropriate name in the Public IP address name field.

Clicking Review + create validates the configuration; if validation succeeds, the Create button appears. Clicking Create creates the VPN gateway.

Create a local network gateway

A local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. To create one, again go to the resource group where you created the other resources and click the + Add button.

The Azure Marketplace window opens; search for "Local network gateway".

You land on a screen with a Create button for the Local network gateway.

Clicking Create takes you to a screen where you fill in the configuration details of the local network gateway.

In the "Name" field, fill in an appropriate name. For Endpoint, select IP address if your VPN device has a static IP, or FQDN if your VPN device has a dynamic IP assigned by the ISP. In the Address Space field, add the on-premises IP ranges; you may add multiple ranges, but they must not overlap with the ranges of the network you want to connect to (the Azure virtual network), otherwise traffic for the colliding range cannot be routed into the tunnel. Keep Configure BGP settings unchecked; check it only if you are configuring BGP. For Location, choose any location; it need not be the same as the location used for the Virtual Network.

Configure your VPN device

To configure your VPN device, go through the documentation of the device you have bought. Azure also provides downloadable configuration scripts for popular devices in its VPN Gateway documentation.

Create a VPN connection

Now we create the "Site-to-Site VPN" connection between the virtual network gateway we have already created and the on-premises VPN device, which you configure as per your device's documentation and the help mentioned in the paragraph above.

To create the VPN connection, go to your Virtual network. You can get there by searching for its name or through the resource group you used when creating it. In my case the name is VNet1. Once there, the screen looks similar to the image below. Click on Connected devices, as highlighted in the image; the virtual network gateway you created appears in the right panel. Click on the virtual network gateway (here that is VNet1GW).

Clicking the virtual network gateway opens a screen as below. Click Connections, and a screen with a + Add button appears.

Clicking Add takes you to this form:

In this form, fill in an appropriate Name. For Connection type, select Site-to-site (IPsec). For Virtual network gateway, keep the value that appears; it is fixed because we are creating the connection from within this gateway. For Local network gateway, select the local network gateway created previously; for this demo I select Site1. For Shared key, the value must match the pre-shared key configured on your on-premises VPN device; treat it as a secret and use a long random value. Keep Use Azure Private IP Address unchecked. Leave Enable BGP unchecked. Select IKEv2 for the IKE Protocol field. The remaining values for Subscription, Resource Group and Location are fixed.

Click OK, and the connection is created.

Verify the VPN connection

Once the connection is created following the step above, it is time to verify it. Go to the Virtual network gateway (here that is VNet1GW). On the left-hand side you will see an option named "Connections". Click on it and you will see the connection created above (VNet1toSite1). Click on the name of the connection and look at the Essentials panel.

Here the Status must be Connected; otherwise something went wrong while creating the connection.
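As an added example (not part of the original post), the portal steps from "Create a virtual network" through "Verify the VPN connection" expressed as an Azure CLI script, together with a pre-check for the address-space overlap warned about under "Create a local network gateway". The resource names VNet1, VNet1GW, Site1 and VNet1toSite1 come from the post; the resource group, region, address prefixes, the VpnGw1 SKU, the Standard-SKU static public IP and the on-premises public IP (203.0.113.10) are assumed placeholder values, and the shared key is read from an S2S_SHARED_KEY environment variable rather than written into the script.

```shell
#!/bin/sh
# Added example, not the author's script: Azure CLI equivalent of the portal steps,
# plus an offline check that the two address spaces do not overlap.
# Names VNet1, VNet1GW, Site1 and VNet1toSite1 are from the post; everything else is an
# assumed placeholder. Deploying requires an authenticated Azure CLI session (az login).
set -eu

RG=${RG:-rg-s2s-demo}                                 # assumed resource group
LOCATION=${LOCATION:-eastus}                          # assumed region
VNET=VNet1
VNET_PREFIX=${VNET_PREFIX:-10.1.0.0/16}               # assumed Azure address space
SUBNET_PREFIX=${SUBNET_PREFIX:-10.1.0.0/24}           # assumed workload subnet
GW_SUBNET_PREFIX=${GW_SUBNET_PREFIX:-10.1.255.0/27}   # assumed GatewaySubnet (/27 or larger)
VNET_GW=VNet1GW
LOCAL_GW=Site1
CONN=VNet1toSite1
ONPREM_PUBLIC_IP=${ONPREM_PUBLIC_IP:-203.0.113.10}    # placeholder: static IP of the on-premises VPN device
ONPREM_PREFIX=${ONPREM_PREFIX:-192.168.10.0/24}       # placeholder: on-premises address space

# Dotted-quad IPv4 address -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/len B/len: exit 0 when the two blocks share at least one address.
# Two prefixes overlap exactly when they agree on the shorter of the two prefix lengths.
cidr_overlap() {
  local a_net a_len b_net b_len len mask
  a_net=$(ip2int "${1%/*}"); a_len=${1#*/}
  b_net=$(ip2int "${2%/*}"); b_len=${2#*/}
  len=$(( a_len < b_len ? a_len : b_len ))
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
}

# Refuse to build a tunnel between colliding address spaces: traffic for the
# colliding range would never be routed into the tunnel.
check_address_spaces() {
  if cidr_overlap "$1" "$2"; then
    echo "address spaces $1 and $2 overlap; choose a distinct on-premises range" >&2
    return 1
  fi
}

deploy_site_to_site() {
  # The pre-shared key must be identical on the on-premises device.
  : "${S2S_SHARED_KEY:?export S2S_SHARED_KEY before running deploy}"
  check_address_spaces "$VNET_PREFIX" "$ONPREM_PREFIX"

  az group create --name "$RG" --location "$LOCATION"
  # Virtual network with a workload subnet, then the gateway's own GatewaySubnet
  az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
    --address-prefixes "$VNET_PREFIX" --subnet-name FrontEnd --subnet-prefixes "$SUBNET_PREFIX"
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX"
  # Public IP for the gateway (assumed: Standard SKU, static allocation)
  az network public-ip create --resource-group "$RG" --name "${VNET_GW}-pip" \
    --location "$LOCATION" --sku Standard --allocation-method Static
  # Route-based VPN gateway, Generation1 as in the post, VpnGw1 SKU assumed; creation is slow
  az network vnet-gateway create --resource-group "$RG" --name "$VNET_GW" --location "$LOCATION" \
    --vnet "$VNET" --public-ip-address "${VNET_GW}-pip" --gateway-type Vpn --vpn-type RouteBased \
    --sku VpnGw1 --vpn-gateway-generation Generation1 --no-wait
  az network vnet-gateway wait --resource-group "$RG" --name "$VNET_GW" --created
  # Local network gateway: the on-premises device's public IP and its address space
  az network local-gateway create --resource-group "$RG" --name "$LOCAL_GW" --location "$LOCATION" \
    --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_PREFIX"
  # Site-to-site IPsec connection; BGP stays off and IKE stays at the default (IKEv2 on route-based gateways)
  az network vpn-connection create --resource-group "$RG" --name "$CONN" --location "$LOCATION" \
    --vnet-gateway1 "$VNET_GW" --local-gateway2 "$LOCAL_GW" --shared-key "$S2S_SHARED_KEY"
}

# Poll the connection until it reports Connected, the Status the post checks under Essentials
wait_for_connected() {
  local tries status
  tries=0
  while [ "$tries" -lt 30 ]; do
    status=$(az network vpn-connection show --resource-group "$RG" --name "$CONN" \
      --query connectionStatus -o tsv)
    [ "$status" = Connected ] && return 0
    echo "connection status: ${status:-unknown}, waiting..." >&2
    tries=$((tries + 1)); sleep 20
  done
  return 1
}

case "${1:-}" in
  deploy) deploy_site_to_site && wait_for_connected ;;
  check)  check_address_spaces "$VNET_PREFIX" "$ONPREM_PREFIX" && echo "address spaces are disjoint" ;;
esac
```

Run the script with the `check` argument to validate the address spaces offline, and with `deploy` after `az login` to create the resources and poll until the connection status reads Connected. The overlap check is done before any resource is created because a colliding range is the most common reason a tunnel comes up as Connected yet carries no traffic.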

How to connect to a Virtual Machine that is on your virtual network

The last step is to verify that a computer on premises can connect to a computer in the virtual network. Provision a VM in your virtual network and, once it is deployed, note its private IP address. From a computer on the on-premises network, open an RDP session to that IP. The VM's network security group must allow inbound RDP (TCP 3389) from the on-premises address range. If all the above steps succeeded, the RDP session from the on-premises computer to the VM on the virtual network will connect.

We can connect Azure functions to the virtual network

Yes. Azure Functions can be integrated with an Azure virtual network. But what is the use case? Why would we integrate an Azure Function into a virtual network? Suppose the function needs resources that live in the virtual network, for example one computer or a set of computers that the function wants to reach, or files of various types stored on those computers. In such a scenario the function needs a connection into the Azure virtual network where those computers are, in order to access them.

We can connect our App on Azure to an Azure virtual network.

The benefit of connecting an app in Azure to an Azure virtual network is that the app can access the resources available in that virtual network. Think of a scenario where the app faces the internet but needs to log something essential that all employees with access to the same virtual network will use. Another example: a computer in the virtual network where employees upload documents that the app running in your App Service needs. For these kinds of scenarios there must be a connection between your App Service and your Azure virtual network.

These last two topics, where I touched on use cases for virtual networks, could each be an independent post covering how to establish the connection between these services and the Azure virtual network. Those details are out of scope for this blog; I encourage you to read up on how to connect these services to the Azure virtual network if you need to know more.

Conclusion

We have discussed how to create a virtual network, a VPN gateway and a local network gateway, how to refer to the device documentation to configure the VPN device, how to create a VPN connection and verify it, and lastly how to connect a computer on premises to a computer on the virtual network.

These are the steps to create a Site-to-Site virtual network connection and establish it from on-premises.
