Site-to-Site Azure VPN with a Windows RRAS Server

In this video I demonstrate how to set up a VPN tunnel between a Routing and Remote Access server and Azure. Hello everyone, my name is Travis and this is Ciraltos. I set up a VPN connection between a VNet gateway in Azure and a Routing and Remote Access, or RRAS, server last year to connect my home lab with my network. At the time my home lab was just VMware Workstation running a couple of VMs on a desktop. My lab has grown and most of my VMs are now running on a Hyper-V server, with the exception of that Routing and Remote Access server. In this video I go over deploying a new RRAS server and connecting it to an Azure gateway. The process is not limited to home labs; it could be used for a small office or any environment where a site-to-site VPN to Azure is required. Also, if you plan to take an Azure certification such as the AZ-103, stepping through this example with me will give you some good hands-on experience without having to purchase a VPN appliance.

Before I get started, there are a lot of different configurations that this will work with. For example, I currently have a single subnet on my home network. The RRAS server sits behind a cable modem and VPN traffic is forwarded to that RRAS server. In this configuration I have to set a static gateway to the internal RRAS server for any servers that need to connect to Azure. But I have a couple of teenagers in the house, and with all their devices and smart TVs and home automation my subnet is getting stretched; there are not many IPs left for servers. My new configuration will look something like this: the plan is to have one subnet on the Hyper-V server for my home lab, and the RRAS server will act as the gateway for that subnet. This will free up IPs on my home network and isolate my lab traffic on its own subnet. I put off this project and this video for a while because I wasn't sure how to address the local networking aspect. There are so many different configuration options that I couldn't possibly address them all in this video, so I'm just going to say that any device that needs to connect to Azure over the VPN will need the RRAS server configured as its default gateway. I suspect most people watching this video will know how to set a DHCP or static IP entry to make that happen, but for this video I'm going to focus more on creating the VPN tunnel between the two endpoints and not so much on the actual networking behind it.

There are a couple of things needed to get this set up. First, a Windows server to host the Routing and Remote Access role. I'm using Server 2019 in this example, but 2016 will work too. The server will have ports open to the internet, so it will not be domain joined. My current setup is running Server Core, but I had some issues with configuration settings, so I'm using the full desktop in this example. The server has an internal and an external NIC, connected to the internal and external subnets. I also have an Azure subscription and a VNet set up in that subscription. I have admin rights to the firewall, with the ability to do port forwarding on that firewall. You do not need a static public IP, but one that's relatively consistent will help a lot; I'll dive into that later. The last item is cost. Using a Basic gateway, this setup cost me about $25 per month; your cost will vary depending on traffic and the size of the gateway selected. It's not possible to deallocate gateways like you can with a VM, so as long as it's in your subscription you're getting charged for it. That's a good reason to set up budgets and cost alerts on your subscription; I have a video for that and I'll share it above.

Here's an overview of how this will look once finished. If I had an enterprise firewall I could just handle the VPN termination there, but I don't, so instead I'm forwarding the IPsec ports UDP 500 and UDP 4500 to the RRAS server. As stated, this setup requires that you forward inbound traffic. You'll need to verify that your modem, ISP or any other device is not blocking that inbound traffic. It's possible that some of you may have a modem that's also a firewall; you'll have to figure out how to forward ports in that situation. As I said before, there are a lot of options and I can't cover everything. To get this to work, in whatever setup, those two ports will need to be forwarded to the Routing and Remote Access server.

Here are the steps we're going to go over in the demo: we're going to add the Routing and Remote Access role to the server, create an Azure virtual network gateway, create a local network gateway in Azure, configure Routing and Remote Access for the VPN, create the connection, and then test.

Let's get started. Here I am logged into the Routing and Remote Access server. I'm going to go to Manage, Add Roles and Features, and click Next to step through the wizard, selecting the local server. Under Server Roles select Remote Access and click Next; click Next at Features, which will take you to Remote Access. Under Role Services select DirectAccess and VPN (RAS), and at the screen that opens select Add Features. Next, select Routing under Role Services and click Next. Continue by clicking Next on the confirmation pages and then Install. It'll take a few minutes to finish. Once done, open Routing and Remote Access to verify it; the service will show stopped. We'll come back and finish the configuration shortly.

OK, to get started the first thing I'm going to do is create a gateway subnet. This is a subnet in the VNet with the name GatewaySubnet; it has to have that GatewaySubnet name. You do have the option to set this up when you deploy the gateway, but I didn't want to set it up in advance so we can see the whole process. So the first thing I'm going to do is go into my VNet, go to Subnets, and create a gateway subnet. I'm going to change this to, and really you can use any subnet you want for this, I'm just picking 200 kind of at random, and I'm going to give it a /27. The minimum is a /28, but I'll just make it a /27 so there are a couple of extra IP addresses in there, and the rest can be left as is. I'll click OK and now it's creating that subnet. So we can go in and see that gateway subnet; it has the IP addresses 10.0.200.0 through 10.0.200.31, and the rest can be left as it is. Now I'm going to go back to my network resource group.

Next I'm going to create the virtual network gateway. I do that by creating a resource and searching for "virtual network gateway"; here it is. I'll select Virtual network gateway and Create. I'll leave the subscription as Pay-As-You-Go. I need a name for this and I'll call it LabGW1, for gateway one. You may notice that the resource group will be the resource group of the virtual network that you select later on, so I'm going to pick the same location as my virtual network. The gateway type is VPN and the VPN type is route based. Route-based gateways direct traffic based on the routing information in the routing table and forward packets to the proper tunnel interface; the packets are encrypted and decrypted in and out of that tunnel. Policy based, on the other hand, encrypts and manages packets based on the IPsec policy configuration, with a combination of address prefixes between your on-premises network and the Azure VNet; this is available only for Basic gateways and is limited to one tunnel. So I'm just going to leave this as route based. The SKU is going to be Basic, and the only option is Generation 1. The Basic SKU is considered a legacy SKU and has some feature restrictions, but it is the cheapest and it works well for a lab. I'm just going to select my virtual network, and you can see next it's going to pull in that gateway subnet address that we already configured. I'm going to create a new public IP address and give it the public IP name of, let's see here, LabGW_PIP. I'll leave Enable active-active mode and Configure BGP as disabled. Next is tags; I'll just give this, let's see here, Department and set it to IT. Review and create; the validation passed, so I'm going to click Create next and wait for it to finish. This will sometimes take up to 45 minutes to finish, so I'm just going to let it go. I'll pause now and I'll be back once it's finished.

I'm back; the virtual network gateway has finished. It did take quite some time, but let's move on. The next thing I'm going to do is create a local network gateway. What this is, is the representation of your VPN endpoint in Azure; this is where it gets some of its configuration information and how it knows what to connect to. So let's create a resource and search for "local network gateway"; there it is, and I'll click Create. I'll give it a name; I'll just call it homelab. Now the IP address is the IP address of the endpoint, so this would be my local, and again "local" refers to local to me, not to Azure, so it's my home network's external IP address. I like to use a tool called IP Chicken to find this; you can use any tool you wish, but IPChicken.com will give you your public IP address. So I'll come back, copy that and paste it in. OK, next is address space. What it's asking for is the address spaces, or the subnets, on that remote network. In my case I'm only going to have one, but you could have multiple. So my remote network is going to be the 192.168.200 subnet. For the resource group, I like to put all my networking objects, at least for a specific region, in one resource group; they're easier to find that way. I'll leave the location at Central US and next I'm going to click Create.

The next thing I'm going to do is hop back to my local Routing and Remote Access server and finish the configuration on that. Here you can see I have two network cards. I've got an internal one that's connected to an internal Hyper-V switch, so I can route traffic from anything within that Hyper-V host, and the host itself, over that interface, and that doesn't need to be a static IP address because that's the gateway for anything on that 200 network. "External" in this case is just external to the internal network, I guess, so that's going to be connected to the 192.168.254 network; again that's just the same network that all of my household devices are on, and that's going to proxy the connection out over the internet link. Regardless, in this little environment "external" is just external to that internal network, and that's what's going to connect to the internet.

So now I'm going to go into Routing and Remote Access, right-click, and Configure and Enable Routing and Remote Access. I'll click Next at the wizard. For the configuration I'm going to use "Secure connection between two private networks". I'll click Next and I'll leave demand-dial connections as Yes, and my clients are going to get an IP address automatically, so I'll leave that as Yes, and then just click Finish and we'll let it get the services started. It's going to prompt me for another wizard here in a second. OK, here is the Demand-Dial Interface Wizard, so I'm going to click Next and give this interface a name. This is the interface that's going to actually connect to the VPN endpoint in Azure, so I'm going to call it AzureGW. I'll click Next, and I'm going to connect using a VPN, and for the VPN type I will choose IKEv2. Now it's asking me for the remote IP address of the host. I'll find that in the public IP information on that gateway. Let's move back to the Azure portal and we'll get that info: go to Resource groups, everything is in my networkRG resource group, and labGW1 PIP for the public IP. I'm just going to copy that; that is the IP address it's going to connect to. I'm going to leave this as "Route IP packets on this interface". Here it wants me to configure a static route. What this does is tell the Routing and Remote Access server, any time it gets a packet bound for a specific IP address, to route it out the VPN interface. So in order to do this I have to add a remote network. Let's just hop back to Azure because we really didn't talk about this. If I go to networkRG, I'm going to go into my virtual network, and under Address space there's the address space that that VNet will host; in this case it's a /16, so anything within that address space could exist in this VNet, and that's further cut down into subnets, which is what we actually assign VMs to. But here it's saying that anything in the /16 could exist on this VNet. So I'm going to go back home and put that in: a /16 is 255.255.0.0, and for the metric I will just use 10. So there it is, and then I'll click Next. For the dial-out credentials I can leave that blank for now, and Finish.

OK, let's review that to make sure it's set up OK. There it goes. Under Network Interfaces here's the AzureGW demand-dial interface, and it's enabled but disconnected, which is something that I would expect. Let's go into IPv4, General; the demand-dial interface shows nothing there. Static Routes: now I actually had a problem with this and I thought I was going maybe a little bit nuts, but under Static Routes, for IPv4 and IPv6, there's nothing, and the problem is we just set that up but it's not here. So I'm not sure if that was for something different or what's going on, but you do have to add a new static route. This is a repeat of what we did before, but all I'm doing is entering that same destination, and I'll change the metric back to 10. So although I believe I set this up when I deployed the network interface, it didn't take. You can see here "Use this route to initiate demand-dial connections"; I'll click OK. There, now our static route is in there. That is important; this won't work without having the static route in, and again that IP address is the address space on the VNet in Azure.

OK, so that's set up, but we still have to go back to Azure. Here we go. I'm going to go back into my network resource group, go into the homelab local network gateway, and under Connections I'm going to add a connection. A connection is the representation of the actual VPN tunnel; this is where it's going to get some VPN information and the shared key. I'm going to name this "lab connect". I'm going to pick LabGW1 for the virtual network gateway, so that's the gateway in Azure, and homelab is already selected for the local network gateway, so again that's the VPN endpoint on my local network. And then a pre-shared key; I'm going to make this "newkey123", and of course that will be changed by the time you see this. I'll leave it as IKEv2 and the rest is the same. I'm going to click OK and give it a second to create it. There it is; it's updating. If we come back in a couple of minutes it'll say it's trying to connect. I'm going to hop back to the server and see what's going on there. Let's see, Network Interfaces: it's disconnected.

Now there's one more thing I need to do before this will connect. I'm going to go back to my web browser, and I'm not sure how much I'll actually show you of this, but this is a dated firewall that I use on my network. What I want to show is that under Virtual Servers in port forwarding I have two ports forwarded, UDP 500 and UDP 4500, and right now they're going to 192.168.254.200. That's my old server that I had set up. Let's go back to my server; I'm just going to check the IP configuration here. The external interface which is going to connect to that subnet is .201, so I need to go back and update this. I'm going to change it from 200 to 201. OK, that's saved, but this router will not apply that configuration until it's rebooted, so I'm going to reboot it real quick and then come back and finish up. While we're waiting for that to reboot: each router is going to have a different configuration. As I said before, perhaps you have a cable modem or DSL modem and firewall combined; I happen to have them on two separate devices. So there could be a lot of options in how to configure port forwarding. If you're having difficulties I'd recommend standing up an IIS or Apache server on that network, hosting a simple website on port 80, and configuring the router to route external traffic to that. Once you're able to forward traffic to a web server you should be able to use that same configuration as a guide to forward traffic to the UDP 4500 and 500 ports. It's just a little bit easier to troubleshoot if you can see that ports are actually being forwarded correctly.

OK, so that's done. I'm going to go back to the server and I have one more thing to do. I'm going to go into this gateway interface, go into Properties, Security, and I have to add that pre-shared key. So there it is and I'll click OK. Now let's go back to the portal. That is saying Updating; let me just refresh it. OK, so that's set to Connecting but it's not connected yet, and the AzureGW interface still shows disconnected. This is a demand-dial interface, meaning it actually has to get some traffic before it'll connect, so let me just ping something on the Azure subnet and see if I can get that connection to come up. OK, that failed, but let me go back and do a refresh. There, it says it's connected. I'm going to refresh this; still says Connecting. OK, there we go, now it's connected. And just to let you know, I did have to restart my router a second time; not quite sure why that is, but that was an issue on my end, not with the RRAS server or with Azure. Let's come back and we can see we've got some traffic coming across.

Let me try pinging again. Creating a ping from this computer kick-started a demand-dial session and connected. The problem is, the traffic is still coming from a 192.168.254 IP address, not the 200 which was defined in the local network gateway. So what I did is I just added a server here on the .200 subnet, with the IP address ending in .220 as you can see, and what I'm going to do is simply try to ping that server in Azure. There we go, now we're getting a reply back. And I can show that: if we go to the homelab local network gateway and go into Configuration, you can see I have an address space of 192.168.200.0, so that's telling the gateway and the VPN connection that that subnet exists on the other side of the VPN connection. But what I don't have in here is 192.168.254, which is the IP address of that Routing and Remote Access server, so it's not going to return traffic there, but it will return traffic where it matters, and that's anything on that internal .200 subnet. Now if I minimize this and come back to the Routing and Remote Access server we can see that the demand-dial interface is passing traffic in both directions.

OK, so we can connect to a server that is located in the Azure subnet, but one problem we have is I can't really connect to anything else. For example, if I try to simply ping a DNS server it won't work, and that's because we haven't configured the Routing and Remote Access server to act like a proxy server. So let's go back here and we're going to go into NAT. This is going to configure network address translation, so everything in that internal subnet is going to get masked, or NATed, behind the external interface. We do that by adding a new interface. I'm going to select Internal; I notice I have two of them here, which could be because of some of my testing, or perhaps you'll have two as well. I'm just going to pick the first one and see if that works. That's going to be the private interface, so internal is the private; it's the only option now anyway, and then I'll click OK. Next I'm going to add another new interface, this time External. I'll click OK and I'm going to change this to "Public interface connected to the Internet" and enable network address translation on this interface, so I'll click Apply and OK. Now let's go back and see if I can ping that server. Yep, that works. Let's just see what IP Chicken says; there it is. So that is now working; these servers can get to the internet and they can also get to the subnet in Azure.

OK, one more thing before we go: what happens when your ISP changes your public IP address? You would notice that this would break, this wouldn't work, so what do you do? You would go back into Azure, find what your new external IP address is using IP Chicken or something like that, and then come in and find your homelab configuration and update the IP address in Configuration to the new IP address, and that should take care of it. That is a downside to having a home lab behind a dynamically assigned public IP address, but to be honest I've done this and I don't think I've had to change it once, just because my internet connection is always on, and even when it restarts it generally gets the same IP address back. But I'm sure all ISPs are different; some people may be changing that more frequently.

OK, so I think that covers it for the demo. We added the Routing and Remote Access role, we got our public IP address for the local network, we created a gateway in Azure and the gateway subnet, we created a local network gateway, and then we created a connection. We finished configuring the Routing and Remote Access server; that included changing the port forwarding on my firewall. We created a connection and then we finished it all up, then we tested it by running a ping command from a server on that internal network. That's it for the demo; that does it for this video. If you found it helpful please subscribe and click the bell icon. Thanks for watching!
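The Azure side of the demo (gateway subnet, virtual network gateway, local network gateway and connection) as an Az PowerShell script, with a small function for the public IP change covered at the end. This is an added example, not the video's own script; it assumes the Az module with Connect-AzAccount already run, the resource group networkRG in Central US, names from the video with spaces removed, a /24 for the lab subnet, and placeholders for the VNet name, home public IP and pre-shared key.

```powershell
# Added example (not the video's script): the Azure side with the Az PowerShell module.
# Assumptions: Connect-AzAccount already done; resource group networkRG in Central US;
# the VNet name, home public IP and pre-shared key are placeholders you fill in.
$rg        = 'networkRG'
$location  = 'centralus'
$vnetName  = '<your VNet name>'        # placeholder; the video does not name the VNet
$homeIp    = '<home public IP>'        # placeholder, e.g. what IPChicken.com reports
$homeSpace = '192.168.200.0/24'        # lab subnet behind RRAS (video gives 192.168.200.0; /24 assumed)
$psk       = '<pre-shared key>'        # placeholder; the same value goes on the RRAS interface

# 1. Gateway subnet: the name GatewaySubnet is mandatory; /27 leaves headroom over the /28 minimum.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.200.0/27' -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. Public IP plus the route-based Basic gateway (no active-active, no BGP). Expect a long wait.
$pip    = New-AzPublicIpAddress -Name 'LabGW_PIP' -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'LabGW1' -ResourceGroupName $rg -Location $location `
        -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic `
        -Tag @{ Department = 'IT' }

# 3. Local network gateway: the home end's public IP and the subnet that lives behind it.
#    Only 192.168.200.0 is listed, so Azure never routes back to the RRAS box's own 192.168.254 address.
$lng = New-AzLocalNetworkGateway -Name 'homelab' -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $homeIp -AddressPrefix $homeSpace

# 4. The connection is the tunnel itself: IPsec over IKEv2, authenticated with the shared key.
New-AzVirtualNetworkGatewayConnection -Name 'labconnect' -ResourceGroupName $rg -Location $location `
        -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
        -ConnectionProtocol IKEv2 -SharedKey $psk | Out-Null

# The RRAS demand-dial interface needs this address as its destination.
(Get-AzPublicIpAddress -Name 'LabGW_PIP' -ResourceGroupName $rg).IpAddress

# 5. When the ISP hands out a new public IP, only the local network gateway has to change.
#    Assumed approach: update the object's GatewayIpAddress and write it back with Set-AzLocalNetworkGateway.
function Update-HomeLabGatewayIp {
    param([Parameter(Mandatory)][string]$NewPublicIp)
    $lng = Get-AzLocalNetworkGateway -Name 'homelab' -ResourceGroupName $rg
    $lng.GatewayIpAddress = $NewPublicIp
    Set-AzLocalNetworkGateway -LocalNetworkGateway $lng | Out-Null
}

# 6. Status check from the Azure side; it stays "Connecting" until the demand-dial interface sends traffic.
(Get-AzVirtualNetworkGatewayConnection -Name 'labconnect' -ResourceGroupName $rg).ConnectionStatus
```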

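The RRAS side of the demo as a script, added here rather than taken from the video, using the RemoteAccess cmdlets that the Add Roles wizard, the Demand-Dial Interface Wizard and the NAT dialog drive behind the scenes. It assumes NICs named Internal and External, a VNet address space of 10.0.0.0/16 (the /16 containing the 10.0.200.0/27 gateway subnet), and placeholders for the Azure gateway IP and the pre-shared key.

```powershell
# Added example (not from the video): the RRAS side of the tunnel as a script, run in an
# elevated PowerShell on the RRAS server (Server 2016/2019, full desktop, not domain joined).
# Assumptions: the NICs are named "Internal" and "External"; the VNet address space is
# 10.0.0.0/16; the Azure gateway public IP and the pre-shared key are placeholders.
$AzureGatewayIp = '<public IP of LabGW1 from the portal>'      # placeholder
$PreSharedKey   = '<same key entered on the Azure connection>' # placeholder
$VNetPrefix     = '10.0.0.0/16'
$RouteMetric    = 10

# 1. Role and role services the wizard selects: Remote Access, DirectAccess and VPN (RAS), Routing.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Same choice as "Secure connection between two private networks": a site-to-site VPN server.
Install-RemoteAccess -VpnType VpnS2S

# 3. Demand-dial interface to Azure: IKEv2 with a pre-shared key, persistent, and the static
#    route to the VNet in "prefix:metric" form. Setting the route here avoids the wizard
#    dropping it, which is what happened in the video.
Add-VpnS2SInterface -Name 'AzureGW' -Destination $AzureGatewayIp -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly -SharedSecret $PreSharedKey `
    -IPv4Subnet "${VNetPrefix}:${RouteMetric}" -Persistent

# 4. Azure does not hand the RRAS side an address, so do not request a config payload.
Set-VpnS2SInterface -Name 'AzureGW' -InitiateConfigPayload $false -Force

# 5. NAT: lab VMs on the internal subnet are masqueraded behind the external NIC, which is
#    what lets them reach the internet as well as the VNet.
netsh routing ip nat install
netsh routing ip nat add interface name="Internal" mode=private
netsh routing ip nat add interface name="External" mode=full

# 6. Checks: IKE must be listening on UDP 500/4500 (the two ports forwarded on the firewall),
#    and the route must be present on the interface. Then dial it instead of waiting for traffic.
Get-NetUDPEndpoint -LocalPort 500, 4500 | Select-Object LocalAddress, LocalPort
Get-VpnS2SInterface -Name 'AzureGW' | Select-Object Name, Destination, Protocol, IPv4Subnet, ConnectionState
Connect-VpnS2SInterface -Name 'AzureGW'
```

If an adapter name contains spaces, quote it for netsh as name='"Local Area Connection"' so the quotes reach netsh intact.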
