Portable Site-to-Site VPN connection to Azure
Why do I have a portable Site-to-Site VPN connection to Azure?
I do several demos for user groups and other technology outreach activities on a regular basis now as well as my day job is full of demos and technology evangelism.
I found that to present really great demos I need a mobile data center, more info here on my mobile data center, and a link to Windows Azure while I travel from place to place.
Now this post is a walkthrough of what I have already configured, not a complete step by step tutorial on how to configure the Windows Azure Site-to-Site connection.
If you are just starting out check out these resources as a place to begin: Windows Azure Virtual Network Overview About VPN Devices for Virtual Network
Feel free to contact me with any questions and I will do my best to assist you.
An idea is born
Like I mentioned before I do a lot of demos and I had the idea that I needed a portable Site-to-Site VPN connection to Windows Azure to make my demos really special.
Like many individuals I cannot afford a Cisco or Juniper device for demos and I do not really want to lug any of those around from place to place.
I tried the Windows 2012 RRAS solution and it worked if I used my cable modem and a VM in Hyper-V but I was interested in something not tied to a wall jack.
So I checked the connectivity specifications of the Windows Azure Site-to-Site VPN and I noticed that while enterprise devices like Cisco or Juniper are officially supported I know that other consumer or SOHO devices are also capable of the VPN requirements.
I also started looking for VPN devices that were capable of using 4G/LTE or similar for the WAN connection.
Azure Site-to-Site VPN Requirements
More information from Technet The items in bold are the primary places to review VPN equipment to see if it is potentially capable of connecting to the Windows Azure gateway.
Property | Static routing VPN gateway | Dynamic routing VPN gateway |
---|---|---|
Site-to-site connectivity | Policy-based VPN configuration | Route-based VPN configuration |
Computer-to-site connectivity | Not supported | Supported (coexists with S2S connectivity) |
Authentication method | Pre-shared key | Pre-shared key for site-to-site connectivity Certificates for point-to-site connectivity |
Maximum Number of Site-to-site connections | 1 | 1 |
Maximum Number of Point-to-site connections | Not supported | 128 (source) |
Key exchange | IKE v1 | IKE v2 |
Encapsulation | ESP | ESP for site-to-site SSTP for computer-to-site |
Diffie-Hellman Group | Group 2 | Group 2 |
Encryption Algorithms | 3DES AES128 AES256 | 3DES AES256 |
Hashing Algorithm | SHA1(SHA128) SHA2 (SHA 256) | SHA1(SHA128) SHA2 (SHA 256) (SHA 384) |
Phase 1 Security Association (SA) Lifetime (Time) | 28800 seconds | 28800 seconds |
Phase 2 Security Association (SA) Lifetime (Time) | 3600 seconds | 3600 seconds |
Phase 2 Security Association (SA) Lifetime (Throughput) | 102400000 KB | 102400000 KB |
Active Routing Support (BGP) | Not supported | Not supported |
Dead Peer Detection | Not supported | Supported |
Portable VPN Device
Based on the above requirements I evaluated a few portable VPN devices.
The portable VPN device I selected is the Cradlepoint MBR1200B
**
**
VPN (IPSec) Tunnel:
NAT-T and transport modes, device to CradlePoint, Cisco/Linksys, Linux system, Hash (MD5, SHA128, SHA256, SHA384, SHA512), Cipher (AES, 3DES, DES), support for 2 connections, GRE tunneling, multiple networks supported in a single tunnel
**
Internet Access and Device Connectivity**
- Plug-and-play support for over 125 of the most advanced broadband data modems (LTE, WiMAX, HSPA+). Security cap available to prevent device theft
- 5 Ethernet 10/100 LAN/WAN ports for Ethernet-enabled devices or landline Internet (up to 2 WAN, up to 5 LAN, 5 total)
- Wireless LAN - WiFi (802.11 b/g/n) supports up to 64 connections at a time
Now that I had the portable VPN device I needed to find a compatible 4G/LTE/Wimax card or dongle that works with the MBR1200B
**
**
WAN Card
This task to research modems was a little more difficult as I needed to be sure that the network provider provisioned a public IP address and also didn't block ports.
I was very lucky that I had used Clear in the past and I was aware that they provided a public IP address with each connection.
I did a little more research and I found that various people on the forums stated that Clear does not block VPN ports.
So it was even more awesome that I had a Clear USB modem in one of my tech junk drawers.
Specifically the Clear USB Modem is the very first one that Clear released.
I signed up and with crossed fingers I waited for the public IP address to show up and it did!
The Goal
So this is what I hoped to accomplish, a connected Site-to-Site VPN from my MBR1200B to Windows Azure. http://www.sharepointfeed.com/wp-content/uploads/2013/07/8-az-nets2s-connected-1024x513.png
Configure a Site-to-Site VPN in the Management Portal
I will include links to the Windows Azure documentation while I demonstrate what I did in my environment.
Remember that I am not going step by step but rather using my screenshots as the result of following Microsoft's steps. Configure a Site-to-Site VPN in the Management Portal
Virtual Network Details
http://www.sharepointfeed.com/wp-content/uploads/2013/07/network-info-1024x513.png
**
**
DNS Servers
I have two DNS servers, one On Prem and one on Windows Azure.
I do this so I can resolve machine FQDN from Windows Azure to On Prem and vice versa. itglab-dc 10.10.65.1 (on prem) all of my On Prem machines are on the 10.10.65.0/24 network address space.
Azure-DNS 10.10.0.4 (Windows Azure) all cloud machines and subnets are on the 10.10.0.0/22 network address space.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/12-az-network-top-1024x513.png
**
**
Site-to-Site Connectivity
The public IP address from the Clear WAN Card that is plugged into the MBR1200B is used for the VPN Device IP Address
http://www.sharepointfeed.com/wp-content/uploads/2013/07/10-az-localnet-public-ip-1024x513.png
**
**
Local Network Address space
Again, I am using 10.10.65.0/24 for my on prem machine IP addresses.
(A little limiting, but I inherited this network scheme from a large demo, I will most likely change it.)
http://www.sharepointfeed.com/wp-content/uploads/2013/07/11-az-localnet-subnet-1024x513.png
http://www.sharepointfeed.com/wp-content/uploads/2013/07/9-az-localnet-config-1024x513.png
**
**
Virtual Network Address Spaces
I created two subnets in Windows Azure.
An infra subnet where I will place things like domain controllers and other infrastructure servers.
I have a public subnet where I will place things like SharePoint web front ends, other web servers, and additional public servers.
The gateway is needed and is created in the address space.
A tip is to make sure you configure your Windows Azure address space to have enough room to contain the gateway subnet or you will have to start over or remove one of your other subnets.
To point out my address space: 10.10.0.0/22 has enough room to contain 10.10.0.4 - 10.10.3.254
My subnets are: 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 If I want to add another subnet I cannot because the address space is full.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/13-az-network-bottom-1024x513.png
Virtual Network Gateway
Configure a Virtual Network Gateway in the Management Portal I don't have a screenshot for this as I don't want to recreate the gateway.
When I followed the steps I selected Static Routing for my network scenario and so it would work with the MBR1200B.
After the gateway is created you should be at a screen that is similar to the below where the gateway has not connected yet.
Also, the gateway will have created a Shared Key that you will use to input into the VPN device when you connect to Windows Azure.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/before-connecting-1024x513.png
Configure the Cradlepoint MBR1200B VPN connection
Again, this is not meant to be a step by step guide but rather a reference if you are thinking about the MBR1200B or a similar VPN device.
The goal is a screen that is completely filled out with an enabled VPN tunnel.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/1-cp-vpn-overview-1-1024x511.png
**
**
Create VPN Connection
Pre-Shared Key from the Windows Azure gateway
http://www.sharepointfeed.com/wp-content/uploads/2013/07/shared-key.png
In this screen you enter the Local Public IP address from the Clear Modem and the Public Windows Azure gateway IP address.
You also include the pre-shared key that you retrieve from the Windows Azure gateway.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/2-cp-vpn-config-2-1024x511.png
**
**
Configure the Local Network Addresses
I have the 10.10.65.0/24 net configured for my on prem network.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/3-cp-local-net-3-1024x511.png
**
**
Remote Networks
I have the 10.10.0.0/22 (netmask 255.255.252.0) network configured in Windows Azure for my address space.
Something to keep in mind is that is generally the address space IP address and while it is noted in Windows Azure with CIDR this requires a netmask.
There are many online calculators that can help you translate CIDR to netmask.
The Cradlepoint also wants the Windows Azure gateway public IP address in the Remote Networks gateway entry.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/4-cp-remote-net-4-1024x511.png
For the Cradlepoint, the IKE Phase 1 match the requirements for connecting to Windows Azure.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/5-cp-phase1-5-1024x511.png
Also the IKE Phase 2 options match the Windows Azure requirements.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/6-cp-phase2-6-1024x511.png
And finally, the last screen in the Cradlepoint deals with Dead Peer Detection. I just left the defaults.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/7-cp-deadpeer-7-1024x511.png
So this is how the config is done for the VPN in the Cradlepoint MBR1200B.
Since the always on option was selected the MBR1200B should start connecting now.
Wait a few seconds and Yes! The message SA established signifies that the VPN connected to the Windows Azure gateway
http://www.sharepointfeed.com/wp-content/uploads/2013/07/link-established-e1373410063736.png
Hmm, is Windows Azure connected? No? what is going on? http://www.sharepointfeed.com/wp-content/uploads/2013/07/not-yet.png
Okay, so I found that you have to ping from a local machine on the local network to a machine on a subnet on Windows Azure to get Windows Azure to change the connection status.
In the below picture I ping the dev-workstation and the spsnyc-dc machine from a machine on the local 10.10.65.0/24 network.
Keep in mind I already opened the firewall to allow ping into dev-workstation and spsnyc-dc since Windows Azure machines have the firewall on by default. The ping worked so this is proof that the VPN is connected.
http://www.sharepointfeed.com/wp-content/uploads/2013/07/ping-out.png So
What is going on with the Windows Azure connection? Hit F5........Success!!!!
http://www.sharepointfeed.com/wp-content/uploads/2013/07/8-az-nets2s-connected.png
So with this environment I have a portable hybrid cloud. In an upcoming post I will describe the Architecture behind my demo environment.
Some features of my demo environment are two mobile Windows Server 2012 R2 Hyper-V servers, SCVMM 2012 R2, an iSCSI target managed by SCVMM 2012R2, and SCAC 2012R2., and the Azure Pack.
I can actually transport all of this in a backpack and setup anywhere I have power and a Clear Wimax connection.