It is highly likely you will be required to create a site-to-site VPN from your on-premises network to the Azure public cloud. To do this you must have a compatible VPN peer that is capable of terminating the IPsec VPN. All of the main network vendors, such as Cisco, Juniper and Palo Alto, have supported devices. You can consult the following website to see which devices are supported:
Windows Server 2012/2012 R2 with the Routing and Remote Access (RRAS) role installed is also a supported configuration; however, when I tried to do it behind my Cisco ASA I could not get it to work. If you research around some forums, most people only get RRAS to work with Azure if it is directly connected to the internet without any kind of NAT in between. Most enterprises won't be using RRAS anyway.
This example covers setting up an Azure vNet with an Azure Gateway that is connected to a Cisco ASA 5505 firewall. At the time of writing Azure automatically generates configuration scripts for Cisco and Juniper devices, although these sometimes need tweaking before they work correctly; I cover this further down.
Define Local Network
The first stage is to define the Local Network, which is the address space your on-premises environment uses. It is also in the Local Network that you specify the outside global address your VPN device has on its outside (or public) interface.
Open the Azure Management console, click New, then Network Services, Virtual Network and then Custom Create.
Input a name for the local network (something descriptive is best) and then enter the VPN Device IP as stated above.
You must then specify the address space used within your on-premises network. The address spaces used on premises and in the cloud cannot overlap; for example, you cannot have 192.168.1.0/24 both on site and in the cloud.
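The overlap rule above is easy to get wrong once there are several on-premises ranges, and the ASA wants each range written as address plus dotted netmask rather than as a /prefix. The following is an added example, not code from the original post or from Azure: it checks a planned set of on-premises and Azure prefixes for overlap and renders them as the ASA object-groups the generated template uses. The prefixes in SAMPLE_ONPREM and SAMPLE_AZURE are constructed sample values.

```python
# Added example, not part of the original post: check that the on-premises
# and Azure vNet address spaces do not overlap (Azure rejects overlapping
# Local Network / vNet ranges, and the ASA ACL would be ambiguous), then render
# the ASA object-group lines in the address/netmask form the template uses.
# SAMPLE_* are constructed sample values; the object-group names are the ones
# from the Azure-generated ASA template.
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample address spaces for this example.
SAMPLE_ONPREM = ["10.0.0.0/8"]
SAMPLE_AZURE = ["172.16.0.0/12"]


def find_overlaps(onprem: Iterable[str], azure: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (on-prem prefix, Azure prefix) pair that overlaps.

    strict=True makes ipaddress reject prefixes with host bits set
    (e.g. 10.1.2.3/8), which usually indicates a typo in the plan.
    """
    on = [ipaddress.ip_network(p, strict=True) for p in onprem]
    az = [ipaddress.ip_network(p, strict=True) for p in azure]
    return [(str(o), str(a)) for o in on for a in az if o.overlaps(a)]


def plan_ok(onprem: Iterable[str], azure: Iterable[str]) -> bool:
    """True when no on-prem prefix overlaps any Azure prefix."""
    return not find_overlaps(onprem, azure)


def render_object_group(name: str, prefixes: Iterable[str]) -> str:
    """Render an ASA object-group. The ASA expects a dotted netmask (not a
    /prefix length or a wildcard mask) after each network-object address."""
    lines = [f"object-group network {name}"]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        lines.append(f" network-object {net.network_address} {net.netmask}")
    lines.append("exit")
    return "\n".join(lines)


if __name__ == "__main__":
    if not plan_ok(SAMPLE_ONPREM, SAMPLE_AZURE):
        raise SystemExit(f"overlapping ranges: {find_overlaps(SAMPLE_ONPREM, SAMPLE_AZURE)}")
    print(render_object_group("onprem-networks", SAMPLE_ONPREM))
    print(render_object_group("azure-networks", SAMPLE_AZURE))
```

Run it against your own planned ranges before creating the Local Network; a non-empty result from find_overlaps means the vNet address space must be changed, since Azure will not let the two sides overlap and the crypto ACL could never select the traffic cleanly.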
Define DNS Servers
The next step is to define the name resolution servers; you require at least one on premises and one in the cloud. Click New > Network Services > Virtual Network > Register DNS Server and define the DNS servers.
Create Virtual Network
Now create a new Virtual Network: click New > Network Services > Virtual Network > Custom Create. The vNet is the logical entity that the VM instances connect to.
Enter a descriptive name for the vNet and set the location.
From the next pane select the DNS Servers that were defined in the previous step. Tick Configure site-to-site VPN and then select the Local Network object that was defined earlier.
Now configure the address spaces you intend to use for your cloud-based instances. Also click Add Gateway Subnet; this provisions a small subnet that the gateway uses for the tunnel-side communications.
Once the network is created, the next step is to create a Virtual Gateway, which is assigned a public address. This process can take around 15-20 minutes to complete.
Click Create Gateway and select the Routing type; the Cisco ASA only supports Static Routing. Consult the following document to check whether dynamic routing is supported for your VPN device:
Click Yes to confirm you want to create a gateway.
The interface will appear as shown below; the VPN cannot be formed until the VPN device is updated with the configuration script. Unfortunately, if you do not have a Cisco or Juniper firewall device you may have to do some manual configuration.
Click Download VPN Device Script under Quick Glance. You can then select the options that suit your environment. I hope Microsoft increases the number of devices and operating systems; the current options do not come close to what Amazon Web Services offers, which has pre-created scripts for almost all of the networking vendors I can name, with multiple different operating system versions.
Something that is not obvious when you download the configuration script for the Cisco ASA is that it assumes your firewall's interfaces are named inside/outside. Some environments use private/public, for example, and this is not obvious if you are not familiar with firewall scripts. I have highlighted everything below that must be changed to reflect your exact firewall configuration.
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software 8.3.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ---------------------------------------------------------------------------------------------------------------------
! ACL and NAT rules
!
! Proper ACL and NAT rules are needed for permitting cross-premise network traffic.
! You should also allow inbound UDP/ESP traffic for the interface which will be used for the IPSec tunnel.
object-group network azure-networks
 network-object 172.16.0.0 255.240.0.0
exit
object-group network onprem-networks
 network-object 10.0.0.0 255.0.0.0
exit
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
exit
! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer x.x.x.x
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
! Note that you can only bind one crypto map to the "outside" interface. You can, however, define
! different peer/transform-set within a crypto map and identify them with different IDs.
crypto map azure-crypto-map interface outside
! ---------------------------------------------------------------------------------------------------------------------
! Tunnel configuration
!
! This section defines an IPSec site-to-site tunnel connecting to the Azure gateway and specifies the pre-shared key
! value used for Phase 1 authentication.
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key xxxxxxxxx
exit
! ---------------------------------------------------------------------------------------------------------------------
! TCPMSS clamping
!
! Adjust the TCPMSS value properly to avoid fragmentation
sysopt connection tcpmss 1350
exit
For example, the interfaces on my home ASA are inside/outside, so the script is fine for me, but if your interfaces are named differently you will have to edit the script. My ASA is also running IOS 9.3 and the script is for 8.3; the difference is how the static NAT statement is written.
You can use the ASDM or an SSH session to your firewall to input the script. If you are using ASDM click Tools and then Command Line Interface...
Select Multiple Lines and copy and paste the lines of the script into the box. I have found the exit statements in the script get returned by the ASA as non-executable, so I edit them out.
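The two manual edits described above (renaming inside/outside to your own interface names, and dropping the bare exit lines) are easy to do by hand once, but they are also where a pasted script most often goes wrong, together with leaving the x.x.x.x peer and the dummy pre-shared key in place. The following is an added example, not code from the original post or from Azure: it rewrites the interface names on command lines only, strips the exit lines, and reports any placeholder that has not been filled in. SAMPLE_TEMPLATE is a constructed excerpt in the shape of the Azure script above, not the full generated file.

```python
# Added example, not part of the original post or the Azure template: adapt the
# Azure-generated ASA script to a firewall whose interfaces are not named
# inside/outside, drop the bare "exit" lines the author found ASDM rejects, and
# flag placeholders (peer x.x.x.x, dummy pre-shared key) that were left unfilled.
# SAMPLE_TEMPLATE is a constructed excerpt in the shape of the template above.
import re
from typing import Dict, List

SAMPLE_TEMPLATE = """\
! Azure-generated excerpt (constructed for this example)
crypto isakmp enable outside
object-group network azure-networks
 network-object 172.16.0.0 255.240.0.0
exit
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
crypto map azure-crypto-map 10 set peer x.x.x.x
! Note that you can only bind one crypto map to the "outside" interface.
crypto map azure-crypto-map interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key xxxxxxxxx
exit
"""

# A peer address still written as x.x.x.x, or a pre-shared key that is all x's.
PLACEHOLDER_RE = re.compile(r"\bx\.x\.x\.x\b|pre-shared-key\s+x+\s*$")


def adapt_asa_template(template: str, names: Dict[str, str], drop_exit: bool = True) -> str:
    """Rename interface nameifs (e.g. {"inside": "private", "outside": "public"})
    on command lines only, leaving '!' comment lines alone, and optionally drop
    bare 'exit' lines. One alternation regex with a lookup callback is used so
    that swapping two names (inside <-> outside) cannot cascade into a double
    replacement the way sequential str.replace calls would."""
    pattern = None
    if names:
        pattern = re.compile(r"\b(" + "|".join(re.escape(n) for n in names) + r")\b")
    out: List[str] = []
    for line in template.splitlines():
        stripped = line.strip()
        if drop_exit and stripped == "exit":
            continue
        if pattern is not None and not stripped.startswith("!"):
            line = pattern.sub(lambda m: names[m.group(1)], line)
        out.append(line)
    return "\n".join(out)


def unresolved_placeholders(config: str) -> List[str]:
    """Return command lines still carrying a template placeholder, so the script
    is not pushed to the ASA with a dummy peer address or pre-shared key."""
    return [l.strip() for l in config.splitlines()
            if not l.strip().startswith("!") and PLACEHOLDER_RE.search(l)]


if __name__ == "__main__":
    adapted = adapt_asa_template(SAMPLE_TEMPLATE, {"inside": "private", "outside": "public"})
    print(adapted)
    for bad in unresolved_placeholders(adapted):
        print("placeholder still present:", bad)
```

Feed it the downloaded script and your own interface name mapping; if unresolved_placeholders returns anything, fill in the gateway's public address and the pre-shared key from the Azure portal before pasting the result into ASDM or the SSH session.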
Return to the vNet page and click Connect. If everything has been completed successfully your VPN should form correctly and all of the routes should automatically be in place, so when you ping from an on-premises server it should get all the way to your Azure instances.