Create a Virtual Network for Site-to-Site Cross-Premises Connectivity

This tutorial walks you through the steps to create a cross-premises virtual network. The type of connection we will create is a site-to-site connection. If you want to create a point-to-site VPN by using certificates and a VPN client, see Configure a Point-to-Site VPN in the Management Portal.

This tutorial assumes you have no prior experience using Windows Azure. It’s meant to help you become familiar with the steps required to create a site-to-site virtual network. If you’re looking for design scenarios and advanced information about Virtual Network, see the Windows Azure Virtual Network Overview.

After completing this tutorial, you will have a virtual network where you can deploy your Windows Azure services and virtual machines, which can then communicate directly with your company's network.

For information about adding a virtual machine and extending your on-premises Active Directory to Windows Azure Virtual Network, see the following:

For guidelines about deploying AD DS on Windows Azure Virtual Machines, see Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines.

For additional Virtual Network configuration procedures and settings, see Windows Azure Virtual Network Configuration Tasks.

Objectives

In this tutorial you will learn:

  • How to set up a basic Windows Azure virtual network to which you can add Windows Azure services.

  • How to configure the virtual network to communicate with your company's network.

Prerequisites

  • Windows Live account with at least one valid, active subscription.

  • Address space (in CIDR notation) to be used for the virtual network and subnets.

  • The name and IP address of your DNS server (if you want to use your on-premises DNS server for name resolution).

  • A VPN device with a public IPv4 address. You’ll need the IP address in order to complete the wizard. The VPN device cannot be located behind a NAT and must meet the minimum device standards. See About VPN Devices for Virtual Network for more information.

    Note: You can use RRAS as part of your VPN solution. However, this tutorial doesn’t walk you through the RRAS configuration steps.

    For RRAS configuration information, see Routing and Remote Access Service templates.

  • Experience with configuring a router, or someone who can help you with this step.

  • The address space for your local (on-premises) network.

High-Level Steps

  1. Create a Virtual Network

  2. Start the gateway and gather information for your network administrator

  3. Configure your VPN device

Create a Virtual Network

To create a virtual network that connects to your company's network:

  1. Log in to the Windows Azure Management Portal.

  2. In the lower left-hand corner of the screen, click New. In the navigation pane, click Networks, and then click Virtual Network. Click Custom Create to begin the configuration wizard.

  3. On the Virtual Network Details page, enter the following information, and then click the next arrow on the lower right. For more information about the settings on the details page, see the Virtual Network Details section in About Configuring a Virtual Network using the Management Portal.

    • NAME: Name your virtual network. Type YourVirtualNetwork.

    • AFFINITY GROUP: From the drop-down list, select Create a new affinity group. Affinity groups are a way to physically group Windows Azure services together at the same data center to increase performance. Only one virtual network can be assigned to an affinity group.

    • REGION: From the drop-down list, select the desired region. Your virtual network will be created at a datacenter located in the specified region.

    • AFFINITY GROUP NAME: Name the new affinity group. Type YourAffinityGroup.

  4. On the DNS Servers and VPN Connectivity page, enter the following information, and then click the forward arrow on the lower right.

    NOTE

    It’s possible to select both **Point-To-Site** and **Site-To-Site** configurations on this page concurrently. For the purposes of this tutorial, we will select to configure only **Site-To-Site**. For more information about the settings on this page, see the **DNS Servers and VPN Connectivity** page in About Configuring a Virtual Network using the Management Portal.

    • DNS SERVERS: Enter the DNS server name and IP address that you want to use for name resolution. Typically this would be a DNS server that you use for on-premises name resolution. This setting does not create a DNS server. Type YourDNS for the name and 10.1.0.4 for the IP address.
    • Configure Point-To-Site VPN: Leave this field blank.
    • Configure Site-To-Site VPN: Select checkbox.
    • LOCAL NETWORK: Select Specify a New Local Network from the drop-down list.

  5. On the Site-To-Site Connectivity page, enter the information below, and then click the checkmark in the lower right of the page. For more information about the settings on this page, see the Site-to-Site Connectivity page section in About Configuring a Virtual Network using the Management Portal.

    • NAME: Type YourCorpHQ.

    • VPN DEVICE IP ADDRESS: Enter the public IP address of your VPN device. If you don’t have this information, you’ll need to obtain it before moving forward with the next steps in the wizard. Note that your VPN device cannot be behind a NAT. For more information about VPN devices, see About VPN Devices for Virtual Network.

    • ADDRESS SPACE: Type 10.1.0.0/16.

    • Add address space: This tutorial does not require additional address space.

  6. On the Virtual Network Address Spaces page, enter the information below, and then click the checkmark on the lower right to configure your network.

    The address space must be a private range, specified in CIDR notation, within 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 (the private ranges defined in RFC 1918). For more information about the settings on this page, see the Virtual Network Address Spaces page in About Configuring a Virtual Network using the Management Portal.

    • Address Space: Click CIDR in the upper right corner, then enter the following:

        • Starting IP: 10.4.0.0
        • CIDR: /16

    • Add subnet: Enter the following:

        • Rename Subnet-1 to FrontEndSubnet with the starting IP 10.4.2.0/24, and then click add subnet.
        • Add a subnet called BackEndSubnet with the starting IP 10.4.3.0/24.
        • Add a subnet called ADDNSSubnet with the starting IP 10.4.4.0/24.
        • Add a gateway subnet with the starting IP 10.4.1.0/24.

    • Verify that you now have three subnets and a gateway subnet, and then click the checkmark on the lower right to create your virtual network.

  7. After you click the checkmark, creation of your virtual network begins. When it has been created, you will see Created listed under Status on the networks page in the Management Portal.
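As an added check that is not part of the original tutorial, the following Python script validates an address plan like the one above before you type it into the portal: each subnet (gateway subnet included) must lie inside the virtual network and not overlap another, the virtual network must sit inside RFC 1918 space, the local network must not collide with the virtual network, and the DNS server must be inside a declared range. The plan values are the tutorial's own; validate_plan and TUTORIAL_PLAN are names assumed by this example.

```python
import ipaddress

# RFC 1918 private ranges; the portal only accepts address space inside these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _parse(label, cidr, problems):
    """Parse a CIDR string; host bits set (e.g. 10.4.2.1/24) is a typo, not a network."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{label}: invalid CIDR {cidr!r} ({exc})")
        return None

def validate_plan(vnet, subnets, gateway_subnet, local_sites, dns_servers):
    """Return a list of problems in a site-to-site address plan (empty list means OK)."""
    problems, vnet_net = [], ipaddress.ip_network(vnet, strict=True)
    if not any(vnet_net.subnet_of(p) for p in RFC1918):
        problems.append(f"virtual network {vnet} is not inside an RFC 1918 range")
    # Every subnet, the gateway subnet included, must lie inside the VNet and not overlap another.
    parsed = {}
    for name, cidr in {**subnets, "gateway subnet": gateway_subnet}.items():
        net = _parse(name, cidr, problems)
        if net is None:
            continue
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} {cidr} is outside the virtual network {vnet}")
        for other, other_net in parsed.items():
            if net.overlaps(other_net):
                problems.append(f"{name} and {other} overlap")
        parsed[name] = net
    # The on-premises space must not collide with the VNet, or the tunnel routes are ambiguous.
    local_nets = []
    for site, cidrs in local_sites.items():
        for cidr in cidrs:
            local = _parse(f"local network {site}", cidr, problems)
            if local is not None:
                local_nets.append(local)
                if local.overlaps(vnet_net):
                    problems.append(f"local network {site} {cidr} overlaps the virtual network {vnet}")
    # A DNS server is only reachable if it sits in the VNet or in a declared local network.
    for name, ip in dns_servers.items():
        addr = ipaddress.ip_address(ip)
        if addr not in vnet_net and not any(addr in n for n in local_nets):
            problems.append(f"DNS server {name} {ip} is in neither the virtual network nor a local network")
    return problems

# Constructed input using the tutorial's own values; validate_plan(**TUTORIAL_PLAN) returns [].
TUTORIAL_PLAN = dict(vnet="10.4.0.0/16", gateway_subnet="10.4.1.0/24",
    subnets={"FrontEndSubnet": "10.4.2.0/24", "BackEndSubnet": "10.4.3.0/24", "ADDNSSubnet": "10.4.4.0/24"},
    local_sites={"YourCorpHQ": ["10.1.0.0/16"]}, dns_servers={"YourDNS": "10.1.0.4"})
```

Run it against your own plan before creating the network; an overlapping local range or a subnet outside the address space is cheaper to fix on paper than after the gateway exists.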

Start the Gateway

After creating your Windows Azure Virtual Network, use the following procedure to configure the virtual network gateway in order to create your site-to-site VPN. This procedure requires that you have a VPN device that meets the minimum requirements. For more information about VPN devices and device configuration, see About VPN Devices for Virtual Network.

To start the gateway:

  1. When your virtual network has been created, the networks page will show Created as the status for your virtual network.

    In the NAME column, click YourVirtualNetwork to open the dashboard.

  2. Click DASHBOARD at the top of the page. On the Dashboard page, on the bottom of the page, click CREATE GATEWAY. Select either Dynamic Routing or Static Routing for the type of Gateway that you want to create.

    Note that if you want to use this virtual network for point-to-site connections in addition to site-to-site, you must select Dynamic Routing as the gateway type. Before creating the gateway, verify that your VPN device will support the gateway type that you want to create. See About VPN Devices for Virtual Network. When the system prompts you to confirm that you want the gateway created, click YES.

  3. When the gateway creation starts, you will see a message letting you know that the gateway has been started.

    It may take up to 15 minutes for the gateway to be created.

  4. After the gateway has been created, you’ll need to gather the following information that will be used to configure the VPN device.

    • Gateway IP address
    • Shared key
    • VPN device configuration script template

    The next steps walk you through this process.

  5. To locate the Gateway IP Address – The Gateway IP address is located on the virtual network DASHBOARD page.

  6. To acquire the Shared Key – The shared key is located on the virtual network DASHBOARD page. Click Manage Key at the bottom of the screen, and then copy the key displayed in the dialog box.

  7. Download the VPN device configuration script template. On the dashboard, click Download VPN Device Script.

  8. On the Download a VPN Device Configuration Script dialog box, select the vendor, platform, and operating system for your company’s VPN device. Click the checkmark button and save the file.

If you don’t see your VPN device in the drop-down list, see About VPN Devices for Virtual Network in the MSDN library for additional script templates.

Configure the VPN Device (Network Administrator)

Because each VPN device is different, this is only a high-level procedure. This procedure should be done by your network administrator.

You can get the VPN configuration script from the Management Portal or from About VPN Devices for Virtual Network, which also explains routing types and the devices that are compatible with the routing configuration that you select to use.

For additional information about configuring a virtual network gateway, see Configure the Virtual Network Gateway in the Management Portal and consult your VPN device documentation.

This procedure assumes the following:

  • The person configuring the VPN device is proficient at configuring the device that has been selected. Due to the number of devices that are compatible with virtual network and the configurations that are specific to each device family, these steps do not walk through device configuration at a granular level. Therefore, it’s important that the person configuring the device is familiar with the device and its configuration settings.

  • The device that you have selected to use is compatible with virtual network. Check here for device compatibility.

To configure the VPN device:

  1. Modify the VPN configuration script. You will configure the following:

    a. Security policies

    b. Incoming tunnel

    c. Outgoing tunnel

  2. Run the modified VPN configuration script to configure your VPN device.

  3. Test your connection by running one of the following commands on your device:

     | Check                | Cisco ASA             | Cisco ISR/ASR         | Juniper SSG/ISG | Juniper SRX/J                            |
     |----------------------|-----------------------|-----------------------|-----------------|------------------------------------------|
     | Check main mode SAs  | show crypto isakmp sa | show crypto isakmp sa | get ike cookie  | show security ike security-association   |
     | Check quick mode SAs | show crypto ipsec sa  | show crypto ipsec sa  | get sa          | show security ipsec security-association |

Next Steps

In order to extend your on-premises Active Directory to the virtual network you just created, continue with the following tutorials:

If you want to export your virtual network settings to a network configuration file in order to back up your configuration or to use it as a template, see Export Virtual Network Settings to a Network Configuration File.
