Create Site-to-Site VPN Between Azure and Windows RRAS Server

9 min read

This article is written for home/office scenarios, it’s NOT recommended for production.

Introduction

My home office started growing and I need to connect my on-premises environment to Azure. Now to build hybrid connectivity to Azure, you have a couple of options. You can read about all the options on Microsoft documentation here.

The most compelling option to me is to use the Azure Site-to-Site VPN connection. One of the required criteria to build a Site-to-Site VPN connection is to have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices that Microsoft support and device configuration, please check the official list about VPN Devices here.

What if you don’t have a compatible VPN appliance such as Ubiquiti, Cisco, F5, Fortinet, etc.?

The good news is, you can build a Site-to-Site VPN to Azure without having to purchase a VPN appliance.

In this article, I will go over deploying a new Routing and Remote Access (RRAS) server and connecting it to an Azure Gateway. The process is not limited to home labs, but it could be also used for a small office environment where a Site-to-Site VPN to Azure is required.

Prerequisites

To follow this article, you need to have the following:

  1. Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Virtual Network
    • One or more subnets
    • Gateway Subnet
    • Virtual Network Gateway
    • Local Network Gateway
  3. Router/firewall on-premises with the application forwarding option.
  4. Windows Server (2016 or 2019) with Desktop Experience deployed on-premises with two NICs. The Internal NIC represents the local private network, and the External NIC represents the network of the router which is also private but on a different subnet.
    • RRAS role installed which will act as the gateway for the home/office network.
    • Not domain joined for security purposes.

Network Architecture

In this example, the network architecture for the Site-to-Site VPN in my configuration will look like this:

Create Site-to-Site VPN Between Azure and Windows RRAS Server 1

There are a lot of different options and scenarios, but I will use this architecture for the remainder of this guide.

Assuming you have all the prerequisites in place, now take the following steps:

Add the RRAS Role

The first step is to install the Routing and Remote Access (RRAS) role on Windows Server. To speed up the process, I will use PowerShell instead of UI.

On your RRAS server, open Windows PowerShell and run the following command:

Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools -Verbose

Once the role is installed, you can verify that Routing and Remote Access console is installed by typing the following command: rrasmgmt.msc 

The service will show stopped at this stage, we will complete the configuration in the next section (Configure Windows RRAS).

Create Site-to-Site VPN Between Azure and Windows RRAS Server 2

Create Azure-side resources

In this section, I will create all the Azure side resources that were mentioned in the prerequisites section. To speed up the process, I will be using the Azure CLI.

Open an Azure Cloud Shell session (https://shell.azure.com/) and specify the subscription that you want to use:

az account set --subscription <replace_with_your_subscription_id>

And then create a resource group. You can update the resource group name and the location based on your needs.

az group create --name rg-s2s-vpn-home --location WestEurope

Take now the following steps:

Create an Azure Virtual Network

To create a virtual network, run this command in Azure Cloud Shell named Hub-VNet virtual network and the HubSubnet01 for the first subnet. You can update the IP address prefix based on your needs.

az network vnet create --resource-group rg-s2s-vpn-home --name Hub-VNet-1 --address-prefix 10.1.0.0/16 --subnet-name HubSubnet01 --subnet-prefix 10.1.0.0/24

Then run this command in Cloud Shell to add the GatewaySubnet subnet to Hub-VNet-1.

az network vnet subnet create --resource-group rg-s2s-vpn-home --vnet-name Hub-VNet-1 --address-prefix 10.1.255.0/27 --name GatewaySubnet

Create an Azure Virtual Network Gateway

A virtual network gateway must have a Public IP address. You first create the IP address resource and then refer to it when creating your virtual network gateway.

Run the following command to request and create a Dynamic Public IP address. Please note that the only time the Public IP address changes is when the gateway is deleted and re-created. It doesn’t change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

az network public-ip create --name pip-hub-vpn-gw --resource-group rg-s2s-vpn-home --allocation-method Dynamic

Next, run this command in Cloud Shell to create the vng-hub-vnet-1 virtual network gateway:

If you run this command using the ‘–no-wait‘ parameter, you don’t see any feedback or output. This parameter allows the gateway to create in the background. It takes around 30 minutes to create a gateway.

az network vnet-gateway create --resource-group rg-s2s-vpn-home --name vng-hub-vnet-1 --public-ip-address pip-hub-vpn-gw --vnet Hub-VNet-1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait

In this example, I am using the VPN type as ‘RoutedBased‘ since Route-based VPNs are the preferred connection method for on-premises devices, since they are more resilient to topology changes such as the creation of new subnets, for example. I used the Gateway SKU as ‘VpnGw1‘, you can choose the Gateway SKU that you want to use. There are configuration limitations for certain SKUs. For more information, please check Gateway SKUs.

Create Local Network Gateway

The local network gateway typically refers to the on-premises location. You give the site a name by which Azure can refer to it, then specify the public IP address of the on-premises VPN/Router device to which you will create a connection.

To check your current public IP address in your home/office, you can run the following PowerShell command:

(Invoke-RestMethod 'http://ipinfo.io/json').IP

You also need to specify the IP address prefixes that will be routed through the virtual network gateway to the RRAS VPN server. The address prefixes you specify here are the prefixes located on your on-premises (internal) network. If your on-premises network changes, you can easily update the prefixes.

Use the az network local-gateway create command in Cloud Shell to create a local network gateway with multiple local address prefixes representing your home/lab network:

az network local-gateway create --gateway-ip-address 23.99.221.164 --name lgw-s2s-home --resource-group rg-s2s-vpn-home --local-address-prefixes 172.16.20.0/24 172.16.21.0/24

Now that all Azure resources are created, let’s move to put all pieces together.

Configure Port Forwarding

In this step, you need to login to your router/firewall device and then configure port forwarding rules for UDP port 500 and 4500 pointing to your RRAS server.

Here is a screenshot of my port forwarding rules:

Create Site-to-Site VPN Between Azure and Windows RRAS Server 3

Configure Windows RRAS

Now it’s time to switch to the Routing and Remote Access Server console on-premises.

Right-click on the server name and select ‘Configure and Enable Routing and Remote Access‘.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 4

Routing and Remote Access Server Setup Wizard will open. Click Next > on the Welcome page.

Select ‘Secure connection between two private networks‘. Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 5

Leave the Demand-Dial Connections as default ‘Yes‘. Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 6

For the IP Address Assignment, keep the default ‘Automatically‘ assigned. Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 7

Then click ‘Finish‘ on the completing wizard ‘Created a secure connection between this network and a private network‘. When you press ‘Finish‘, the service for Routing and Remote Access will start which may take a couple of seconds to complete.

The Demand-Dial Interface Wizard will open. Click Next > on the Welcome page.

Enter a descriptive name for the Interface Name (i.e. AzureGW). This interface will connect to the VPN gateway in Azure.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 8

For the Connection Type, make sure ‘Connect using virtual private networking (VPN)‘ is selected. Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 9

For the VPN Type, select ‘IKEv2‘. Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 10

In the ‘Destination Address, enter the Azure virtual network Gateway public IP address (Azure side). Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 11

For the Protocols and Security, leave the default ‘Route IP packets on this interface‘. Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 12

In the Static Routes for Remote Networks, click ‘Add‘ and enter the address space that you set on the virtual network (Azure side) and then set the ‘Metric‘ to 10. Click ‘OK‘ and then click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 13

In the Dial-Out Credentials leave the default blank. Click Next > to continue.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 14

Then click ‘Finish‘ on the completing the Demand-Dial Interface Wizard. When you press ‘Finish‘, you will see a new network interface called ‘AzureGW‘ with Disconnected state which expected as shown in the below figure:

Create Site-to-Site VPN Between Azure and Windows RRAS Server 15

Double-click the new interface you just created ‘AzureGW‘ and then select the Options tab. On the Options tab, set the ‘Redial attempts‘ to 3.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 16

On the Security tab, select the preshared key radio button and enter your super-secret shared key here. Please take note of the preshared key here, since you need it in the next section to create the connection.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 17

Then go over IPv4 and create a New Static route… What the Static Routes do, is it tells the Routing and Remote Access server that anytime it gets an IP bound for a specific IP address to send it out the VPN interface.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 18

Enter the address space that you set on the virtual network (Azure side) and set the ‘Metric‘ to 10, and make sure to select ‘Use this route to initiate demand-dial connections‘. Click ‘OK‘. This is a repeatable step of what we did before, but you need to add a static route here as well.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 19

Here is the IPv4 Static Routes configuration in my example.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 20

Create the VPN Connection in Azure

In the final step, we need to create a logical VPN connection in Azure.

Run the following command to create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

Pay particular attention to the shared key value, which must match the configured shared key value for the RRAS server that you set as described in the previous section.

az network vpn-connection create --name HubVNet1ToHome --resource-group rg-s2s-vpn-home --vnet-gateway1 vng-hub-vnet-1 --location westeurope --shared-key abc123 --local-gateway2 lgw-s2s-home

After a short while, the connection should be established as shown in the below figure.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 21

Verify Connectivity

Now it’s time to switch to the Routing and Remote Access Server console on-premises, and verify that the ‘AzureGW‘ is connected under Network Interfaces.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 22

To test the connection to Azure, I have deployed a VM in the Azure virtual network (Hub-VNet-1). It got a private IP address 10.1.0.4 and without a public IP address.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 23

Testing the connection from an on-premises server to Azure VM (10.1.0.4):

Create Site-to-Site VPN Between Azure and Windows RRAS Server 24

Testing the connection in the opposite direction from the VM in Azure to an on-premises server (172.16.20.153):

Create Site-to-Site VPN Between Azure and Windows RRAS Server 25

There’s more…

By completing all the steps described above, you will be able to connect from on-premises to Azure but nothing else. In other words, you can’t get to the Internet and browse any site from your home/office network.

There is still one more thing to do which is to enable NAT (Network Address Translation) on the Routing and Remote Access Server, so everything on the internal private subnet is going to be masked/NATed behind the external interface.

Switch back to the Routing and Remote Access Server on-premises and run the following PowerShell commands (assuming the name of the interfaces are External and Internal).

$ExternalInterface="External"
$InternalInterface="Internal"
cmd.exe /c "netsh routing ip nat add interface $ExternalInterface"
cmd.exe /c "netsh routing ip nat set interface $ExternalInterface mode=full"
cmd.exe /c "netsh routing ip nat add interface $InternalInterface"

Now verify that you can browse the Internet from your on-premises private network. As you can see that my (NextHop) is the RRAS server (172.16.20.2) and then to the Internet.

Create Site-to-Site VPN Between Azure and Windows RRAS Server 26

What if your Public IP has changed

Now, what happened if your ISP changed your Public IP address on-premises?

The VPN connection will break of course!

To reconnect, you need to find out what is the new Public IP address using the following command: (Invoke-RestMethod ‘http://ipinfo.io/json’).IP

And then go back to the Azure portal and update the IP address in the Local network gateway under ‘Configuration‘ and hit Save as shown in the below figure (of course you can automate with PowerShell).

Create Site-to-Site VPN Between Azure and Windows RRAS Server 27

That’s it there you have it!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts

About Charbel Nemnom 579 Articles
Charbel Nemnom is a Cloud Architect, Swiss Certified ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. Excellent communicator is adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design, business continuity, and cloud security.

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.