WFH: Implement a no-data-on-the-cloud VPN solution Azure

We are living in an incredibly challenging time where going to work is not an option for most employees on the planet. And for IT personnel this means we are also responsible for enabling remote access in an unprecedented capacity that might exceed capabilities of existing hardware.

Luckily, in the age of the cloud, capacity should no longer be a limiting factor. In this blog we will discuss how, even if your company has a no-data-in-the-cloud policy, we can utilize azure to (very) quickly implement a scalable and cost efficient VPN solution to thousands of employees if needed.

Lab components

First, let us cover a few assumptions that will help you follow this lab,

Lab Structure

As you can see, we have a simple OnPrem network with the following components,

  • OnPrem vNet: represents your datacenter with a perimeter and DMZ subnets.
    • the gateway is running Windows Server 2019 with Remote Routing and Access Service (RRAS) installed. The gateway has two NICs used for Internal and External facing communication.
  • Cloud Connect vNet: In Azure, this is the virtual network resource and subnet in the cloud.
    • Gateway subnet is the only needed one, dedicated for the Azure Virtual Gateway.
    • Cloud Subnet and Test VM are not required, we use them to test routing and connectivity.
  • Remote user vNet: This is configured on the VPN Gateway. We will explain this in detail later.
  • For the sake of simplicity I did not configure BGP in this lab. I will explain how you can configure routing without BGP. However, using it (specially in a complex environment) is valuable.

Deploying Azure Resources

You will need to deploy the following resources in Azure,

  1. Virtual Network: Make sure the address space does not overlap any of your OnPrem addresses. This will cause routing issues and simply won’t work. Create a subnet called “Gateway Subnet” for the next resource. You may also create a subnet for a Test VM to test connectivity.
  2. VPN Gateway: This will be used to connect your datacenter to the Virtual Network, as well as by the VPN users.
  3. (Optional) Test VM: Create a virtual Machine attached to the virtual network. This will help us validate routing.

Connecting your datacenter to Azure

This means creating a site to site (S2S) connection, this requires configuring an OpPrem gateway (the RRAS server in the lab) and the VPN Gateway on Azure. When doing so make sure of the following,

  • Add all the address spaces to the Local Network Gateway resource on azure. And use the largest possible address space. For example, 192.168.0.0/16 instead of 192.168.0.0/24 and 192.168.1.0/24. The lower number of ranges the better.
  • Create a new connection on the RRAS server that points the VPN Gateway public IP on Azure. Ensure the status is Connected on both sides (OnPrem and Azure)
  • Add static routes on the RRAS server to include the chosen address space of the VPN users.

Configure P2S VPN

This is where we will define the VPN client used by users to connect.

  1. First, we need to choose how they will authenticate, there are three options,

A RADIUS server allows users to authenticate using their Active Directory credentials. Once the S2S connection is up, the VPN Gateway can forward authentication requests to your OnPrem Radius server using its local IP Address.

Do not use simple or short Server Secret. And, please, not abc123!
  1. Configure DNS servers on the virtual network. This will allow VPN users to communicate with the OnPrem DNS servers.
  1. Add custom routes to VPN clients. This will allow clients to reach the local network. Add all address spaces used OnPrem. Custom routes can only be configured using PowerShell.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $GW -CustomRoute "192.168.0.0/16"
  1. Download and test the client from a remote computer.

Notes from the field

While building the lab I needed to apply a few extra steps, especially as all components were Azure VMs. Here is what I had to do,

$nic = Get-AzNetworkInterface -ResourceGroupName "ResourceGroup1" -Name "NetworkInterface1" $nic.EnableIPForwarding = 1 $nic | Set-AzNetworkInterface

That’s all, feel free to ask any questions in the comments.

This blog and more are available on my personal website, https://www.PlusOnTech.com.

Authors