Part 11 – Establishing VPN Connectivity

Establishing Connectivity Between On-Premise Environment and Azure Cloud

In this blog post, we will learn how to establish connectivity between an on-premises environment and Azure Cloud. Establishing a site-to-site (S2S) VPN connection between an on-premises network and Azure provides several benefits. It allows you to extend your on-premises network to Azure, enabling you to access resources in Azure as if they were on your local network.

Essentially, you can access every Azure resource from an on-premises environment or vice versa via a private network. We don’t need to have Azure resources published publicly. We can then leverage private links and private endpoints for more secure connectivity between resources.

The goal of this blog post is to establish connectivity.


Required Azure Resources for S2S VPN

Azure Virtual Network (VNET)

  • A virtual network (VNET) is the backbone of an Azure network. It provides a logical isolation of the Azure network resources and is the foundation for all other Azure networking services.

Virtual Network Gateway

  • A software-based VPN appliance that enables you to create a secure connection between your on-premises network and your Azure virtual network.

Local network gateway

  • A local network gateway (LNG) represents the on-premises network and is used to configure the settings for the VPN connection. It specifies the public IP address of the VPN device on the on-premises network and the on-premises IP address prefixes that will be reachable through the VPN connection.

Connection

  • A connection represents the VPN link between the virtual network gateway and the local network gateway. It’s used to configure the settings for the VPN connection.

Public IP Address

  • A public IP address is required for the virtual network gateway.


Steps to Establish Connectivity

Create a resource group that will contain Azure S2S components.

Create a virtual network.

Add an IPv4 address range and define the subnet address range.

Add a Gateway subnet. Microsoft’s recommendation is to use a smaller address range.

Gateway successfully created.

Create a Virtual Network Gateway.

Create a local network gateway.

  • The IP address is the public IP of your network (you can find this by searching “what is my IP” on Google).
  • The address space is the range of on-premises IP addresses that will be reachable through the Azure S2S VPN tunnel, i.e. the address range of your on-premises network.

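The Azure side of the steps above (resource group, VNET with a GatewaySubnet, public IP, virtual network gateway, local network gateway and connection) can also be built with Azure PowerShell. The following is an added example, not code from the original post or from the Microsoft Home Lab repository; the resource names, region, address ranges and the placeholder on-premises public IP are assumptions chosen for the example.

```powershell
# Added example (not from the original post): creates the S2S VPN resources
# described above with the Az PowerShell module. Names, region and address
# ranges are assumptions for this example.
# Prerequisites: Install-Module Az ; Connect-AzAccount

$rg       = 'rg-homelab-s2s'   # assumed resource group name
$location = 'westeurope'       # assumed region
$vnetName = 'vnet-hub'         # assumed hub VNET name

# 1. Resource group that holds every S2S component
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 2. Virtual network with a workload subnet and the gateway subnet.
#    The gateway subnet must be named exactly 'GatewaySubnet'.
$workload = New-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -AddressPrefix '10.10.1.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $workload, $gwSubnet

# 3. Public IP address for the virtual network gateway (the address RRAS will dial)
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# 4. Virtual network gateway: route-based VPN, which is what an IKEv2 S2S tunnel needs.
#    Creation can take 30 minutes or more.
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconfig' `
    -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 5. Local network gateway = the on-premises side: the router's public IP and the
#    on-premises address range that will be reachable through the tunnel.
$onPremPublicIp = '203.0.113.10'   # placeholder from the RFC 5737 documentation range; use your own
$lng = New-AzLocalNetworkGateway -Name 'lng-homelab' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremPublicIp -AddressPrefix '192.168.1.0/24'

# 6. Connection: IPsec with IKEv2 and a pre-shared key. The key is generated from a
#    cryptographic RNG rather than typed by hand; the same value goes into RRAS.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
New-AzVirtualNetworkGatewayConnection -Name 'cn-homelab-to-hub' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk | Out-Null

# Values the RRAS side needs: the gateway's public IP and the pre-shared key
"Gateway public IP : $((Get-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg).IpAddress)"
"Pre-shared key    : $psk"

# ConnectionStatus moves from 'Connecting' (or 'NotConnected') to 'Connected'
# once the RRAS demand-dial interface brings the tunnel up.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-homelab-to-hub' -ResourceGroupName $rg).ConnectionStatus
```

The connection is created with the on-premises router's public IP as the local network gateway address, so the status stays in Connecting until the RRAS server dials in from that address; Azure does not initiate the IKEv2 exchange towards a NATed home router.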

Port Forwarding

Before we start configuring RRAS, check the IP address on the external network adapter.

Open the management console for your router. In a web browser, enter the IP Address of the Router (this is the default gateway on your physical device).

Configure Port Forwarding. Different router vendors have different user interfaces for port forwarding. This is an example of Innbox Iskratel, but the configuration is similar everywhere.

We need to forward the following UDP ports from the router to the RRAS server:

  • 500 (UDP)
  • 4500 (UDP)


RRAS Configuration

Enable LAN and demand-dial routing.

Create a new Demand-Dial interface.

Choose the VPN option.

Choose IKEv2.

Visit the Azure portal and copy the public IP address.

Paste the Public IP Address.

Choose the first option.

For the VPN to start working, we need to define a Static Route.

Static routes are a way to tell the Routing and Remote Access server to send IP traffic for a specific destination network through the VPN interface. In other words, they ensure that traffic bound for the Azure address space is sent through the VPN connection instead of the default gateway.

Check the address space of the Hub VNET.

Define the address space for the static route.

You can leave that blank.

Check the VPN interface.

Check if the IP is populated. Some time ago there was a bug and you needed to type it manually. This is the public IP of the VPN gateway.

Optionally change the redial attempts. With this setting, RRAS attempts to establish the connection three times before reporting an error.

Define the pre-shared key. The same pre-shared key will be entered on the Azure connection when we establish the tunnel.

Create a connection in the Azure portal. Define all required fields. Choose Site-to-site VPN, IKEv2, and enter the pre-shared key that you created in the previous step.

Check the connection status.

Check the connected status inside the RRAS server.
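The RRAS steps above (external adapter check, enabling demand-dial routing, the IKEv2 demand-dial interface with its static route, redial attempts and pre-shared key, and the final status check) can be done from PowerShell on the Windows Server instead of the MMC wizard. This is an added example, not code from the original post or the Microsoft Home Lab repository; the interface name and hub address space are assumptions, and the gateway IP and pre-shared key are placeholders to be replaced with the values from the Azure portal.

```powershell
# Added example (not from the original post): configures the RRAS side of the
# S2S tunnel with the RemoteAccess module. Run in an elevated session on the
# Windows Server that will terminate the VPN. Placeholders and assumed values
# are marked in the comments.

# Port-forwarding check: the router must forward UDP 500 (IKE) and UDP 4500
# (IPsec NAT-T) to the address of this server's external adapter.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, IPAddress

# 1. Install RRAS with routing and enable site-to-site (demand-dial) VPN
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType VpnS2S

# 2. Demand-dial interface to the Azure VPN gateway
$azureGatewayIp  = '<azure-vpn-gateway-public-ip>'   # placeholder: copy from the Azure portal
$psk             = '<pre-shared-key>'                # placeholder: same value as the Azure connection
$hubAddressSpace = '10.10.0.0/16'                    # assumed hub VNET address space
$ifName          = 'Azure-Hub'                       # assumed interface name

# -IPv4Subnet adds the static route "hub address space via this interface" (format Prefix:Metric),
# -NumberOfTries 3 matches the three redial attempts described above,
# -Persistent keeps the tunnel up instead of dropping it when idle.
Add-VpnS2SInterface -Name $ifName -Protocol IKEv2 -Destination $azureGatewayIp `
    -AuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet "${hubAddressSpace}:100" `
    -NumberOfTries 3 -RetryInterval 60 `
    -Persistent

# 3. Dial the tunnel and verify; ConnectionState should read 'Connected'
Connect-VpnS2SInterface -Name $ifName
Get-VpnS2SInterface -Name $ifName | Select-Object Name, Destination, ConnectionState

# Once connected, the hub address space is routed through the demand-dial interface
Get-NetRoute -DestinationPrefix $hubAddressSpace -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, InterfaceAlias, RouteMetric
```

If ConnectionState stays at Disconnected, the usual causes are the UDP 500/4500 forward not reaching this server, a pre-shared key that differs from the one on the Azure connection, or the local network gateway in Azure pointing at a different public IP than the one the router actually presents.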


Conclusions

In this blog post, we’ve explored how to configure RRAS and establish a secure VPN connection between an on-premises environment and Azure Cloud. 


See ya in the next blog post! 🙂

Github repository – Microsoft Home Lab
