In the previous posts in this series we went through the process of creating a cross-premises Site-to-Site VPN with Azure by gathering some information about our local network, configuring the Azure Virtual Network and gateway and finally configuring VyOS so that the tunnel connected.
Now that the cross-premises tunnel is connected, in this post we’ll run through the process of creating a Virtual Machine in Azure which will reside in the Virtual Network we created in part 2. Before we start, our current network looks as follows (no VM in Azure).
Continue reading Configuring Azure Site-to-Site connectivity using VyOS Behind a NAT – Part 4
In this, part 3 of the series, we implement the VyOS configuration that turns it into an IPsec endpoint able to connect to our Azure Virtual Network Gateway and form the Site-to-Site VPN.
If you haven't already, consider reading part 1 and part 2 of this series for the background on our modest network and on how Azure is configured to create its side of the cross-premises VPN connection. As a reminder, our network configuration looks as follows (no tunnel and no Azure VM yet).
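To make the part 3 step concrete, here is an added example of the VyOS settings involved; it is not the post's own configuration (that is in the full article) and every address, group name and key in it is an assumed placeholder: 10.0.0.0/16 for the Azure Virtual Network, 192.168.50.0/24 for the lab behind VyOS, 192.168.1.2 for the VyOS VM's address on the DMZ side, 203.0.113.10 for the DD-WRT router's public address and 198.51.100.20 for the Azure gateway. The cipher and lifetime values are the ones Microsoft's VPN device documentation lists for a policy-based (static routing) gateway: IKEv1 with AES-256, SHA-1, DH group 2 and a 28800 s lifetime; ESP with AES-256, SHA-1, a 3600 s lifetime and no PFS. The syntax is VyOS 1.1.x (Vyatta-style).

```vyos
# Added example: VyOS 1.1.x site-to-site IPsec to a policy-based Azure gateway,
# from a VyOS VM that sits behind a NAT router. Addresses, names and the PSK
# are assumed placeholders, not values from the original post.
configure

# IPsec listens on the interface facing the DD-WRT edge router (assumed eth0).
set vpn ipsec ipsec-interfaces interface eth0

# We are behind NAT: enable NAT traversal (ESP encapsulated in UDP/4500) and
# declare the remote networks that may be reached through a NAT-ed tunnel.
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 10.0.0.0/16

# Phase 1 (IKE) parameters matching Azure's policy-based gateway.
set vpn ipsec ike-group AZURE-IKE key-exchange ikev1
set vpn ipsec ike-group AZURE-IKE lifetime 28800
set vpn ipsec ike-group AZURE-IKE proposal 1 encryption aes256
set vpn ipsec ike-group AZURE-IKE proposal 1 hash sha1
set vpn ipsec ike-group AZURE-IKE proposal 1 dh-group 2

# Phase 2 (ESP) parameters: AES-256/SHA-1, tunnel mode, PFS off.
set vpn ipsec esp-group AZURE-ESP mode tunnel
set vpn ipsec esp-group AZURE-ESP pfs disable
set vpn ipsec esp-group AZURE-ESP lifetime 3600
set vpn ipsec esp-group AZURE-ESP proposal 1 encryption aes256
set vpn ipsec esp-group AZURE-ESP proposal 1 hash sha1

# The peer is the Azure gateway's public IP (assumed 198.51.100.20).
set vpn ipsec site-to-site peer 198.51.100.20 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.20 authentication pre-shared-secret 'REPLACE-WITH-THE-KEY-FROM-AZURE'
# Behind NAT the default IKE identity would be the private address; Azure
# expects the public address it was given for the local network, so set it.
set vpn ipsec site-to-site peer 198.51.100.20 authentication id 203.0.113.10
set vpn ipsec site-to-site peer 198.51.100.20 ike-group AZURE-IKE
set vpn ipsec site-to-site peer 198.51.100.20 default-esp-group AZURE-ESP
# local-address is VyOS's own (private) address on eth0, not the public one.
set vpn ipsec site-to-site peer 198.51.100.20 local-address 192.168.1.2
# One policy-based tunnel per local/remote subnet pair.
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 local prefix 192.168.50.0/24
set vpn ipsec site-to-site peer 198.51.100.20 tunnel 1 remote prefix 10.0.0.0/16

commit
save
exit

# Verification. A policy-based tunnel is negotiated on demand, so send some
# traffic to a VNet address first (e.g. ping 10.0.0.4), then check both SAs
# report "up" and that the ESP SA shows NAT-T in use.
show vpn ike sa
show vpn ipsec sa
```

For this to work the DD-WRT edge router has to forward UDP 500 (IKE) and UDP 4500 (NAT-T) to 192.168.1.2; with NAT traversal enabled the ESP packets travel inside UDP 4500, so no separate protocol-50 forward is needed. If `show vpn ike sa` stays empty, a mismatch between the `authentication id` above and the public address configured on the Azure side is the first thing to check, since that mismatch is the usual reason a behind-NAT peer fails phase 1.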
Continue reading Configuring Azure Site-to-Site connectivity using VyOS Behind a NAT – Part 3
If you haven’t read part 1 of this series, please review that before proceeding here. In part 1, I describe the network that we are starting with (mine) and how it is configured to enable routing across a virtual software router called VyOS between a home lab (a Windows domain called transishun.local) hosted in VMware ESXi 5.5 and my main “everyone’s phones are on it” network, which I’ll call the DMZ from here on. I also mention that my primary “edge” router is an off-the-shelf type on which I have installed DD-WRT, which adds capabilities that permit it to perform source NAT for more than just the primary network, thereby avoiding double-NAT (bleugh!). If that’s something you’re interested in doing for yourself, it’s educational and I’m always here to answer questions should you feel the need.
As a reminder, here’s the current network before we do anything in Azure.
Continue reading Configuring Azure Site-to-Site connectivity using VyOS Behind a NAT – Part 2
This series of posts will cover the process of creating a Site-to-Site VPN from your on-premises network infrastructure into Azure IaaS services using VyOS, hosted in a virtual machine. Typically, this results in the “hybrid” model that Microsoft are keen for you to take advantage of when you’re investing in your infrastructure. If you’re asking yourself “Why would I do this?”, the answer is: to permit your business to take advantage of the benefits offered by cloud IaaS services, such as the ability to spin up virtual machines (VMs) quickly and easily without the usual costs (both financial and in time) of procuring the hardware, configuring, installing, licensing and finally commissioning it. In short, if you want to add infrastructure to your existing network and you need it quickly, the cloud is the way to go. Think of the benefits of deploying development environments which can be spun down at the end of the day: no more power, cooling etc. to pay for and, better still, you haven’t forked out for new (or had to recycle old) kit.
Yes, yes, but why are you doing this?
As a Microsoft professional, it’s in my best interests to get up to speed on Azure quickly, since that is where most Microsoft platforms will likely be deployed in the years ahead. Generally, the only way to do that is through TechNet articles and doing it myself; however, having a home-centric internet connection, I’m saddled with a single IP address and limited resources. Throwing money away on blocks of IP addresses, VPN devices etc. to get experience of hybrid cloud models in Azure isn’t something I’m keen on. I needed a way to learn about hybrid cloud from my own lab, so I set about finding out if it was possible and wanted to share my conclusions with you here. Long story short, I got it working.
Microsoft have their own documentation on how to set this up, but it’s a little vague when it comes to the on-premises side of things and they clearly state that the VPN device cannot be behind a NAT. Well, they’re wrong, it can; it just depends how the network is configured. In practice that means the edge router must forward IKE (UDP 500) and NAT-T (UDP 4500) to the VyOS VM, and VyOS must present the router’s public address as its IKE identity, because that public address is what the Azure side has been told to expect for the local network. For this series of posts, the intention is to create an end-to-end solution using VyOS, an open source router OS that runs very happily on vSphere (and probably Hyper-V), which will host the IPsec site-to-site VPN that connects to Azure. I’ve been using VyOS to route between my home lab (hosted on VMware ESXi 5.5) and my main network (the “everyone’s phones are on it” one) for nearly a year now and it has served this very basic purpose beautifully. I discovered that Vyatta Community Edition was to be discontinued when Vyatta was acquired by Brocade, but thankfully for all of us someone had the foresight to fork Vyatta and create VyOS.
Continue reading Configuring Azure Site-to-Site Connectivity using VyOS behind a NAT – Part 1