Infrastructure as a Service (IaaS) – Azure Hybrid Infrastructure

Introduction

As one of my first steps into the world of Azure, I wanted to take a look at the idea of transition. This tutorial takes the approach of an Azure starter and is scoped to the technical implementation.

At the same time, I am looking to write the business 'why' case: why would I as a business do this, and what are the benefits and flaws? Let's be straight; I work with technology and am not a salesman. There are two sides to the coin, no matter who tries to hide the fact.

Scenario

I want to keep my onsite services but extend into Azure as a seamless hybrid approach, looking at how the various services can communicate and how to 'best plan for the future' from varying points of view. So, the first topic to cover is connecting the world of Azure to my onsite infrastructure using a Site-to-Site VPN.

As an overview, the following components are required:
  • Azure: Microsoft's cloud offering
  • A subscription in Azure: allows you to use the service
  • A virtual network: created in Azure; think of it like your physical network infrastructure in the cloud
  • Subnets: network segments within the virtual network
  • On-premises site: your onsite infrastructure
  • On-site VPN device: the device that terminates the tunnel at the edge of your site and is also the access point into your infrastructure

Now, the saying 'a picture can paint a thousand words' is my approach in most of my personal learning; I also think this works for most people, so let's start with a picture:

Not quite the correct hair colour (also a little too much), but this is my mindset in approaching Azure, given the amount of terminology and abbreviations. Saying that, I think this is the same with any new technology, so rather than focus on a list of terms at the start, I will summarise them at the end of the tutorial.

Key Technical Data Required

Do not worry if you do not understand each element or term as you proceed through the tutorial.

Example data has been used in the table and will be used throughout the tutorial; the hope is that by the end you will understand exactly what each piece of data is used for.

Virtual Network
  Item                    Setting          Description
  Virtual Network Name    VNet01           Our segment of the pie in the virtual Azure world; the piece we cut out for ourselves
  Address Space           10.10.0.0/16     The whole range the VNet owns; every subnet below must sit inside it
  Subnet VSubnet01        10.10.1.0/24
  Subnet VSubnet02        10.10.2.0/24
  Resource Group          VNetwork
  Location                West Europe
  Custom DNS server       8.8.8.8          Public resolver used for this example
  Gateway Subnet          10.10.0.0/28     Must be named exactly GatewaySubnet; /29 is the smallest Azure accepts

Virtual Network Gateway
  Gateway Name            VNetGW
  Public IP               VNetGWIP         Azure assigns the address once the gateway is built; it becomes the Sophos "Remote Gateway"
  Gateway Type            VPN
  Connection Type
  VPN Type                Policy-based     IKEv1, Basic SKU, a single site-to-site tunnel and a fixed IPsec proposal (see the Sophos policy below)
  Location                West Europe

Local Network Gateway
  Local Network Gateway Name  VNetGWSite   Azure's record of the on-site end of the tunnel
  On-site VPN Public IP   81.174.152.37    Public address of the Sophos UTM's WAN interface
  Address Space           192.168.2.0/24   Network behind the UTM; must not overlap 10.10.0.0/16
  Location                West Europe

VNetGW Connection
  Connection Name         cnnSite
  Connection Type         Site-to-site (IPsec)
  Virtual Network Gateway VNetGW
  Gateway Type            VPN
  Local Network Gateway   VNetGWSite
  Shared Key              GR0C413M3        Example value only; must match the UTM, and a production key should be long and random
  Resource Group          VNetwork
  Location                West Europe

SOPHOS UTM: IPsec Remote Gateway
  Name                    MSAzureVPN
  Gateway (Azure VNetGWIP public IP)  52.174.148.52   The address Azure assigned to VNetGWIP
  Shared Key              GR0C413M3        Same value as the Azure connection
  Remote Network Name     MSAzureNetwork
  Remote Network Address  10.10.0.0/16

SOPHOS UTM: IPsec Policy (matches Azure's fixed policy-based proposal)
  Name                            MSAzurePolicy
  IKE Encryption algorithm        AES 256
  IKE Authentication algorithm    SHA1
  IKE SA lifetime                 28800
  IKE DH group                    Group 2: MODP 1024
  IPsec Encryption algorithm      AES 256
  IPsec Authentication algorithm  SHA1
  IPsec SA lifetime               3600
  IPsec PFS group                 None
  Strict policy                   unchecked
  Compression                     unchecked

SHA1 and 1024-bit DH are weak by today's standards. A policy-based Azure gateway cannot be given a custom IPsec/IKE policy, so these values are what the UTM has to offer; stronger algorithms need a route-based gateway.

SOPHOS UTM: IPsec Connection
  Name                            MSAzureConnection
  Remote Gateway                  MSAzureVPN
  Local Interface                 External (WAN)
  Policy                          MSAzurePolicy
  Local Networks                  Internal (192.168.2.0/24)
  Automatic firewall rules        checked        Lets the UTM add the allow rules between the two networks for you
  Strict routing                  unchecked
  Bind tunnel to local interface  unchecked
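Before typing any of this into the portal it is worth checking the address plan and replacing the example shared key. The PowerShell below is an added example, not part of the original tutorial or of any vendor tool: it takes the ranges from the table above, checks that the on-site and Azure address spaces do not overlap, that every subnet (GatewaySubnet included) sits inside the VNet range and does not overlap another subnet, and that the gateway subnet is at least a /29, then generates a random pre-shared key from the OS CSPRNG. The function names are this example's own.

```powershell
# Added example: pre-flight check of the hybrid address plan plus PSK generation.
# Not from the original page; the ranges passed in at the bottom are the page's example data.

function ConvertTo-IPv4Range {
    # Turn "a.b.c.d/n" into first/last addresses as 64-bit integers (avoids unsigned maths in PowerShell).
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Expected a.b.c.d/n, got '$Cidr'" }
    $ip, $prefix = $Cidr.Split('/')
    $prefix = [int]$prefix
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # big-endian octets
    [long]$addr = 0
    foreach ($b in $bytes) { $addr = ($addr -shl 8) -bor $b }
    $size  = [long]1 -shl (32 - $prefix)
    $first = $addr - ($addr % $size)                                 # align to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; Prefix = $prefix; First = $first; Last = $first + $size - 1 }
}

function Test-IPv4Overlap {
    # True when the two ranges share at least one address.
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = ConvertTo-IPv4Range $A; $rb = ConvertTo-IPv4Range $B
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

function Test-IPv4Contains {
    # True when $Inner lies entirely within $Outer.
    param([Parameter(Mandatory)][string]$Outer, [Parameter(Mandatory)][string]$Inner)
    $ro = ConvertTo-IPv4Range $Outer; $ri = ConvertTo-IPv4Range $Inner
    return ($ri.First -ge $ro.First) -and ($ri.Last -le $ro.Last)
}

function Test-HybridAddressPlan {
    # Returns a list of problems; an empty result means the plan is usable for a site-to-site tunnel.
    param(
        [Parameter(Mandatory)][string]$VNetAddressSpace,
        [Parameter(Mandatory)][string[]]$VNetSubnets,
        [Parameter(Mandatory)][string]$GatewaySubnet,
        [Parameter(Mandatory)][string]$OnPremAddressSpace
    )
    $problems = @()
    # 1. On-premises and VNet ranges must be disjoint, otherwise routes across the tunnel are ambiguous.
    if (Test-IPv4Overlap $VNetAddressSpace $OnPremAddressSpace) {
        $problems += "On-premises $OnPremAddressSpace overlaps VNet $VNetAddressSpace"
    }
    # 2. Every subnet, including GatewaySubnet, must sit inside the VNet address space.
    $all = $VNetSubnets + $GatewaySubnet
    foreach ($s in $all) {
        if (-not (Test-IPv4Contains $VNetAddressSpace $s)) { $problems += "$s is outside $VNetAddressSpace" }
    }
    # 3. Subnets must not overlap each other.
    for ($i = 0; $i -lt $all.Count; $i++) {
        for ($j = $i + 1; $j -lt $all.Count; $j++) {
            if (Test-IPv4Overlap $all[$i] $all[$j]) { $problems += "$($all[$i]) overlaps $($all[$j])" }
        }
    }
    # 4. Azure requires GatewaySubnet to be /29 or larger (/27 is the usual recommendation).
    if ((ConvertTo-IPv4Range $GatewaySubnet).Prefix -gt 29) { $problems += "GatewaySubnet $GatewaySubnet is smaller than /29" }
    return $problems
}

function New-IPsecPreSharedKey {
    # 32 bytes from the OS CSPRNG, base64 without padding: 43 printable ASCII characters,
    # which both the Azure connection and the Sophos UTM accept as a shared key.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    $rng.Dispose()
    return ([Convert]::ToBase64String($buf)).TrimEnd('=')
}

# Check the plan from the table, then print a key to use instead of GR0C413M3.
$problems = Test-HybridAddressPlan -VNetAddressSpace '10.10.0.0/16' `
    -VNetSubnets @('10.10.1.0/24', '10.10.2.0/24') -GatewaySubnet '10.10.0.0/28' `
    -OnPremAddressSpace '192.168.2.0/24'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Address plan OK' }
New-IPsecPreSharedKey
```

Run it as a plain script (no Azure connection needed). If the on-site range had been 10.10.2.0/24, the first check would flag the overlap before anything was built; the table's values pass cleanly.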

 

Setup

My setup is a little different from most, but in its simplest form:

[Example Visio Placeholder]

Process

Create the virtual network; think of it like your physical network infrastructure, initially without the logical part. It is a bit like having just made yourself a little box inside the cloud, and that box has to be somewhere, hence the location. While creating it, give it a name (e.g. VNetwork01), the address space and the first subnet:

[Screenshot: Create virtual network blade: Name VNetSADOM; Address space 10.10.0.0/16 (10.10.0.0 - 10.10.255.255, 65536 addresses); Subnet name VSubnet01; Subnet address range 10.10.1.0/24 (256 addresses); Subscription Microsoft Partner Network; Resource group: create new; Location West Europe]

Select the virtual network, then set the custom DNS server (8.8.8.8 in this example):

[Screenshot: VNetSADOM virtual network overview: Resource group VNetwork; Location West Europe; Subscription Microsoft Partner Network; Address space 10.10.0.0/16; DNS servers 8.8.8.8; no connected devices]

Add any further subnets you want on the Azure side (the second /24 in the table above, 10.10.2.0/24).

Add the gateway subnet. It has to be named GatewaySubnet, and the VPN gateway will live in it (10.10.0.0/28 here).

Here is where it changes: add a virtual network gateway (VNetGW in the table, gateway type VPN, VPN type policy-based, with a new public IP VNetGWIP). This is the slow step; Azure takes a good while to build it.

So now I have my Virtual Network Gateway, the edge of my box.

Next I have to create the virtual customer-premises side, which Azure calls the Local Network Gateway (VNetGWSite): your remote part, but described in Azure. It holds the public IP of the on-site VPN device (81.174.152.37) and the address space behind it (192.168.2.0/24), so it can be thought of as Azure's view of the edge device on your site network.

Now I need to create the connection between the two gateways, so I select my previously created virtual network gateway (VNetGW, not the local network gateway) and open Connections:

[Screenshot: VNetGW virtual network gateway blade; Settings: Connections, Point-to-site configuration, Properties, Locks, Automation script]
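For those who would rather script the Azure side than click through the blades, here is the same build with the Az PowerShell module. It is an added example and not part of the original tutorial: the names, address ranges and on-site public IP are the example values from the table, the second subnet is assumed to be called VSubnet02, the gateway uses the Basic SKU because that is the only SKU a policy-based gateway can use, and the shared key is read from an environment variable (AZURE_S2S_PSK, a name chosen for this example) rather than written into the script. It assumes Connect-AzAccount has already been run against the right subscription and that Az.Network is installed.

```powershell
# Added example: builds VNet01, VNetGW, VNetGWSite and cnnSite from the table with the Az module.
# Not from the original page. Requires: Connect-AzAccount done, Az.Network installed, $env:AZURE_S2S_PSK set.

$rg       = 'VNetwork'
$location = 'westeurope'

# 1. Resource group and the virtual network with the two workload subnets plus GatewaySubnet.
#    The gateway subnet must be named exactly "GatewaySubnet" or the gateway will refuse to deploy.
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

$subnets = @(
    New-AzVirtualNetworkSubnetConfig -Name 'VSubnet01'     -AddressPrefix '10.10.1.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'VSubnet02'     -AddressPrefix '10.10.2.0/24'   # assumed name
    New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.0.0/28'
)
$vnet = New-AzVirtualNetwork -Name 'VNet01' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.10.0.0/16' -Subnet $subnets -DnsServer '8.8.8.8'

# 2. Public IP for the gateway. A Basic-SKU gateway takes a Basic, dynamically allocated IP,
#    so the address is only known after the gateway has been created.
$pip = New-AzPublicIpAddress -Name 'VNetGWIP' -ResourceGroupName $rg -Location $location `
            -AllocationMethod Dynamic -Sku Basic

$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpCfg  = New-AzVirtualNetworkGatewayIpConfig -Name 'VNetGWIPConfig' `
                -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# 3. The virtual network gateway. Policy-based means IKEv1, the fixed proposal the Sophos policy
#    in the table mirrors (AES256/SHA1/DH2 28800s; AES256/SHA1/no PFS 3600s) and one S2S tunnel.
#    Expect this call to block for 20 to 45 minutes.
$gw = New-AzVirtualNetworkGateway -Name 'VNetGW' -ResourceGroupName $rg -Location $location `
          -IpConfigurations $gwIpCfg -GatewayType Vpn -VpnType PolicyBased -GatewaySku Basic

# 4. Local network gateway: the on-site UTM's public IP and the network behind it.
$lng = New-AzLocalNetworkGateway -Name 'VNetGWSite' -ResourceGroupName $rg -Location $location `
           -GatewayIpAddress '81.174.152.37' -AddressPrefix '192.168.2.0/24'

# 5. The connection. The PSK comes from the environment so it never lands in a script or a repo.
$psk = $env:AZURE_S2S_PSK
if ([string]::IsNullOrWhiteSpace($psk)) { throw 'Set $env:AZURE_S2S_PSK to the shared key first.' }

New-AzVirtualNetworkGatewayConnection -Name 'cnnSite' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# The address to enter as the Sophos "Remote Gateway" (52.174.148.52 in the table):
(Get-AzPublicIpAddress -Name 'VNetGWIP' -ResourceGroupName $rg).IpAddress

# Tunnel state: stays NotConnected until the UTM is configured with the matching policy and key.
(Get-AzVirtualNetworkGatewayConnection -Name 'cnnSite' -ResourceGroupName $rg).ConnectionStatus
```

The gateway creation is the slow part; everything else completes in seconds. Once the UTM side is up, re-run the last line and look for Connected; if it sits at NotConnected, the usual culprits are a mismatched shared key or a policy that differs from the fixed policy-based proposal.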