One of the great new features of Windows Azure is the ability to create a site-to-site VPN connection to your local network.
Microsoft provides configuration instructions for Cisco and Juniper devices and currently delivers step-by-step configuration details only for those.
In this blog post I will guide you through configuring a new virtual network to a SonicWALL device through the Windows Azure web portal.
Creating a Local Network
To establish the connection to a local network you can define your local network before actually creating a new Virtual Network in Windows Azure. This lets you create the site-to-site connection directly in the “New Virtual Network” configuration wizard.
Access the network configuration section in the Windows Azure web portal.
Click the tab called “Local Networks”.
Click the “+ Create” button at the bottom of the page.
Fill out the Name and the public IP address of the VPN gateway.
Then click the next-arrow to proceed to step 2.
Fill out the subnet(s) and click the checkmark button to create this entry.
Creating a new Virtual Network and the gateway connection in Windows Azure
It is vital that you create the virtual network before you create the virtual machines in Windows Azure, as it is currently not easy to move the machines to another network afterwards.
Access your portal, click the “+ NEW” button and select “Network” and “Custom Create”.
Here you will fill in details regarding the network such as Name, Region to be used and select or create an affinity group.
Then click the next-arrow to proceed to step 2.
Here you will create your address space and subnets. It is important that you know a bit about subnetting, as the address space must include all the subnets you create. The address space is used for “grouping” the addresses and will be used for routing and the VPN tunnel. The network is virtualized and does not conflict with any other networks in Windows Azure.
I create two subnets as the screenshot shows.
Then click the next-arrow to proceed to step 3.
On this configuration screen you choose a DNS server (optional; by default the Windows Azure-provided DNS is used). If you need to create additional domain controllers for an existing domain from your local network, it is a good idea to fill this out.
This is also the page where you configure the actual connection to the local network. You will type in the subnet of the Windows Azure network that is available for the local network. In this example I will provide access to all my Windows Azure subnets.
Click the checkmark button to create the new Virtual Network and configure the Windows Azure VPN connection.
Note: You cannot change the VPN connection details without deleting the gateway. This takes a while and will delete the Windows Azure VPN entry. Afterwards you can create a new gateway and VPN connection again for this Virtual Network.
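Because the address space, the Azure subnets and the local network subnets cannot be changed without deleting the gateway, it pays to validate the plan before clicking the checkmark. The following script is an added example and is not part of the original post or any Microsoft or SonicWALL tooling; the networks in it are constructed sample values, and it checks that every Azure subnet lies inside the address space, that Azure subnets do not overlap, and that no local subnet overlaps the Azure address space (which would leave the tunnel with nothing to route).

```python
import ipaddress

# Constructed sample plan (not from the original post): the Windows Azure
# address space, the two Azure subnets, and the on-premises subnets that sit
# behind the SonicWALL and were entered as the "Local Network".
AZURE_ADDRESS_SPACE = "10.1.0.0/16"
AZURE_SUBNETS = {"Frontend": "10.1.1.0/24", "Backend": "10.1.2.0/24"}
LOCAL_SUBNETS = {"LAN": "192.168.10.0/24", "Servers": "192.168.20.0/24"}


def check_address_plan(address_space, azure_subnets, local_subnets):
    """Return a list of problems with the address plan (empty list = OK).

    Three constraints a site-to-site tunnel depends on are checked:
      1. every Azure subnet lies inside the Azure address space,
      2. Azure subnets do not overlap each other,
      3. local subnets do not overlap the Azure address space, otherwise the
         SonicWALL and the Azure gateway cannot route between the two sides.
    strict=True makes ip_network() reject CIDRs with host bits set.
    """
    problems = []
    space = ipaddress.ip_network(address_space, strict=True)
    azure = {name: ipaddress.ip_network(cidr, strict=True)
             for name, cidr in azure_subnets.items()}
    local = {name: ipaddress.ip_network(cidr, strict=True)
             for name, cidr in local_subnets.items()}

    for name, net in azure.items():
        if not net.subnet_of(space):
            problems.append(f"Azure subnet {name} {net} is outside address space {space}")

    names = list(azure)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if azure[a].overlaps(azure[b]):
                problems.append(f"Azure subnets {a} {azure[a]} and {b} {azure[b]} overlap")

    for name, net in local.items():
        if net.overlaps(space):
            problems.append(f"local subnet {name} {net} overlaps Azure address space {space}")
    return problems


if __name__ == "__main__":
    report = check_address_plan(AZURE_ADDRESS_SPACE, AZURE_SUBNETS, LOCAL_SUBNETS)
    for line in report or ["address plan OK"]:
        print(line)
```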
Configuring the SonicWALL for the VPN connection to the Windows Azure gateway
This example was made on a SonicWALL running the Enhanced firmware. The Enhanced firmware is not required for this to work; the same configuration details apply to the Standard firmware.
Log on to your SonicWALL as an admin and go to the “Network” and “Address Objects” menu.
Create a new Address Object (and possibly an Address Group also for future reconfigurations) that defines the Windows Azure network used in the VPN tunnel.
Now start the VPN configuration wizard from the button in the upper right corner of the SonicWALL interface: click Wizards and choose “VPN Wizard”.
Fill in a name, the preshared key and the Remote Peer IP Address. You can find this by accessing the Windows Azure web portal, go to the “Networks” area and clicking your Virtual Network. On this dashboard you can see the “Gateway IP address” which you will use. The preshared key can be found by clicking the “View Key” on the same page.
Select which of your internal subnets the Windows Azure networks may access, and select the Windows Azure network (the Address Object created earlier) as the remote network.
Now select the security settings for this tunnel. These may differ in your configuration or in future Windows Azure standards; the current values can be found in the configuration script generated by the Windows Azure Virtual Network download wizard. Download the file and check its contents.
Now you can complete your wizard and both NAT entries and the VPN tunnel will be created.
Edit the VPN tunnel and configure the local and peer IDs for this tunnel to match the public IP of the SonicWALL and the internal Windows Azure gateway IP (you can see the latter in an error message in the SonicWALL log; Microsoft could change the settings to support other VPN vendors that do not support their auto-IP-ID configuration):
Also check the Proposals section for this tunnel: the exchange method must be set to “Main mode”.
To bring the tunnel up, try pinging an address on the remote subnet; you should be able to reach it once the VPN tunnel has initialized. Alternatively you can enable “Keep alive” on the “Advanced” tab of the VPN tunnel configuration on the SonicWALL.
Note: All Windows Server instances in Windows Azure have the Windows Firewall enabled, so you need to either disable the firewall (not recommended!) or add an allow rule for ICMPv4 traffic to it.
You can check the status of the site-to-site connection in the “Networks” area of the Windows Azure web portal by clicking your Virtual Network.
I hope this guide helps you configure a site-to-site tunnel between the networks.