Microsoft Azure S2S VPN

Stretch Datacenter Network to Microsoft Azure with RRAS

You may be planning to stretch your datacenter network to Windows Azure by setting up a Site to Site VPN where the VMs up in Azure are effectively connected to the Enterprise Datacenter. The Site to Site VPN simply extends the datacenter so that VMs can be created in the cloud, with VMs both on-premises and up in Azure.

You’ve probably read guidance requiring you to have two network adapters, one for internet facing traffic and the other for internal facing traffic. You may have also read that you must assign a static public IP address on the Internet facing network adapter as you cannot NAT the traffic.

In many cases this might not be possible without making changes to your infrastructure; personally, I wouldn’t like to make changes to my network for a test.

In this blog I will show you (with no change to your current network/infrastructure) how to configure an S2S VPN to Azure with RRAS hosted on Hyper-V behind a firewall (NAT). This setup is for a lab environment; you should definitely follow Microsoft’s recommendations for a production environment.

I created the diagram below to help you visualize the infrastructure, and I will give a fairly simple step-by-step guide to building an S2S VPN to Azure. Just remember this is not recommended for production.

Let’s get started!


Lab Setup

I will install a Windows 2012 R2 VM on my Hyper-V server with two vNICs connected to external and private vSwitches.


Rename the network adapters so you can easily identify them.


On “external” and “private” adapter properties, uncheck all the items as in the picture below and leave only TCP/IP v4 selected. Also ensure that you only have the gateway IP address for your FW/GW set on your “external” vNIC.


Configuring the Internet facing FW (NAT)

These steps differ for different vendor devices but essentially you need to do some form of Port Forwarding for incoming traffic. In my case I have a Cisco firewall and I will forward all ports from the internet (public IP) to a private IP address assigned to my RRAS external vNIC. I am forwarding to

Let’s map public IP x.x.x.x to the RRAS external IP; the example below is for a Cisco device. (To improve security you can restrict access to specific ports.)

Cisco static map and ACLs on outside and DMZ

Static (dmz,outside) x.x.x.x netmask
access-list acl_out extended permit ip any host x.x.x.x
access-list acl_dmz extended permit ip host any.
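
The note above about restricting access to specific ports, as an added example that is not part of the original post: assuming the tunnel is IKEv2 with NAT traversal (UDP 500 and UDP 4500), the inbound ACL can be narrowed from `permit ip any` to those two ports from the Azure gateway only. `<AZURE_GW_IP>` is a placeholder for the Azure VPN gateway public IP; x.x.x.x is the mapped public IP as in the post.

```cisco
! Added example, not from the original post.
! Assumptions: IKEv2 with NAT-T (UDP 500 for IKE, UDP 4500 for ESP-in-UDP);
! <AZURE_GW_IP> is a placeholder for the Azure VPN gateway public IP.
!
! Before (from the post): every protocol and port, from any source
!   access-list acl_out extended permit ip any host x.x.x.x
!
! After: only IKE and NAT-T, and only from the Azure gateway
no access-list acl_out extended permit ip any host x.x.x.x
access-list acl_out extended permit udp host <AZURE_GW_IP> host x.x.x.x eq 500
access-list acl_out extended permit udp host <AZURE_GW_IP> host x.x.x.x eq 4500
! Log anything else aimed at the RRAS mapping so probes show up in syslog
access-list acl_out extended deny ip any host x.x.x.x log
```

The Azure gateway IP is only known after the gateway has been created, so this tightening is applied once that step is complete.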

We will follow the steps below to create and test the S2S VPN:

  • Create Virtual Network and subnet on Azure
  • Specify a DNS server IP address
  • Define premises address space in Azure Local Network
  • Configuring the Azure S2S VPN and Gateway
  • Configuring the RRAS Server S2S VPN
  • Testing VPN connection

Create Networks in Azure
Log on to your Azure account and create the Local network
Select to create a Custom network

Networks – New – Virtual Network – Custom Create

Give the network a name, “vnetAZR02”, and assign it to an Azure location.


Type in the DNS servers you are going to have locally on your network.


Assign the Virtual Network a non-routable (private) IPv4 address space


It will start creating the Virtual Network, and the status will change from creating to created when the process completes.


An Azure Local Network is an Azure-based reference to your on-premises IPv4 address space and is used to automatically create routing rules from Azure to the “on-premise side” of the VPN.



Type a name for your “Local Network” and include the public IP of your on-premises site (the public IP mapped to the RRAS external IP).


Specify on-premise network address space (network address space on RRAS “private” network)


Configuring the Azure S2S VPN and Gateway

With the virtual network created and the Local Network defined in Azure, the next step is to create our site-to-site VPN in Azure.

Click on the virtual network “vnetAZ02” and then click Configure.
Then check “connect to the local network” under site-to-site connectivity.
Ensure that “OnPremNet2” is selected in the Local Network drop-down box.
Azure will now automatically add an additional subnet in your Azure network address space for the gateway.


Click Save at the bottom of the page and return to the dashboard view of your Virtual Network.
Go ahead and create the actual gateway device by clicking CREATE GATEWAY with Dynamic Routing.

Configure the RRAS on your network (not the Internet facing)

Let’s go back and configure the RRAS VM on premises. Add the “Routing and Remote Access” role from Server Manager. Once it is installed, open the “Routing and Remote Access” console to configure the VPN server.

Follow the steps below to install RRAS; they are self-explanatory.


Right Click the server and select “Configure and Enable Routing and Remote Access”.


Choose to create a Custom Configuration and then Select VPN access and LAN routing from the list.


Once the Wizard completes you will be prompted to start RRAS. Start the service.


The next step is to create a Demand-Dial Interface.
Click “Network Interfaces”, then right-click and select “Demand-Dial Interface”.


Type a recognizable name for the interface; in my case I typed “AZRGW”.


Select the type of “Demand-Dial Interface” you want to create.


Select the type of VPN you want to create.


Type the Azure VPN Gateway public IP


On the next screen ensure you have NOT selected to “Route IP packets on this interface”. I will show you how to do this later in case you want to add other routes. Ensure everything else is unselected.


Click Next to finish creating the interface.


Make sure IPv4 is selected in the Demand-Dial Interface “AZRGW” network properties.


Click IPv4 and add the “AZRGW” interface (if it is not already there).


Now we need to obtain the pre-shared key from the Azure Portal. Go to your Virtual Network Dashboard. At the bottom of the page you will have a Manage Key icon, which will pop up the window below. Copy this pre-shared key.

Back on the RRAS VM, right-click on the Demand-Dial interface “AZRGW” and select Properties. Under Security, enter your pre-shared key.


Now we need to add a static route so RRAS understands what traffic to route to Azure. Under the IPv4 node, right-click Static Route and select New Static Route. Ensure your “AZRGW” interface is selected and specify the network. In my case I have added the 10.0.30.x network and given it a metric of 1 to ensure highest routing priority.


Now check the AZRGW interface; it will show connected if everything is successful.


Confirm from the Azure dashboard.


We’re done…

Install a virtual machine on Microsoft Azure and then access servers in your datacenter through the VPN.
