Hybrid Cloud Connectivity: Azure P2S VPN, S2S from Azure to AWS


1. Summary: Hybrid Cloud Connectivity – Azure P2S VPN

This is the fifth blog in the Azure Networking Blog series, and focuses on Azure P2S VPN functionality. Check out other blogs in this series:

  1. Azure Traffic Manager and Load Balancer Design
  2. Third Party Network Devices (Part-1) – Citrix VPX in Azure
  3. Third Party Network Devices (Part-2) – Cisco ASAv in Azure
  4. BGP Express Route and BGP over IPSec Tunnel

In this blog post we will review various Hybrid Cloud Connectivity options. A VPN client allows remote users to connect to a private cloud network over the Internet from anywhere in the world. In Azure, this can be accomplished with a Point-to-Site VPN Gateway (Route-Based) with RADIUS Authentication. Azure P2S is a useful alternative to a site-to-site VPN when you have a few remote users that need connectivity into Azure. In the first part of this blog post, I will walk you through a use case with Azure P2S VPN using an Active Directory server configured with the RADIUS Server role.

One of our clients recently migrated from AWS to Azure. One way to connect the two clouds together is via an IPsec VPN tunnel. We ran into compatibility issues between Azure and AWS while setting up the VPN tunnel, due to the fact that AWS currently only supports IKEv1, and Azure's Route-Based VPN gateway only supports IKEv2.

To overcome this limitation, in the second half of the blog post we'll take a look at a use case to connect AWS Cloud to Azure Cloud using strongSwan (which serves as a virtual appliance on the AWS side) with IKEv2 support, and using custom routing. This can also be accomplished with Windows Server (RRAS on the AWS side).

Note: This blog post assumes general familiarity with Azure cloud constructs (Resource Groups, VNets and Subnets), AWS networking constructs (VPC, Subnet, Instances and Route tables) and common networking concepts. Microsoft has some great documentation to assist with further understanding this process.

This blog post is focused on an end-to-end configuration blueprint, reference architecture and in-depth troubleshooting for the above two use cases. We will use this diagram as a reference architecture.

[Diagram: Azure Point-to-Site (P2S) VPN to AWS – Hybrid Cloud Connectivity]

2. Point-to-Site VPN Configuration

Summary:

A VPN client allows remote users to connect to a private network over the Internet from anywhere in the world. In Azure, this can be accomplished with a Point-to-Site VPN Gateway (Route-Based) with RADIUS Authentication. Azure P2S VPN is a useful alternative to a site-to-site VPN when you have a few remote users that need connectivity into Azure.

In the first part of this blog post, I will walk you through a use case with Azure P2S VPN using an Active Directory server configured with the RADIUS Server role.

Microsoft Documentation:

https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-radius

Azure P2S VPN is supported from Windows, Mac OS X and Linux client devices. This blog post covers the Windows client.

Prerequisites: Azure Resource Group (nn-rg-2), VNet (nn-vnet) and subnets exist in Azure. An Active Directory Domain Controller (Windows 2012 R2) has been created in an Azure subnet.

Steps:

  1. Create Route based Virtual Network Gateway
  2. Configure Point-to-Site VPN on Azure VNG
  3. Create VPN Users Group in Active Directory
  4. Setup RADIUS Server and Network Policy Server Security
  5. Download VPN Client
  6. Connect to Azure
  7. Troubleshooting and Verifications

  1. Create Route-Based Virtual Network Gateway.

    [Screenshot: Route-Based Virtual Network Gateway]
  2. Configure Point-to-Site VPN on the Azure Virtual Network Gateway. The address pool should be something unique on your network.

    [Screenshot: Point-to-Site VPN on Azure Virtual Network Gateway]
  3. Create a VPN Users group in Active Directory. Add VPN users to this group.

    [Screenshot: VPN Users Group in Active Directory]
  4. Install and set up RADIUS Server and Network Policy Server (step by step).

    [Screenshot: Install and Setup RADIUS Server and Network Policy Server]

    Register Network Policy Server.

    [Screenshot: Register Network Policy Server]

    Configure the RADIUS client on Network Policy Server. Allow traffic from the Azure Gateway subnet (10.6.0.0/24).

    [Screenshot: RADIUS client on Network Policy Server]

    Configure the security policy to allow conditional requests.

    [Screenshot: Network Policy Server security policy]
  5. Download and install the VPN client.

    [Screenshot: Download VPN client]

    Extract the zip file into a folder and install the client.

    [Screenshot: Install VPN client]
  6. Connect to Azure. The above step will install a new connection "nn-vnet-2".

    [Screenshot: Azure Connection]

    Launch the client and log in with your AD domain credentials. Make sure the user is in the VPN Users group.

    [Screenshot: VPN client login]
  7. Troubleshooting and Verifications.

    On the Azure side, for the VM in question, check the effective routes in the Azure Portal.

    [Screenshot: Effective routes in the Azure Portal]

    On the client side, verify the IP and routes.

    [Screenshot: Client IP and routes]

3. Azure to AWS Connectivity

Summary:

As noted above, while assisting a client in their migration from AWS to Azure, we ran into compatibility challenges between the two platforms when connecting the two clouds together via an IPsec VPN tunnel.

AWS currently only supports IKEv1, while the Route-Based VPN gateway in Azure only supports IKEv2 – this necessitated connecting AWS Cloud to Azure Cloud using strongSwan (which serves as a virtual appliance on the AWS side) with IKEv2 support and using custom routing. strongSwan is an open-source tool that requires minimal configuration to get it up and running. This connection can also be accomplished with Windows Server (RRAS on the AWS side).

Prerequisites:

AWS: VPC: nn-VPC, Subnets: nn-subnet-1, nn-subnet-2, instances: vm1 in subnet1 and vm2 in subnet2 exist

Azure: Resource Group: nn-rg-2, VNet: nn-vnet-2, subnet: nn-subnet1, Route-based Virtual Network Gateway: nn-route-based-vng

Documentation Links:

https://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/ExerciseOverview.html

https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc

Steps:
  1. AWS: Install an Ubuntu instance and configure strongSwan.
  2. AWS: Configure Custom Routes
  3. Azure: Create new Local Network Gateway
  4. Azure: Create a new connection
  5. Verification and troubleshooting
1. AWS: Install an Ubuntu instance and configure strongSwan.
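Step 1 is documented only with screenshots on the original page, so here is an added example, not the author's or the strongSwan project's configuration: a POSIX shell script that renders the IKEv2 tunnel definition and pre-shared key file for the Ubuntu instance. The public IPs, address spaces and PSK are constructed placeholders standing in for nn-VPC, nn-vnet-2 and the shared key shown on the Azure connection.

```shell
#!/bin/sh
# Added example, not the author's configuration: strongSwan IKEv2 tunnel from the
# AWS Ubuntu instance to the Azure route-based VPN gateway. Every address and the
# PSK below is a constructed placeholder; override them via the environment.
set -eu

AWS_PUBLIC_IP="${AWS_PUBLIC_IP:-203.0.113.10}"     # Elastic IP of the strongSwan instance
AWS_VPC_CIDR="${AWS_VPC_CIDR:-172.16.0.0/16}"      # nn-VPC address space (assumed)
AZURE_GW_IP="${AZURE_GW_IP:-198.51.100.20}"        # public IP of nn-route-based-vng
AZURE_VNET_CIDR="${AZURE_VNET_CIDR:-10.6.0.0/16}"  # nn-vnet-2 (its GatewaySubnet is 10.6.0.0/24)
PSK="${PSK:-replace-with-the-shared-key-from-the-Azure-connection}"

# ipsec.conf: IKEv2 only, with proposals an Azure route-based gateway accepts by default.
# leftid must be the Elastic IP: the instance only sees its private VPC address (AWS 1:1
# NAT), while Azure expects the peer ID to match the Local Network Gateway IP address.
render_ipsec_conf() {
  cat <<EOF
conn azure
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=${AWS_PUBLIC_IP}
    leftsubnet=${AWS_VPC_CIDR}
    right=${AZURE_GW_IP}
    rightsubnet=${AZURE_VNET_CIDR}
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256!
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    auto=start
EOF
}

# ipsec.secrets: the PSK is keyed on both peer identities.
render_ipsec_secrets() {
  printf '%s %s : PSK "%s"\n' "$AWS_PUBLIC_IP" "$AZURE_GW_IP" "$PSK"
}

# Write both files under $1 (normally /etc) and enable forwarding (persist it in sysctl.conf).
# The AWS custom routing is separate: disable source/dest check on this instance and
# point a VPC route for AZURE_VNET_CIDR at it.
install_config() {
  render_ipsec_conf > "$1/ipsec.conf"
  render_ipsec_secrets > "$1/ipsec.secrets"
  chmod 600 "$1/ipsec.secrets"
  sysctl -w net.ipv4.ip_forward=1
  ipsec restart
}
if [ "${1:-}" = "--install" ]; then install_config /etc; fi
```

Run it with `--install` on the instance once the Azure Local Network Gateway carries the instance's Elastic IP; `ipsec statusall` then shows the `azure` SA as ESTABLISHED when both sides agree on the proposals.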

2. AWS: Configure VPC, Subnets and Custom Routes

[Screenshot: AWS VPC]

[Screenshot: AWS Subnet1]

[Screenshot: AWS Subnet2]

[Screenshot: AWS Internet Gateway]

[Screenshot: AWS NAT Gateway]

3. Azure: Create Virtual Network Gateway

[Screenshot: Azure Virtual Network Gateway]

4. Azure: Create Local Network Gateway and a new connection

[Screenshot: Azure Local Network Gateway]

[Screenshot: Azure connection]

5. Verifications and troubleshooting

[Screenshot: VM in Subnet2]

[Screenshot: VM in Subnet1]

4. Conclusion

This blog came from a real day-in-the-life experience of Navisite’s Solution Engineering team, an element of Navisite’s Elite 5-Star Managed Services team. At Navisite, we partner with our current and prospective clients to bring creative, business-enabling technology solutions to life.

In conclusion, we reviewed Hybrid Cloud Connectivity options. For remote users, we looked at Azure Native P2S solution with Radius Authentication. Other options for Remote user connectivity are using third-party appliances like Cisco ASAv with AnyConnect VPN. For ASAv in Azure check out my earlier blog post.

We also looked at connecting Azure and AWS Cloud using an IPsec VPN. For a short-term migration strategy, we used strongSwan, an open-source tool which requires minimal configuration to get it up and running. This can also be accomplished with Windows Server (RRAS on the AWS side), a topic which I will cover in future blog posts.

Note: I’d like to thank my manager John Rudenauer, Navisite Product Management and Marketing team members William Toll, Chris Pierdominici and Carole Bailey for their support.
Nehali Neogi

Principal Cloud Architect at Navisite
Nehali Neogi is a Principal Cloud Architect at Navisite, leading many of their global initiatives on building the next generation of hybrid cloud services. She enjoys designing and architecting reliable and highly available solutions for Navisite's clients. She is a Cisco, VMware NSX and Azure certified Cloud Architect leading Hybrid Cloud offerings. Her interests are cloud technologies, Software Defined Networking, full stack engineering, and realizing the transition to DevOps and system automation. Nehali holds an Expert Level Certification in VMware NSX (VCIX-NV) and is a Microsoft Certified Azure Cloud Architect. She holds a Master's in Computer Engineering from UMass Lowell.