Connecting your on-premises lab to Azure with Azure Site-to-Site VPN

When running VM’s in the cloud you need to consider cost as part of your lab.
And since running compute in Azure and AWS could be costly when you need to run your ADFS, AD Connect, AD and SQL etc 24/7, it’s still practical to have a lab on-prem. This article will go through the steps on how you can get your hybrid lab up and running with site-2-site VPN tunnel to Azure using pfSense.

First, we need to plan our Azure site-to-site VPN requirements for Azure.
The table below shows that the Azure basic sku which cover most needs for a test/dev lab.

Check the latest documentation on Azure vpn gateways if you would like to go into the details.
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

SKU S2S/VNet-to-VNet

Tunnels

P2S

Connections

Aggregate

Throughput Benchmark

VpnGw1 Max. 30 Max. 128 650 Mbps
VpnGw2 Max. 30 Max. 128 1 Gbps
VpnGw3 Max. 30 Max. 128 1.25 Gbps
Basic Max. 10 Max. 128 100 Mbps

In regards to having only dynamic IP at my Homelab, we can automate this task using Azure Automation
I’m using the script from http://www.deployazure.com/management/automation/azure-automation-update-vpn-local-network-gateway/

I have created a generic design to show the connection from on-prem to Azure or AWS.
For the purpose of this specific guide, I will only show how to connect to Azure. Will cover AWS in another guide 🙂

Steps

  1. Create Resource group – Azure
  2. Create virtual network – Azure
  3. Create virtual network gateway – Azure
  4. Create local network gateway – Azure
  5. Add VPN tunnel – pfSense
  6. Iperf VPN speed test

Step 1 – Create Resource group – Azure

To keep things tidy we are going to have a dedicated resource group for all the vpn resources.

Step 2 – Create a virtual network  – Azure

Add your Address space, Subnet and Address IP range to create the virtual network.

Step 3 – Create virtual network gateway – Azure

We will use Route-based, Basic SKU, Virtual Network and create the new public address of our virtual network gateway.

When we choose to create the virtual network gateway which will kick off our deployment.
This takes exactly 30 min. Yes, exactly spot on 30 min.

Step 4 – Create local network gateway – Azure

When you create local network gateway you must add your WAN/ISP public IP.
Add the Address space of your local address space from the pfSense lab network.

To link things together we must Add the Connections from virtual network gateway and local network gateway.

To find the Public IP of your Virtual network gateway go to the overview.

Step 5 – Add VPN tunnel – pfSense

Go to VPN to add the Tunnel and Add P1 to kick of the wizard.

Add the public IP of your Azure virtual network gateway and give it a proper description.

Add your VPN Pre-shared key.

Set the required Encryption settings and change the Lifetime.

Next, we need to add SA/Key Exchange and Add P2, to add the required settings.

Change the required Encryption and hash Algorithms and save your settings.

Next we need to create the IPsec firewalls in pfSense.  Go to Firewall – Rules – IPsec and ADD.  I recommend allowing all traffic first, and then locking down the firewall ruleset when you are finished with the setup.

We can monitor the IPsec overview to verify that we have Established our connections from both pfSense and Azure.

Overview from Data in/out.

Step 6 – Iperf VPN speed test

Now you can test RDP connection to the Azure VM. If you RDP isn’t working, check your NSG in Azure to see that your ruleset allows RDP.

When connected we want to verify that we are getting the expected speed. Install iperf on the Azure VM and run command.

iperf3.exe -s -p 5001

On the on-prem server install iperf run the command

iperf3.exe -c “Azure VM IP” -t 30 -p 5001 -P 32

I can now conclude that I get the performance as expected from the basic SKU, and my fiber connection is limited to 100 anyway 🙂

Leave a Reply