Planning a Hybrid IT Infrastructure using Windows Azure Infrastructure Services (Part 4)

If you would like to be notified when Deb Shinder releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

If you would like to read the other parts in this article series please go to:

Introduction

In part 3 of this series on building a hybrid IT infrastructure we began the process of creating an Azure Virtual Network. As a reminder, you create Azure Virtual Networks when you want virtual machines from different cloud services to communicate with each other. Once those virtual machines are put on the same Azure Virtual Network, IP addresses will be assigned to them automatically by Azure’s DHCP system. Remember that these IP addresses, while delivered by DHCP, will remain on the hosts they are given to as long as you don’t deallocate the virtual machine by turning it off in the Windows Azure portal.

In other words, if you turn off the virtual machine using the “turn off computer” option within the operating system, it won’t be deallocated and it won’t lose its IP address. But if you turn off the virtual machine in the Windows Azure portal, which is effectively outside of the actual operating system, then the machine will be set into a deallocated state and it might lose its IP address. You might be wondering then, would you ever turn off a virtual machine in the Azure portal? The advantage of deallocating a virtual machine is that you won’t be charged for it when it’s turned off.

If you want to learn more about the deallocated state for virtual machines in Windows Azure, please see Keith Mayer’s article on this.

Understanding cloud services

Something that I didn’t cover in earlier parts of this series that is important for you to understand is the concept of a “cloud service” in Windows Azure. The reason that you need to understand this is that the concept of cloud service for Windows Azure Virtual Machines is a little different from the way that term is used in the PaaS components of Windows Azure. When you create a virtual machine, it automatically puts the virtual machine into a cloud service that has the same name as the virtual machine, as you can see in the figure below.

Image
Figure 1

Virtual machines that are placed in the same cloud service will be able to communicate with each other automatically. This means that if you were to use the web role in Windows Azure, and if you want all machines in the web role to communicate with each other, you’d have to put them in the same cloud service and then they would be able to communicate with each other. You wouldn’t need to put them on an Azure Virtual Network. However, it’s important to understand that they won’t be able to communicate directly with virtual machines that are on other cloud services. In order to allow them to communicate directly, they have to be on the same cloud service.

You can see in the figure below that when you create a new virtual machine, you select what cloud service you want to put the virtual machine onto. That will allow all the virtual machines on the same cloud service to communicate with each other. Also, if the virtual machine that the cloud service is named for is on an Azure Virtual Network, then all machines in that cloud service will be put into the same Azure Virtual Network.

Image
Figure 2

If you find it confusing, it is. It’s an unfortunate fact that a lot of the terminology that found its way into the Azure Infrastructure Service component was ported over from the PaaS components of Windows Azure. What made sense for the PaaS components unfortunately sometimes gets lost in translation when applied to the Azure Infrastructure Services offering. With that said, please let me know if you have questions on this and I will try to answer or I’ll ask Tom to write a post on this issue in the Building Clouds blog that he runs over on TechNet.

Defining the address space

Now that you have an understanding of how cloud services work in Azure Infrastructure Services, let’s go back and pick up where we left off the last time in our step-by-step process. We were creating an Azure Virtual Network and we were at the point where we need to define the address space that the remote access VPN clients will use when they connect to the Azure Virtual Network.

These are the addresses that the VPN clients will be assigned by Windows Azure when they connect to the Azure Virtual Network. Doing this enables you to limit the number of VPN connections that will be allowed to connect to the Azure Virtual Network. Because only administrators should be connected to the Azure Virtual Network through a VPN connection, you are probably going to want to limit the number of connections that you want to allow to the Azure Virtual Network for security purposes.

The figure below shows you the interface for assigning the IP address. You can choose from the usual private address ranges:

  • 10.0.0.0
  • 172.16.0.0
  • 192.168.0.0

After you select the address space, then you need to choose the network mask you want to use to define the number of IP addresses that are in the address space, as shown in the figure below.

Image
Figure 3

In this example, you can see that I have selected an address space with a /28 mask. After you make the selection, it will look something like what you see in the figure below.

Image
Figure 4

Assigning the gateway subnet

After choosing the IP addresses, the next step is for you to assign to the VPN clients, so click the arrow on the bottom right of the page to move on to the next step. Here you will be asked to add a gateway subnet, as seen in the figure below. The gateway subnet is required because the VPN gateway that Azure Infrastructure Services will create needs an IP address, so it will grab IP addresses from the pool you assign to the gateway subnet.

Image
Figure 5

Completing the configuration

At this point, you’re ready to complete the configuration of the virtual network! Click the checkmark on the bottom right hand of the page to complete the configuration of the Azure Virtual Network.

Image
Figure 6

When it’s done you will get the happy news!

Image
Figure 7

When you click the Network’s node in the left pane of the console, you’ll see in the right pane a list of the virtual networks you’ve created.

Image
Figure 8

Click on the name of the Azure Virtual Network you created and it will bring you to the welcome page. This page is very useful and you should take time to read it. There are links to documentation on Azure Virtual Networks and also to the Azure Virtual Machines and Virtual Networks forum. Note that during this early phase of Azure Infrastructure Services, the naming conventions aren’t very “tight” in that you’ll find the same thing referred to in a number of different ways. For example, the forum is called Azure Virtual Machines and Virtual Networks. That’s because that was the name of the service before the name was changed to Azure Infrastructure Services.

Image
Figure 9

Creating the gateway

When you click the DASHBOARD link, you’ll see that the gateway was not created. The reason for this is that you have to create the gateway yourself. If you look at the bottom of the page, you’ll see the CREATE GATEWAY button. Click that. You will be asked whether you want to create the gateway. Click YES. For some reason it can take a really long time to create the gateway, so be patient and go to lunch. By the time you get back, the gateway should be created.

Image
Figure 10

Image
Figure 11

Image
Figure 12

Fine tuning the configuration

You can see in the figure below that at this time there is no data in and no data out, but you do get information on what the public IP address is that the VPN gateway is listening on. You’ll also see that you’ll need to upload a certificate. The reason you need a certificate is that you’ll need to create a SSTP connection to the VPN gateway on Azure Infrastructure Services. We’ll see later where you upload that certificate.

Image
Figure 13

Click the CONFIGURE link on the top of the console page. Notice that it says that the Azure Virtual Network is in use. When the network is in use, you can only add new subnets and change the DNS server settings for the network. If the network is not in use (which means that there are no virtual machines located on the network), then you can change the IP addresses that are used by that Azure Virtual Network.

Do you remember our discussion about DNS servers in part 3 of this series? By default, Azure Infrastructure Services will configure its own DNS service so that the virtual machines on the same Azure Virtual Network will be able to resolve each other’s names. If that’s all you need, then all is well.

If you need the virtual machines to be able to resolve Internet host names, or if you want them to resolve internal network names on your corpnet, then you will need to configure a DNS server here. We’re not creating a site to site VPN in this example (don’t worry; we’ll get to that in a later part of the series), so we don’t need internal network name resolution, but when you create your hybrid IT infrastructure, then you will need to configure the Azure Virtual Network that is connecting to your corporate network to use DNS servers that are on-premises.

Image
Figure 14

Root certificate

Now we’re at the point where we can upload a root certificate to the Azure Infrastructure Services. Click the CERTIFICATES link at the top of the page, as seen in the figure below. Click the UPLOAD A ROOT CERTIFICATE link.

Image
Figure 15

The Upload Certificate interface will come up. Click the BROWSE link and then choose your certificate. Then click the checkmark to upload the certificate.

Image
Figure 16

After the certificate uploads, you’ll see the name of the certificate and the status will be displayed as Created.

Image
Figure 17

VPN client

Click the DASHBOARD link and now you’ll see the gateway’s public IP address and on the right side of the page there are two links. Once for the 64-bit VPN client and one for the 32-bit VPN client. When you click the link, you might see a warning from the browser that says that the file is not a commonly downloaded file and it might harm your computer. Don’t worry about that, just download it.

After you download the file for the VPN client, run the executable. After the install is done, you will see a new icon for the VPN connection that will connect your computer to the Azure Virtual Network. Double click that and run it as you would run any other VPN connectoid.

Image
Figure 18

Summary

In this, part 4 on our series of a hybrid IT infrastructure, we discussed how to complete the configuration of a point to site VPN and how to connect to the Azure Virtual Network through that point to site VPN connection. In the next part of this series, you’ll find out how to create a site to site VPN gateway and how to create a virtual machine and put it on the Azure Virtual Network. See you then! –Deb.

If you would like to be notified when Deb Shinder releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top