Planning a Hybrid IT Infrastructure using Windows Azure Infrastructure Services (Part 3)

If you would like to read the other parts in this article series please go to:


In the first two parts of this series on planning a hybrid IT infrastructure, we talked about some of the key planning considerations and then some things that you need to know about Azure Virtual Networks and Azure Virtual Machines. In this, part 3 of the article series, we’ll provide you with hands-on instructions on how to create Azure Virtual Networks and Azure Virtual Machines.

We’re going to start by creating an Azure Virtual Network. An Azure Virtual Network is a “place” where you can put your virtual machines onto a network. If you’ve been working with Hyper-V, here’s a good way to understand it: An Azure Virtual Network is similar to a Hyper-V virtual switch. All of the machines that are connected to the same Azure Virtual Network should be able to communicate with each other, as long as they are part of the same cloud service. We’ll talk more about exactly what a cloud service is a little later when we get into creating the virtual machines that we’ll place onto the virtual network.

Let’s get started!

Create an Azure Virtual Network

The first thing that you’ll want to do is to sign up for a trial account with Windows Azure. If you don’t have one yet, head on over to and get a one month trial account where you can run up to 200 dollars of charges without having to worry about paying for anything. Two hundred dollars goes a long way on Azure, so you should be able to test a good number of the scenarios that you want to test. Just make sure that you test them within the first 30 days – or else you’ll have to register for another trial account (or start paying).

After you get your account set up, go into the Azure portal. In the left pane of the portal you’ll see the various components of Windows Azure. Notice that you have access to both the platform as a service and the infrastructure as a service offerings when you have Azure. That means you don’t have to purchase these capabilities separately.

The first thing we’ll do is create an Azure Virtual Network. It’s a good idea to create the virtual network first and after the virtual network is in place, you can then put your virtual machines onto the virtual network. Click on the Network link as seen in the figure below.

Figure 1

After you click on the link, on the right side of the page you’ll see that you have no virtual networks created yet. Let’s get started by clicking on CREATE A VIRTUAL NETWORK.

Figure 2

The first page in the Create a New Virtual Network wizard asks you to give the virtual network a name. In this example, we’ll name the virtual network HybridITtestNetwork1. The second thing we need to do is assign the virtual network to an affinity group. What is an affinity group? Basically, affinity groups provide a way to tell the Windows Azure fabric controller that compute and storage should always be together and close to one another. When the fabric controller is searching for the best suited container to deploy those services, it will be looking for one where it can deploy both in the same cluster, making them as close as possible, thereby reducing the latency and increasing the performance.

Okay, now that we know what they are, let’s make one. We’ll click the down-arrow under AFFINITY GROUP and click the Create New Affinity Group entry.

Figure 3

On the Virtual Network Details page, you’ll see the option to choose a Region. The available regions will be related to where you currently are and perhaps the nature of your account. In general, it’s best to choose a region that is closest to the users who will be using the virtual machines on the virtual network you’ve created. In the Affinity Group Name text box you enter the name of the affinity group you will create. In this example, we’ll name the affinity group HybridITtestNetwork1-AG. Click the arrow on the bottom of the page to move to the next page.

Figure 4

On the DNS Servers and VPN Connectivity page, you can enter the IP addresses of the DNS servers that you want to perform name resolution for the machines that you will place on the Azure Virtual Network. This is an optional setting and you can come back to this later if you want to add DNS servers at that time. There are two scenarios, however, where you might want to add DNS servers addresses here:

  • You would add your DNS servers at this point if you want to manage your own name resolution using your own DNS servers that you’ll place on the Azure Virtual Network. In this case, you would need to create a virtual machine that will be configured as a DNS server and enter the IP address that you plan to assign to the DNS server in the DNS Servers text box, as seen in the figure below.
  • The other common scenario where you would enter your own DNS server address on this page is when you plan to connect your corporate network to the Azure Virtual Network using a site to site VPN. In that case, you might want to enter the IP addresses of DNS servers that are located on your corporate network and optionally, addresses of DNS servers that you place on the Azure Virtual Network.

If you do not enter the IP addresses of any DNS servers on this page, virtual machines on the same Azure Virtual Network will be able to resolve each other’s names using the built-in Azure DNS services. Note, though, that the Azure Virtual Network default DNS server is not very sophisticated – it essentially only supports Host (A) records and can only resolve the names of the machines that you place on the same Azure Virtual Network. Therefore, it will not be able to resolve the names of hosts that are on your corporate network and it also won’t be able to provide Internet hosts name resolution.

You have two options for VPN connectivity into your Azure Virtual Network:

  • Point-to-site connectivity. I’m not sure why they called this option point-to-site connectivity as it makes it seem more complex and exotic than it really is. In this context, point-to-site connectivity is nothing more than a remote access VPN client connection. When you choose this option, Azure will create a Windows based RRAS server on the Azure Virtual Network to which you can connect using the SSTP protocol. Azure will also create a VPN client “package” that you can download and install on your Windows Vista, Windows 7, and Windows 8 client computers (as well as the corresponding Windows Server products that map to these clients). All of the configuration options will be done by Azure, so that once you install the VPN client you will be able to connect to your Azure Virtual Network over a site VPN client/server connection.
  • The second type of connection you can create is a site-to-site VPN connection. A site-to-site VPN connection is a virtual routing connection that is done using the IPsec tunnel mode protocol. IPsec tunnel mode site-to-site VPN connections represent a very mature and secure technology for connecting networks over the Internet without requiring a dedicated WAN link.

It’s important to note at this time that you don’t have to create any kind of VPN connection in order to connect to virtual machines that you’ll place on your Azure Virtual Network. Instead of a VPN connection, you can establish a Remote Desktop Protocol (RDP) connection to each of the virtual machines that you put on your Azure Virtual Network. The reason that you would want to use VPN instead of RDP is that it’s considered more secure, since with a VPN you would have to first establish a VPN connection to the Azure Virtual Network and only after that VPN connection is established would you be able to establish the RDP connection to the virtual machines that are located on your Azure Virtual Network. This also makes it possible for you to disable RDP connectivity to the virtual machines on the Azure Virtual Network, which will prevent the exposure of your virtual machines to the entire Internet for RDP connections.

It’s important to note that if you choose the site-to-site VPN option, you will have to set up a VPN gateway on-premises. You might already have a VPN server or concentrator on your network. However, Microsoft has stated that in order to comply with the SLAs that they provide you, the VPN gateway device that you use must be on the list of supported devices. For a list of supported VPN devices that you can use to establish a site-to-site VPN connection to Windows Azure, please see About VPN Devices for Virtual Networks.

You might want to use Windows Server 2012 as a VPN gateway on premises, which is great for both testing and production. Some of you might be wondering if you can use a TMG firewall to create a site to site VPN connection. Unfortunately, the answer is no. We were able to do this prior to Azure Virtual Networks reaching general availability, but after GA, you can no longer use TMG as your VPN gateway. This has to do with the fact that TMG doesn’t support IKEv2 for the site to site VPN connection.

Figure 5


In this article, we got you started on the basic configuration steps for creating an Azure Virtual Network. You should create the Azure Virtual Network before you create the virtual machines that will go onto that network. At this point, we have named the Azure Virtual Network, created an affinity group, discussed the DNS server options and we went over the virtual networking options that you can use to connect to the Azure Virtual Network. In Part 4 of this series, we’ll finish up with the details of creating the Azure Virtual Network and establishing a VPN connection to the virtual network. See you then! –Deb.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top