#5 VPN with Azure
By Christopher Melendez
Now that we know what our migration strategy is for our customer, what about connectivity to existing workloads that just aren’t cloud ready and need to stay on-premises? What about extending their existing Active Directory? What if your customer’s end users located at the corporate office need to access data that has been migrated to Azure? What if your customer has multiple sites that all need to connect to their data that will now be living in Azure? The solution for this is setting up a site-to-site VPN between your end users and Azure.
Site-to-site VPN tunnels can be created in Azure using two methods. One option is a VPN gateway. A VPN gateway is a virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. VPN gateways can also be used to encrypt traffic between two Azure VNets, but that is outside the scope of your on-ramp into Azure. The second option for a site-to-site VPN is Azure Virtual WAN. Azure Virtual WAN differs from the standard VPN gateway because it is a networking service that combines several networking, security, and routing functions in a single UI. Its features include branch connectivity (via Virtual WAN partner devices such as SD-WAN or VPN CPE), site-to-site VPN connectivity, remote user VPN (point-to-site) connectivity, private (ExpressRoute) connectivity, Azure Firewall, and encryption for private connectivity.
Tutorial: Create a Site-to-Site connection in the Azure portal
When deploying a virtual network gateway, the Azure platform deploys two or more VMs to a subnet that you create called the gateway subnet. The virtual network gateway VMs hold the routing tables and run the gateway services. Deploying a site-to-site VPN also includes configuring your local network gateway and the connection between those two points in Azure. The local network gateway represents the device that will terminate the VPN in your on-premises environment. Customers generally go with hardware firewalls or VPN devices. Microsoft provides configuration templates for some of the industry leaders in that space, which speeds up configuration of the hardware device and lets you turn up these connections with minimal effort.
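The steps just described, carried out with the Azure CLI, as an added example that is not code from the original post or from Microsoft: it creates the GatewaySubnet, a route-based VPN gateway, the local network gateway representing the on-premises device, and the connection between them, then pins the IKE/IPsec proposal rather than accepting the platform defaults. The resource names, address ranges and the on-premises device address are constructed placeholders; the /27 recommendation for GatewaySubnet and the 30+ minute gateway build time are from general Azure experience, not from the post.

```shell
#!/usr/bin/env bash
# Added example: site-to-site VPN gateway deployment with the Azure CLI.
# Every name, prefix and IP below is a constructed placeholder.
set -eu

RG="rg-onramp"                      # assumed resource group
LOC="eastus"
VNET="vnet-hub"
VNET_PREFIX="10.1.0.0/16"
GW_SUBNET_PREFIX="10.1.255.0/27"    # /27 recommended; /29 is the minimum Azure accepts
VPNGW="vpngw-hub"
LGW="lgw-hq"                        # local network gateway = on-premises VPN device
CXN="cxn-hq"
ONPREM_VPN_IP="203.0.113.10"        # RFC 5737 documentation address, placeholder
ONPREM_PREFIXES="192.168.0.0/16"    # on-premises ranges reachable through the tunnel

# Pre-shared key for the tunnel: 32 random bytes, base64 encoded (44 chars).
# Generated at deploy time so no static secret ever lives in the script.
new_psk() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The gateway subnet must be named GatewaySubnet and be /27 or larger;
# succeeds when the prefix length is between 16 and 27 inclusive.
gateway_prefix_ok() {
  local len="${1##*/}"
  [ "$len" -ge 16 ] && [ "$len" -le 27 ]
}

deploy_s2s() {
  local psk
  psk="$(new_psk)"
  gateway_prefix_ok "$GW_SUBNET_PREFIX" || { echo "GatewaySubnet prefix too small" >&2; return 1; }

  az group create --name "$RG" --location "$LOC" --output none
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefix "$VNET_PREFIX" --subnet-name workloads --subnet-prefix 10.1.0.0/24 --output none
  # The subnet the gateway VMs are deployed into; the name is fixed by the platform.
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name GatewaySubnet --address-prefixes "$GW_SUBNET_PREFIX" --output none
  az network public-ip create --resource-group "$RG" --name "pip-$VPNGW" \
    --sku Standard --allocation-method Static --output none
  # Creates the gateway VMs and routing tables; expect this to take 30+ minutes.
  az network vnet-gateway create --resource-group "$RG" --name "$VPNGW" \
    --vnet "$VNET" --public-ip-address "pip-$VPNGW" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --output none
  # The on-premises VPN device and the address space that sits behind it.
  az network local-gateway create --resource-group "$RG" --name "$LGW" \
    --gateway-ip-address "$ONPREM_VPN_IP" --local-address-prefixes $ONPREM_PREFIXES --output none
  # The connection object ties the two gateways together with the PSK.
  az network vpn-connection create --resource-group "$RG" --name "$CXN" \
    --vnet-gateway1 "$VPNGW" --local-gateway2 "$LGW" --shared-key "$psk" --output none
  # Pin a custom IKEv2/IPsec policy so the tunnel cannot negotiate down to
  # weaker algorithms in the default proposal set. The on-premises device
  # (or the vendor template you apply to it) must be configured to match.
  az network vpn-connection ipsec-policy add --resource-group "$RG" --connection-name "$CXN" \
    --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
    --ipsec-encryption GCMAES256 --ipsec-integrity GCMAES256 --pfs-group PFS2048 \
    --sa-lifetime 27000 --sa-max-size 102400000 --output none
  # The PSK is needed once, on the on-premises side; keep it readable only by the operator.
  umask 077
  printf '%s\n' "$psk" > "psk-$CXN.txt"
  echo "Connection $CXN created; PSK written to psk-$CXN.txt"
}

# Only talk to Azure when explicitly asked: ./s2s.sh deploy (after az login).
if [ "${1:-}" = "deploy" ]; then
  deploy_s2s
fi
```

Run it as `./s2s.sh deploy` after `az login` and `az account set`; without the argument it only defines the functions. The pinned policy is the part worth keeping even if you change everything else, because the vendor templates Microsoft publishes are what you use to make the on-premises side propose the same suite.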
Tutorial: Create a Site-to-Site connection using Azure Virtual WAN
The Virtual WAN architecture is different from the VPN gateway. Virtual WAN is a hub-and-spoke design with scale and performance included for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute clients, and virtual networks. Azure Virtual WAN (AVW) enables a global transit network architecture by leveraging a cloud-hosted network "hub" that provides transitive connectivity between endpoints distributed across "spokes" of different types. One of the best features of Azure Virtual WAN is that you don't have to build out all of these use cases to start using it: you can get started with just one business case and then adjust as your network evolves.
Virtual WAN partners and virtual hub locations
Introduction to Azure Virtual WAN site with NetFoundry
Partners and customers aren't locked into using Microsoft Azure features for CPE; they can leverage third-party virtual network appliances such as Fortinet, Palo Alto, or NetFoundry. Some of these vendors can be purchased directly from the Azure Marketplace but require customers to BYOL. When a third-party security device is used for VPN or SD-WAN termination, the device is considered an NVA (network virtual appliance). For Azure Virtual WAN spoke connectivity with SD-WAN/VPN devices, companies can either set it up manually using Microsoft native services or use the Virtual WAN CPE (SD-WAN/VPN) partner solution to set up connectivity to Azure. Microsoft provides a list of partners that support connectivity automation, which is the ability to export the device info into Azure, download the Azure config, and then establish connectivity with AVW.
Tutorial: Create an ExpressRoute association using Azure Virtual WAN
Lastly, I mentioned Azure ExpressRoute earlier. ExpressRoute is a dedicated, private connection between your datacenter or on-premises network and Azure. It provides a better experience than VPN because the traffic does not traverse the public Internet. This type of connectivity is suggested for larger Azure deployments where a lot of traffic is expected to traverse the link daily and there is little tolerance for latency and poor performance for end users or applications that communicate with other dependencies.