Applies to: Azure Stack integrated systems and Azure Stack Development Kit
With the hybrid connectivity pattern you can access resources securely across global Azure and Azure Stack.
In this tutorial, you will build a sample environment to:
- Keep data on-premises for privacy or regulatory requirements, but have access to global Azure resources.
- Maintain a legacy system while using cloud-scaled app deployment and resources in global Azure.
A few components are required to build a hybrid connectivity deployment, and they may take some time to prepare.
An Azure OEM/Hardware Partner may deploy a production Azure Stack, and all users may deploy an ASDK. An Azure Stack Operator must also deploy the App Service, create plans and offers, create a tenant subscription, and add the Windows Server 2016 image.
If you already have some of these components, make sure they meet the requirements before beginning.
This topic also assumes that you have some knowledge of Azure and Azure Stack. If you want to learn more before proceeding, be sure to start with these topics:
- If you don’t have an Azure subscription, create a free account before you begin.
- Create a Web App in Azure. Make note of the new Web App URL, as it is used later.
Before you begin
Verify that you have met the following criteria before beginning your configuration:
- Verify that you have an externally facing public IPv4 address for your VPN device. This IP address cannot be located behind a NAT.
- Ensure all resources are deployed in the same region/location.
The examples in this article use the following values. You can use these values to create a test environment or refer to them to better understand the examples in this article. For more information about VPN Gateway settings in general, see About VPN Gateway Settings.
- VPN type: Route-based
- Connection type: Site-to-site (IPsec)
- Gateway type: VPN
- Azure connection name: Azure-Gateway-AzureStack-S2SGateway (the portal will auto-fill this value)
- Azure Stack connection name: AzureStack-Gateway-Azure-S2SGateway (the portal will auto-fill this value)
- Shared key: Any compatible with VPN hardware, with matching values on both sides of connection
- Subscription: Any preferred subscription
- Resource group: Test-Infra
|Azure/Azure Stack Connection|Name|Subnet|IP Address|
|---|---|---|---|
|Azure Stack vNet|ApplicationvNet|||
|Azure Virtual Network Gateway|Azure-Gateway|||
|Azure Stack Virtual Network Gateway|AzureStack-Gateway|||
|Azure Public IP|Azure-GatewayPublicIP||Determined at creation|
|Azure Stack Public IP|AzureStack-GatewayPublicIP||Determined at creation|
|Azure Local Network Gateway|AzureStack-S2SGateway||Azure Stack Public IP Value|
|Azure Stack Local Network Gateway|Azure-S2SGateway||Azure Public IP Value|
Create a virtual network in global Azure and Azure Stack
You must ensure that there is no overlap of IPs in Azure or Azure Stack vNet address spaces.
To create a vNet in the Resource Manager deployment model using the Azure portal, follow the steps below. Use the example values if you are using these steps as a tutorial. If you are not doing these steps as a tutorial, be sure to replace the values with your own.
- From a browser, navigate to the Azure portal and sign in with your Azure account.
- Click Create a resource. In the Search the marketplace field, enter 'virtual network'. Locate Virtual network from the returned list and open the Virtual Network page.
- Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource Manager, and then select Create. This opens the ‘Create virtual network’ page.
- On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red exclamation mark becomes a green check mark when the characters entered in the field are valid.
- Repeat these steps from the tenant portal of Azure Stack.
Add a gateway subnet
Before connecting your virtual network to a gateway, you first need to create the gateway subnet for the virtual network to which you want to connect. The gateway services use the IP addresses specified in the gateway subnet.
In the portal, navigate to the Resource Manager virtual network for which you want to create a virtual network gateway.
- In the Settings section of your VNet page, select Subnets to expand the Subnets page.
- On the Subnets page, select +Gateway subnet to open the Add subnet page.
- The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements, then select OK at the bottom of the page to create the subnet.
Create a Virtual Network Gateway in Azure and Azure Stack
- On the left side of the portal page, select + and enter ‘Virtual Network Gateway’ in search. In Results, locate and select Virtual network gateway.
- At the bottom of the Virtual network gateway page, select Create. This opens the Create virtual network gateway page.
- On the Create virtual network gateway page, specify the values for your virtual network gateway, as detailed in the Example values plus the additional values detailed below.
- Verify the settings.
- Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.
- After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device. You can select the connected device (your virtual network gateway) to view more information.
- Repeat these steps on your Azure Stack deployment.
Create the local network gateway in Azure and Azure Stack
The local network gateway typically refers to your on-premises location. You give the site a name by which Azure or Azure Stack can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.
- In the portal, select +Create a resource.
- In the search box, enter Local network gateway, then press Enter to search. This will return a list of results. Click Local network gateway, then select the Create button to open the Create local network gateway page.
- On the Create local network gateway page, specify the values for your local network gateway, as detailed in our Example values plus the additional values detailed below.
- IP address: This is the public IP address of the VPN device that you want Azure or Azure Stack to connect to. Specify a valid public IP address. The IP address cannot be behind NAT and has to be reachable by Azure. If you don’t have the IP address right now, you can use the values shown in the example, but you’ll need to go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure will not be able to connect.
- Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here if you want to connect to your on-premises site, not the values shown in the example.
- Configure BGP settings: Use only when configuring BGP. Otherwise, don’t select this.
- Subscription: Verify that the correct subscription is showing.
- Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
- Location: Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
- When you have finished specifying the values, select the Create button at the bottom of the page to create the local network gateway.
- Repeat these steps on your Azure Stack deployment.
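The two addressing rules on this page, no overlap between the Azure and Azure Stack vNet address spaces and a local network gateway IP that is a real public address rather than something behind NAT, can be checked before any gateway is created. This is an added example, not code from the page or from Microsoft; the prefixes and gateway addresses are constructed placeholders, since the page names the resources but not their ranges.

```python
import ipaddress

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def overlaps(a, b):
    """Pairs of prefixes from lists a and b that overlap; an empty list means disjoint."""
    return [(str(x), str(y)) for x in _nets(a) for y in _nets(b) if x.overlaps(y)]

def is_public_ipv4(addr):
    """True only for a globally routable IPv4 address; RFC 1918, loopback, link-local
    and the documentation/test ranges all return False."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and ip.is_global

def preflight(azure, stack):
    """Return the problems in an addressing plan (empty means consistent). Each side
    is a dict: 'vnet' = its own vNet prefixes, 'lng_space' = address space entered in
    the local network gateway created on that side, 'lng_ip' = the remote gateway IP."""
    problems = []
    for pair in overlaps(azure["vnet"], stack["vnet"]):
        problems.append(f"vNet address spaces overlap: {pair}")
    for name, side, remote in (("Azure", azure, stack), ("Azure Stack", stack, azure)):
        # The local network gateway on this side stands for the remote vNet, so its
        # address space must not collide with the local vNet ...
        for pair in overlaps(side["lng_space"], side["vnet"]):
            problems.append(f"{name}: local network gateway space overlaps own vNet: {pair}")
        # ... and each prefix in it must actually be part of the remote vNet.
        for p in _nets(side["lng_space"]):
            if not any(p.subnet_of(r) for r in _nets(remote["vnet"])):
                problems.append(f"{name}: {p} is not inside the remote vNet")
        # The remote VPN device must be reachable on a public address, not behind NAT.
        if not is_public_ipv4(side["lng_ip"]):
            problems.append(f"{name}: local network gateway IP {side['lng_ip']} is not public IPv4")
    return problems

# Constructed sample plan using the page's resource names; prefixes and IPs are placeholders
# (any public IPv4 stands in). The Azure side deliberately points at a NAT-internal address.
PLAN = {
    "azure": {"vnet": ["10.100.102.0/24"], "lng_space": ["10.100.100.0/24"],  # AzureStack-S2SGateway
              "lng_ip": "192.168.1.20"},
    "stack": {"vnet": ["10.100.100.0/24"], "lng_space": ["10.100.102.0/24"],  # Azure-S2SGateway
              "lng_ip": "8.8.8.8"},
}

if __name__ == "__main__":
    for line in preflight(PLAN["azure"], PLAN["stack"]) or ["addressing plan is consistent"]:
        print(line)
```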
Configure your connection
Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device, known as a Connection. When configuring your Connection, you need the following:
- A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
- The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then select the name of your gateway.
Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.
- In the portal, select +Create a resource.
- In the search box, enter Connections, then press Enter to search. This will return a list of results. Click Connections, then select the Create button to open the Create Connections page.
- On the Create Connections page, configure the values for your connection.
- Connection type: Select Site-to-site (IPSec).
- Resource Group: (select your test resource group)
- Virtual Network Gateway: Select the Virtual Network gateway you created earlier.
- Local Network Gateway: Select the Local Network Gateway you created earlier.
- Connection Name: This will auto populate with the values from the two gateways.
- Shared Key: the value here must match the value that you are using for your local on-premises VPN device. The example uses ‘abc123’, but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specify when configuring your VPN device.
- The remaining values for Subscription, Resource Group, and Location are fixed.
- Click OK to create your connection. You’ll see Creating Connection flash on the screen.
- You can view the connection in the Connections page of the virtual network gateway. The status will go from Unknown to Connecting, and then to Succeeded.
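Both the shared-key bullet above and the 'abc123' example recommend a more complex key. The following is an added example, not code from the page or from Microsoft, that draws a key from the OS CSPRNG and rejects weak candidates before they are typed into either portal; restricting the alphabet to letters and digits is an assumption made for VPN-device compatibility, not a rule the page states.

```python
import math
import secrets
import string

# Assumption, not a rule from the page: letters and digits only, so the key is
# accepted verbatim by whatever VPN device sits on the Azure Stack side.
ALPHABET = string.ascii_letters + string.digits
# The page's own example value plus a few other values never to use in production.
KNOWN_WEAK = {"abc123", "password", "sharedkey", "changeme"}

def strength_bits(key, alphabet=ALPHABET):
    """Bits of entropy a key of this length has if it was drawn uniformly from
    `alphabet`; for a hand-typed key this is an upper bound, not a measurement."""
    return len(key) * math.log2(len(alphabet))

def check_shared_key(key, min_bits=128):
    """Return the reasons a candidate pre-shared key should be rejected (empty means
    it is acceptable; remember the same value goes into both connections)."""
    reasons = []
    if not key or any(c not in ALPHABET for c in key):
        reasons.append("contains characters outside the letters-and-digits alphabet")
    if key.lower() in KNOWN_WEAK:
        reasons.append("is a well-known example value")
    if strength_bits(key) < min_bits:
        reasons.append(f"too short: {strength_bits(key):.0f} bits, need {min_bits}")
    return reasons

def generate_shared_key(length=32, min_bits=128):
    """Draw a pre-shared key from the OS CSPRNG; 32 alphanumerics is about 190 bits.
    Resamples until the candidate passes check_shared_key, so length must be large
    enough to reach min_bits or the loop could never terminate."""
    if strength_bits("x" * length) < min_bits:
        raise ValueError(f"{length} characters cannot reach {min_bits} bits")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_shared_key(key, min_bits):
            return key

if __name__ == "__main__":
    print("abc123 ->", check_shared_key("abc123"))
    print("generated ->", generate_shared_key())
```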