Extend Your On-premises Network with Azure Virtual Network

Back to Blog
07Apr2016

Extend Your On-premises Network with Azure Virtual Network

One of my favorite use cases for Azure Virtual Networks and Azure Virtual Machines is to create a secondary (DR) site for a fraction of what it would cost to build your own co-location. With one of the smaller-sized basic or even standard tier VM’s to act as a backup Domain Controller, the basic components of this solution can be had for less than the cost of your home satellite TV subscription.

Whether you want to pair this solution with Azure Site Recovery to host a DR site, or just extend your on-premises network for hosting LOB apps in the cloud, this solution is exactly where you need to start.

Step 1: Create a Virtual Network

If you haven’t already built one as part of setting up an Azure Site Recovery workflow, then begin by navigating to the portal and clicking on New > Networking > Virtual Network. Three items to double-check as you build.

  1. Be sure to select Classic deployment model, if you plan to use this with Azure Site Recovery (update: you can deploy this ARM now also).
  2. The IP Address Space cannot overlap with your on-premises IP scheme.
  3. Ensure that your location choice is consistent with the recovery vault, storage accounts, and other resources you plan to use with this network.

az-vnet-1

Next, navigate to the Settings of this virtual network; you will need to add DNS servers (specify at least one on-premises AD/DNS server IP address). If you do not do this, you will not be able to resolve internal names or join your VM’s to the local domain.

az-vnet-2

Step 2: Create a Classic VM

Now we will switch gears a little bit to deploy a new (Classic) Virtual Machine into the Azure Virtual Network. Navigate to New > Virtual Machines and choose Windows Server. Be sure you select the Classic deployment model again.

az-classvm-1

In the following selections, be sure you make appropriate selections.

  1. Give the VM a name that makes sense for its role in your environment;
  2. Optional Configuration > Network > Virtual Network, and choose the Existing Virtual Network;
  3. You can also choose an existing Resource Group.

Click OK on all of your selections and then Create to complete the build of your VM.

az-classvm-2

Step 3: Connect to the remote Azure Virtual Network via S2S VPN

Switching back to the Azure Virtual Network, we can setup the site-to-site VPN connection. One quick way to accomplish this is by using either the built-in RRAS features in Windows Server, or by creating a connection using the Essentials Dashboard cloud integration features (Windows Server 2016 Essentials Experience role). Otherwise, the recommended configuration would be to use your firewall or other VPN hardware appliance.

Navigate to the Virtual Network, and click on the VPN diagram to get started. Choose Site-to-site as the Connection type, and specify Local site settings (have your firewall’s external IP ready). Be sure to check Create gateway immediately. Click OK.

az-vnet-vpn-1

Note: you may need to specify Static rather than Dynamic for the Routing Type. Verify with the hardware vendor’s documentation.

az-vnet-vpn-2

This will take some time to build the gateway, just be patient. If you are unsure how to proceed at this step, that is okay. Google (or Bing) can be of great help. Search Azure site-to-site VPN and your hardware device make/model.

Some folks find it easier to setup the VPN from the Classic portal. For example, to retrieve the pre-shared key, navigate to your Virtual Network and click Dashboard then Manage Key at the bottom of the screen.

Microsoft also provides scripts for a select few vendors, including themselves (if using RRAS for example). TIP: You can also find the pre-shared key by downloading the RRAS script and searching the text for “SharedSecret”–instead of using the secret for RRAS, you can use it on your hardware-based VPN device.

Once you have connected your VPN successfully, you will see a status similar to this in the portal:

az-vnet-vpn-3

Step 4: Join the Azure Virtual Machine to your Network and Promote

Last phase of deployment! Be sure to verify IP connectivity from your new virtual machine in the cloud to your on-premises servers. Make sure Windows firewalls are not blocking ICMP echo requests.

SUCCESS!  Now, we will want to create a new Site & Subnet object for this network in Active Directory Sites & Services. Open the console on your local Domain Controller. Right-click on Sites > New Site…

az-vnet-join-2

Name the Azure site something descriptive, and choose the default site link. Click OK.

az-vnet-join-3

Once that is created, you need to also create a subnet object to describe the IP space. Right-click on Subnets > New Subnet…

az-vnet-join-4

Specify the remote subnet IP range in CIDR format, choose to associate this object with the new site name you just created, and click OK.

az-vnet-join-5

Next, RDP to the VM and sign in. If you specified your local DNS servers on the virtual network, then you should be able to join the domain.

After it comes back online, you can add the ADDS roles and promote the server!

az-vnet-join-7

Just be sure you add this DC to the correct site when stepping through the wizard.

az-vnet-join-8

All set!  Promotion should be successful, and you should now find your new Domain Controller listed in AD Sites & Services console.

Conclusions

In a relatively short time, you can have a DR site prepped and ready to go. This network is essentially just an extension of your on-premises network with the site-to-site VPN in place, and it can serve many purposes.

  1. In a Disaster Recovery situation, you can use this network to restore virtual machines that have been replicated from your on-premises servers to an Azure Site Recovery Vault.
  2. You might choose to deploy a new hosted LOB database or application server on this network, rather than invest in on-premises hardware upgrades/additions/refreshes.
  3. Consider standing up a DFS file server in the cloud and replicating your file share data to it. Back it up using Microsoft Azure Backup.

Again, these are some of my favorite use cases for Azure IaaS in the SMB. Note: For Site Recovery, I also like to create a separate Virtual Network (without a VPN connection) for performing test restores–that way you do not have to interrupt on-premises services to perform a failover operation. We will do this in an upcoming post, stay tuned!

Technical , , , , 2 Comments
Share:

Comments (2)

  • Dale Reply

    I’d like to see some numbers surrounding your statement “for a fraction of what it would cost to build your own co-location.”

    April 11, 2016 at 1:18 am
    • Alexander Reply

      Absolutely. Keep in mind that what we are discussing here is simply creating an extension of your existing on-premises environment (not replacing it). As of today, basic S2S VPN to an Azure Virtual Network is $27 USD / month. Adding in a single Basic or even Standard A1 VM to run AD/DNS would bring the total cost to just under $100 USD / month to have a platform ready to go in the cloud, and this could be deployed in a single morning or afternoon. Also, when using Azure for DR, you only have to actually run your VM’s when you are testing failover or when you need to failover due to a disaster event–making it super affordable since that should not happen frequently. I believe cost of ASR is currently listed at $54 USD per VM instance. No second firewall, no server/software purchase, and no co-location fees required. See the Azure pricing page for more up-to-date info if you’re reading this in the future. ;)

      Adding more production VM’s to your Virtual Network? Yes, that will add more $, and at some point you will likely hit a break-even with hardware. I have another article on cost comparison–check it out and let me know what you think. Thanks for reading!

      April 11, 2016 at 3:33 am

Leave a Reply

Back to Blog

Related Posts

Limitations with MDB Standalone
02Jun

What are the limitations with Microsoft Defender for Business Standalone?

Most of my readers will already be familiar with Microsoft Defender for Business (MDB), which is included with Microsoft 365 Business Premium. And a majority of those will be deploying MDB as one part of a broader security solution which includes other services within the... read more
22Nov

How to improve Remote Desktop performance for remote users through an RDS Gateway Server

Do you have a Remote Desktop Server (properly) configured with the Gateway Role in your environment? In this configuration, all traffic is secured via SSL (port 443), and clients connecting over the internet to your internal RDS host(s) will be encrypted (and not necessarily identifiable... read more
12Oct

Comparing Single Sign-On Options with Azure AD Connect

Azure AD Connect offers customers a number of ways to enable a "Single Sign-On" (or SSO) experience for users. I think it is important to understand the differences in these options, so that when you deploy Azure AD Connect into customer environments, you can pick... read more
11Feb

Boost your security with Hybrid Azure AD Join: From Zero to Conditional Access in one afternoon

"Alex, I work at a non-profit and I would love to take advantage of the better security in Microsoft 365 Business (we have Business Premium now), but it sounds like it is for "cloud-only" customers? Is that right?? We are using Office 365 for Exchange,... read more
07Mar

Add-ons that are NOT compatible with Microsoft 365 Business (yet)

Update 3/9/2019: I had to update this article. I am moving some former content on Identity & Threat Protection to its own article, and expanding on it there. Microsoft 365 Business is a fantastic value, and contains most of what we would like to see in... read more
14Jan

Protect messages and documents in Microsoft 365 Business with AIP, part 2: AIP labels

Azure Information Protection (AIP) uses “labels” to classify and protect data. Labels are published to end users for eventual consumption and use through a “policy.” In the olden days, applying permissions and restricting access to files was more rudimentary—again, it was based on the concept of the... read more
14Mar

How to Activate Azure Information Protection for Office 365

This is a four-part post on Azure Information Protection (formerly Rights Management) for Office 365. This service is a powerful tool that we can use to prevent data leakage and share information securely with users inside & outside of the organization. Follow along as we explore how to: ... read more
06Jul

More Azure Site Recovery bugs in Windows Server Essentials?

Previously, I wrote about the Azure Site Recovery plugin for Windows Server Essentials Dashboard. One might say that it hasn't been the best product so far, in that getting it to work without hiccups is apparently luck of the draw.  Microsoft Support hasn't been able... read more
19Jul

We never have to deploy folder redirection to a file server, ever again

OneDrive recently announced yet another amazing feature improvement: Known Folder Move. Think of this as folder redirection 2.0--if you have historically redirected things like Desktop and Documents libraries to a file server (which leads to other Offline Files considerations for mobile workers), then this is... read more
15Sep

How-to get started with Microsoft Intune

In previous posts, I have described MDM for Office 365, as well as some key differences between that product and Microsoft's full-blown MDM solution, Intune. Today we're going to begin the Intune set up and configuration process.  If you haven't yet, go obtain a free trial... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me