On Azure, http://azure.microsoft.com/en-us/documentation/articles/virtual-networks-create-site-to-site-cross-premises-connectivity/
the following is stated in relation to site to site connectivity.
A VPN device with a public IPv4 address. You'll need the IP address in
order to complete the wizard.
The VPN device cannot be located behind a network address translator
(NAT) and must meet the minimum device standards.
I'm assuming this is accurate, but could anyone confirm? it seems very limiting, since my peer vpn device can support NAT-T. Does the Azure VPN g/w device support IPsec NAT-T?
Is the same restriction applicable to point to site, where my peer is the point and I want to connect/be connected to by the Azure VPN gateway device with VNet behind the Azure VPN g/w device.
thank you.
I don't see to be limiting at all. And yes, this is the case. It is on the official documentation before all.
When talk about Point-to-Site, I believe you missunderstand the service a bit. Azure Point-to-Site connectivity allows a single computer or laptop (named Point) to connect to Azure VPN Gateway (Site). In that case, the client only has to be connected to the internet.
When you connect to Azure VPN Gateway, you will be part of the whole Azure Virtual Network that Gateway connects.
To tell you the truth I am not sure that the Azure VPN gateway device supports IPSec NAT of any kind at all, whether Point-to-Site or Site-to-Site. Below are my findings. My best lead so far is finding #4.
In all my research over the past week, it seems like it’s presently impossible to achieve this with Azure. See https://social.msdn.microsoft.com/Forums/en-US/19eb5ac0-5fb1-4afa-8081-5afc32cb04fd/is-nat-supported-within-an-ipsec-vpn-connection?forum=WAVirtualMachinesVirtualNetwork. According to this, “At the moment there cannot be a IPSec VPN connection established when either of the devices involve NAT. . .you cannot have an on premise VPN device behind a NAT and this cannot be applied on a VNet gateway since customers will not have access to configuring such rules for a VPN gateway.” That was April 2017.
In fact, in February 2017, Microsoft seemed to discard any chances we have of applying NAT over VPN. On their feedback forum at https://feedback.azure.com/forums/217313-networking/suggestions/5525129-please-make-site-to-site-vpn-avaiable-for-devices, an Azure Networking Team member declines the possibility of Site-to-Site VPN for devices behind a NAT. So Site-to-Site is not expected, which is where it makes the most sense because it would help resolve common subnet overlap issues between a cloud virtual network and an on-premises hardware network. I'm not so sure how NAT over VPN would benefit a Point-to-Site situation (what's the application?)
Then, contradictorily as of December 2017 (later that year), Microsoft seems to announce they’re just now in the planning stages to implement this for Azure (see https://feedback.azure.com/forums/217313-networking/suggestions/15488244-offer-nat-as-a-service).
Only on http://nullsession.com/2015/02/02/connecting-to-your-azure-site-to-site-vpn-over-nat/, I found a method from 2017 that is, “unsupported by Microsoft – but works according to RFC.” I’m still processing this but I’m not convinced I should try it because it’s unsupported.
Let me know what you think because I am personally trying to get a satisfactory solution for this too.
Related
I'm looking for a solution where I need establish another VPN gateway separate to the one I have in hub and spoke Architecture. I would need something like this on the diagram bellow. It seems that Azure does not support that. When I try to deploy extra VPN GW I'm getting message that this is not possible because peering with gateway transit exists. Does any one have Idea how to achieve something like this ? I'm googling for quite some time and can't find anything.
Required Azure Network
Found an MS document that can help you add additional Site-to-Site (S2S) connections to a VPN gateway that has an existing connection. This architecture is often referred to as a "multi-site" configuration. You can add a S2S connection to a VNet that already has a S2S connection, Point-to-Site connection, or VNet-to-VNet connection. There are some limitations when adding connections. Check the Prerequisites section in this article to verify before you start your configuration.
Prerequisites
• You are not configuring a new coexisting ExpressRoute and VPN Gateway configuration.
• You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
• The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
• None of the address ranges overlap for any of the VNets that this VNet is connecting to.
• You have compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
• You have an externally facing public IP address for your VPN device.
Would suggest you follow this MS document to configure a connection
I received a call from a business owner. One of his services will only license and whitelist one public IP well he has three locations. When I got involved they were trying to spin up an OpenVPN appliance and have site to site vpns to the remote locations. Well the remote locations have Fortigate firewalls and this will not work I believe with the SSL VPN of OpenVPN.
I would like to recommend something with Azure or AWS but I am unclear on the best VPN setup with Azure. Essentially he will need all remote sites exiting to the internet through Azure.
Late last night tried to test with AWS VPC and a VPN back to the fortigate. Client later expressed he would rather not use AWS.
Also recommended this https://forum.fortinet.com/m/tm.aspx?m=148626&p=
but he did not want to bottlekneck one of his locations
All sites exiting Azure out of one IP address
If you have 3 sites in Azure, you can make all 3 sites exiting Azure with one VPN gateway IP for the same destination.
You need to configure VNET to VNET peering and enable Gateway Transit to make it work. Can you also elaborate your ask here with a Network Diagram ?
We have a client who wants to connect their premises to Azure. Their main hindrance at this point is determining the best way to connect to Azure given their current connectivity configuration. They have two redundant ISP connections going to the head office for internet access. They want to be able to configure a VPN connection to Azure that would operate in a similar way i.e. if ISP A went down it would seamlessly use ISP B and vice versa. The normal multi-site VPN configuration does not fit this since there is one local network behind which means the network behind separate VPNs over each ISP would have overlapping IP address ranges which is not supported. Is such a configuration possible? (See diagram below)
Either that or is there a way to abstract the two ISP connections onto one VPN connection to Azure.
They’re currently considering using a Cisco ASA device to help with this. I’m not familiar with the features of this device so I cannot verify if it will solve their issue. I know there is also a Cisco ASAv appliance in the Azure marketplace don't know if that could also be a part of a possible solution if they went with such a device.
required vpn configuration
The Site-to-Site VPN capability in Azure does not allow for automatic failover between ISPs.
What you could do are the following
- Have automation task created that would re-create the local network and gateway connection upon failover. Manual and would take some RTO to get it up and running
- Use the Cisco CSRs to create a DMVPN mesh. You should be able to achieve the configuration you want using that option. You would use UDRs in Azure to ensure proper routing
I havent done it in Azure, but here is what you do in AWS (And I am sure there would be parallel in Azure)
Configure a "detached VGW" (virtual Private gateway) in aws. Use DMVPN cloud to connect CSRs to multi-site on-prem.
Also, for failover between ISPs you could have a look at DNS load balancing via a parallel to AWS's Route 53 in Azure.
Reference thread :
https://serverfault.com/questions/872700/vpc-transit-difference-between-detached-vgw-and-direct-ipsec-connection-csr100
We are looking to setup a Site to Site VPN connection between our internal data center and Azure. We use a CISCO ASA firewall but unfortunately it is behind a NAT. One of the requirements for Azure is that the public facing IP address is not behind a NAT.
There doesn't seem to be interest on our side to change our network topology and was wondering if anyone had any creative solutions to make it work? Couldn't find any creative workarounds on Google or on SO.
The VPN connection appears to be made in the Azure Portal but the connection doesn't work between on prem and Azure VM's. I'd post an image of the Azure Portal showing the connection being made but apparently I don't have enough of a repuptation to post images...
Creative ideas?
Your only choice would be to utilise a Point-to-Site VPN where a device behind your NAT does the termination. https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/
You'll be restricted in terms of what you can do with this VPN as it's designed primiarily as a server-to-Azure VPN solution.
There are a few posts floating about around getting VPN working via a NAT'd interface but your mileage may vary in that case and you'll be running an unsupported setup.
We are evaluating moving from a standard host (using dedicated machines) to Azure (using virtual machines).
We have several b2b partners who require us to connect to their VPN via a hardware VPN device. In each case the VPN hardware is either specified by the partner, or further to that they actually send us the VPN device for us to host.
How can we support this scenario using Azure?
I understand Azure has a VPN solution, that relies on the Azure software VPN connecting to an on-site VPN. However in this case we do not option of using a software VPN, and we also do not , I assume, have the option of using our own hardware VPN device in an Azure data center.
Any ideas?
You cannot place your own customer hardware in the Microsoft Datacenters. The intent of the Windows Azure Virtual Network is to allow the cloud hosted software based side of the VN to connect to an onsite VPN (either hardware or software).
So for some of your partners, you could connect Azure to their existing hardware based VPN devices in their own datacenters, or that you are hosting for them in yours.
Note that currently, a Virtual Network is limited to connecting to a single VPN gateway. So "multi-tenant" solutions that require individual VPN gateways for each tenant are not readily supported without some type of intermediary/proxy.