We are evaluating moving from a standard host (using dedicated machines) to Azure (using virtual machines).
We have several b2b partners who require us to connect to their VPN via a hardware VPN device. In each case the VPN hardware is either specified by the partner, or further to that they actually send us the VPN device for us to host.
How can we support this scenario using Azure?
I understand Azure has a VPN solution that relies on the Azure software VPN connecting to an on-site VPN. However, in this case we do not have the option of using a software VPN, and we also do not, I assume, have the option of using our own hardware VPN device in an Azure data center.
Any ideas?
You cannot place your own customer hardware in the Microsoft Datacenters. The intent of the Windows Azure Virtual Network is to allow the cloud hosted software based side of the VN to connect to an onsite VPN (either hardware or software).
So for some of your partners, you could connect Azure to their existing hardware based VPN devices in their own datacenters, or that you are hosting for them in yours.
Note that currently, a Virtual Network is limited to connecting to a single VPN gateway. So "multi-tenant" solutions that require individual VPN gateways for each tenant are not readily supported without some type of intermediary/proxy.
Related
Can anyone explain the difference between Azure Application Gateway, Virtual Network Gateway, Virtual WAN, ExpressRoute, Arc and Private Link, please?
It seems to me all services are pretty similar helping with connecting either on-prem to Azure, in-Azure to in-Azure or public to Azure.
They're similar in that they all involve network traffic, but that's pretty much where the similarities end.
Application Gateway is a Layer 7 load balancing service with advanced features like SSL termination. It's used to route client requests to your applications.
Virtual Network Gateway is a VPN gateway for point-to-site (user) and site-to-site (office/datacenter) VPN connections to your own Azure VNETs. This would, for example, allow you to RDP into Azure VMs from your on-prem office using their private IPs.
ExpressRoute is similar to site-to-site, however it doesn't use IPsec tunnels; it's a dedicated, unencrypted connection from your location directly into Microsoft's backbone (i.e. you don't traverse the public internet). There's no encryption and the connection is faster. This is a service you need to work with a 3rd party internet provider to implement.
Virtual WAN is more like a networking hub where there would be many site-to-site, point-to-site, ExpressRoute, etc... connections spanning a wide area (as the name implies). This would be for large enterprise organizations with many on-prem locations.
Arc is a means of adding your on-prem resources into Azure for management. e.g. you have a physical server somewhere and you want to manage it through ARM/portal.
Azure Private Link is a feature of many Azure services (storage, SQL PaaS, etc..) which allows you to create a private DNS record and assign a private IP address on your internal VNETs. This is used when you want to disable all public network access to a resource and only allow access from within your own VNET.
I have barely scratched the surface of the differences here, but suffice it to say, there are many differences. From this page, you can type the service name into the search and get more specific details on the offering. Hope this helps.
https://learn.microsoft.com/en-us/search/?terms=networking%20in%20azure
I have an application that different clients will connect to on Azure. Each of my customers needs to connect ONLY to their own corresponding server in Azure from their local networks.
What kind of connection (P2S, S2S) can I create from each of my customers' PCs to connect ONLY with their server in Azure?
According to your scenario, I think P2S is better for you.
Site-to-Site configurations are between your on-premises location and Azure. This means that you can connect from any of your computers located on your premises to any virtual machine or role instance within your virtual network, depending on how you choose to configure routing. This type of connection relies on an IPsec VPN appliance (hardware or soft appliance), which must be deployed at the edge of your network. To create this type of connection, you must have the required VPN hardware and an externally facing IPv4 address.
If my understanding is correct, your customers' clients are not in one location; they have different private IPs. Based on my knowledge, you could not use S2S VPN.
Point-to-Site configurations let you connect from a single computer from anywhere to anything located in your virtual network.
P2S VPN does not require a VPN device. It is better for your scenario.
For more information about the difference between a Site-to-Site connection and a Point-to-Site connection, please refer to this link.
This might be a dumb question.
Is it possible to restrict the access to my Azure website http://sitename.cloudapp.net so that only the computers connected to my VPN will be able to access the site?
I use cloud services, and I have a VPN on my local computer (for now). The idea is (if possible) to have a connection between my VPN (which is a local network) AND my cloud service, then allow site access only to the computers within the VPN.
You can set up a VPN and disable the public endpoints, so only machines within the VPN have access, but I think this is only available for VM's and Cloud Services - and not Windows Azure Websites. You don't say which you use.
"Windows Azure Virtual Network provides you with the capability to extend your network into Windows Azure..."
Channel 9 offers some useful guides
Windows Azure Virtual Machines and Virtual Networks
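The Point-to-Site recommendation above and the "disable the public endpoints so only VPN machines have access" answer both come down to the same build: a VPN gateway with P2S clients and a network rule that admits only those clients. This is an added Azure PowerShell example, not code from either answer; resource names, address ranges and the $rootCertBase64 value are constructed placeholders, and it assumes an authenticated Az session (Connect-AzAccount) and a self-signed root certificate whose public part has been exported as Base64.

```powershell
# Added example; all names and address ranges are constructed placeholders.
$rg  = "rg-p2s-demo"
$loc = "westeurope"
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# VNet with a server subnet and the mandatory GatewaySubnet.
$serverSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-servers"  -AddressPrefix "10.10.1.0/24"
$gwSubnet     = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$vnet = New-AzVirtualNetwork -Name "vnet-customers" -ResourceGroupName $rg -Location $loc `
          -AddressPrefix "10.10.0.0/16" -Subnet $serverSubnet, $gwSubnet

# Public IP and IP configuration for the gateway.
$pip = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $loc `
          -AllocationMethod Static -Sku Standard
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id

# Root certificate public data (Base64 DER without header/footer lines); placeholder value.
$rootCertBase64 = "<BASE64-ROOT-CERT-PUBLIC-DATA>"
$rootCert = New-AzVpnClientRootCertificate -Name "P2SRootCert" -PublicCertData $rootCertBase64

# Route-based gateway with IKEv2 Point-to-Site; no on-premises VPN device is needed.
$p2sPool = "172.16.201.0/24"
New-AzVirtualNetworkGateway -Name "vpngw-customers" -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientProtocol IkeV2 -VpnClientAddressPool $p2sPool -VpnClientRootCertificates $rootCert | Out-Null

# NSG on the server subnet: accept inbound traffic only from the P2S client pool and
# deny everything else, so nothing on the public internet reaches the servers directly.
$allowVpn = New-AzNetworkSecurityRuleConfig -Name "allow-from-p2s-clients" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol "*" -SourceAddressPrefix $p2sPool -SourcePortRange "*" `
    -DestinationAddressPrefix "10.10.1.0/24" -DestinationPortRange "*"
$denyAll = New-AzNetworkSecurityRuleConfig -Name "deny-all-other-inbound" -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol "*" -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*"
$nsg = New-AzNetworkSecurityGroup -Name "nsg-servers" -ResourceGroupName $rg -Location $loc `
    -SecurityRules $allowVpn, $denyAll
Set-AzVirtualNetworkSubnetConfig -Name "snet-servers" -VirtualNetwork $vnet `
    -AddressPrefix "10.10.1.0/24" -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

Gateway provisioning takes a while; once it is up, New-AzVpnClientConfiguration produces the client package, and each customer PC presents a client certificate issued from the root above. Note that every P2S client draws from the same address pool, so this alone does not keep customer A away from customer B's server; that needs additional per-customer controls beyond what the answers above cover.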
We have a Virtual Network of VMs, storage accounts and websites hosted and working together in the Azure cloud.
Is it possible to connect my work/home PC to this Virtual Network using some VPN software?
Generally speaking two options exist, you can read about these here -
Windows Azure Connect lets you configure machine-to-machine VPN and is agent based
Configuring a private network lets you create a site-to-site VPN, but it typically requires a VPN appliance. I've seen posts on the internet about people managing to configure their router as the VPN gateway but, at least at this point, this is not easy nor supported.
Also worth reading is this overview of Windows Azure Networking features that covers both (and Traffic Manager) by David Chappell
Have a look at using Azure Virtual Networks in conjunction with Azure Virtual Machines: http://www.windowsazure.com/en-us/manage/services/networking/add-a-vm-to-a-virtual-network/
We have an existing application to be migrated to Windows Azure.
Currently, it accesses another web service in another network, and the firewall in front of that web service trusts the application's IP and opens the port only for that application.
Which IP should I trust after migrating to Windows Azure? Or is there another approach you would suggest?
Thanks a lot.
Currently Windows Azure does not offer a fixed IP address, so any IP based filter would be subject to potential risk if the IP address should change (which it can without notice).
I would recommend you explore either leveraging the service bus to create a peer-to-peer connection between the services, or possibly Azure Connect (an IPsec based VPN style connection).