This technical guidance is for Cloud Solution Provider (CSP) partners who would like to use this documented installation and configuration of the site-to-site connectivity needed to connect to tenant subscriptions from an on-premises environment. This document covers the installation and configuration of a site-to-site link using a provided script that creates the required Azure gateway and configures the on-premises RRAS server.
This document assumes that a CSP partner already has an existing Partner Center portal and can manage their existing tenant Azure subscriptions. Some of the critical components and assumptions this procedure depends on are identified below:
Key Infrastructure Dependencies:
This section covers setting up the on-premises environment to configure a site-to-site VPN connection for a unique CSP tenant subscription.
This guidance document walks participants through the creation of a site-to-site VPN connection between an existing on-premises CSP-provisioned dedicated customer environment and a CSP-provisioned customer tenant site in Azure. This process can also be used for connecting the CSP environment to a CSP-provisioned tenant. To ensure success, the following preliminary preconditions must be met.
The following procedure will assist CSP partners with the setup and configuration using PowerShell. The details below will help partners understand each of the key phases required to successfully provision a new site-to-site VPN for a unique CSP tenant site that is provisioned via the Partner Center portal. Our approach lists each command needed, with our recommendations, as part of the end-to-end process.
Process
The following high-level architecture illustrates what we want to achieve with the steps below in setting up the site-to-site connection. We assume that you have already provisioned a CSP tenant site in Azure and have captured the details called out in the key parameters section below.
Here are some additional supporting details of what we are using in this guidance.
Defining Key Parameters
Note: Items highlighted in the table below (marked "update required" in the script) need to be updated prior to running the script.
Defining the key parameters needed
Step | Parameter | Example | Description |
1 | $AzureAddressPrefix | "10.0.1.0/24" | The address prefix to use for the Azure(tm) virtual network. |
2 | $AzureGateway | "gate1" | The name for the gateway endpoint on Azure(tm). |
3 | $AzureNetworkName | "VNET01" | The name for the Azure(tm) virtual network. |
4 | $AzurePublicIpName | "gateip" | The name for the Azure(tm) public IP address assignment. |
5 | $GatewayAddressPrefix | "10.0.1.0/29" | The address prefix for the Azure(tm) gateway subnet. |
6 | $GatewaySubnetName | "GatewaySubnet" | The name for the Azure(tm) gateway subnet. |
7 | $LocalAddressPrefix | "10.0.0.0/24" | The address prefix for the on-premises network subnet. |
8 | $LocalGateway | "gate2" | The name for the on-premises gateway endpoint. |
9 | $LocalGatewayIpAddress | "104.169.201.59" | The public IP address of the RRAS server. |
10 | $Location | "West US" | The geographic location of the Azure(tm) datacenter hosting the remote services. |
11 | $RemoteAddressPrefix | "10.0.1.100/29" | The address prefix for the subnet on the Azure(tm) network. |
12 | $ResourceGroupName | "RGGW01" | The name of the resource group to create to manage the resources created while setting up the gateway. |
13 | $SecretKey | "TBD by each CSP partner" | The pre-shared key used to encrypt and decrypt site-to-site traffic. |
14 | $SkipAzureSetup | Leave blank | Do not set up the Azure(tm) resources. The resources must already be set up if this switch is used. Not used by us today, but included to ensure that the server does not reboot. |
15 | $SubscriptionId | "Identified in CSP Portal" | The CSP tenant subscription id. |
16 | $TenantId | "Identified in CSP Portal" | The CSP tenant id. |
17 | $Credential | GatewayDemoScripts.ps1 -Credential $Credential -SecretKey "Identified by each CSP partner" | The credentials to use to authenticate with Azure(tm) services. |
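The parameters above have to be consistent with each other before the script is run: the gateway subnet and the remote prefix must sit inside the Azure virtual network, the on-premises prefix must not overlap it, the RRAS address must be a public one, and the shared key must not be a placeholder. The following pre-flight check is an added example, not part of the original guidance or of GW.ps1; it takes the example values from the table as defaults, and the 24-character minimum for the shared key is a local policy assumption rather than an Azure or RRAS requirement.

```powershell
# Added example (not part of the original guidance or of GW.ps1): pre-flight
# validation of the key parameters before the gateway script is run. Defaults are
# the example values from the table; the 24-character minimum for the shared key
# is a local policy assumption, not an Azure or RRAS requirement.
param(
    [string]$AzureAddressPrefix    = "10.0.1.0/24",
    [string]$GatewayAddressPrefix  = "10.0.1.0/29",
    [string]$LocalAddressPrefix    = "10.0.0.0/24",
    [string]$RemoteAddressPrefix   = "10.0.1.100/29",
    [string]$LocalGatewayIpAddress = "104.169.201.59",
    [string]$SecretKey             = "TBD by each CSP partner"
)

function ConvertTo-AddressNumber([string]$Ip) {
    # Dotted-quad IPv4 -> Int64 so that prefixes can be compared arithmetically.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($b.Length -ne 4) { throw "'$Ip' is not an IPv4 address" }
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-PrefixRange([string]$Cidr) {
    # First and last address of a CIDR prefix, plus whether host bits were set
    # (for example 10.0.1.100/29 is really the network 10.0.1.96/29).
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "'$Cidr' is not in a.b.c.d/len form" }
    $len = [int]$parts[1]
    if ($len -lt 0 -or $len -gt 32) { throw "Prefix length in '$Cidr' must be 0-32" }
    $size  = [int64][math]::Pow(2, 32 - $len)
    $addr  = ConvertTo-AddressNumber $parts[0]
    $first = $addr - ($addr % $size)
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1; HostBitsSet = ($first -ne $addr) }
}

function Test-Overlap($A, $B)        { ($A.First -le $B.Last) -and ($B.First -le $A.Last) }
function Test-Within($Inner, $Outer) { ($Inner.First -ge $Outer.First) -and ($Inner.Last -le $Outer.Last) }

function Test-GatewayParameters([hashtable]$Prefixes, [string]$GatewayIp, [string]$Key) {
    $findings = New-Object System.Collections.Generic.List[string]
    $ranges = @{}
    foreach ($name in $Prefixes.Keys) {
        $r = Get-PrefixRange $Prefixes[$name]
        $ranges[$name] = $r
        if ($r.HostBitsSet) {
            $findings.Add("WARN: $name '$($r.Cidr)' has host bits set; the network address is what Azure and RRAS will use")
        }
    }
    if (-not (Test-Within $ranges.GatewayAddressPrefix $ranges.AzureAddressPrefix)) {
        $findings.Add("FAIL: GatewayAddressPrefix must lie inside the Azure virtual network prefix")
    }
    if (-not (Test-Within $ranges.RemoteAddressPrefix $ranges.AzureAddressPrefix)) {
        $findings.Add("FAIL: RemoteAddressPrefix (the subnet RRAS routes to Azure) must lie inside the Azure virtual network prefix")
    }
    if (Test-Overlap $ranges.LocalAddressPrefix $ranges.AzureAddressPrefix) {
        $findings.Add("FAIL: LocalAddressPrefix overlaps the Azure virtual network; routes on both sides would be ambiguous")
    }
    # The RRAS address given to Azure must be the server's public IP, not an RFC 1918 address.
    $gw = Get-PrefixRange "$GatewayIp/32"
    foreach ($private in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        if (Test-Within $gw (Get-PrefixRange $private)) {
            $findings.Add("FAIL: LocalGatewayIpAddress $GatewayIp is a private address; Azure needs the RRAS server's public IP")
        }
    }
    # Shared key: reject the placeholder from the table and the sample key from the script.
    if ($Key -match '^TBD' -or $Key -eq 'thequickgreycatjumpsoverthelazyf0x') {
        $findings.Add("FAIL: SecretKey is still a placeholder or sample value; generate a unique key per tenant")
    } elseif ($Key.Length -lt 24) {
        $findings.Add("FAIL: SecretKey is shorter than the 24-character minimum assumed by this check")
    }
    return $findings
}

$prefixes = @{
    AzureAddressPrefix   = $AzureAddressPrefix
    GatewayAddressPrefix = $GatewayAddressPrefix
    LocalAddressPrefix   = $LocalAddressPrefix
    RemoteAddressPrefix  = $RemoteAddressPrefix
}
$findings = Test-GatewayParameters -Prefixes $prefixes -GatewayIp $LocalGatewayIpAddress -Key $SecretKey
if ($findings.Count -eq 0) { Write-Output "OK: parameters are consistent" }
$findings | ForEach-Object { Write-Output $_ }
if ($findings | Where-Object { $_ -like 'FAIL*' }) { exit 1 }
```

Run as-is with the table's example values, the check reports a WARN for $RemoteAddressPrefix (10.0.1.100/29 has host bits set) and a FAIL for the placeholder $SecretKey, and exits with code 1; the remaining address checks pass. Run it with your real values before running the gateway script so that a mis-sized prefix is caught before an Azure gateway (which takes a long time to create) is provisioned.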
Let's first determine what CSP Tenant Site will be used in the CSP Portal.
The following procedures in this section assume that you have already provisioned both the on-premises environment and the CSP tenant site for a unique customer. This procedure further assumes that it is being implemented for a customer that has a dedicated CSP partner-provisioned environment in the CSP partner environment, and that a site-to-site link will be set up to a CSP partner-provisioned tenant site.
Note: If needed, go ahead and right click on the new Network Interface created and select Connect.
If needed, select Connect as shown.
This covers adding a new compute resource and validating that you can join it to your on-premises domain. In the following steps we will set up a new VM in the CSP tenant site that will actually use the new site-to-site connection. We assume that you have already set up the on-premises environment, so that we can test communications using ping once the new VM is built in the CSP tenant subscription; that VM will use the site-to-site link created by the procedure above. Once we configure the new VM we will then join it to the on-premises domain.
The following is the script that you can use to create a site-to-site link. You will need to change the highlighted items below (marked "update required") to ensure you are setting it up using the right CSP-provisioned Azure tenant subscription.
Note: This script should be run from the on-premises RRAS server, since it updates the RRAS connection settings as well as creating a new Azure gateway. Ensure you update it for your implementation where needed.
<#
.DESCRIPTION
Creates a VPN gateway connection between Azure (tm) and the on-premises environments.
.EXAMPLE
$credential = Get-Credential
.\GW.ps1 -Credential $Credential -SecretKey "thequickgreycatjumpsoverthelazyf0x"
.PARAMETER Credential
The credentials to use to authenticate with Azure(tm) services.
.PARAMETER AzureGateway
The name for the gateway endpoint on Azure(tm).
.PARAMETER AzureNetworkName
The name for the Azure(tm) virtual network.
.PARAMETER AzurePublicIpName
The name for the Azure(tm) public IP address assignment.
.PARAMETER GatewaySubnetName
The name for the Azure (tm) gateway subnet.
.PARAMETER LocalAddressPrefix
The address prefix for the on-premises network subnet.
.PARAMETER LocalGateway
The name for the gateway endpoint on-premises.
.PARAMETER LocalGatewayIpAddress
The public IP address for RRAS server.
.PARAMETER Location
The geographic location of the Azure (tm) datacenter hosting the remote services.
.PARAMETER RemoteAddressPrefix
The address prefix for the subnet on the Azure (tm) network.
.PARAMETER ResourceGroupName
The name of the resource group to create to manage the resources created while setting up the gateway.
.PARAMETER SecretKey
The pre-shared key used to encrypt and decrypt site-to-site traffic.
.PARAMETER SubscriptionId
The CSP tenant subscription id.
.PARAMETER TenantId
The CSP tenant id.
#>
# Target tenant: "CSPTERADEMO2.onmicrosoft.com"
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
    [Parameter()][string]$AzureGateway = "gate1",                           # Name of the Azure gateway
    [Parameter()][string]$AzureNetworkName = "VNET01",                      # Name of the Azure virtual network ** update required **
    [Parameter()][string]$AzurePublicIpName = "Gateip",                     # Name of the public IP resource
    [Parameter()][string]$GatewaySubnetName = "GatewaySubnet",              # Subnet name for the gateway ** update required **
    [Parameter()][string]$LocalAddressPrefix = "10.0.0.0/24",               # On-premises network range ** update required **
    [Parameter()][string]$LocalGateway = "gate2",                           # Name of the local network gateway
    [Parameter()][string]$LocalGatewayIpAddress = "104.169.201.59",         # Public IP of the on-premises RRAS server ** update required **
    [Parameter()][string]$Location = "West US",                             # Azure region
    [Parameter()][string]$RemoteAddressPrefix = "10.1.0.0/16",              # Address prefix of the Azure network ** update required **
    [Parameter()][string]$ResourceGroupName = "VNET01",                     # Resource group you defined in Azure ** update required **
    [Parameter()][string]$SecretKey = "thequickgreycatjumpsoverthelazyf0x", # Pre-shared key; choose your own ** update required **
    [Parameter()][string]$SubscriptionId = "Enter Subscription ID HERE",    # ** update required **
    [Parameter()][string]$TenantId = "Enter Tenant ID HERE"                 # ** update required ** (no trailing comma here; it is a parse error)
)
Import-Module RemoteAccess

Function Invoke-WindowsApi([string] $dllName,
                           [Type] $returnType,
                           [string] $methodName,
                           [Type[]] $parameterTypes,
                           [Object[]] $parameters)
{
    ## Begin to build the dynamic assembly that will host the P/Invoke stub
    $domain = [AppDomain]::CurrentDomain
    $name = New-Object Reflection.AssemblyName 'PInvokeAssembly'
    $assembly = $domain.DefineDynamicAssembly($name, 'Run')
    $module = $assembly.DefineDynamicModule('PInvokeModule')
    $type = $module.DefineType('PInvokeType', "Public,BeforeFieldInit")

    ## Collect the argument values in the order of the declared parameter types
    $inputParameters = @()
    for ($counter = 1; $counter -le $parameterTypes.Length; $counter++)
    {
        $inputParameters += $parameters[$counter - 1]
    }

    $method = $type.DefineMethod($methodName, 'Public,HideBySig,Static,PinvokeImpl', $returnType, $parameterTypes)

    ## Apply the P/Invoke constructor (DllImport) so the stub binds to the native export
    $ctor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([string])
    $attr = New-Object Reflection.Emit.CustomAttributeBuilder $ctor, $dllName
    $method.SetCustomAttribute($attr)

    ## Create the temporary type, and invoke the method.
    $realType = $type.CreateType()
    $ret = $realType.InvokeMember($methodName, 'Public,Static,InvokeMethod', $null, $null, $inputParameters)
    return $ret
}

## Writes a key=value entry into an INI-style file (used below for the RRAS phonebook router.pbk)
Function Set-PrivateProfileString($file, $category, $key, $value)
{
    ## Prepare the parameter types and parameter values for the Invoke-WindowsApi function
    $parameterTypes = [string], [string], [string], [string]
    $parameters = [string] $category, [string] $key, [string] $value, [string] $file

    ## Invoke the Win32 API
    [void] (Invoke-WindowsApi "kernel32.dll" ([UInt32]) "WritePrivateProfileString" $parameterTypes $parameters)
}
$ErrorActionPreference = "Stop"

Write-Verbose -Message "Authenticating with Azure resource management"
Add-AzureRmAccount -Credential $Credential -SubscriptionId $SubscriptionId -TenantId $TenantId

Write-Verbose -Message "Adding local site"
$localgate = New-AzureRmLocalNetworkGateway -Name $LocalGateway -ResourceGroupName $ResourceGroupName -Location $Location -GatewayIpAddress $LocalGatewayIpAddress -AddressPrefix $LocalAddressPrefix

Write-Verbose -Message "Requesting IP address for Azure endpoint"
$azuregateip = New-AzureRmPublicIpAddress -Name $AzurePublicIpName -ResourceGroupName $ResourceGroupName -Location $Location -AllocationMethod Dynamic

Write-Verbose -Message "Setting up gateway IP configuration"
$vnet = Get-AzureRmVirtualNetwork -Name $AzureNetworkName -ResourceGroupName $ResourceGroupName
$snet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName -VirtualNetwork $vnet
$ipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gatewayipconfig -SubnetId $snet.Id -PublicIpAddressId $azuregateip.Id

Write-Verbose -Message "Creating the gateway"
$azuregate = New-AzureRmVirtualNetworkGateway -Name $AzureGateway -ResourceGroupName $ResourceGroupName -Location $Location -IpConfigurations $ipconfig -GatewayType Vpn -VpnType RouteBased

Write-Verbose -Message "Creating gateway connection"
New-AzureRmVirtualNetworkGatewayConnection -Name gateconnect -ResourceGroupName $ResourceGroupName -Location $Location -VirtualNetworkGateway1 $azuregate -LocalNetworkGateway2 $localgate -ConnectionType IPsec -RoutingWeight 10 -SharedKey $SecretKey

Write-Verbose -Message "Get Azure public IP address"
# The dynamic address is only assigned once the gateway exists, so read it back now
$azuregateip = Get-AzureRmPublicIpAddress -Name $AzurePublicIpName -ResourceGroupName $ResourceGroupName

$ErrorActionPreference = "Continue"

Write-Verbose -Message "Add VPN interface to RRAS"
# The S2S interface is named after the Azure gateway's public IP; the ":100" suffix is the route metric
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name $azuregateip.IpAddress -Destination $azuregateip.IpAddress -IPv4Subnet @("${RemoteAddressPrefix}:100") -SharedSecret $SecretKey

Write-Verbose -Message "Configuring encryption in RRAS"
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption
Set-VpnServerIPsecConfiguration -SADataSizeForRenegotiationKilobytes 33553408
# IKEv2 registry setting used by this procedure (-Force overwrites the value if it already exists)
New-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\RemoteAccess\Parameters\IKEV2 -Name SkipConfigPayload -PropertyType DWord -Value 1 -Force

# Keep the demand-dial interface up permanently and redial if the link drops
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "$($azuregateip.IpAddress)" "IdleDisconnectSeconds" "0"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "$($azuregateip.IpAddress)" "RedialOnLinkFailure" "1"

Write-Verbose -Message "Restarting RRAS"
Restart-Service RemoteAccess

Write-Verbose -Message "Connect to the gateway"
Connect-VpnS2SInterface -Name $($azuregateip.IpAddress)
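Once the script has run, the link should be confirmed from both ends before the test VM is joined to the domain: the Azure connection object should report Connected, the RRAS demand-dial interface should be Connected, the IPsec settings the script applied should be in place, and the VM in the tenant subnet should answer a ping. The following verification script is an added example, not part of the original guidance or of GW.ps1. It assumes the PowerShell session is already signed in with Add-AzureRmAccount as in the script; $ResourceGroupName, $AzurePublicIpName and the connection name gateconnect follow the script's defaults, and $TestVmAddress is a constructed placeholder for the VM you build in the tenant subnet.

```powershell
# Added example (not part of the original guidance or of GW.ps1): post-setup
# verification run on the RRAS server. Assumes the session is already signed in
# with Add-AzureRmAccount. $ResourceGroupName, $AzurePublicIpName and the
# connection name follow the script's defaults; $TestVmAddress is a placeholder.
param(
    [string]$ResourceGroupName = "VNET01",
    [string]$AzurePublicIpName = "Gateip",
    [string]$ConnectionName    = "gateconnect",
    [string]$TestVmAddress     = "10.1.0.4"   # placeholder: the VM built in the Azure subnet
)
Import-Module RemoteAccess

function Test-SiteToSiteLink {
    # Azure side: status of the IPsec connection object the script created.
    $conn = Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName

    # RRAS side: the script named the S2S interface after the Azure gateway's public IP.
    $azureIp = (Get-AzureRmPublicIpAddress -Name $AzurePublicIpName -ResourceGroupName $ResourceGroupName).IpAddress
    $iface = Get-VpnS2SInterface -Name $azureIp
    if ($iface.ConnectionState -ne 'Connected') {
        # A demand-dial interface may still be idle; try one explicit connect and re-read the state.
        Connect-VpnS2SInterface -Name $azureIp -ErrorAction Continue
        Start-Sleep -Seconds 20
        $iface = Get-VpnS2SInterface -Name $azureIp
    }

    # IPsec policy the script applied (MaximumEncryption and the SA renegotiation size).
    $ipsec = Get-VpnServerIPsecConfiguration

    # End-to-end check across the tunnel; ICMP must be allowed on the test VM for this to succeed.
    $reachable = Test-Connection -ComputerName $TestVmAddress -Count 4 -Quiet

    [pscustomobject]@{
        AzureConnectionStatus   = $conn.ConnectionStatus
        RrasInterface           = $iface.Name
        RrasConnectionState     = $iface.ConnectionState
        EncryptionType          = $ipsec.EncryptionType
        SARenegotiationKilobytes = $ipsec.SADataSizeForRenegotiationKilobytes
        TestVmReachable         = $reachable
    }
}

$status = Test-SiteToSiteLink
$status | Format-List
if ($status.AzureConnectionStatus -ne 'Connected' -or
    $status.RrasConnectionState -ne 'Connected' -or
    -not $status.TestVmReachable) {
    Write-Warning "Site-to-site link is not fully operational; check the gateway, RRAS and the VM firewall"
    exit 1
}
```

A non-zero exit with AzureConnectionStatus of NotConnected while the RRAS side shows Connected usually points at a shared-key or address-prefix mismatch between the two ends; a failed ping with both sides Connected usually means the VM itself is blocking ICMP, not that the tunnel is down.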