
1. Networking

Richard "Dick" Tracy edited this page Dec 16, 2022 · 1 revision

Networking (simple)

This section shows how to build a single virtual network with one subnet. This is the easiest setup, but it may not let you use a S2S VPN gateway or test hybrid scenarios; for those, follow Networking (Hybrid scenario) instead.

  1. In Azure Portal, navigate to Virtual Networks
  2. Click Next: IP Addresses
  3. Add a CIDR address (e.g. 10.100.0.0/16)

[NOTE]: Any IP range can be used, but make sure it does not conflict with the on-prem lab or other networks.

  4. Click Add Subnet and fill in the data:
  5. Name (e.g. Subnet1)
  6. Address Range (e.g. 10.100.0.0/24)

[NOTE]: The subnet must fall within the VNet's CIDR range (the same first two octets for a /16); a /24 is recommended.

  7. Click Review + Create, then click Create
  8. If you are designing this environment to connect using a Site-to-Site VPN, follow the steps in Create a Virtual network gateway.

Networking (Hybrid scenario)

The networking portion can be complex if you are setting it up as a production-like environment (hub and spoke) with hybrid support. There is a script that will build the network setup automatically. You can get it here ([Hyper-V Lab Setup with Azure Site 2 Site VPN]); follow its README.md.

This scenario sets up a Site-to-Site VPN gateway that connects your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This is one of the options for Azure VMs to communicate securely with Hyper-V VMs over the internet. The other option is an ExpressRoute gateway, which is not discussed or used in this lab because it is costly and requires a dedicated connection to an ISP.

Hub and Spoke Networking

Build two vNets (repeat the process from Networking (simple)); label one as hub and the other as spoke. When adding subnets to each, make sure each CIDR and subnet are different.

After both vNets are created, a Virtual network gateway will be needed along with vNet peering.

Create a Virtual network gateway

A virtual network gateway is the Azure-side connection point for the VPN. You must first create the gateway, then create the connection.

  1. Navigate to Virtual network gateway
  2. Click Create
  3. Give the gateway a name (e.g. LabGw)
  4. Select a region (the same as the VNet)
  5. SKU: VpnGw1 or VpnGw2 (VpnGw1 is cheaper but has less bandwidth)
  6. Generation: v1
  7. Virtual network: Select the Hub virtual network.
  8. Public IP name (e.g. ngw1-pip)
  9. Configure BGP: Disabled.

[NOTE]: BGP can be enabled, but it requires advanced settings.

  10. Click Review + Create, then Create
  11. Once the gateway is created, the next step is to create a Connection and a Local network gateway to provide routing for the on-premises environment.

Create a Local Network Gateway

A Local Network Gateway defines the public IP and subnets of the LOCAL network. This is referring to the On-premises network, not local to Azure. These settings will build routes for the vnets to properly communicate with local subnets.

[NOTE]: This must be created before a VPN connection can be established.

  1. Search for Local Network Gateways in the Azure portal.
  2. Click Create
  3. Give the LNG a name (e.g. labLNG)
  4. Select IP Address for Endpoint
  5. Type in your home public IP. This can be retrieved from the checklist or by going to https://ipinfo.io/json
  6. Add the subnets used in your on-premises network. You must specify individual network segments, e.g. 10.100.1.0/24, 10.100.2.0/24.
  7. Do not check BGP. This is an advanced setting that can be used but is not covered in this document.
  8. Select Subscription and Resource Group
  9. Select a location.
  10. Click Create

Create the Azure VPN Connection (Hybrid only)

A Connection builds the VPN Configurations. Be sure to follow Create a Virtual network gateway and Create a Local Network Gateway prior to creating this connection resource.

  1. Search for Connections in the Azure portal, or click Connections within the Virtual Network Gateway created earlier.
  2. Click Create
  3. Select Subscription and Resource Group
  4. Select Site-To-Site (IPsec) for Connection Type
  5. Give the connection a name (e.g. LabConnectionToOnprem)
  6. Select the same region as the LNG.
  7. Click Next: Settings >
  8. Select the recently created VNG for Virtual network gateway
  9. Select the recently created LNG for Local network gateway
  10. Generate a Shared key (PSK). This can be any value, but it is best to keep it secure. You can also use these PowerShell commands to generate one (a random 256-bit AES key rendered as 64 hex characters):
$AESCryptoObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$AESCryptoObject.GenerateKey()
$AESKey = New-Object System.Text.StringBuilder
foreach ($b in $AESCryptoObject.Key) {
   $AESKey = $AESKey.AppendFormat([System.Globalization.CultureInfo]::InvariantCulture, "{0:X2}", $b)
}
$AESCryptoObject.Dispose()
# return the random key
$AESKey.ToString().ToLowerInvariant()
  11. Select IKEv2 for IKE protocol
  12. Leave all other settings at their defaults. BGP is not covered in this document but can be used. Be sure to use the same Location as the LNG and VNG.
  13. Click Review + Create, then Create

[NOTE]: This sometimes fails. An easier alternative is to create the connection from the Virtual Network Gateway. If you receive an error, follow these steps instead:

  1. Open the Virtual Network Gateway.
  2. Under Settings, click Connections.
  3. Click Add
  4. Give the connection a name (ex. LabConnectionToOnprem)
  5. Select Site-To-Site (IPsec) for Connection Type
  6. Select the recently created LNG for Local network gateway
  7. Generate a Shared key (PSK).
  8. Click OK

Once the Connection is created, its Status will show Not connected or Unknown. This is because the IPsec tunnel must still be created on the on-premises side. Follow Setup IPsec tunnel on Hyper-V Router (Hybrid Only).
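The three portal procedures above (Create a Virtual network gateway, Create a Local Network Gateway, Create the Azure VPN Connection) can also be scripted. The following is an added example written for this page, not the lab's own setup script, that performs the same steps with the Az PowerShell module. Names and CIDRs are the ones used on this page and in the Network Checklist; the resource group lab-rg, the region eastus, the VNet names Lab-Hub and Lab-Spoke, the subnet name Subnet2 for the Bastion range, and the Standard-SKU static public IP are assumptions.

```powershell
# Added example (not the lab's own script): hub/spoke VNets, VPN gateway, local network
# gateway and the S2S connection via the Az PowerShell module. Assumes Connect-AzAccount
# has been run and the resource group already exists. Gateway creation takes 30+ minutes.
$rg       = 'lab-rg'     # assumed resource group
$location = 'eastus'     # assumed region; every resource below must share it
$homeIp   = '<Home Public IP>'                     # from the Network Checklist
$psk      = Read-Host -Prompt 'Pre-shared key (same value goes into the VyOS config)'

# Hub VNet: workload subnet plus the gateway subnet. Azure requires the gateway subnet
# to be named exactly 'GatewaySubnet'; CIDRs are the checklist values.
$subnet1  = New-AzVirtualNetworkSubnetConfig -Name 'Subnet1'       -AddressPrefix '10.10.0.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.200.0/26'
$hub = New-AzVirtualNetwork -Name 'Lab-Hub' -ResourceGroupName $rg -Location $location `
        -AddressPrefix '10.10.0.0/16' -Subnet $subnet1, $gwSubnet

# Spoke VNet: workload subnet and the Bastion range from the checklist (subnet name assumed).
$spokeSub1 = New-AzVirtualNetworkSubnetConfig -Name 'Subnet1' -AddressPrefix '10.20.0.0/24'
$spokeSub2 = New-AzVirtualNetworkSubnetConfig -Name 'Subnet2' -AddressPrefix '10.20.1.0/27'
New-AzVirtualNetwork -Name 'Lab-Spoke' -ResourceGroupName $rg -Location $location `
        -AddressPrefix '10.20.0.0/16' -Subnet $spokeSub1, $spokeSub2 | Out-Null

# Public IP and the virtual network gateway (VpnGw1, Generation1, route-based, BGP off).
$pip = New-AzPublicIpAddress -Name 'ngw1-pip' -ResourceGroupName $rg -Location $location `
        -AllocationMethod Static -Sku Standard    # assumed SKU
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $hub
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'LabGw-ipconfig' `
        -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id
$vng = New-AzVirtualNetworkGateway -Name 'LabGw' -ResourceGroupName $rg -Location $location `
        -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
        -GatewaySku VpnGw1 -VpnGatewayGeneration Generation1

# Local network gateway: the on-premises side (home public IP + the Hyper-V subnets).
$lng = New-AzLocalNetworkGateway -Name 'labLNG' -ResourceGroupName $rg -Location $location `
        -GatewayIpAddress $homeIp -AddressPrefix '10.100.1.0/24', '10.100.2.0/24'

# Site-to-Site IPsec connection over IKEv2, matching the VyOS ike-group later on this page.
New-AzVirtualNetworkGatewayConnection -Name 'LabConnectionToOnprem' -ResourceGroupName $rg `
        -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk | Out-Null

# Status stays NotConnected/Unknown until VyOS brings up its side of the tunnel.
(Get-AzVirtualNetworkGatewayConnection -Name 'LabConnectionToOnprem' -ResourceGroupName $rg).ConnectionStatus
# This address is the '<azure public ip>' used in the VyOS site-to-site peer commands.
(Get-AzPublicIpAddress -Name 'ngw1-pip' -ResourceGroupName $rg).IpAddress
```

The PSK is read interactively rather than stored in the script so it does not end up in a wiki, a repository or the PowerShell history; the same value must be entered verbatim in the VyOS pre-shared-secret line.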

Create VNet Peering within the Tenant's Resources

VNet peering allows two virtual networks to talk to each other; think of it as combining the networks. In the hub-and-spoke design, the two VNets cannot talk to one another until peering is created. Peering also allows the VNG attached to the Hub to be used by the Spoke (gateway transit), so the Spoke can communicate through it.

  1. In the Hub vNet, select Peerings, then click Add
  2. This virtual network's peering link name (e.g. HubToSpoke)
  3. Select "Use this virtual network's gateway or Route Server"
  4. Remote virtual network peering link name (e.g. SpokeToHub)
  5. Virtual network: Select the Spoke VNet
  6. Click Add
  7. Check Peering status and Gateway transit on the Hub. Make sure Peering status is Connected and Gateway transit is Enabled.
  8. The Spoke VNet will have the corresponding peering set up. It should also be Connected, but Gateway transit will be Disabled.
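The same peering, as an added example (not the lab's own script) using the Az PowerShell module; it assumes VNets named Lab-Hub and Lab-Spoke in the resource group lab-rg and that the Hub already has its VPN gateway. The final two commands are the scripted equivalent of steps 7 and 8.

```powershell
# Added example (not the lab's own script): hub/spoke peering with gateway transit.
# Assumes Connect-AzAccount has been run and both VNets exist (names assumed).
$rg    = 'lab-rg'
$hub   = Get-AzVirtualNetwork -Name 'Lab-Hub'   -ResourceGroupName $rg
$spoke = Get-AzVirtualNetwork -Name 'Lab-Spoke' -ResourceGroupName $rg

# Hub side: offer the hub's VPN gateway to the peered network.
Add-AzVirtualNetworkPeering -Name 'HubToSpoke' -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit | Out-Null

# Spoke side: send on-premises traffic through the hub's gateway. The spoke
# must not have a gateway of its own, or UseRemoteGateways is rejected.
Add-AzVirtualNetworkPeering -Name 'SpokeToHub' -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic -UseRemoteGateways | Out-Null

# Verify: both links must report Connected; gateway transit is Enabled only on the hub link.
Get-AzVirtualNetworkPeering -VirtualNetworkName 'Lab-Hub' -ResourceGroupName $rg |
    Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways
Get-AzVirtualNetworkPeering -VirtualNetworkName 'Lab-Spoke' -ResourceGroupName $rg |
    Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways
```

A link that stays in the Initiated state means only one side of the peering was created; both Add-AzVirtualNetworkPeering calls are required before the state flips to Connected.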

Create VNet Peering between Azure Tenants

A peering can be made from one tenant to another. This is ideal when tenants provide different services but need to be connected to share network resources. If AVD or Windows 365 is planned and you don't have a VPN to a DC, this allows network connectivity to the vNet the DC is connected to.

Setup Networks in Hyper-V

To make a simulated network for servers and workstations, two private networks need to be set up. This is a straightforward setup. Also, if the Hyper-V host has both a wireless and a physical (wired) connection, it is recommended to configure the external network on the physical connection; the default external connection can cause issues with the VyOS router.

  1. Open Hyper-V Manager
  2. In the right pane, click Virtual Switch Manager...
  3. In the Virtual Switch Manager window:
  4. Select New virtual network switch
  5. Select type: Private
  6. Click Create Virtual Switch
  7. Select the new virtual switch
  8. Give it a name (e.g. Server Subnet)
  9. Repeat for Workstation Subnet
  10. Hit OK when finished.

Setup Router in Hyper-V

Download the VyOS router ISO from https://s3.amazonaws.com/s3-us.vyos.io/vyos-1.1.8-amd64.iso. The router is used for the hybrid setup: it provides an isolated network for the virtual machines while providing a Site-to-Site VPN connection to the Azure environment.

  1. Create a Hyper-V virtual machine using these settings:
  2. Give it a name that reflects the lab (e.g. DTOLAB-Router)
  3. Generation: 1
  4. Assign Memory: 512 MB with Dynamic Memory off
  5. Network: Connect to the External network.
  6. Virtual Hard Disk: 2 GB
  7. Installation Options: Select the VyOS ISO
  8. Before starting the VM, additional network adapters will be added to the VM.
  9. Right-click the router VM and click Settings.
  10. Under Add Hardware, select Network Adapter, click Add.
  11. Repeat so there are 2 additional adapters (not including the External adapter)
  12. Select the first additional adapter and change the virtual switch to the server switch (the private switch created in section Setup Networks in Hyper-V)
  13. Select the second additional adapter and change the virtual switch to the workstation switch (the private switch created in section Setup Networks in Hyper-V)
  14. Under Management:
  15. Disable Checkpoints
  16. Set Automatic Start Action to: Always start this virtual machine automatically.
  17. The VM settings should look something like this:
  18. Hit OK to close the window.
  19. Right-click the VM and select Connect...
  20. In the Virtual Machine Connection window, click the power button to start the VM
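The switch and VM steps from Setup Networks in Hyper-V and the list above, as an added example (not part of the original page or the lab's own script) using the Hyper-V PowerShell module from an elevated prompt. It assumes an external switch named External already exists, that the ISO sits at C:\ISO\vyos-1.1.8-amd64.iso, and a VHD location under C:\Hyper-V; everything else is taken from the steps above.

```powershell
# Added example (not the lab's own script): two private switches plus the VyOS router VM.
# Assumed: external switch 'External' exists; ISO and VHD paths below are placeholders.
$vmName   = 'DTOLAB-Router'
$isoPath  = 'C:\ISO\vyos-1.1.8-amd64.iso'
$external = 'External'
$vhdPath  = "C:\Hyper-V\$vmName\$vmName.vhdx"

# Private switches: traffic stays between VMs on this host, so the router VM is the only way out.
foreach ($name in 'Server Subnet', 'Workstation Subnet') {
    if (-not (Get-VMSwitch -Name $name -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $name -SwitchType Private | Out-Null
    }
}

# Generation 1 VM, 512 MB with dynamic memory off, 2 GB disk, first adapter on the external switch (eth0).
New-Item -ItemType Directory -Force -Path (Split-Path $vhdPath) | Out-Null
New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 512MB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 2GB -SwitchName $external | Out-Null
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false
Add-VMDvdDrive -VMName $vmName -Path $isoPath          # Gen 1 boots from the DVD drive first

# Two more adapters, in the order the VyOS config expects: eth1 = server, eth2 = workstation.
Add-VMNetworkAdapter -VMName $vmName -SwitchName 'Server Subnet'
Add-VMNetworkAdapter -VMName $vmName -SwitchName 'Workstation Subnet'

# Management settings from steps 14-16: no checkpoints, always start with the host.
Set-VM -Name $vmName -CheckpointType Disabled -AutomaticStartAction Start

# Review the adapter-to-switch mapping, then power on (step 20).
Get-VMNetworkAdapter -VMName $vmName | Select-Object Name, SwitchName
Start-VM -Name $vmName
```

After install image has finished, the ISO can be ejected from the same prompt with Set-VMDvdDrive -VMName $vmName -Path $null before the reboot.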

[NOTE]: If at any point after the VM has started you need to release the mouse from the VM window, press CTRL+ALT+LEFT ARROW.

  1. Once the VM starts, it begins the router setup process immediately. When setup completes, you are presented with a login prompt.
  2. Log in to the VyOS router using the default credentials:
     Login: vyos
     Password: vyos
  3. Run the command install image. This triggers several prompts; the defaults are typically correct. Press Enter at each prompt to keep the default unless noted below:
    1. Would you like to continue? (Yes/No) [Yes]: Hit Enter
    2. Partition (Auto/Parted/Skip) [Auto]: Hit Enter
    3. Install the image on? [sda]: Hit Enter
    4. Continue? (Yes/No) [No]: Yes
    5. How big of a root partition should I create? (1000MB - 2147MB)[2147]MB: Hit Enter
    6. What would you like to name this image? [1.1.8]: Give it a name and hit Enter (e.g. LabRouter)
    7. Which one should I copy to sda? [/config/config.boot]: Hit Enter
    8. Enter password for user 'VyOS': Type in a password
    9. Retype password for user 'VyOS': Retype the password
    10. Which drive should GRUB modify the boot partition on? [sda]: Hit Enter
  4. In the Virtual Machine Connection window, click Media > DVD Drive > Eject vyos-1.1.8-amd64.iso
  5. Reboot the VM to ensure the router boots without the ISO.
  6. Log back in to the router and run these commands to set up SSH and initialize the external network (eth0):
configure
set interfaces ethernet eth0 address dhcp
set service ssh port 22
commit
save
exit

Run the command show int (short for show interfaces) and take note of the IP address assigned to eth0; it is referred to as <Eth0 IP> in the commands that follow.

The next commands configure the internal adapters (eth1 and eth2). These adapters use the internal IP subnets you specify.

[WARNING]: If you plan on connecting to Azure using the Site-to-Site VPN, these subnets cannot be within the same address space as the Azure subnets.

Next, run these commands:

configure
set system host-name labrouter
set system domain-name labdomain
set system time-zone US/Eastern
set interfaces ethernet eth0 description 'external'
set service dns forwarding cache-size '0'
set interfaces ethernet eth1 address 10.100.1.0/24
set interfaces ethernet eth1 description 'server subnet'
set service dns forwarding listen-on 'eth1'
set interfaces ethernet eth2 address 10.100.2.0/24
set interfaces ethernet eth2 description 'workstation subnet'
set service dns forwarding listen-on 'eth2'
set service dhcp-relay relay-options relay-agents-packets discard
set service dns forwarding name-server 10.100.1.1
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 10.100.0.0/16
set nat source rule 100 translation address masquerade
commit
save
reboot now

[NOTE]: The host name, domain name, time zone and subnet values can be modified based on your lab environment. The provided configs should work as-is if you are using the same IP subnets.

DHCP is needed for the server and workstation subnets unless you plan on statically assigning IPs to each endpoint. There are two ways to set up DHCP; this guide discusses each.

[WARNING]: DO NOT do both; this may cause a conflict during IP assignment.

  1. Set up DHCP on a separate DHCP server (see Setup DHCP Server (Hybrid)).
  2. Set up DHCP on the VyOS router. Run these commands on the VyOS router (reference: DHCP Relay, VyOS 1.4.x (sagitta) documentation, https://docs.vyos.io/en/latest/configuration/service/dhcp-relay.html):
configure
delete service dhcp-relay relay-options relay-agents-packets discard

# Interface 1 configuration
set interfaces ethernet eth1 address 10.100.1.254/24
set interfaces ethernet eth1 description 'LAN for Server Subnet'
set service dns forwarding listen-on 'eth1'
# Enable DHCP Configuration for eth1

set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name ETH1_Pool subnet 10.100.1.0/24 start 10.100.1.1 stop 10.100.1.253
set service dhcp-server shared-network-name ETH1_Pool subnet 10.100.1.0/24 dns-server <Eth0 IP>
set service dhcp-server shared-network-name ETH1_Pool subnet 10.100.1.0/24 dns-server 10.100.1.254
set service dhcp-server shared-network-name ETH1_Pool subnet 10.100.1.0/24 default-router 10.100.1.254
set service dhcp-server shared-network-name ETH1_Pool subnet 10.100.1.0/24 lease '86400'

#Interface 2 Configuration
set interfaces ethernet eth2 address 10.100.2.254/24
set interfaces ethernet eth2 description 'LAN for Workstation Subnet'
set service dns forwarding listen-on 'eth2'
# Enable DHCP Configuration for eth2

set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name ETH2_Pool subnet 10.100.2.0/24 start 10.100.2.1 stop 10.100.2.253
set service dhcp-server shared-network-name ETH2_Pool subnet 10.100.2.0/24 dns-server <Eth0 IP>
set service dhcp-server shared-network-name ETH2_Pool subnet 10.100.2.0/24 dns-server 10.100.2.254
set service dhcp-server shared-network-name ETH2_Pool subnet 10.100.2.0/24 default-router 10.100.2.254
set service dhcp-server shared-network-name ETH2_Pool subnet 10.100.2.0/24 lease '86400'


#Set internal dns
set service dns forwarding name-server '<IP of DNS server or Google (8.8.8.8)>'
# Enable NAT configuration
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address '10.100.0.0/16'
set nat source rule 100 translation address masquerade
commit
save

Setup IPsec tunnel on Hyper-V Router (Hybrid Only)

The VyOS router in Hyper-V is used to establish a Site-to-Site VPN tunnel to the Azure gateway. This allows any Hyper-V VMs connected to an internal switch to communicate with Azure VMs.

To set this up, there are a few things that need to be done prior:

  • Same Pre-shared Key secret used in Create the Connection section
  • Azure Public IP Address (get from Azure gateway)
  • Home Router IP (eg: 192.168.1.1)

Run these commands on the VyOS router to create the IPsec tunnel and its route.

[NOTE]: Anything with <> needs to be replaced appropriately.

configure
set vpn ipsec esp-group azure compression 'disable'
set vpn ipsec esp-group azure lifetime '3600'
set vpn ipsec esp-group azure mode 'tunnel'
set vpn ipsec esp-group azure pfs 'disable'
set vpn ipsec esp-group azure proposal 1 encryption 'aes256'
set vpn ipsec esp-group azure proposal 1 hash 'sha1'
set vpn ipsec ike-group azure-ike ikev2-reauth 'no'
set vpn ipsec ike-group azure-ike key-exchange 'ikev2'
set vpn ipsec ike-group azure-ike lifetime '10800'
set vpn ipsec ike-group azure-ike proposal 1 dh-group '2'
set vpn ipsec ike-group azure-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group azure-ike proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer <azure public ip> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <azure public ip> authentication pre-shared-secret '<preshared key>'
set vpn ipsec site-to-site peer <azure public ip> connection-type 'initiate'
set vpn ipsec site-to-site peer <azure public ip> default-esp-group 'azure'
set vpn ipsec site-to-site peer <azure public ip> description 'Gateway to contoso SiteA in Azure'
set vpn ipsec site-to-site peer <azure public ip> ike-group 'azure-ike'
set vpn ipsec site-to-site peer <azure public ip> ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer <azure public ip> local-address '<Eth0 IP Address>'
set vpn ipsec site-to-site peer <azure public ip> tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer <azure public ip> tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer <azure public ip> tunnel 1 local prefix '<Hyper-V CIDR>'
set vpn ipsec site-to-site peer <azure public ip> tunnel 1 remote prefix '<Azure Spoke CIDR>'
set protocols static route 0.0.0.0/0 next-hop '<Home Router Internal IP>'

commit
save
exit

Once this is set, restart the VPN by running the command:

restart vpn

If everything is done correctly, the Azure gateway connection will show Connected, and the VyOS router will show the tunnel as up when you run:

show vpn ipsec sa

NOTE: the Bytes Out/In counters may not show data transfer, but in Azure they should. It is also good to check connectivity by pinging a VM in Azure from a Hyper-V VM.

Create Network Security Groups

This section covers the basics of creating an NSG for the environment. NSGs can be attached either to a virtual network subnet or to network interfaces. Since the VMs share common connectivity requirements, an NSG is attached to each VM's NIC as either public or private: one NSG is configured for public VMs and the other for non-public (private) VMs. Each VM can have its own NSG for more granularity, but that is not covered in this guide.

  1. In Azure Portal, search for
  2. Resource Group: Select the resource group you initially created.
  3. Supply a descriptive name (eg. lab-SiteA-public-nsg)
  4. Click Review + Create, then Create
  5. Repeat for additional NSG

Once both are created, the inbound rules must be configured. Internal traffic should be allowed on both NSGs; no external ports are opened on either, except on the public NSG, where external access is granted through Just-In-Time access rather than a permanent rule.

  1. Click on a NSG
  2. Click Inbound security rules
  3. Click Add
  4. Source: Select IP Addresses.

[NOTE]: The Source IP addresses should include your networks' CIDR ranges.

  5. Source port ranges: *
  6. Destination: Select IP Addresses.

[NOTE]: The Destination IP addresses should include your networks' CIDR ranges.

  7. Service: Custom
  8. Destination port ranges: *
  9. Protocol: Any
  10. Action: Allow
  11. Priority: any value from 100-5000
  12. Name: Use a descriptive name (e.g. AllowInternalPortsInBound)
  13. Click Save
  14. Reboot for
  15. Click Outbound security rules
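The two NSGs and the internal-only inbound rule described above, as an added example (not the lab's own script) using the Az PowerShell module. The NSG names come from this section and the CIDRs from the Network Checklist; the resource group lab-rg, the region eastus and the NIC names pubvm1-nic and dc1-nic are assumptions. It also shows the NIC binding the text describes, and why nothing else needs a deny rule.

```powershell
# Added example (not the lab's own script): public and private NSGs that allow inbound
# traffic only between the lab's own ranges, then bound to VM NICs. Assumes Connect-AzAccount.
$rg       = 'lab-rg'     # assumed
$location = 'eastus'     # assumed; must match the VNets

# Lab CIDRs from the Network Checklist (Azure hub, Azure spoke, both Hyper-V subnets).
$labRanges = '10.10.0.0/16', '10.20.0.0/16', '10.100.1.0/24', '10.100.2.0/24'

# Steps 4-12 above: any protocol, any port, but only when both ends are lab addresses.
$internalRule = New-AzNetworkSecurityRuleConfig -Name 'AllowInternalPortsInBound' `
    -Description 'Lab-internal traffic only' -Direction Inbound -Priority 100 -Access Allow `
    -Protocol '*' -SourceAddressPrefix $labRanges -SourcePortRange '*' `
    -DestinationAddressPrefix $labRanges -DestinationPortRange '*'

# One NSG for public VMs, one for private VMs, both carrying the same rule.
$nsgs = @{}
foreach ($kind in 'public', 'private') {
    $nsgs[$kind] = New-AzNetworkSecurityGroup -Name "lab-SiteA-$kind-nsg" -ResourceGroupName $rg `
                       -Location $location -SecurityRules $internalRule
}

# Bind each NSG to the NIC of the VM it protects (NIC names are assumed placeholders).
$bindings = @{ 'pubvm1-nic' = 'public'; 'dc1-nic' = 'private' }
foreach ($nicName in $bindings.Keys) {
    $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
    $nic.NetworkSecurityGroup = $nsgs[$bindings[$nicName]]
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# Review. Azure's built-in DenyAllInBound (priority 65500) drops everything the
# explicit rule does not match, which is why no external port is open by default.
foreach ($nsg in $nsgs.Values) {
    $nsg.Name
    $nsg.SecurityRules + $nsg.DefaultSecurityRules |
        Select-Object Name, Priority, Direction, Access, Protocol, DestinationPortRange
}
```

Just-In-Time access later adds and removes its own higher-priority allow rules on the public NSG, so nothing here needs to be edited for it.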

Network Checklist

This checklist is to be used during the networking configuration. Values that are prefilled can be used, but they can be changed if needed; make sure you read the comments.

Name | Values | Comment
--- | --- | ---
Lab Name | Lab |
Domain Name | | It is best to create a unique domain
Azure Hub Name | Lab-Hub-Subnet1 |
Azure Hub CIDR | 10.10.0.0/16 |
Azure Hub Subnet 1 | 10.10.0.0/24 | Specify a space within the Hub's CIDR
Azure Hub Gateway | 10.10.200.0/26 | Specify a space within the Hub's CIDR that does not conflict with Subnet 1
Azure Spoke Name | Lab-Spoke-Subnet1 |
Azure Spoke CIDR | 10.20.0.0/16 |
Azure Spoke Subnet 1 | 10.20.0.0/24 | Specify a space within the Spoke's CIDR
Azure Spoke Subnet 2 | 10.20.1.0/27 | Bastion Subnet
Azure VPN ASN Port | 65010 |
IPSec Shared Key | | This will be generated when setting up the VyOS router.
Azure Gateway Public IP | | This can be retrieved once a gateway has been created in Azure.
Home Public IP | | The public IP of the home network hosting the Hyper-V guests; go to https://ipinfo.io/json .
Hyper-V Subnet 1 | 10.100.1.0/24 | Cannot conflict with Azure subnets
Hyper-V Subnet 2 | 10.100.2.0/24 | Cannot conflict with Azure subnets
Azure VM: Domain Controller IP | 10.20.0.1 | Use this to configure the Azure subnets' internal DNS. If multiple DCs are created, each IP will need to be added.
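Several notes on this page (subnet must fall within the VNet CIDR, the gateway range must not conflict with Subnet 1, Hyper-V subnets cannot conflict with Azure subnets) are really one address-plan check. The following is an added example, not part of the original page, that runs that check over the checklist values in plain PowerShell with no Azure or Hyper-V module; the function names (Get-Network, Test-Contains, Test-Overlap, Test-AddressPlan) and the plan labels are my own, and the final call shows a deliberately broken plan being caught.

```powershell
# Added example, not part of the lab: validates the Network Checklist's address plan
# before anything is built. Uses only built-in .NET types.

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted-quad -> unsigned 32-bit integer (GetAddressBytes returns network byte order).
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ([System.BitConverter]::IsLittleEndian) { [System.Array]::Reverse($bytes) }
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function Get-Mask ([int]$Length) {
    # Network mask for a prefix length, kept as a 64-bit value so bit operations never overflow.
    return [long](4294967296 - [math]::Pow(2, 32 - $Length))
}

function Get-Network ([string]$Cidr) {
    # Parses 'a.b.c.d/len' into its network address and prefix length.
    $ip, $len = $Cidr.Split('/')
    $len = [int]$len
    return [pscustomobject]@{
        Cidr    = $Cidr
        Network = [long](ConvertTo-UInt32 $ip) -band (Get-Mask $len)
        Length  = $len
    }
}

function Test-Contains ($Parent, $Child) {
    # True when every address of Child lies inside Parent.
    return ($Child.Length -ge $Parent.Length) -and (($Child.Network -band (Get-Mask $Parent.Length)) -eq $Parent.Network)
}

function Test-Overlap ($A, $B) {
    # True when the two prefixes share at least one address.
    $mask = Get-Mask ([math]::Min($A.Length, $B.Length))
    return ($A.Network -band $mask) -eq ($B.Network -band $mask)
}

function Test-AddressPlan ($Plan) {
    # Returns a list of findings; nothing returned means the plan is routable as designed.
    $findings = @()
    # Subnets must sit inside the VNet CIDR they belong to.
    foreach ($pair in @(@('AzureHub', 'HubSubnet1'), @('AzureHub', 'HubGateway'),
                        @('AzureSpoke', 'SpokeSubnet1'), @('AzureSpoke', 'SpokeSubnet2'))) {
        $parent, $child = $pair
        if (-not (Test-Contains $Plan[$parent] $Plan[$child])) {
            $findings += "$child $($Plan[$child].Cidr) is outside $parent $($Plan[$parent].Cidr)"
        }
    }
    # Sibling subnets, and the two VNets themselves, must not overlap.
    foreach ($pair in @(@('HubSubnet1', 'HubGateway'), @('SpokeSubnet1', 'SpokeSubnet2'), @('AzureHub', 'AzureSpoke'))) {
        $a, $b = $pair
        if (Test-Overlap $Plan[$a] $Plan[$b]) { $findings += "$a and $b overlap" }
    }
    # On-premises ranges must not overlap any Azure range: the VPN traffic selectors and the
    # local network gateway prefixes cannot route overlapping space.
    foreach ($onprem in 'HyperV1', 'HyperV2') {
        foreach ($azure in 'AzureHub', 'AzureSpoke') {
            if (Test-Overlap $Plan[$onprem] $Plan[$azure]) {
                $findings += "$onprem $($Plan[$onprem].Cidr) overlaps $azure $($Plan[$azure].Cidr)"
            }
        }
    }
    return $findings
}

# Values from the Network Checklist on this page.
$plan = @{
    AzureHub     = Get-Network '10.10.0.0/16'
    HubSubnet1   = Get-Network '10.10.0.0/24'
    HubGateway   = Get-Network '10.10.200.0/26'
    AzureSpoke   = Get-Network '10.20.0.0/16'
    SpokeSubnet1 = Get-Network '10.20.0.0/24'
    SpokeSubnet2 = Get-Network '10.20.1.0/27'
    HyperV1      = Get-Network '10.100.1.0/24'
    HyperV2      = Get-Network '10.100.2.0/24'
}
$findings = @(Test-AddressPlan $plan)
if ($findings.Count -eq 0) { 'Address plan OK' } else { $findings }

# Deliberately broken plan (constructed): a Hyper-V subnet carved out of the spoke range is flagged.
$bad = $plan.Clone()
$bad['HyperV1'] = Get-Network '10.20.5.0/24'
Test-AddressPlan $bad
```

Run it whenever a checklist value changes; an overlap that slips through shows up later as a connection that reports Connected while pings between the two sides silently fail.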