To keep the costs of my Azure subscription down I still wanted to run some resources on my existing home lab rather than shift everything into AWS or Azure as I found this would be quite an expensive thing to do!!
The solution I have put in place is to extend my home lab into Azure by configuring a site to site VPN. This allows me to deploy resources into Azure but integrate them into my existing environment. The term people use for this is “Hybrid Cloud”. So let’s get cracking. It is a multistep process which involves:
- Creating Azure virtual network
- Creating a gateway subnet
- Creating a VPN gateway
- Creating a local network gateway
- Configuring the Draytek router
- Creating the VPN Connection
Step 1 – Create Azure virtual network
So the first step will be to create a virtual network. Head over to the Azure portal and go to Virtual Networks – Create virtual network . Populate the fields as required. I chose to create a 10.2.0.0/22 network and assign to to a Resource Group containing all my HomeLab resources.
Step 2 – Create Gateway subnet
Now that we have created our subnet we need to define the Gateway subnet. The gateway subnet is used by VPN Resources. To create one Select the +Gateway subnet button on the Subnets tab and populate it. I chose to use 10.2.1.0/24. After doing so we should have 2 subnets defined. One for the VM’s and one for the Gateway Subnet.
Step 3 – Create VPN Gateway
Now that we have defined the virtual network we can create the virtual network gateway. We need to configure the following settings:
- Name – Select a friendly name to call your gateway. I just called mine HomeLabGW
- VPN Type – For this example choose VPN.
- SKU – The SKU is the subscription type. You can view the different options here https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways. I left it at VpnGw1 but Basic will be enough for most people.
- Virtual Network – Select the Virtual network we created in Step 1
- First IP Configuration – Leave at default
- Subscription – Select the subscription you want to use
The Gateway will take up to 45 minutes to create and after doing so you should have a Public IP address
Step 4 – Create Local Network Gateway
The local network gateway contains the subnets and WAN IP Address of your on-prem environment. We need to configure the following settings:
- Name – Give a friendly name to easily identify the resource
- IP Address – This is your WAN IP Address on your network that the Azure Gateway will connect to
- Address space – Define your address space here
- Subscription – Select the subscription you want to use
- Resource Group – As per previous examples I have deployed everything into the same resource group
- Location
Step 5 – Add connection
So now we have defined all of our subnets, we have a WAN IP address to connect to we need to create a connection between our local WAN and the Azure WAN.
- Name – Give a friendly name to easily identify the resource
- Connect type – Select Site-to-site (IPSec)
- Virtual network gateway – Select the network gateway we created in Step 3
- Local network gateway – Select the network gateway we created in Step 4
- Shared key – this will be shared key between Azure and your local router which will be used for authentication
Step 6 – Configure local router
OK now that we have all the resources setup in Azure, we need to configure our router to connect. Log into the Draytek admin page and head over to LAN to LAN configuration settings and select a new profile.
For sections 1 & 2 configure the following settings:
- Profile name – Enter a friendly name
- Call Direction – Both
- IP Sec Tunnel – Make sure this is set to IKEv2
- Pre-Shared Key – Enter the key here that we configured in Step 5
- IPSec Security Method – Make sure this is AES with Authentication
- Server ip/Hostname for VPN – Enter the Public IP Address that was created in Step 3
For sections 3 & 4 configure the following settings:
Ensure IPsec Tunnel is selected
- Under Remote VPN Gateway enter the Public IP Address that was created in Step 3
- Pre-Shared Key – Enter the key here that we configured in Step 5
For Section 5:
- My WAN IP – This is your local WAN IP
- Remote Gateway IP – Enter the Public IP Address that was created in Step 3
- Remote Network IP – This is the virtual network we created in Step 2
- Remote Network Mask – subnet
- Local Network IP – This is your local LAN network
- Local Network Mask- subnet
And hopefully after doing all that we should successfully have a connection!
To test this try creating a VM in Azure into your new subnet and then ping that VM from your local network. In the example below I have created a VM with an IP address of 10.2.0.4 and can successfully ping it from my local network.
I hope this post has been useful to you and if you have any queries then please let me know!
I Followed your guide, the connection is live, but i can’t reach the on premise location to the first subnet that i created. ( where the vm’s are)
Do i configure the routing? Because i see nothing of routing configuration in your guide?
hello it seems something is wrong here. you say “•Remote Network IP – This is the virtual network we created in Step 2”
but you have added step 1. do you need to add the routing 10.2.0.0 /24 or 10.2.1.0/24 ?
because in the draytek picture it looks like the remtoe network ip is 10.2.0.0/24
Did anyone manage to resolve the issue of not being able to reach the on premise systems. I am experiencing this too and wonder if anyone can share the solution.
A bit later … but if anyone else has any problems. The remote network mask is wrong. It is created as /22. That should resolve it.