Create a Virtual Network for Site-to-Site Cross-Premises Connectivity
This tutorial walks you through the steps to create a cross-premises virtual network. The type of connection we will create is a site-to-site connection. If you want to create a point-to-site VPN by using certificates and a VPN client, see Configure a Point-to-Site VPN in the Management Portal (http://go.microsoft.com/fwlink/?linkid=296653&clcid=0x409).
This tutorial assumes you have no prior experience using Azure. It's meant to help you become familiar with the steps required to create a site-to-site virtual network. If you're looking for design scenarios and advanced information about Virtual Network, see the Azure Virtual Network Overview (http://msdn.microsoft.com/en-us/library/windowsazure/jj156007.aspx).
After completing this tutorial, you will have a virtual network where you can deploy your Azure services and virtual machines, which can then communicate directly with your company's network.
For information about adding a virtual machine and extending your on-premises Active Directory to Azure Virtual Network, see the following:
How to Custom Create a Virtual Machine (http://go.microsoft.com/fwlink/?linkid=294356&clcid=0x409)
Install a Replica Active Directory Domain Controller in Azure Virtual Network (http://go.microsoft.com/fwlink/?linkid=299877&clcid=0x409)
For guidelines about deploying AD DS on Azure Virtual Machines, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines (http://msdn.microsoft.com/en-us/library/windowsazure/jj156090.aspx).
For additional Virtual Network configuration procedures and settings, see Azure Virtual Network Configuration Tasks (http://go.microsoft.com/fwlink/?linkid=296652&clcid=0x409).

Objectives
In this tutorial you will learn:
How to set up a basic Azure virtual network to which you can add Azure services.
How to configure the virtual network to communicate with your company's network.

Prerequisites
Windows Live account with at least one valid, active subscription.
Address space (in CIDR notation) to be used for the virtual network and subnets.
The name and IP address of your DNS server (if you want to use your on-premises DNS server for name resolution).
A VPN device with a public IPv4 address. You'll need the IP address in order to complete the wizard. The VPN device cannot be located behind a NAT and must meet the minimum device standards. See About VPN Devices for Virtual Network (http://go.microsoft.com/fwlink/?linkid=248098&clcid=0x409) for more information.
Note: You can use RRAS as part of your VPN solution. However, this tutorial doesn't walk you through the RRAS configuration steps. For RRAS configuration information, see Routing and Remote Access Service templates (http://msdn.microsoft.com/library/windowsazure/dn133801.aspx).
Experience with configuring a router or someone that can help you with this step.
The address space for your local network (on-premise network).
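
A pre-flight check of the address-space and VPN-device prerequisites above, as an added example that is not part of the original tutorial. The helper name check_plan and the device address 203.0.113.10 are constructed; the other sample values are the ones this tutorial enters in the wizard, and the rule that the local network must not overlap the virtual network is an assumption of this example.

```python
import ipaddress

# RFC 1918 private ranges; the wizard requires address space from these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(vnet, subnets, local_nets, vpn_device_ip):
    """Return a list of problems; an empty list means the plan is consistent.

    check_plan is a hypothetical helper written for this example (IPv4 only).
    """
    problems = []
    try:
        # Strict parsing rejects entries such as 10.4.2.1/24 (host bits set).
        vnet_net = ipaddress.IPv4Network(vnet)
        subs = {name: ipaddress.IPv4Network(c) for name, c in subnets.items()}
        locals_ = [ipaddress.IPv4Network(n) for n in local_nets]
        device = ipaddress.IPv4Address(vpn_device_ip)
    except ValueError as exc:
        return [f"invalid address or CIDR: {exc}"]

    if not any(vnet_net.subnet_of(r) for r in RFC1918):
        problems.append(f"virtual network {vnet_net} is not an RFC 1918 range")

    names = list(subs)
    for i, name in enumerate(names):
        if not subs[name].subnet_of(vnet_net):
            problems.append(f"subnet {name} ({subs[name]}) is outside {vnet_net}")
        for other in names[i + 1:]:
            if subs[name].overlaps(subs[other]):
                problems.append(f"subnets {name} and {other} overlap")

    # Assumption of this example: on-premises and Azure ranges must be disjoint,
    # otherwise traffic for the overlapping part cannot be routed over the tunnel.
    for loc in locals_:
        if loc.overlaps(vnet_net):
            problems.append(f"local network {loc} overlaps virtual network {vnet_net}")

    # A private device address means the device sits behind a NAT.
    if any(device in r for r in RFC1918):
        problems.append(f"VPN device {device} is a private address (behind NAT)")
    return problems


# Sample values from the tutorial's wizard steps; the VPN device address is a
# constructed placeholder from the documentation range 203.0.113.0/24.
TUTORIAL_PLAN = {
    "vnet": "10.4.0.0/16",
    "subnets": {
        "FrontEndSubnet": "10.4.2.0/24",
        "BackEndSubnet": "10.4.3.0/24",
        "ADDNSSubnet": "10.4.4.0/24",
        "Gateway": "10.4.1.0/24",
    },
    "local_nets": ["10.1.0.0/16"],
    "vpn_device_ip": "203.0.113.10",
}

if __name__ == "__main__":
    for line in check_plan(**TUTORIAL_PLAN) or ["plan is consistent"]:
        print(line)
```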

High-‐Level Steps
1. Create a Virtual Network
2. Start the gateway and gather information for your network administrator
3. Configure your VPN device

Create a Virtual Network
To create a virtual network that connects to your company's network:
1. Log in to the Azure Management Portal (http://manage.windowsazure.com/).
2. In the lower left-hand corner of the screen, click New. In the navigation pane, click Networks, and then click Virtual Network. Click Custom Create to begin the configuration wizard.
3. On the Virtual Network Details page, enter the following information, and then click the next arrow on the lower right. For more information about the settings on the details page, see the Virtual Network Details section in About Configuring a Virtual Network using the Management Portal (http://go.microsoft.com/fwlink/?linkid=248092&clcid=0x409).
   NAME: Name your virtual network. Type YourVirtualNetwork.
   AFFINITY GROUP: From the drop-down list, select Create a new affinity group. Affinity groups are a way to physically group Azure services together at the same data center to increase performance. Only one virtual network can be assigned an affinity group.
   REGION: From the drop-down list, select the desired region. Your virtual network will be created at a datacenter located in the specified region.
   AFFINITY GROUP NAME: Name the new affinity group. Type YourAffinityGroup.
4. On the DNS Servers and VPN Connectivity page, enter the following information, and then click the forward arrow on the lower right. For more information about the settings on this page, see the DNS Servers and VPN Connectivity page in About Configuring a Virtual Network using the Management Portal (http://go.microsoft.com/fwlink/?linkid=248092&clcid=0x409).
   NOTE: It's possible to select both Point-To-Site and Site-To-Site configurations on this page concurrently. For the purposes of this tutorial, we will select to configure only Site-To-Site.
   DNS SERVERS: Enter the DNS server name and IP address that you want to use for name resolution. Typically this would be a DNS server that you use for on-premises name resolution. This setting does not create a DNS server. Type YourDNS for the name and 10.1.0.4 for the IP address.
   Configure Point-To-Site VPN: Leave this field blank.
   Configure Site-To-Site VPN: Select checkbox.
   LOCAL NETWORK: Select Specify a New Local Network from the drop-down list.

5. On the Site-To-Site Connectivity page, enter the information below, and then click the checkmark in the lower right of the page. For more information about the settings on this page, see the Site-to-Site Connectivity page section in About Configuring a Virtual Network using the Management Portal (http://go.microsoft.com/fwlink/?linkid=248092&clcid=0x409).
   NAME: Type YourCorpHQ.
   VPN DEVICE IP ADDRESS: Enter the public IP address of your VPN device. If you don't have this information, you'll need to obtain it before moving forward with the next steps in the wizard. Note that your VPN device cannot be behind a NAT. For more information about VPN devices, see About VPN Devices for Virtual Network (http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx).
   ADDRESS SPACE: Type 10.1.0.0/16.
   Add address space: This tutorial does not require additional address space.
6. On the Virtual Network Address Spaces page, enter the information below, and then click the checkmark on the lower right to configure your network. Address space must be a private address range, specified in CIDR notation 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 (as specified by RFC 1918). For more information about the settings on this page, see Virtual Network Address Spaces page in About Configuring a Virtual Network using the Management Portal (http://go.microsoft.com/fwlink/?linkid=248092&clcid=0x409).
   Address Space: Click CIDR in the upper right corner, then enter the following:
      Starting IP: 10.4.0.0
      CIDR: /16
   Add subnet: Enter the following:
      Rename Subnet-1 to FrontEndSubnet with the Starting IP 10.4.2.0/24, and then click add subnet.
      Add a subnet called BackEndSubnet with the starting IP 10.4.3.0/24.
      Add a subnet called ADDNSSubnet with the starting IP 10.4.4.0/24.
      Add gateway subnet with the starting IP 10.4.1.0/24.
   Verify that you now have three subnets and a gateway subnet created, and then click the checkmark on the lower right to create your virtual network.

7. After clicking the checkmark, your virtual network will begin to create. When your virtual network has been created, you will see Created listed under Status on the networks page in the Management Portal.

Start the Gateway
After creating your Azure Virtual Network, use the following procedure to configure the virtual network gateway in order to create your site-to-site VPN. This procedure requires that you have a VPN device that meets the minimum requirements. For more information about VPN devices and device configuration, see About VPN Devices for Virtual Network (http://go.microsoft.com/fwlink/?linkid=248098&clcid=0x409).
To start the gateway:
1. When your virtual network has been created, the networks page will show Created as the status for your virtual network. In the NAME column, click YourVirtualNetwork to open the dashboard.
2. Click DASHBOARD at the top of the page. On the Dashboard page, on the bottom of the page, click CREATE GATEWAY. Select either Dynamic Routing or Static Routing for the type of Gateway that you want to create. Note that if you want to use this virtual network for point-to-site connections in addition to site-to-site, you must select Dynamic Routing as the gateway type. Before creating the gateway, verify that your VPN device will support the gateway type that you want to create. See About VPN Devices for Virtual Network (http://go.microsoft.com/fwlink/?linkid=248098&clcid=0x409). When the system prompts you to confirm that you want the gateway created, click YES.
3. When the gateway creation starts, you will see a message letting you know that the gateway has been started.

   It may take up to 15 minutes for the gateway to be created.
4. After the gateway has been created, you'll need to gather the following information that will be used to configure the VPN device.
   Gateway IP address
   Shared key
   VPN device configuration script template
   The next steps walk you through this process.
5. To locate the Gateway IP Address - The Gateway IP address is located on the virtual network DASHBOARD page.
6. To acquire the Shared Key - The shared key is located on the virtual network DASHBOARD page. Click Manage Key at the bottom of the screen, and then copy the key displayed in the dialog box.
7. Download the VPN device configuration script template. On the dashboard, click Download VPN Device Script.
8. On the Download a VPN Device Configuration Script dialog box, select the vendor, platform, and operating system for your company's VPN device. Click the checkmark button and save the file.

   If you don't see your VPN device in the drop-down list, see About VPN Devices for Virtual Network (http://go.microsoft.com/fwlink/?linkid=248098&clcid=0x409) in the MSDN library for additional script templates.

Configure the VPN Device (Network Administrator)
Because each VPN device is different, this is only a high-level procedure. This procedure should be done by your network administrator.
Due to the number of devices that are compatible with virtual network and the configurations that are specific to each device family, these steps do not walk through device configuration at a granular level. Therefore, it's important that the person configuring the device is familiar with the device and its configuration settings.
You can get the VPN configuration script from the Management Portal or from the About VPN Devices for Virtual Network (http://go.microsoft.com/fwlink/?linkid=248098&clcid=0x409), which also explains routing types and the devices that are compatible with the routing configuration that you select to use.
For additional information about configuring a virtual network gateway, see Configure the Virtual Network Gateway in the Management Portal (http://go.microsoft.com/fwlink/?linkid=299878&clcid=0x409) and consult your VPN device documentation.
This procedure assumes the following:
   The person configuring the VPN device is proficient at configuring the device that has been selected.
   The device that you have selected to use is compatible with virtual network. Check here (http://go.microsoft.com/fwlink/?linkid=248098&clcid=0x409) for device compatibility.
To configure the VPN device:
1. Modify the VPN configuration script. You will configure the following:
   a. Security policies
   b. Incoming tunnel
   c. Outgoing tunnel
2. Run the modified VPN configuration script to configure your VPN device.
3. Test your connection by running one of the following commands:

   -                      CISCO ASA               CISCO ISR/ASR           JUNIPER SSG/ISG   JUNIPER SRX/J
   Check main mode SAs    show crypto isakmp sa   show crypto isakmp sa   get ike cookie    show security ike security-association
   Check quick mode SAs   show crypto ipsec sa    show crypto ipsec sa    get sa            show security ipsec security-association

Next Steps
In order to extend your on-premises Active Directory to the virtual network you just created, continue with the following tutorials:
How to Custom Create a Virtual Machine (http://go.microsoft.com/fwlink/?linkid=294356&clcid=0x409)
Install a Replica Active Directory Domain Controller in Azure Virtual Network (http://go.microsoft.com/fwlink/?linkid=299877&clcid=0x409)
If you want to export your virtual network settings to a network configuration file in order to back up your configuration or to use it as a template, see Export Virtual Network Settings to a Network Configuration File (http://go.microsoft.com/fwlink/?linkid=299880&clcid=0x409).

See Also
Azure virtual network (http://msdn.microsoft.com/en-us/library/windowsazure/jj156007.aspx)
Virtual Network FAQ (http://msdn.microsoft.com/library/windowsazure/dn133803.aspx)
Configuring a Virtual Network Using Network Configuration Files (http://msdn.microsoft.com/en-us/library/windowsazure/jj156097.aspx)
Add a Virtual Machine to a Virtual Network (http://www.windowsazure.com/en-us/manage/services/networking/add-a-vm-to-a-virtual-network/)
About VPN Devices for Virtual Network (http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx)
Azure Name Resolution Overview (http://go.microsoft.com/fwlink/?linkid=248097&clcid=0x409)

41 Comments

RemoteServer Management • 5 months ago
Thank you for sharing this post. It really helped a lot. Cheers!

Zbyněk Zahradník • 7 months ago
I do not understand parts of the tutorial. I have a supported VPN device that will be configured for me, so I just need to properly configure the Azure part, and give the right info to the person who will configure the VPN device. But I am struggling with the following:
1. Create Virtual Network, Step 4 - DNS Servers. Can somebody explain what this is used for? Is it, in fact, the address of DNS server that the DHCP server on the Azure virtual network will hand out?
2. Create Virtual Network, Step 5 - Address Space. What address space? Should that be my existing, on-premises address space? It does not appear to be the address space of the newly created virtual network, because that comes in Step 6.
3. Start the Gateway, Step 5. Tells me to locate the Gateway Address. It does not tell me what to do with it then.
4. Start the Gateway, Step 6. Tells me to acquire the Shared Key. It does not tell me what to do with it then (except to "copy it"). Is it safe to assume that this info will NOT be a part of VPN device config script, in case I want to change it later?
And, I think the tutorial can do better in explaining these. Thanks for any help.

DotNetCoE • 8 months ago
Hi, I created virtual network using site to site connectivity between Azure VM and my on premise network. The virtual n/w on Azure portal shows as connected. When the cross premise tunnel is established, it does allocate an internal IP address to the Azure VM, but it does not give any IP addresses to the machines in my on-prem n/w. If I try to access the on-prem machine from Azure VM using their existing IP addresses, the machine cannot be located. I also tried accessing IIS on Azure VM from on-prem machine using internal IP address of Azure VM, but even that is not working. What could be the issue?

Frank • 9 months ago
Can we add our name to the list of users wanting an Azure server to be capable of having more than 1 site-to-site VPN? If so, where?

Krishna • 9 months ago
Hi All, I have solution for all your network doubts on windows azure. Please reach me on manikrishna05@yahoo.com or mobile no +91 9500174175

objectivecyd • 10 months ago
I understand detailed instructions can't be given for all devices but shouldn't they be included for RRAS on Server 2012?

hrvivar • a year ago
I am trying to connect a DLink VPN DI-808HV and the connection doesn't work.

© 2014 Microsoft