Home Lab Secrets: Building the Killer Home Lab Part 1 (Azure to On-Premise VPN)


I’ve always kept a fairly extensive home lab which I use for testing purposes.  This lab started out with Windows NT and has evolved over the years to Windows 2012 R2.  A few lingering issues from over the years prompted me to rebuild my lab from the ground up recently, so I decided to document the journey and build upon my old “Home Lab Secrets” series.

This new series will cover everything from the initial build-out of an On-Premise lab connected via VPN to an Azure subscription, all the way up to deploying an internet-ready Exchange 2016 server running in Hybrid Configuration Mode with Office 365.  Along the way we will cover the technologies listed below:

  • Deploying On-Premise Infrastructure
  • Azure to On-Premise VPN Deployment
  • Active Directory
  • Certificate Authority
  • Remote Desktop
  • Exchange 2016
  • ADFS/Web Application Proxy

Since this is a lab you will likely be deploying your servers on a Virtual Platform.  For my lab I used Hyper-V 2012 R2, but this article can definitely be leveraged regardless of the Virtual Platform.

 

Deploying On-Premise Infrastructure

Let’s get started with the deployment of our On-Premise Router.  The requirements to complete this lab are listed below:

 

  • Multi-Homed Windows 2012 R2 Server with at least 1GB of RAM (On-Premise Router)
  • On-Premise Windows 2012 R2 VM (On-Premise Domain Controller)
  • Azure Windows 2012 R2 VM (Azure Domain Controller)

 

The Router should have 1 NIC joined to the Internal Network which will be on the same subnet as your servers and workstations and 1 NIC joined to the External Network connected to your ISP.

The first thing we need to do is configure our Internal NIC with an internal IP address.  For this lab we will be using 192.168.1.x (192.168.1.0/24) for the internal network as shown in the image above.  Follow the steps below to configure your Internal IP address.

  1.  Right-click on the Windows Logo and click on Run.
  2. Enter ncpa.cpl then click OK.
  3. Right-click on Ethernet 2 then click Rename and enter Internal.
  4. Right-click on Ethernet then click Rename and enter External.
  5. Right-click on Internal then click Properties.
  6. Under the This connection uses the following items: section highlight Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  7. Select Use the following IP address: and enter an address in the 192.168.1.0/24 range with subnet mask 255.255.255.0.  Leave Default gateway blank on the Internal NIC; on a multi-homed router only the External NIC should carry the default route.

 

  8. Click OK, then Close.
  9. Right-click on External then click Properties.
  10. Under the This connection uses the following items: section uncheck the following options, then click OK and Close (this keeps SMB and NetBIOS off the ISP-facing interface):

  • Client for Microsoft Networks
  • File and Printer Sharing for Microsoft Networks
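The same router NIC configuration as a PowerShell script, added here as an example (this is not code from the original post).  It assumes the LAN-side adapter is currently named "Ethernet 2" and the ISP-side adapter "Ethernet", as in the steps above, and it uses 192.168.1.1/24 as the router's Internal address; the exact address used in the lab is not reproduced on the page, so that value is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt on the router.
# Assumptions: adapters are still named "Ethernet 2" (LAN) and "Ethernet" (ISP); Internal IP 192.168.1.1/24.
$InternalAdapter = 'Ethernet 2'
$ExternalAdapter = 'Ethernet'
$InternalIP      = '192.168.1.1'   # assumed value; pick any free address in 192.168.1.0/24
$PrefixLength    = 24

# Rename the adapters so every later step (and the RRAS script) is unambiguous about which NIC is which.
Rename-NetAdapter -Name $InternalAdapter -NewName 'Internal'
Rename-NetAdapter -Name $ExternalAdapter -NewName 'External'

# Static IPv4 on the Internal NIC. Deliberately no -DefaultGateway: the External NIC owns the default route.
New-NetIPAddress -InterfaceAlias 'Internal' -IPAddress $InternalIP -PrefixLength $PrefixLength -AddressFamily IPv4

# Unbind Client for Microsoft Networks (ms_msclient) and File and Printer Sharing (ms_server)
# from the ISP-facing NIC so SMB/NetBIOS are never offered on the public interface.
Disable-NetAdapterBinding -Name 'External' -ComponentID 'ms_msclient'
Disable-NetAdapterBinding -Name 'External' -ComponentID 'ms_server'

# Verify: both bindings report Enabled = False on External, the static address is present on Internal,
# and the ISP-issued address on External is visible (this is the VPN DEVICE IP ADDRESS Azure will need).
Get-NetAdapterBinding -Name 'External' -ComponentID 'ms_msclient', 'ms_server' |
    Format-Table Name, DisplayName, Enabled
Get-NetIPAddress -InterfaceAlias 'Internal' -AddressFamily IPv4 |
    Format-Table InterfaceAlias, IPAddress, PrefixLength
Get-NetIPAddress -InterfaceAlias 'External' -AddressFamily IPv4 |
    Format-Table InterfaceAlias, IPAddress, PrefixOrigin
```

If the External address printed at the end is in a private or carrier-grade NAT range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10) rather than a public one, the site-to-site VPN in this lab cannot work, because Azure has to reach the router from the internet.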

Next we need to identify the public IP address your ISP has assigned to the External adapter.  Since this lab has the External connection bound directly to your Windows 2012 R2 router, you can obtain it by running ipconfig on the router.  This address must be a real public IP (not a private or carrier-grade NAT address) and should be stable; if your ISP changes it, the LOCAL NETWORK we define in Azure later will have to be updated to match.

For this lab my ISP has given me 98.172.27.234, so this will be the endpoint for my On-Premise machines.

 

Creating Azure Networks

We will now need to log in to our Azure subscription.  If you do not already have one, you can sign up for a free trial using the link below:

https://azure.microsoft.com/en-us/free/

 

Once you have an Azure subscription, log in to the portal by accessing the URL listed below from your On-Premise Router.  Note that this is the classic (Azure Service Management) portal, which has since been retired; in the current portal the equivalent objects are a Virtual Network, a Local Network Gateway, a Virtual Network Gateway and a Connection.

 

https://manage.windowsazure.com

 

We will now need to create our VIRTUAL NETWORK within Azure.  A VIRTUAL NETWORK in Azure is a network grouping of Azure VMs that you want to communicate with each other while remaining isolated from other Azure VMs.  Let’s get started and create our first VIRTUAL NETWORK.

  1. On the bottom bar click NEW.
  2. From the menu select NETWORK SERVICES | VIRTUAL NETWORK | CUSTOM CREATE.

  3. At the Virtual Network Details screen, under NAME enter VPNLAB, then under LOCATION make sure East US is selected, then click Next.
  4. At the DNS Servers and VPN Connectivity screen click Next.
  5. At the Virtual Network Address Spaces screen enter the following, then click Complete.  This range must not overlap the 192.168.1.0/24 on-premise subnet, or routing across the VPN will be ambiguous:

  • STARTING IP: 192.168.111.0
  • CIDR (ADDRESS COUNT): /24 (256)

Next we need to create our LOCAL NETWORK within Azure.  A LOCAL NETWORK in Azure defines the set of On-Premise IP ranges that are reachable through the VPN we will establish later in the article, together with the public IP address of the VPN device at your end.  Let’s get started and create our first LOCAL NETWORK.

 

  1. On the bottom bar click NEW.
  2. From the menu select NETWORK SERVICES | VIRTUAL NETWORK | ADD LOCAL NETWORK.

  3. At the Specify your local network details screen enter the following, then click Next:

  • NAME: OnPremise-Lab
  • VPN DEVICE IP ADDRESS: 98.172.27.234 (the ISP-issued address identified earlier on the router; it must match exactly, since the Azure gateway will only negotiate IKE with that peer address)

  4. At the Specify the address space screen enter the following, then click Complete:

  • STARTING IP: 192.168.1.0
  • CIDR (ADDRESS COUNT): /24 (256)

At this point we have created both our VIRTUAL and LOCAL NETWORKS within Azure.  In order to establish the VPN tunnel between Azure and your On-Premise servers we must perform three additional steps:

  • Linking the VIRTUAL and LOCAL NETWORKS
  • Establish a Dynamic Gateway within Azure
  • Configure our On-Premise Router

 

Linking the Virtual and Local Networks

  1. Log onto your On-Premise Router.

***Note:  Your router should have Internet access via your ISP-issued IP.

  2. On the Left-Pane click on NETWORKS.
  3. On the middle-pane click on VPNLAB.
  4. Under vpnlab click on CONFIGURE.
  5. Under site-to-site connectivity select Connect to the local network, then use the LOCAL NETWORK pull-down menu to select OnPremise-Lab.
  6. On the bottom bar click Save.

Establishing a Dynamic Gateway within Azure

  1. On the Left-Pane click on NETWORKS.
  2. On the middle-pane click on VPNLAB.
  3. Under vpnlab click on DASHBOARD.
  4. In the bottom menu click CREATE GATEWAY | Dynamic Routing.
  5. At the Confirmation click YES.

     

This process can take upwards of 30 minutes, so this might be a good time to go grab some coffee or a drink of your choice.

Once the gateway is created and an IP assigned, look on the left side of the screen and click on Download VPN Device Script.  The gateway IP address shown on the dashboard and the pre-shared key (available via MANAGE KEY on the bottom bar) are both embedded in the script you are about to download.


 

  1. At the Download a VPN Device Configuration Script pop-up use the pull-down menus to select the following options, then click OK:

  • VENDOR: Microsoft Corporation
  • PLATFORM: RRAS
  • OPERATING SYSTEM: Windows Server 2012 R2

  2. At the download pop-up click Save | Save As.
  3. At the Save As pop-up enter VPNLAB under File name: and save the file to C:\VPN.

 

Now open VPNLAB.cfg in Notepad, copy its contents and paste them into an elevated PowerShell prompt (the script Azure generates for RRAS is PowerShell, so it will not run as-is from cmd.exe).  Be aware that the file contains the tunnel’s pre-shared key in clear text, so keep it off shared locations and delete it once the connection is up.  The contents of this file do the following high-level items:

  • Install RRAS
  • Add a Site-to-Site VPN Interface
  • Restart the RRAS Service
  • Create a Dial-In to the Azure Gateway
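To make the downloaded script readable before it is pasted, here is an added example of what those four items look like as PowerShell.  This is not the script Azure generates and not code from the original post; the gateway IP, the pre-shared key and the local adapter name are placeholders that you would take from the VPNLAB dashboard and from the downloaded .cfg file.

```powershell
# Added example, not the Azure-generated script. Run in an elevated PowerShell prompt on the router.
# Assumptions (placeholders): $AzureGatewayIP is the address shown on the VPNLAB dashboard once the
# gateway exists; $SharedKey is the pre-shared key from MANAGE KEY; $AzureSubnet is the VPNLAB range.
$AzureGatewayIP = '203.0.113.10'             # placeholder, documentation range; use the real gateway IP
$SharedKey      = 'REPLACE-WITH-AZURE-PSK'   # placeholder; treat the real key as a secret
$AzureSubnet    = '192.168.111.0/24'         # the VIRTUAL NETWORK address space created earlier

# 1. Install RRAS and enable the site-to-site VPN role.
Install-WindowsFeature -Name RemoteAccess, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType VpnS2S

# 2. Add the site-to-site interface. The Azure dynamic routing gateway speaks IKEv2 with PSK
#    authentication; -IPv4Subnet tells RRAS which prefixes are reached through the tunnel (metric 100).
Add-VpnS2SInterface -Name $AzureGatewayIP -Destination $AzureGatewayIP `
    -Protocol IKEv2 -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly `
    -SharedSecret $SharedKey -IPv4Subnet @("${AzureSubnet}:100") -NumberOfTries 3
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

# 3. Restart RRAS so the new interface is loaded.
Restart-Service RemoteAccess -PassThru

# 4. Dial the Azure gateway and confirm the interface reports Connected. If it does not, the usual
#    causes are a mismatched PSK, or UDP 500/4500 and ESP not reaching the External NIC.
Connect-VpnS2SInterface -Name $AzureGatewayIP
Get-VpnS2SInterface -Name $AzureGatewayIP | Format-Table Name, Destination, ConnectionState, AdminStatus

# The downloaded .cfg holds the PSK in clear text; remove it once the tunnel is up.
Remove-Item -Path 'C:\VPN\VPNLAB.cfg' -ErrorAction SilentlyContinue
```

Seeing the -SharedSecret parameter spelled out is the reason to read the script before pasting it: whatever you paste into a console also lands in the PowerShell history on the router.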

Once the script has completed, go back to the Azure portal and confirm that the connection between Azure and our On-Premise Router shows as established:

  1. On the Left-Pane click on NETWORKS.
  2. On the middle-pane click on VPNLAB.
  3. Under vpnlab click on DASHBOARD.

Now that we have established our VPN between Azure and our On-Premise network, we can deploy Azure and On-Premise VMs that communicate directly via the VPN.

The first thing we have to do to allow On-Premise servers to reach the VPN is configure their IPs on the same subnet as the On-Premise Router.  We also need to make sure each server’s Default Gateway is the Internal IP address of the On-Premise Router, since that is the only path to the Azure subnet.

Let’s configure our IP settings on our On-Premise Server.  Follow the steps below to do this:

  1. Log onto your spare On-Premise server (the future On-Premise Domain Controller).
  2. Right-click on the Windows Logo and click on Run.
  3. Enter ncpa.cpl then click OK.
  4. Right-click on Ethernet then click Properties.
  5. Under the This connection uses the following items: section highlight Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  6. Select Use the following IP address: and enter a static address in 192.168.1.0/24 with the router’s Internal IP as the Default gateway:
  7. Click OK, then Close.
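An added example (not from the original post) of the same server configuration in PowerShell, followed by the check a practitioner wants here: that the server’s default route, and therefore its path to 192.168.111.0/24, really points at the router.  The server address 192.168.1.10 and the router’s Internal address 192.168.1.1 are assumptions; the page does not reproduce the values used in the lab.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt on the On-Premise server.
# Assumptions: server 192.168.1.10/24, router Internal IP 192.168.1.1, Azure VNet 192.168.111.0/24.
$ServerIP = '192.168.1.10'     # assumed value
$RouterIP = '192.168.1.1'      # assumed value: the router's Internal address
$AzureNet = '192.168.111.0/24' # the VPNLAB address space

# Static address with the router as default gateway; this is the only path to the Azure subnet.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress $ServerIP -PrefixLength 24 `
    -DefaultGateway $RouterIP -AddressFamily IPv4

# Check: the server has no specific route for 192.168.111.0/24, so the IPv4 default route must
# have the router as next hop. Any other next hop means Azure-bound traffic never reaches the tunnel.
$defaultRoute = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric | Select-Object -First 1

if ($null -eq $defaultRoute) {
    throw 'No IPv4 default route present; the Default gateway was not applied.'
}
if ($defaultRoute.NextHop -ne $RouterIP) {
    throw "Default route points at $($defaultRoute.NextHop), not the router ($RouterIP); $AzureNet is unreachable."
}
"Traffic to $AzureNet leaves via $($defaultRoute.NextHop) on $($defaultRoute.InterfaceAlias)"
```

DNS is intentionally not set here; Part 2 of the series makes this server a domain controller, which is when the DNS client settings matter.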

Let’s head to Azure now and deploy our first Azure VM, logging into the portal at the URL listed below from your On-Premise Server:

 

https://manage.windowsazure.com

 

Once we are in the portal, follow the steps below to create our first Azure VM:

 

  1. On the Left-Pane click on NEW.
  2. From the menu select COMPUTE | VIRTUAL MACHINES | FROM GALLERY.

  3. At the Choose an image screen, in the middle pane select Windows Server 2012 R2 Datacenter, then click Next.
  4. At the Virtual machine configuration screen use the information below to configure the VM, then click Next:

  • VIRTUAL MACHINE NAME: KHL-DC
  • SIZE: A1 (1 core, 1.75 GB memory)
  • REGION/AFFINITY GROUP/VIRTUAL NETWORK: VPNLAB

***Note:  The virtual machine name will need to be unique since it’s a hostname within cloudapp.net.  So KHL-DC is no longer available.

 

  5. Use the following as a temporary username and password, then click Next.  These are lab placeholders: Azure enforces password complexity on VM admin accounts, so use a stronger password, and do not reuse it anywhere else, since the RDP endpoint of a classic VM is reachable from the internet.

  • NEW USER NAME: khl-admin
  • NEW PASSWORD: blueberries
  • CONFIRM: blueberries

  6. At the next screen click Complete.

 

Sit back and wait for your Azure VM to be created.  It normally takes about 5-10 minutes.

 

Once the VM is complete we will need to reserve its IP address.  Since Azure VMs are given DHCP addresses, we want to make ours static because it is going to be a domain controller.  I have already posted an article on how to set an Azure VM’s IP to static.  It can be found here:

 

http://blogs.technet.com/b/elliottf/archive/2015/06/12/assigning-static-ip-s-to-azure-vm-s.aspx
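For reference, an added example (not the linked article’s code and not from this post) of the reservation using the classic Azure Service Management PowerShell module, which is the API behind the manage.windowsazure.com portal used throughout this part.  It assumes the cloud service name equals the VM name KHL-DC (the classic default, which is why the cloudapp.net uniqueness note applies) and reserves 192.168.111.4; both are placeholders.

```powershell
# Added example using the classic (ASM) Azure PowerShell module; not the post's or the linked article's code.
# Assumptions: cloud service and VM are both named KHL-DC; 192.168.111.4 is the address to reserve.
$ServiceName = 'KHL-DC'           # placeholder: the cloud service the VM was created in
$VMName      = 'KHL-DC'           # placeholder
$VNetName    = 'VPNLAB'
$StaticIP    = '192.168.111.4'    # .0-.3 of every Azure subnet are reserved by the platform; .4 is the first usable

Add-AzureAccount   # interactive sign-in; follow with Select-AzureSubscription if you have more than one

# Refuse to continue if the address is already allocated; Azure suggests free alternatives in that case.
$probe = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $StaticIP
if (-not $probe.IsAvailable) {
    throw "$StaticIP is not available in $VNetName. Suggested: $($probe.AvailableAddresses -join ', ')"
}

# Attach the reservation to the VM's configuration and push it. Inside the guest the NIC stays on DHCP;
# the platform simply always leases it this address, which is what a domain controller needs.
Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Set-AzureStaticVNetIP -IPAddress $StaticIP |
    Update-AzureVM

# Confirm the reservation stuck.
$reserved = (Get-AzureVM -ServiceName $ServiceName -Name $VMName | Get-AzureStaticVNetIP).IPAddress
if ($reserved -ne $StaticIP) { throw "Expected $StaticIP, VM reports '$reserved'" }
"Reserved $reserved for $VMName in $VNetName"
```

Do not set a static address inside the guest OS of an Azure VM; the reservation has to be made on the Azure side, or the VM can lose connectivity after a platform-side move.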

 

By default, Windows 2012 R2 servers block ping requests from IPs that are not on the local subnet, so the first cross-tunnel ping will fail even though the VPN is up.  Since this is a lab we will be disabling the Windows Firewall on both servers with the command below, run on both the On-Premise and Azure VM.  Be aware that on the Azure VM this also strips the host firewall from an internet-facing RDP endpoint; the least-privilege alternative is to leave the firewall on and add a single inbound ICMPv4 echo rule scoped to the two lab subnets.

 

Netsh advfirewall set allprofiles state off
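That scoped rule, as an added example (not from the original post), with a connectivity check across the tunnel.  The peer address 192.168.111.4 is a placeholder for the Azure DC; run it from the On-Premise server and swap the peer when running it from the Azure side.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt on each VM.
# Assumption: the far-end peer is 192.168.111.4 (Azure DC) when run from the on-prem server.
$LabSubnets = '192.168.1.0/24', '192.168.111.0/24'
$RuleName   = 'Lab - ICMPv4 Echo from lab subnets'
$Peer       = '192.168.111.4'   # placeholder; use 192.168.1.x when running on the Azure VM

# Make sure the firewall is on for every profile (this reverses "netsh advfirewall set allprofiles state off").
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# One inbound rule, limited to echo requests (ICMPv4 type 8) from the two lab prefixes. The built-in
# "File and Printer Sharing (Echo Request - ICMPv4-In)" rule is scoped to LocalSubnet for the Private
# and Public profiles, which is why pings arriving through the tunnel are dropped by default.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $LabSubnets -Action Allow -Profile Any | Out-Null
}

# Verify the scope actually applied: RemoteAddress must list only the two lab prefixes, not Any.
$scope = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
if ($scope.RemoteAddress -contains 'Any') { throw "Rule '$RuleName' is not scoped; it allows echo from anywhere." }
$scope | Format-Table RemoteAddress

# Connectivity check across the VPN. A failure here, with the rule in place on the far end, points at
# the S2S interface state on the router or the gateway status in Azure rather than at the host firewall.
if (-not (Test-Connection -ComputerName $Peer -Count 2 -Quiet)) {
    throw "No ICMP reply from $Peer across the VPN."
}
"Reply from $Peer across the VPN"
```

With this in place the only inbound traffic the rule admits is echo requests from 192.168.1.0/24 and 192.168.111.0/24; everything else stays subject to the default firewall policy, which matters most on the Azure VM.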

 

Now we should have connectivity between our Azure VM and On-Premise VM as shown below:



 

In Part 2 of this series we will configure our Azure VM and On-Premise VM as Domain Controllers and establish two Active Directory Sites.

 

Enjoy,

Elliott


Comments (2)

  1. laxman says:

    Do we need to have 2 NICs on the 2012 machine with RRAS installed?

  2. Hello Laxman,

    Yes, you will need 2 NICs: one for your internal connection to your On-Premise server(s) and one for your external connection that will be used to establish your VPN with your Azure network.