Home Lab Secrets: Building the Killer Home Lab Part 1 (Azure to On-Premise VPN)(New Azure Portal)

I've always kept a fairly extensive home lab which I use for testing purposes.  This lab started out as with Windows NT and had involved itself to Windows 2012 R2.  A few lingering issues from over the years prompted me to rebuild my lab from the ground up recently, so I decided to document the journey.  This prompted me to build upon my old "Home Lab Secrets" Series.  This Series is the newer version of my original "Killer Home Lab" and leverages the use of the New Azure Portal.  In addition to the New Portal, the lab has been restructured to minimize the amount of VM's needed within Azure to keep your Home Lab cost down, by leveraging azure or only Edge Services (Remote Desktop Gateway, OCSP, Mail Flow)

This new series will cover areas from the initial build out of an On-Premise Lab that is connected via VPN to an Azure Subscription all the way up to deploying an internet ready Exchange 2016 Server running in Hybrid Configuration Mode with Office 365.  During this journey we will cover some of the technologies listed below:

  • Deploying On-Premise Infrastructure
  • Azure to On-Premise VPN Deployment
  • Active Directory
  • Certificate Authority
  • Remote Desktop
  • Exchange 2016
  • ADFS/Web Application Proxy

Since this is a lab you will likely be deploying your servers on a Virtual Platform.  For my lab I used Hyper-V 2012 R2, but this article can definitely be leveraged regardless of the Virtual Platform.


Deploying On-Premise Infrastructure

Lets get started with deployment of our On-Premise Router.  The requirements to complete this lab are listed below:


  • Multi-Homed Windows 2012 R2 Server with at least 1GB of RAM (On-Premise Router: AZURE-VPN)
  • On-Premise Windows 2012 R2 VM (On-Premise Domain Controller: OP-DC)
  • Azure Windows 2012 R2 VM (Azure Domain Controller: KHL-DC)


The Router should have 1 NIC joined to the Internal Network which will be on the same subnet as your servers and workstations and 1 NIC joined to the External Network connected to your ISP.

The first thing we will need to do is configure our Internal NIC with an Internal IP Address.  For this lab we will be using 192.168.1.x for the internal network as shown in the image above.  Follow the steps below to configure your Internal IP address.

  1.  Right-click on the Windows Logo and click on Run.
  2. Enter ncpa.cpl then click OK.
  3. Right-click on Ethernet 2 then click Rename and enter Internal.
  4. Right-click on Ethernet then click Rename and enter External.
  5. Right-click on Internal then click Properties.
  6. Under the This connection uses the following items: section highlight Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  7. Select Use the following IP address: and enter the following:


8.  Click OK, then Close.

9.  Right-click on External then click Properties.

10. Under the This connection uses the following items: uncheck the following options then click OK, Close:

  • Client for Microsoft Networks
  • File and Print Sharing for Microsoft

Creating Azure Networks

We will now need to login to our Azure Subscription.  If you do not already have an Azure Subscription you can sign up for a free trial using the link below:



Once you get an Azure Subscription we need to login to the portal by accessing the URL listed below from your On-Premise Router:




The first thing we will want to do is create a Resource Group.  Resources Groups are used to group Azure Resources such as Virtual Machines, Virtual Networks, Network Security Groups to name a few.  The object we will create within our Azure Subscription is our Resource Group.  To do this follow the steps below:

1.  In the Left-Pane click on the Menu Expander then click on  Resource groups.


2.  In the Top-Pane click on + Add.


3.  At the Resource group screen enter a name under Resource group name and select a Resource group location of your choice then click Create as shown below:


We will now need to create our Virtual network within Azure.  An Virtual network within Azure is a network grouping of Azure VM’s that you would like to communicate with each other but isolate for other Azure VM’s. Let’s get started and create our first Virtual network.

1.  In the Left-Pane click + | Networking | Virtual network.


2.  At the Virtual network screen click Create.


3.  At the Create virtual network screen enter the details shown below then click Create.


4.  In the Left-Pane click + | Networking then scroll down and select  Virtual network gateway.


11.  At the Create virtual network gateway enter KHL-Azure-GW under Name then click on Virtual network and select KHL-Azure.


12.  Click on Public IP address, under Choose public IP address select Create new, under Create public IP address click OK, then Create.

!!!Note:  This process can take up to 30-45 minutes.


13.  In the Left-Pane click + | Networking | Local network gateway.


14.  At the Create local gateway network screen enter the following Name, IP address, Address space and select Killer-Home-Lab as the Resource Group then click Create as shown below:

!!!Note:  The IP address (Public IP) shown below can be retrieved by running an ipconfig on your On-Premise Windows Server 2012 R2 router:


15.  In the Left-Pane click + | Networking then scroll down and select  Connection.


16.  Under Basics under Connection type select Site-to-site (IPsec), then select Killer-Home-Lab for the Resource group then click OK.


14.  Under Settings click on Virtual network gateway and select KHL-Azure-GW.


15.  Under Settings click on Local network gateway and select KHL-OnPrem.


16.  Under Settings under Shared key (PSK) enter a key that matches they description then click OK.


17.  At the Summary screen click OK.


Now that we have created our Azure side of our VPN we will need to go to our On-Premise Router and configure the other half of the VPN.  Let's head over to our On-Premise Windows Server 2012 R2 Router and install/configure RRAS following the steps below:

1.  Log-onto On-Premise Router.

2.  On the Taskbar click on Server Manager.

3.  At the Server Manager windows click on Add roles and features.

4.  At the Before you begin screen click Next.

5.  At the Select installation type screen click Next.

6.  At the Select destination server screen click Next.

7.  At the Select server roles screen select Remote Access then click Next.

8.  At the Select features screen click Next.

9.  At the Remote Access screen click Next.

10. At the Select role services screen select Routing and at the pop-up click Add Features then click Next.

11.  At the Web Server Role (IIS) screen click Next.

12.  At the Select role services screen click Next.

13.  At the Confirm installation selections screen click Install.

14.  When setup is complete click Close.

15.  Within Server Manager click on Tools and select Routing and Remote Access.

16.  In the right-pane right-click AZURE-VPN (local) and select Configure and Enable Routing and Remote Access.

17.  At the Welcome to the Routing and Remote Access Server Setup Wizard click Next.

18.  At the Configuration screen select Custom configuration then click Next.


19.  At Custom Configuration select the following then click Next, then Finish:


20.  At the Routing and Remote Access pop-up click Start service.

21.  In the Left-Pane expand AZURE-VPN (local) | IPv4 then right-click NAT and select New Interface.

22.  At the New Interface for Network Address Translation select the External adapter and click OK.

23.  At the next screen select Public interface connected to the Internet then select Enable NAT on this interface.

24.  Click on the Services and Ports tab then under Services: select Secure Web Server (HTTPS).

25.  At the Edit Service window for Private address: enter (Future Exchange Server) then click OK, OK.

26.  From the Taskbar right-click on the Powershell Icon and select Run as administrator.


27. Within the Elevated Powershell enter the following commands:

Import-Module RemoteAccess
Install-RemoteAccess -VpnType VpnS2S
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name [KHL-Azure-GW-IP] -Destination [KHL-Azure-GW-IP] -IPv4Subnet @("") -SharedSecret [SHAREDKEY]
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption
Set-VpnS2Sinterface -Name  [KHL-Azure-GW-IP] -InitiateConfigPayload $false -Force
Connect-VpnS2SInterface -Name  [KHL-Azure-GW-IP]

!!!Note:  [KHL-Azure-GW-IP] can be determined by navigating to + | Resource Groups | Killer-Home-Lab and then clicking on the  KHL-Azure-GW Public IP address object as shown below:



Next we need to identify the Public IP Address provided by your ISP on your external adapter.  Since this lab is based on your External Connection being directly bound to your Windows 2012 R2 router, you can obtain this by running an ipconfig on your router:

For this lab my ISP has given me the address so this will be my Endpoint for my On-Premise Machines.  This address is a Dynamic IP Address that is provided by my ISP so it will change from time to time.  In order to update our Azure VPN we will need to use an Azure PowerShell script that will update our "Local Gateway Network" IP Address when it changes.  We will need to leverage an Dynamic DNS Service to make this script work automatically.

The first thing we will need for our script to work is to gather some information from our Azure Subscription.  Lets follow the steps below to get this information:

Getting the TenantID

1.  Log onto your On-Premise Windows 2012 R2 Router.

2.  On the Taskbar right-click the Powershell and select Run as administrator.


3.  At the PowerShell Prompt enter mkdir C:\AzureConfig

4.  At the PowerShell Prompt enter Login-AzureRMAccount.

5.  At the Microsoft Azure logon screen enter your Azure Credentials and then when redirected to the Enter password page enter a valid password and click Sign in.


6.  Once you are back at the PowerShell Prompt take a note of the TenantID as shown below.  We will be using it later in the post:


7.  Copy and paste the following script in order to create an Azure AD Application.  This is required in order to create the Service Principal Logon that is needed to fully automate our script:

$Tenant = Get-AzureRMSubscription
$Password = "<enter a strong password here>"
$AzureADApplication = New-AzureRmADApplication -DisplayName "KHL AD App" -Password $Password -HomePage "http://www.<domainname>.com" -IdentifierUris "http://www.<domainname>.com"
New-AzureRmADServicePrincipal -ApplicationID $AzureADApplication.ApplicationID
New-AzureRmRoleAssignment -RoleDefinitionName Owner -ServicePrincipalName $AzureADApplication.ApplicationID.Guid

8.  Notate the ApplicationID as shown below since we will need it later in the post:


I used the website below as a guide to create the above Azure AD Application script:


Getting the Azure Domain Name

1.  Open Server Manager.

2.  In the Left-Pane click on Local Server then under the Properties section click on the IE Enhanced Security Configuration toggle.


3.  At the Internet Explorer Enhanced Security Configuration screen under Administrators select Off.

4.  Launch Internet Explorer 11.

5.  In the Top-Right corner select the Settings gear then select Internet Options.


6.  At the Internet Options window select the Security tab then click on Custom level.


7.  At the Security Settings window make sure the File download settings is set to Enable then click OK, OK.


8.  Open Internet Explorer and navigate to http://portal.azure.com.

9.  Once you are redirected to the Microsoft Azure logon page click on your account.


10. Once you are redirected to the Enter password screen enter your password then click Sign in.


11.  Once logged in move your mouse over your username in the top-right corner and take a note of the Domain Name as shown below:


!!!Note:  Just note the portion before .onmicrosoft.com.  I my case it is khlazure.

Now we will need to get our Dynamic DNS Application.  This application will provide a mechanism to tie our ISP's Dynamic Public IP Address to a name that will be used in our PowerShell Script.  Follow the steps below to sign-up, download, install and configure our Dynamic DNS application.

1.  Launch IE and navigate to ddns.net and once you get to the page click on Sign Up Now.


9.  At the Create My Free Account page enter the following then click on Create My Free Account.


10.  Log into the email address that was used above and click on the link shown below:


11.  If successful you will be presented with the page shown below:


12.  Navigate to http://www.noip.com/download and once your at the page click on the Download Now button then click Save at the File Download pop-up.


13.  Navigate to the Downloads folder and launch DUCSetup_v4_1_1.exe.

14.  At the User Account Control click Yes.

15.  At the License Agreement click I Agree.

16.  At the Choose Install Location screen click Install.

17.  When setup is complete click Finish.

18.  At the No-IP DUC (Dynamic Update Client) screen enter you credentials then click Sign In.


19.  At the Edit Group/Hosts select the name you registered under Manage Existing Hosts then click Save.


20.  Close the DUC window. (It will continue to run in the background)

Now we will create our PowerShell script that will make all these pieces work together.  You will need to have the following Values which we collected earlier in the post:

  • TenantID
  • Azure Domain Name (tenantname.onmicrosoft.com)
  • ApplicationID

For convenience I have provided a copy of the script below that can be copied and pasted into notepad and the file should be saved as Azure.ps1.  Please modify all values in red to match your Azure Tenant Values:

# Create Account
$Password = "[Enter a Secure Password]"
$AccountID = "[Enter your Application ID]"
$TenantID = "[Enter your TenantID]"
$Login = $AccountId.ToString()+"@khlazure.onmicrosoft.com"
$Pass = ConvertTo-SecureString $password -AsPlainText -Force
$Cred = New-Object -TypeName pscredential -ArgumentList $Login, $Pass
# Login
Login-AzureRmAccount -Credential $Cred -ServicePrincipal -TenantID $TenantID
$DynDNS = "[Enter Dyn DNS Name].ddns.net"
$ResourceGroup = Get-AzureRmResourceGroup
$Connection = Get-AzureRmVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup.ResourceGroupName
$LocalGateway = Get-AzureRmLocalNetworkGateway -ResourceGroupName $ResourceGroup.ResourceGroupName
$VGateway = Get-AzureRmVirtualNetworkGateway -Name KHL-Azure-GW -ResourceGroupName $ResourceGroup.ResourceGroupName
#Get IP based on the Domain Name
[string]$IP = ([System.Net.DNS]::GetHostAddresses($DynDNS)).IPAddressToString
$LocalNetworkGateway = Get-AzureRmLocalNetworkGateway -ResourceGroupName $ResourceGroup.ResourceGroupName
$AzureIP =  $LocalNetworkGateway.GatewayIpAddress
#Check if the IPs are still the same
if($IP -ne $AzureIP)
#IP Changed, we need to update
Write-host "IP Update In Progress..."
Remove-AzureRmVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup.ResourceGroupName -Name $Connection.Name
  Remove-AzureRmLocalNetworkGateway -Name $LocalGateway.Name -ResourceGroupName $ResourceGroup.ResourceGroupName -Force
  New-AzureRmLocalNetworkGateway -Name $LocalGateway.Name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location 'East US' -GatewayIpAddress $IP -AddressPrefix @('')
$local = Get-AzureRmLocalNetworkGateway -Name $LocalGateway.Name -ResourceGroupName $ResourceGroup.ResourceGroupName
New-AzureRmVirtualNetworkGatewayConnection -Name Connect-To-OnPremise -ResourceGroupName $ResourceGroup.ResourceGroupName -Location 'East US' -VirtualNetworkGateway1 $VGateway -LocalNetworkGateway2 $LocalGateway -ConnectionType IPsec -RoutingWeight 10 -SharedKey '[Enter Pre-shared Key]'
Write-host "IP Updated Successfully"
Write-host "IP Update Failed"
#IP didn't change, nothing to do
Write-host "IP Already Up To Date"

Once the Azure.ps1 file has been saved we must test it out to make sure it works.  Launch an Elevated PowerShell Prompt and navigate to C:\AzureConfig then enter .\Azure.ps1 .  The results should appear as shown below:


Once we have confirmed that our script is operating correctly we will need to make sure that it runs automatically based on a pre-defined interval.    You can make this interval any time that you would like, but understand that this time will be how long you have to wait for the VPN to be re-established if you are remote and your ISP Changes your Public IP.  Using the steps below we will configure our Task Scheduler to run the script every 10 minutes:

1.  From the On-Premise Windows Server 2012 R2 router click on the Windows Logo then click the Down Arrow.

2.  Scroll to the Left then under Administrative Tools click on Task Scheduler.

3.  In the Left-Pane right-click Task Scheduler Library and select Create Task.

4.  On the General tab under Name enter KHL Azure IP Update.

5.  Click on the Triggers tab and click New.

6.  At the New Trigger window under Settings select Daily and under Advanced settings select Repeat task every: and select 15 minutes then click OK.

7.  Click on the Actions tab and click New.

8.  At the New Action window under Program/script enter powershell.exe and under Add arguments (optional): enter C:\AzureConfig\Azure.ps1 then click OK, OK.


Now that our connection has been configured on both sites and set to automatically update our Local Network Gateway IP we will be creating our second On-Premise Server OP-DC.

The first thing we have to do to allow On-Premise Servers to reach the VPN is Configure their IP’s on the same subnet as the On-Premise Router.  We will also need to make its Default Gateway uses the Internal IP Address of the On-Premise router.

Let’s configure our IP settings on our On-Premise Server.  Follow the steps below to do this:

  1. Log onto your Spare On-Premise.
  2. Right-click on the Windows Logo and click on Run.
  3. Enter ncpa.cpl then click OK.
  4. Right-click on Ethernet then click Properties.
  5. Under the This connection uses the following items: section highlight Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  6. Select Use the following IP address: and enter the following:

7.  Click OK, then Close.

By default our local Administrator account is "Administrator".  If we were to promote this server as the 1st Domain Controller in our forest this account would become our 1st Domain Admin.  Since we don't want any of our Domain Admin accounts to be "Administrator", lets change it before we move on.

1.  Right-click on the Windows Logo and click on Run.

2.  Enter compmgmt.msc then click OK.

3.  In the Left-pane Expand Computer Management | System Tools | Local Users and Groups then select Users.

4.  In the Right-Pane right-click Administrator and select Rename.

5.  Enter khl-admin then hit Enter.

Let’s head to Azure now and deploy our 1st Azure VM by logging into the portal by accessing the URL listed below from your On-Premise Server:




Once we are within the portal follow the steps below to create our 1st Azure VM

1.  In the Left-Pane click + | Compute | Windows Server 2012 R2 Datacenter


2.  At the Windows Server 2012 R2 Datacenter screen click Create.


3.  At the Basics screen enter the following then click OK.


***Note:  The virtual machine name will need to be unique for your lab since it’s a hostname within eastus.cloudapp.azure.com.  So KHL-DC is no longer available.

4.  At the Choose a size screen select DS1_V2 Standard VM (Best Bang for Buck) then click Select.


6.  At the Settings screen accept the defaults then click OK.


7.  At the Summary screen review your settings then click OK.


Once the VM is finished being created (About 5-10 minutes), we will need to make a few modifications to the VM to make sure we can access it consistently remotely.  This will involve, setting Static IP's for the VM (Internal/External) as well as an external DNS name for the computer, that can be used to access it via Remote Desktop.  Follow the steps below to make these change

     1.  In the Left-Pane click on Virtual Machines then click on KHL-DC.


2.  At the KHL-DC screen click on the Public IP address as shown below:


3.  At the KHL-DC-ip - Configuration screen under Assignment click Static, under DNS name label enter khl-dc, then click Save.


4.  In the top-right corner click on the Bell to confirm the public ip addres change has been saved.


5.  Scroll back to the Left-Side of the screen then click on Virtual Machines | KHL-DC.


6.  Under KHL-DC click on Network interfaces.


7.  At the KHL-DC - Network interfaces screen click on the Network Interface as shown below:


8.  Under the Network Interface click on IP configurations.


9.  At the IP configurations screen click on ipconfig1 as shown below:


10.  At the ipconfig1 screen under Assignment select Static then click Save.


By default, Windows 2012 R2 Servers block ping request from IP’s that are not from the Local Subnet.  Since this is a lab we will be disabling the state of the Windows Firewall on both Servers.  Follow the steps below to connect to KHL-DC.

     1.  In the Left-Pane click on Virtual Machines then click on KHL-DC.


2.  At the KHL-DC screen click on Connect.


3.  At the Pop-up click Save.


4.  At the next pop-up click on Open Folder.


5.  Under the Downloads double-click on KHL-DC then at the pop-up click Connect, and enter your Credentials.


6.  Right-click on the Windows Logo and select Command Prompt (Admin).

7.  At the Elevated Command Prompt enter the command below:

Netsh advfirewall set allprofiles state off

8.  Repeat steps 6-7 on your On-Premise Spare Server (OP-DC)

 Now we should have connectivity between our Azure VM and On-Premise VM as shown below:



In Part 2 of this series we will configure our Azure VM and On-Premise VM as Domain Controllers and establish 2 Active Directory Sites J




Comments (4)

  1. Felix B says:

    Hi Elliot, do you have subscribe to static IP's from ISP?
    Thank you

    1. Hello Felix. I do not have a Static IP address. I currently have a Dynamic IP but am using a script along with DynDNS that updates the IP used within Azure representing my Public IP. I have updated this post and the script is actually included now. It will allow you to keep your VPN connected even if your ISP changes your IP.

  2. tamangketa says:

    Hi Elliot,

    This is awesome. I have a question. I have MSDN subscription. Is $99 a month enough to cover this lab in Azure?


    1. Hello tamangketa. $99 would be enough to set it up, however it would not be enough to keep it running continually. You could stand it up and then make sure to Shutdown the VM's if you do not need them for lab work.

Skip to main content