Azure Connect - a vpn between Azure and your machines

Azure Connect is a service that lets you establish a vpn tunnel (for want of a better word) between a virtual machine running in Azure and another running on premises. The connection is point-to-point, meaning that you will need to configure it on every machine involved. Nonetheless, it is a valuable tool when you need to access resources within your network from Azure and viceversa.

To set up Azure connect, you will need:

1. An activation token. Open the management portal. If you are on the Connect beta program, you'll see a "connect" icon on the main ribbon. Click on it and then on your subscription name. Select "Get Activation Token" in the top ribbon. Your token will be displayed. Copy it and save it.

2. A local endpoint, i.e. a communication service. To install it on the local machine, click on "Install Local Endpoint" in the top ribbon, copy the link provided (note that it contains the token) and use it to open another browser tab. When asked, click "run" to download and install the endpoint. This is a service running as LocalSystem; it uses the HTTPS protocol, so make sure that TCP port 443 outbound is open.

3. An endpoint group. This is made of local endpoints and azure roles (including VMs) amongst which connectivity is authorized.

Local machines will register with Azure Connect after you install the endpoint.

For Azure roles, you need to modify in Visual Studio:

- The configuration file .cscfg and include the following line under "Settings"

<Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken" value="_token_" />

where _token_ is the activation token string that you copied in step 1.

- The service definition file .csdef and include the following line under "Imports"

<Import moduleName="Connect" />

The same can be done via the GUI. Right-click on the role name, select properties and then "Virtual Network". Select "Activate Windows Azure Connect", then paste the token in the relevant field.

When you publish the project to Azure with Visual Studio, Azure Connect will be activated for those roles.

Virtual Machines are the exception: you have complete control of what the VM contains, no endpoint agent will be installed for you. You must install it in the base image for the vm role before uploading it to Azure. You can obtain the package at

https://waconnect.blob.core.windows.net/client/latest/x64/wacendpointpackagefull.exe

This is not the same URL that you get by clicking "install local endpoint". Also make sure that IPv6 is enabled in your template (it is by default).

You must enable Azure Connect in the configuration files as before for the VM role as well. Installing the endpoint package in the template is not sufficient. If you have a running VM where you forgot to install the agent, you can still log into it and perform the installation manually. Alas, this change won't be persisted to the stored template.

Firewall ports on the local machines and on Azure roles (except VMs) will be configured automatically during the endpoint installation. If you enforce firewall policies, please make sure to:

- allow TCP 443 outbound.

- allow IPv6 protocol, ICMPv6 type 133 and 134 messages (router solicitation and advertisement).

In the end, you will see a list of the activated machines and roles in your management portal.

You can then create a group and specify which local machines and Azure roles are allowed to connect.

The most common use of Azure virtual networks is domain connectivity. To join an azure role to a corporate domain, you must install a local endpoint on a domain controller that is also a DNS server, then include both role and DC in the same endpoint group (other servers can be included too). In the configuration for the role, you must set specific parameters to enable the domain join. You'll find them in the settings for the role.

Powered by Qumana