Windows Azure Virtual Network between regions

Japan Windows Azure User Group, Kentaro Aoki (@kekekekenta)

October 24, 2013

Virtual Networks

[Diagram: two Windows Azure regions connected over the internet]

Windows Azure East Asia
  vn-asia (10.20.0.0/16)
  GATEWAY (static routing): 207.46.137.55
  vn-asia-gw: Ubuntu VPN GW, 10.20.0.4, public name vn-asia-gw.cloudapp.net (207.46.134.21)
  vn-asia-vm: Ubuntu VM, 10.20.0.5

Windows Azure West US
  vn-us (10.10.0.0/16)
  GATEWAY (static routing): 168.61.64.182
  vn-us-gw: Ubuntu VPN GW, 10.10.0.4, public name vn-us-gw.cloudapp.net (168.61.66.238)
  vn-us-vm: Ubuntu VM, 10.10.0.5

Using Network Address Translation

[Diagram: the same topology as the previous slide (vn-asia 10.20.0.0/16 in East Asia, vn-us 10.10.0.0/16 in West US, joined over the internet), with NAT (Masquerading) added at the Ubuntu VPN GWs vn-asia-gw (10.20.0.4) and vn-us-gw (10.10.0.4)]

Virtual Network Settings

[Screenshot: virtual network settings for Windows Azure East Asia and Windows Azure West US]

VPN Configurations for the vn-asia-gw (1)

• Create a new Virtual Machine from the Azure Portal
  – Ubuntu Server 12.04 LTS
• Install IPsec software on Ubuntu
  – $ sudo apt-get install openswan
• Set up IPsec NAT traversal
  – $ sudo vi /etc/ipsec.conf

      config setup
          protostack=netkey
          nat_traversal=yes
          virtual_private=%v4:10.20.0.0/16
          oe=off
      include /etc/ipsec.d/*.conf

VPN Configurations for the vn-asia-gw (2)

• Set up VPN information
  – $ sudo vi /etc/ipsec.d/azure-us.conf

      conn azure-us
          authby=secret
          auto=start
          type=tunnel
          left=10.20.0.4
          leftsubnet=10.20.0.0/16
          leftnexthop=%defaultroute
          right=168.61.64.182
          rightsubnet=10.10.0.0/16
          ike=aes128-sha1-modp1024
          esp=aes128-sha1
          pfs=no

VPN Configurations for the vn-asia-gw (3)

• Set up the secret key
  – $ sudo vi /etc/ipsec.secrets

      10.20.0.4 168.61.64.182 : PSK "krOurXxXX6…XXX"

• Enable IPv4 forwarding
  – $ sudo vi /etc/sysctl.conf

      net.ipv4.ip_forward=1

  – $ sudo sysctl -p /etc/sysctl.conf
• Enable IPsec
  – $ sudo service ipsec restart

VPN Configurations for the vn-asia-gw (4)

• Set up the firewall for SSH
  – $ sudo ufw allow proto tcp to any port 22
• Set up the firewall for IPsec NAT traversal
  – $ sudo ufw allow proto udp to any port 500
  – $ sudo ufw allow proto udp to any port 4500
• Enable IPv4 forwarding for NAT
  – $ sudo vi /etc/default/ufw

      DEFAULT_FORWARD_POLICY="ACCEPT"

VPN Configurations for the vn-asia-gw (5)

• Set up the NAT rule
  – $ sudo vi /etc/ufw/before.rules (add the following rules at the top)

      # nat Table rules
      *nat
      :POSTROUTING ACCEPT [0:0]
      # Forward traffic from eth1 through eth0.
      -A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
      # don't delete the 'COMMIT' line or these nat table rules won't be processed
      COMMIT

VPN Configurations for the vn-asia-gw (6)

• Enable ufw (aka iptables)
  – $ sudo ufw disable && sudo ufw enable

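As an added example (not from the slides or the author's blog), a small Python linter that parses the Openswan ipsec.conf format used in the steps above and reports the settings in the azure-us conn a reviewer would want to look at before relying on the tunnel: pfs=no, SHA-1 integrity, the 1024-bit modp1024 group, and the pre-shared key file. The conn block is embedded as a constructed string copied from the slide so the script runs offline.

```python
# Added example, not from the slides: parse Openswan-style conn sections and flag
# the settings a reviewer would look at. SAMPLE_CONF is the deck's own azure-us
# connection, embedded as a constructed string so the script runs offline.
SAMPLE_CONF = """\
conn azure-us
    authby=secret
    auto=start
    type=tunnel
    left=10.20.0.4
    leftsubnet=10.20.0.0/16
    leftnexthop=%defaultroute
    right=168.61.64.182
    rightsubnet=10.10.0.0/16
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    pfs=no
"""


def parse_ipsec_conf(text):
    """Map "conn NAME" / "config setup" headers (column 0) to their indented key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("include "):
            continue                                   # blank or include line
        if not line[0].isspace():                      # section header
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None:                      # key=value inside a section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def review_conn(conn):
    """Return the settings of one conn that deserve a second look (empty list = none)."""
    findings = []
    if conn.get("pfs", "yes").lower() == "no":         # Openswan defaults to pfs=yes
        findings.append("pfs=no: IPsec SA keys are not refreshed by a new DH exchange")
    for key in ("ike", "esp"):
        algs = conn.get(key, "")
        if "sha1" in algs:
            findings.append(f"{key}={algs}: SHA-1 integrity")
        if "modp1024" in algs:
            findings.append(f"{key}={algs}: 1024-bit DH group")
    if conn.get("authby") == "secret":
        findings.append("authby=secret: PSK in /etc/ipsec.secrets, keep that file mode 0600")
    return findings
```

Point `parse_ipsec_conf` at the contents of /etc/ipsec.conf or any file under /etc/ipsec.d to review the real configuration; the same parser also reads the `config setup` block from slide 5.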

Ping through the VPN tunnel

[Screenshot: ping between Windows Azure East Asia and Windows Azure West US]

Articles

• VPN connection between Windows Azure regions
  – http://kentablog.cluscore.com/2013/10/windows-azurevpn.html
• Research edition
  – http://kentablog.cluscore.com/2013/10/creating-site-to-site-vpn-with-regions.html
