Prerequisites to connect an on premise network to Azure:
* A Microsoft Azure account with spending limit or a subscription
* A router that is supported by Microsoft to connect to Azure, in my situation I used the Cisco ASA 5505. A full list can be found here: https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/
* A fixed IP address from your internet provide. A dynamic (DHCP) IP address wil work but when you get a new IP address from your provider the connection will be broken and some configuration changes must be made on the Azure site of the network. I will explain later what needs to be changed.
* To make a full Domain Network with on premise (virtual) machines and Azure virtual machines it would be nice to have a Domain Controller on the on premise site.
* Java Runtime 6.39 to configure the Cisco ASA 5505 (if you are a die hard you can use the console but because my Surface Pro 3 and my work laptop do not have a serial port available I went for the dummy easy way with a GUI)
To configure your Cisco ASA device it turned out that you need to have Java Runtime 7.51 installed. Do not use higher then the ASDM software may not work. An old and not supported version anymore from the date of 15th of April 2015. After you installed Java and the ASDM software you probably need to change the first part of the target in the shortcut to “C:\Program Files\Java\jre6\Bin\javaw.exe”, do not use “C:\Program Files (x86)\Java\jre6\Bin\javaw.exe” because than you keep stuck in “Contacting the device”. But when you use the x64 version of javaw.exe you get the error: “Unable to launch Device Manager from 192.168.1.1”. If you keep using the original first part of the target in the shortcut at “C:\Windows\SysWOW64\javaw.exe” you also keep stuck in “Contacting the device”
On Premise network: 192.168.1.0/24
On Premise network gateway (Cisco ASA 5505 router): 192.168.1.1
My (old) public IP address from my internet provider: 220.127.116.11
My On Premise network DNS Server name and IP address: HYP01 – 192.168.1.31
First you need to create a Virtual Network in Azure:
Click on +, Network Services, Virtual Network, Custom Create
Image 1: Custom Create Virtual Network
In the Virtual Network Details screen fill in the name for your Virtual Network (any name that describes you virtual network will do) and choose the location for your Virtual Network (West Europe for me because I live in West Europe). You will see the name you entered appear in the Network Preview image and click on the right pointed arrow in the lower right corner of the screen.
Image 2: Create Virtual Network (Details)
In the ‘DNS Servers and VPN Connectivity’ screen you need to fill in the name and IP address of you local DNS Server and optional a second (or third) DNS Server (for example a public DNS Server if you need to get to the Internet from the Virtual Network. Next you need to select ‘Configure a site-to-site VPN’ under ‘Site-to-site Connectivity’ The ‘Network Preview’ should display the network on Azure and On Premise with the DNS Servers. Click on the right pointed arrow in the lower right corner of the screen.
Image 3: DNS Server and VPN Connectivity
In the ‘Site-to-Site Connectivity’ screen the name for the On Premise network, the public IP address from your internet provider and the address space of your On Premise network must be filled in. Click on the right pointed arrow in the lower right corner of the screen.
Image 4: Site to Site Connectivity
In the ‘Virtual Network Address Spaces’ screen the information for your virtual Azure network must be specified. In my case I am using a 10.10.0.0/22 address space with three subnets; 10.10.1.0/24, 10.10.2.0/24 and a gateway subnet 10.10.3.0/29. You can use only one subnet for your Virtual Machines but just to be able to test with different subnets I created two. The third, the gateway subnet, is mandatory to be able to route through the networks to you on premise network. Click on the ‘V’ in the lower right corner of the screen.
Image 5: Virtual Network Address Spaces
In the Azure website under ‘Networks’ and then the Network you just created you would see an almost finished network. There is still missing a public gateway. To create the gateway click on the bottom of the screen on ‘Create Gateway’ and choose a ‘Static Routing’. The Cisco ASA series do not support ‘Dynamic Routing’. Click on ‘Yes’ at the question if the gateway should be created for the virtual network. Creating a gateway may take some time. Just sit it out and behold! When you get the message ‘Succesfully created a gateway for virtual network Azure_Network’ you are ready to go.
Image 6: Completed Azure Network overview
Next step is to configure the Cisco ASA 5505. To do so you need to download the VPN Device script from the ‘azure_network’ page. Click on the link ‘Download VPN Device Script’ Because in this situation I am using this type of router I select in the screen ‘Download a VPN Device Configuration Script’ for ‘Cisco Systems, Inc.’ at Vendor, ‘ASA 5500 Series Adaptive Security Appliances’ at Platform and ‘ASA Software 8.3’ at Operating System and click on the ‘V’. Save the script in your downloads location.
Image 7: Download a VPN Device Configuration Script
Next you can configure the ASA with this script so the connection can be established.