Connecting Azure Virtual Machine to Vendor VPN and the Internet


I am going to address yet another problem commonly encountered when an Azure VM has to meet a data vendor's security requirements.
This would also be a great alternative to installing physical routers in your office.

Here goes.
It is quite common for data vendors to require you to connect to their on-site VPN in order to start pulling data from their production machines.
In order to do so, they advise you to install a VPN client.
During development phase, it would be as simple as copy-pasting the shared key, username and password, and you start seeing their data on your local development machine.

It is not until you are ready to move your solution to an Azure VM that you realize that once the Virtual Machine connects to the VPN, it loses its connection to the rest of the web.
Your Remote Desktop Connection desperately tries to reconnect, and you have to restart the VM in order to regain the connection.

The data vendor gives you an alternative: a hardware solution.
These are the horrors that come along with it:
- You need to purchase a router
- You need to register a public IP for your router
- The router needs to be connected to a dedicated PHYSICAL machine on YOUR site
So now, the maintenance and availability of your service depends on your site.

There must be a way to configure this in Azure, right? One that does not involve you installing and maintaining extra hardware on your end?
The answer is to use a Windows Azure Virtual Network Site-to-Site connection.
Here's what you need to do:

  1. Use the Azure management portal to create a new Site-to-Site Virtual Network.
    - Under DNS, include the Windows Azure default DNS servers 168.63.129.16 and 168.62.167.9 in addition to your vendor's VPN IP.
    - Create a Site-to-Site connection to your vendor's VPN IP.
    - You might want to include the Google DNS servers 8.8.8.8 and 8.8.4.4, too.
  2. Now you can create a new Gateway to your vendor's VPN. This may take quite some time.
  3. The gateway will attempt to connect to your vendor's router. For now, we will leave it in its perpetual Connecting state.
  4. Move your VM to the Virtual Network.
    - Some vendors require a 'Host IP' for your network. You can configure the internal IP in the new portal while the VM is running.
  5. Connect to your VM and make sure that it is connected to the internet through the DNS server.
    - It might be a good idea to enable ICMP on your VM, so your vendor can ping your machine.
  6. Now you can tell your vendor that they need to whitelist your 'router'. Here is a list of things to tell them:
    - Your 'hardware' IP -- your Gateway IP
    - Shared Key -- your Virtual Network's Shared Key
    - Host IP -- your VM's internal IP address
  7. Once they whitelist your Virtual Network, the gateway will successfully connect, and you will be connected to the vendor VPN and the internet at the same time!
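Steps 5 to 7 above can be scripted instead of clicked through. The following is an added example (it is not code from the original post) using the classic Azure Service Management PowerShell module that sits behind the management portal of that era, plus the built-in Windows networking cmdlets inside the VM. Every name and address in it is an assumption you must replace: the Virtual Network "VendorVNet", the Local Network site "VendorSite", the cloud service "MyCloudSvc", the VM "DataPullerVM", and the vendor's address space 10.20.0.0/16 with a production host at 10.20.1.5. The only value taken from the post is the Azure DNS server 168.63.129.16.

```powershell
# Added example, not the original post's code. Assumes the classic Azure
# Service Management PowerShell module and the placeholder names below.
$vnetName    = "VendorVNet"    # assumed: your Site-to-Site Virtual Network
$localSite   = "VendorSite"    # assumed: Local Network site pointing at the vendor's VPN IP
$serviceName = "MyCloudSvc"    # assumed: cloud service hosting the VM
$vmName      = "DataPullerVM"  # assumed: the VM you moved into the VNet

# ---- Step 5: run inside the VM over Remote Desktop ----------------------
$vendorNet  = "10.20.0.0/16"   # assumed: vendor's on-site address space behind the VPN
$vendorHost = "10.20.1.5"      # assumed: a vendor production host you pull data from

# Allow ICMP echo requests only from the vendor's network, not from the
# whole internet: the vendor can ping you, nobody else gets a free probe.
New-NetFirewallRule -DisplayName "Allow ICMPv4 Echo from vendor VPN" `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $vendorNet -Action Allow

# Confirm both paths work at once: Azure DNS resolves public names, the
# internet is reachable on 443, and the vendor host answers over the tunnel.
Resolve-DnsName -Name "www.microsoft.com" -Server 168.63.129.16
Test-NetConnection -ComputerName "www.microsoft.com" -Port 443
Test-NetConnection -ComputerName $vendorHost

# ---- Step 6: run from your admin workstation ---------------------------
# Collect the three values the vendor must whitelist.
$gateway = Get-AzureVNetGateway -VNetName $vnetName
$vm      = Get-AzureVM -ServiceName $serviceName -Name $vmName

# The shared key is a secret: hand it over on a separate, confidential
# channel, never in the same message as the IP addresses.
$sharedKey = Get-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $localSite

Write-Host "'Hardware' IP (gateway VIP) : $($gateway.VIPAddress)"
Write-Host "Host IP (VM internal IP)    : $($vm.IpAddress)"
Write-Host "Shared key                  : send out of band (length $($sharedKey.Value.Length))"

# ---- Step 7: watch the tunnel come up once the vendor has whitelisted you
do {
    $conn = Get-AzureVNetConnection -VNetName $vnetName |
            Where-Object { $_.LocalNetworkSiteName -eq $localSite }
    Write-Host "$(Get-Date -Format T) $($conn.ConnectivityState) - $($conn.LastEventMessage)"
    if ($conn.ConnectivityState -ne "Connected") { Start-Sleep -Seconds 60 }
} until ($conn.ConnectivityState -eq "Connected")
```

The script is split into two halves on purpose: the firewall rule and connectivity checks belong on the VM, while the gateway, key and connection cmdlets need the subscription credentials of your admin workstation. Scoping the ICMP rule to the vendor's address space and keeping the shared key out of the whitelist email are the two points worth keeping even if you do everything else by hand.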

Of course, there will be extra costs incurred by Azure for creating a Site-to-Site Virtual Network.
However, considering the amount of cash you saved from having to purchase a router and a public IP, not to mention maintenance, you might seriously want to consider this approach.

Here are resources for the technical details of setting up Azure Site-to-Site connections:
- Step by Step guide to create your Site-to-Site VNet
- Configuring DNS for Azure VNet
- Azure Pricing for Virtual Networks