The Azure Website Application (WebApp) to VPN is used to
allow a publicly facing WebApp to connect securely to back-end on primes local
resources without exposing them to the public internet.
The configuration options for the WebApp to Virtual Network
(VNet) to Virtual Private Network (VPN) are continuously evolving as Microsoft
improves and adds new functionality.
In
2014 Azure introduced resource management as a way to manage, automate, and scale
objects. This is now in general release and is called Azure Resource Management
or
ARM.
As of March 2016 Azure has two web portals. The Classic portal using the “manage” url and
the ARM portal using the “portal” url. There is also an extensive collection of
PowerShell scripting tools to manage and automate Azure. These PowerShell tools
also have some different capabilities between the classic and ARM portal. At
some point the classic portal will go away.
Microsoft has documented all the Azure functionality of the
classic and ARM portals. Also Microsoft has some free structured training on
the Microsoft Virtual Academy (MVA) site.
Links and Resources:
The below diagram shows the main parts of WebApp to VNet to
VPN configuration. There are two VPN technologies used; From the Azure WebApp a
Point to Site (P2S) VPN is used to connect to the VNet. From the Azure VNet to
the local on premise network a Site to Site (S2S) VPN is used.
<<Diagram Here>>
Azure virtual network or VNet is a cloud based networking
technology with its foundation in Ethernet and the internet protocol version 4
(IPv4).
IPv4 can be represented in the
standard doted notation ie 192.168.24.3 with a gateway of 192.168.24.1 and the
subnet mask of 255.255.255.0. To help with routing and to simplify the setup
Azure VNet uses the
Classless Inter-Domain Routing (CIDR) format to define the networks and address
spaces. Azure VNets can only use the IPv4 private network address spaces; 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
<<Diagram Here>>
With
the Azure VNet you can fully
control the IP address blocks, DNS settings, security policies, and route
tables.
A VNet can have multiple address spaces and multiple
subnets. Each VNet can have only one gateway.
Address spaces and Subnets are defined with CIDR notation.
10.21.0.0/16 defines a “10.21” address space. With this
space multiple subnets can be defined.
Subnet 1: 10.21.1.0/24
Subnet 2: 10.21.2.0/24
There are three ways to connect to the Azure Cloud; Point to
Site VPN, Site to Site VPN and ExpressRoute.
ExpressRoute
is not a VPN but another method to connect a local corporate enterprise or Colo
network to the Azure cloud. Azure limits the VPN to around 100Mbps where ExpressRoute
is a high speed network connection exceeding 1Gbps. ExpressRoute will not be
covered in this document.
Azure VPN Gateway FAQ:
Point to Site (P2S) is a client based VPN technology where
each client connects to the network with a shared certificate. This is how the
WebApp connects to the VNet and the (S2S) VPNs.
Site to Site (S2S) is a router based VPN technology where
networks are joined via routers using IP security (IPsec) (IKEv1/IKEv2) and
pre-shared key security.
There are two types of S2S VPN technologies: Policy Based
and Route Based
Route Based (IKeV2) VPN more
secure dynamic routing technology using IKEv2
Supported with
WebApp to VPN Integration
Policy based (IKeV1) VPN is
an older Static Routing technology using IKEv1
(Not Supported with WebApp to VNet integration)
When configuring S2S VPN refer to the latest compatible/validated
devices at the Azure website.
Microsoft
PowerShell is a powerful scripting language that extends the task automation
and configuration management capabilities of the Microsoft windows desktop and
server operating systems. PowerShell is built on top of the Microsoft .net
programing framework using the Windows Component Object Model (COM)
binary interface and the Windows Management Instrumentation (WMI)
interface objects are used to access the computer’s hardware and the interworking
of the windows operating system. PowerShell uses cmdlets (pronounced command-lets).
These are pre-built tools used in the PowerShell scripting language to perform many
tasks and functions. These cmdlets exposed most common .net functions and
tools. When a specific function is not available the user can directly access
the complete .net framework, WMI, and COM objects.
Microsoft
has extended PowerShell into Azure with an ever growing set of command line scripting
tools to manage and automate the Azure cloud service.
These
tools are not part of PowerShell and must be downloaded from Microsoft.
Microsoft is always adding new functionality so update when needed. But also be
aware some updates can break any scripts you have built, so test the new
updates on a sandbox system before updating your automation server.
Azure
PowerShell command-line tools download and documentation:
After
you have downloaded the tools you can access your Azure environment. There are two login process depending on if
you are using the classic or ARM portal tools.
1.
Open your PowerShell terminal as administrator.
2.
Login to Azure with the classic or ARM method.
This will pop up an Azure login window.
3.
Change Subscription if needed.
PowerShell
Prompt: PS C:\>
PowerShell
Classic Portal login
Add-AzureAccount
Get-AzureSubscription
Select-AzureSubscription
"MySubscription"
PowerShell ARM Portal login
Login-AzureRmAccount
Get-AzureRmSubscription
Set-AzureRmContext
-SubscriptionId 'xxxx-xxxx-xxxx-xxxx'
