Azure Stack integration into the corporate

network

Overview
Once Microsoft Azure Stack has been deployed and configured in your environment, most likely you
have already deployed some resources within Azure Stack, such as virtual machines, SQL databases or
web apps. But as part of your Azure Stack adoption, you may now have a need to connect to and
integrate those Azure Stack resources or workloads into your corporate network, so that for example,
you may want to validate end-to-end connectivity for applications with components deployed on the
corporate network (for example, domain controllers) and components deployed on Azure Stack (for
example, a domain-joined VM running a specific application).

This article will describe the network integration options available in Azure Stack, and then, it will
describe how to perform the network integration for each of those options. Please note that this article
applies to Azure Stack multi node solutions only.

Network integration options in Azure Stack

There are two network integration options in Azure Stack:

1) Connecting through the Public Virtual IP network also referred to as Public VIPs network – this is
a network that is routable in the corporate network. This network is represented in blue in
picture 1 below.
2) Routing directly to tenant virtual networks through site to site VPN connections – IPSec tunnels
are required to provide external connectivity to virtual networks (VNets) within Azure Stack. The
VPN tunnel is represented in green in picture 1 below, while the red arrow represents the traffic
flow between a VM in Azure Stack and a service in the corporate network via the VPN tunnel.

1
Picture 1 – Network connectivity options in Azure Stack

The following sections will describe in detail how to integrate Azure Stack into the corporate network
using the two options described above.

Public Virtual IP Addresses in Azure Stack

Azure Stack uses the same concept of a Public Virtual IP Address (VIPs) as public Azure. In public Azure
adding a VIP enables you to configure access to your resource from the Internet. The principle is the
same in Azure Stack, adding a VIP enables you configure access to your resource from an external
location. The distinction is subtle yet important, in public Azure external always means the Internet but
in Azure Stack the scope of external will depend on your deployment choices:

• If Azure Stack was deployed using public routable address space for the external network (also
referred to as Public VIPs network), the scope for the external access will be the Internet (the
same as public Azure)
• But if Azure Stack was deployed using a private address range reserved in RFC 1918 (10.0.0.0/8,
172.16.0.0/12 or 192.168.0.0/16) for the external network, the scope for the external access will
be determined by your corporate network design.

2
Azure Services and tenant VIPs
When Azure Stack is deployed, several VIPs are used for the Azure Stack environment itself (for
example, for the Portals or ARM endpoints). The remainder of the Public VIPs address range is available
for tenants when they create resources that require a VIP (for example, adding a VIP to a virtual
machine). Picture 2 below depicts the VIPs that are used by Azure Stack endpoints, and the VIP that are
available for tenants. All VIPs in Picture 2 come from the same Public VIP Address range:

Picture 2 – Azure Stack Public VIPs

How to manage VIPs in Azure Stack

Azure Stack service administrators can manage and monitor Public IP addresses or VIP usage, by logging
in the Azure Stack Admin Portal, and then to go Region Management -> [RegionName] -> Resource
Providers -> Network. Among other relevant information, the Service Administrator will be able to track
the Public IP address usage as depicted in picture 3 below:

3
Picture 3 – Public IP Address Usage in Azure Stack

If an Azure Stack service administrator clicks on the Public IP pools usage control, a new blade will be
opened, which will display the list of current Public IP pools, and also, provides the possibility to add
additional IP pools (for example, when the existing pool is getting exhausted) just by clicking Add IP pool
as depicted in picture 4 below:

Picture 4 – Adding a VIP pool

4
Connecting to VIPs in Azure Stack
Azure Stack VIPs (both service VIPs and tenant VIPs) are advertised using the Border Gateway Protocol
or BGP between the Azure Stack Software Load Balancer (SLB) and the Top of the Rack (TOR) switches
that are part of the Azure Stack multi node solution. As soon as Azure Stack has been successfully
deployed, only Azure Stack service VIPs are advertised to the TORs, but a soon as additional PaaS
services are deployed (for example, App Service) or tenants creates VIPs (like adding a public IP address
to a VM), those VIPs get advertised to the TORs. All these VIPs can then be exchanged dynamically with
customer’s border devices via BGP, or alternatively, customer can configure the border device with
static routes. This is depicted in the picture 5 below:

Picture 5 – VIPs being advertised to TORs and routes exchanged between TORs and border devices

As customers own the border devices, they can propagate the routes to the Azure Stack VIPs internally
in the corporate network when using private IP addresses (RFC 1918) for the Public VIPs network.
Alternatively, they need to ensure that routes are exchanged between their internet facing routers and
the border devices when using public routable IP addresses for the public VIPs network.

Thus, a tenant can connect directly to Azure Stack services that are available on a VIP, such as the Azure
Stack Portal, a SQL database, or a Function in App Service. For virtual machines is slightly different, as
virtual machines in Azure Stack are connected to a virtual network using their dedicated IP (DIP), which
is isolated within an Azure Stack virtual network. However, a user could provide external access to a
virtual machine by just adding a VIP to it, but please note that in this case, a NAT operation takes place
as there is a translation from the virtual machine VIP to its DIP This is depicted in the picture 6 below.

5
Picture 6 – Accessing VIPs in Azure Stack

Connect to Virtual Networks in Azure Stack

Similar to Microsoft Azure, a Virtual Network (VNet) in Azure Stack is a representation of your own
network in Azure Stack. Resources connected within a VNet can communicate to each other. You can
implement multiple VNets within each Azure Stack subscription. Each VNet is isolated from other VNets.
For each VNet you can:

• Specify you own address space for your VNet in Azure Stack. The resources connected to the
VNet get an IP address from the address space you defined.
• Segment the VNet into one or more subnets and allocate a portion of the VNet address space to
each subnet.

All VMs connected to a VNet have outbound connectivity to the Internet by default through a source
network address translation (SNAT) to an IP from the VIP of the Azure Stack infrastructure. We reviewed
previously on this article how a VIP can talk to your corporate network. However please note that this
has a NAT in its path and it may have an undesired effect for some application. Alternatively, it’s
possible to have a simple routing between your corporate network and the VNet. This can be achieved
by using a Site to Site (S2S) VPN connection through the Azure Stack multitenant gateway and a VPN
device in your corporate network. The connection is an IPSec/IKE VPN that provides encrypted
communication between the Azure Stack multitenant gateway and your VPN device.

6
Considerations
Before implementing this scenario, please bear in mind the following considerations:
• There cannot be overlapping network address spaces on the Azure Stack VNet and on the
corporate network that you want to connect.
• Please note that any traffic over the VPN tunnel can add additional overhead affecting the
bandwidth due to the IPsec encryption done inside the VPN tunnel

Advantages
Doing a site-to-site VPN connection between a virtual network in Azure Stack and a VPN device on
customer’s corporate network allows a fully routed connection between all the virtual machines
deployed in an Azure Stack virtual network and the corporate network behind the VPN device. Once the
VPN tunnel is established, any virtual machine deployed in the virtual network can have connectivity
with the corporate network via the VPN tunnel. There is no need to add public IP addresses (or VIPs) to
the VMs as there is direct connection via the VPN tunnel.

When you connect a VNet with your corporate network via the VPN tunnel, there is a simple routing
between them without any NATing in the path. For example, one common scenario is that you would
like the VMs deployed in the VNet to join an existing Active Directory Domain, with the domain
controllers located in the corporate network, and as there is a routed network between the corporate
network and the Azure Stack VNet, you could even deploy some domain controllers inside the VNet.

Design
Azure Stack implements the multitenant gateway based on Windows Server 2016 to allow VPN
connections into Azure Stack virtual networks. The multitenant gateway uses one VIP and it is used for
all VPN connections within Azure Stack. Picture 1 above depicts this design, where the VPN connections
from all the virtual networks use the same multitenant gateway VIP.

The following resources are required within a virtual network in order to be able to use the Azure Stack
multitenant gateway to initiate and establish VPN connections with VPN devices outside Azure Stack:

• Virtual Network Gateway, a networking resource in Azure Stack that allows to establish VPN
connections.
• Local Network Gateway, a networking resource that indicates the IP address of the external
VPN device, as well as the IP address space of the corporate network that must be reachable
from the virtual network
• Connection, a networking resource that initiates and stablishes the VPN tunnel with the external
VPN device and where the pre-shared key is indicated

The following picture depicts a sample implementation using the resources described above to
implement a site-to-site VPN connection between a virtual network gateway in Azure Stack and a VPN

7
device on the corporate network. This will allow communication between the virtual machines located
in that virtual network and the machines on the corporate network.

The same design would apply if other virtual networks require connectivity to the corporate network via
a VPN tunnel. The picture below depicts a second virtual network connected also to the corporate
network via VPN tunnel.

8
Creating a VPN connection to a virtual network using the Azure Stack portal
The following steps assume that the Azure Stack service administrator has created an offer with plans
that include the Compute, Storage and Network resource providers and quotas configured to allow
tenants to deploy IaaS resources in their Azure Stack subscription.

Sign in as a tenant
1. Sign in to the Azure Stack portal as a tenant
2. Make sure the tenant has a subscription that has the Compute, Storage and Network services,
and the quotas allow them to create resources.

Create the virtual network and VM subnet

1. Use a tenant account to sign in to the user portal.
2. In the user portal, select New.

9
 3. Go to Marketplace, and then select Networking.
4. Select Virtual network.
5. For Name, Address space, Subnet name, and Subnet address range, use the values that are
adequate for your environment.
6. In Subscription, the subscription that you created earlier appears.
7. For Resource Group, you can either create a resource group or if you already have one, select
Use existing.
8. Verify the default location.
9. Select Pin to dashboard.
10. Select Create.

Create the gateway subnet

1. On the dashboard, open the virtual network resource that you created earlier.
2. On the Settings blade, select Subnets.
3. To add a gateway subnet to the virtual network, select Gateway Subnet.

4. By default, the subnet name is set to GatewaySubnet. Gateway subnets are special. To function
properly, they must use the GatewaySubnet name.
5. In Address range, verify that the address for the subnet.
6. Select OK to create the gateway subnet.

Create the virtual network gateway

1. In the Azure Stack portal, select New.
2. Go to Marketplace, and then select Networking.
3. From the list of network resources, select Virtual network gateway.
4. In Name, provide a name for the virtual network gateway (for example, GW1).

10
 5. Select the Virtual network item to choose a virtual network. Select the virtual network that you
created previously.
6. Select the Public IP address menu item. When the Choose public IP address blade opens, select
Create new.
7. In Name, enter a name (for example, GW1-PiP), and then select OK.
8. By default, for VPN type, Route-based is selected. Keep the Route-based VPN type.
9. Verify that Subscription and Location are correct. You can pin the resource to the dashboard.
Select Create.

Create the local network gateway

In an Azure deployment, a local network gateway represents an on-premises (at the tenant) physical
device, that you use to connect to a virtual network gateway in Azure. In Azure Stack it is a similar
concept, as it represents a physical device on the corporate network that you connect to a virtual
network gateway in Azure Stack.

1. In the Azure Stack portal, select New.

2. Go to Marketplace, and then select Networking.
3. From the list of resources, select Local network gateway.
4. In Name, provide a name for the local network gateway.
5. In IP address, enter the IP address of the VPN device that is in the corporate network.
6. In Address Space, enter the subnets from the corporate network that you would like to reach
via the VPN connection from the Azure Stack virtual network.
7. Verify that your Subscription, Resource Group, and location are correct, and then select Create.

Create the connection

1. In the Azure Stack portal, select New.
2. Go to Marketplace, and then select Networking.
3. From the list of resources, select Connection.
4. On the Basics settings blade, for the Connection type, select Site-to-site (IPSec).
5. Select the Subscription, Resource Group, and Location, and then select OK.
6. On the Settings blade, select Virtual network gateway, and then select the virtual network
gateway that you created earlier.
7. Select Local network gateway, and then select the local network gateway that you created
earlier.
8. In Connection Name, enter a name for the connection.
9. In Shared key (PSK), enter the same shared key that you entered in your VPN device in the
corporate network and then select OK.
10. On the Summary blade, select OK.

11
Obtain the multitenant gateway VIP
1. In the Azure Stack portal, click on More services, and under Networking, select Virtual network
gateways.
2. Select the virtual network gateway that you created earlier.
3. In the overview page you’ll see the public IP address or VIP that was assigned to the multitenant
gateway. Take note of this IP as you will need it when configuring your VPN device in your
corporate network

Create a VM
To validate the data that travels through the VPN connection, you need a virtual machine to send and
receive data Azure Stack. Create a virtual machine now, and then in your virtual network, put it on a VM
subnet.

1. In the Azure Stack portal, select New.

2. Go to Marketplace, and then select Compute.
3. In the list of virtual machine images, select the Windows Server 2016 Datacenter Eval image.
4. On the Basics blade, in Name, enter a name for the VM (for example, VM01).
5. Enter a valid username and password. You use this account to sign in to the VM after it's
created.
6. Provide a Subscription, Resource Group, and Location, and then select OK.
7. On the Size blade, for this instance, select a virtual machine size, and then select Select.
8. On the Settings blade, accept the defaults. Ensure that the virtual network you created earlier is
selected. Verify that the subnet is set to the one where you would like the VM to be connected
to. Then select OK.
9. On the Summary blade, review the settings, and then select OK.

12
Configure the VPN device
You need to configure your VPN device in your corporate network to terminate the Site-to-Site VPN
connection from Azure Stack. You can use any VPN device that supports IKEv2 protocol. When
configuring your VPN device, you will need the following information from the Azure Stack environment:

1. Target VPN device: provide the Public IP address of the Azure Stack multitenant gateway that
you obtained earlier on this document.
2. Address space: provide the address space of the virtual network that you created in Azure Stack.
3. Azure Sack Multitenant gateway uses the following VPN IKE policy settings for the S2S VPN
connections

IKE Phase 1 (Main Mode) parameters

IKE Version IKEv2
Diffie-Hellman Group Group 2
Authentication Method Pre-Shared Key
Encryption & Hashing Algorithms GCMAES256
SA Lifetime 28,800 seconds
IKE Phase 2 (Quick Mode) parameters
IKE Version IKEv2
Encryption & Hashing Algorithms GCMAES256
SA Lifetime (Time) 3,600 seconds
SA Lifetime (Bytes) 819200
Perfect Forward Secrecy (PFS) PFS 2048
Dead Peer Detection (DPD) Supported

Note – Make sure your router supports these settings in order to establish the VPN connection

Validate the connection

After completing these steps, the VPN connection between the Azure Stack virtual network gateway and
the VPN device should be stablished. Assuming ICMP traffic has been allowed on firewalls, you should
be able to ping between virtual machines in the Azure Stack virtual network and machines on the
corporate network. Also, to verify the connection status in the Azure Stack portal, locate and select the
virtual network gateway, click on Connections, click on the connection created previously, and in the
Essentials blade you should see the status listed as Connected and you the Data in and Data out fields
should contain bytes:

13
14