Set Up VPN from Endpoints to Microsoft Azure
You can use Veeam PN to set up a VPN connection from remote user machines to private clouds in Microsoft Azure. This scenario can be helpful if you have moved some of your applications and services to Microsoft Azure. In this case, you can provide company users with access to VMs in Microsoft Azure.
This how-to assumes that your company environment is distributed between two sites:
- Microsoft Azure: part of your applications and services are hosted in Microsoft Azure.
- Local company site: users who need to gain access to Microsoft Azure VMs are working on a local company site or remotely.
In this scenario, you will deploy Veeam PN components in the following way:
- The network hub will be hosted in Microsoft Azure.
- You will configure VPN settings on user machines with the help of OpenVPN.
Whenever users need to access VMs in Microsoft Azure, they will establish a VPN connection from their machines to the network hub in Microsoft Azure, which, in turn, will route requests to Microsoft Azure VMs.
Before you follow the instructions in this how-to, check the following prerequisites:
- You must have a user account in Microsoft Azure.
- You must use the Azure Resource Manager model to configure the network hub in Microsoft Azure. The classic deployment model is not supported.
To set up a VPN connection from user machines to Microsoft Azure, you will:
- Deploy the network hub in Microsoft Azure.
- Register clients for user machines in the Veeam PN portal.
- Configure OpenVPN on user machines.
- Establish a VPN connection from user machines to the network hub in Microsoft Azure.
The network hub is the core of the VPN infrastructure. If you want to set up a VPN connection from user machines to VMs in Microsoft Azure, you must deploy the network hub in Microsoft Azure.
To deploy the network hub:
- Sign in to the Microsoft Azure portal at https://portal.azure.com.
- In the menu on the left, click New.
- In the marketplace, search for the 'Veeam PN for Microsoft Azure' template.
- Select the template and click Create.
- On the Basics blade, specify basic VM settings: VM name, user credentials for the network hub administrator account, subscription, resource group and location.
- On the Veeam PN settings blade, specify basic settings for the network hub appliance: VM size (A1 size is minimum), storage account, public IP address, domain name, virtual network and subnet.
- On the Security settings blade, specify the key length for the self-signed SSL certificate that Veeam PN will use to secure connections in the VPN.
- On the VPN Information blade, make sure that Yes is enabled in the Enable Point-to-Site field. In the Specify a protocol and Specify a port fields, leave default settings.
- On the Summary blade, click OK.
- On the Buy blade, click Purchase.
Veeam PN will deploy the network hub from the Microsoft Azure template. The deployment process typically takes several minutes. Wait for this process to complete.
- In the Microsoft Azure portal, open properties of the deployed VM and get its IP address.
- In a web browser, access the Veeam PN portal by the following address: https://<networkhubIP>.
The browser will display a warning that the connection is untrusted, because the network hub uses a self-signed certificate. Ignore the warning and agree to proceed to the portal.
- At the Welcome screen, log in to the portal under the network hub administrator account. You specified credentials for the network hub administrator account on the Basics blade.
- Click Login.
- On the welcome screen of the Azure Setup wizard, click Next.
- The Azure Setup wizard will display the https://aka.ms/devicelogin link and an authentication code. Copy the code to the Clipboard, open the https://aka.ms/devicelogin link in a web browser and enter the code in the code field.
- Click Next. Veeam PN will assign the Network Contributor role on the routing table in the Microsoft Azure network to the network hub administrator account. Wait for the process to complete and click Finish.
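
The untrusted-connection warning in the portal step above can be backed by an explicit check: read the certificate the hub presents and compare its SHA-256 fingerprint with a value you obtained some other trusted way. This is an added example, not Veeam PN code; the host and expected fingerprint are values you supply, and the page does not describe how to obtain the trusted fingerprint.

```python
import hashlib
import socket
import ssl
import sys


def normalize_fingerprint(value: str) -> str:
    """Strip separators so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return "".join(ch for ch in value if ch not in ": -\t").lower()


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the value browsers display."""
    return hashlib.sha256(der).hexdigest()


def fetch_hub_certificate(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Read the certificate the hub presents without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # read only; trust is decided by the pin check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def pin_matches(der: bytes, expected: str) -> bool:
    """True only if the presented certificate is exactly the expected one."""
    return der_fingerprint(der) == normalize_fingerprint(expected)


if __name__ == "__main__":
    # Arguments: <networkhubIP> <expected SHA-256 fingerprint>
    hub, expected = sys.argv[1], sys.argv[2]
    cert = fetch_hub_certificate(hub)
    print("presented:", der_fingerprint(cert))
    sys.exit(0 if pin_matches(cert, expected) else 1)
```
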
To provide remote users with access to VMs in Microsoft Azure, you must register clients for these users in the Veeam PN portal. Veeam PN will generate configuration files for users. You will use these configuration files to set up a VPN connection on user machines.
To register a client for user machines:
- In the Veeam PN portal, in the configuration menu on the left, click Clients.
- At the top of the clients list, click Add.
- At the Type step of the wizard, select Standalone computer.
- At the Client step of the wizard, enter a name for the user machine.
- Select the Use HUB server as a default gateway check box.
- At the Summary step of the wizard, click Finish.
Veeam PN will generate an XML file with VPN settings for the user. The XML file will be automatically downloaded to the default downloads folder. Save the downloaded file in a network shared folder accessible from the user machine.
- Repeat steps 1-5 for all users to whom you want to provide access.
To let a user access VMs in Microsoft Azure over the VPN, you must configure VPN settings on the user machine. To do this, you must use OpenVPN software and a configuration file generated by Veeam PN.
To configure OpenVPN on user machines:
- Download the OpenVPN setup file for the user machine OS from: https://openvpn.net/index.php/open-source/downloads.html.
- Run the OpenVPN setup file and install the product with default installation settings.
- Place the configuration file generated by Veeam PN in a folder where OpenVPN configuration files are stored: C:\Program Files\OpenVPN\config.
- Repeat steps 1-3 for all users to whom you want to provide access.
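
The configuration file travels through a network shared folder before it reaches the OpenVPN config folder, so it is worth inspecting the copy that arrives. The following added example (not Veeam PN code) assumes the file is an OpenVPN profile such as the client.ovpn used in the connect command; the sample profile and hub address are constructed placeholders.

```python
import hashlib
# OpenVPN options that run external programs or load plugins.
EXEC_DIRECTIVES = {"script-security", "up", "down", "route-up",
                   "route-pre-down", "ipchange", "tls-verify", "plugin"}

# Constructed sample profile: not Veeam PN output; address and keys are placeholders.
SAMPLE = b"""client
remote 203.0.113.10 1194
redirect-gateway def1
<ca>
constructed-placeholder
</ca>
<key>
constructed-placeholder
</key>
"""

def inspect_profile(data: bytes, expected_hub: str) -> dict:
    """Summarize a client profile and list findings to review before it is used."""
    directives, inline, block = [], set(), None
    for raw in data.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if block:                                  # inside an inline <tag> payload
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            block = line[1:-1]
            inline.add(block)
            continue
        name, *args = line.split()
        directives.append((name.lstrip("-"), args))
    remotes = [a[0] for n, a in directives if n == "remote" and a]
    findings = [f"runs external code: {n}" for n, _ in directives if n in EXEC_DIRECTIVES]
    findings += [f"unexpected remote: {r}" for r in remotes if r != expected_hub]
    if not remotes:
        findings.append("no remote directive")
    if block:                                      # directives after it were not parsed
        findings.append(f"unterminated <{block}> block")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # compare with the hash taken at download
        "remotes": remotes,
        "has_private_key": "key" in inline,           # file must be handled as a credential
        "redirect_gateway": any(n == "redirect-gateway" for n, _ in directives),
        "findings": findings,
    }
```

An empty findings list together with a sha256 value equal to the one recorded when the file was downloaded from the portal indicates the copy on the user machine is the file Veeam PN generated.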
To establish a VPN connection from user machines to Microsoft Azure:
- On a user machine, create a batch file with the following command:
"C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --connect "C:\Program Files\OpenVPN\config\client.ovpn"
where C:\Program Files\OpenVPN\bin\openvpn-gui.exe is the path to the OpenVPN GUI executable in the OpenVPN product folder and C:\Program Files\OpenVPN\config\client.ovpn is the path to the user machine configuration file.
- Run the batch file. Veeam PN will establish a connection from the user machine to the network hub.
- Repeat steps 1-2 for all users to whom you want to provide access.
You have set up a VPN connection from user machines to VMs in Microsoft Azure. VMs running in Microsoft Azure are now accessible to users working remotely.