Build a Hybrid Cloud Lab into Microsoft Azure with VyOS

Last week, whilst attending the Automation Framework Masterclass in London (check the link for more details and to register) run by Eric from Xenapp Blog, we started chatting about the configuration of the virtual VyOS router and what extra functionality we could bring to the table.

In my lab I use Microsoft Routing and Remote Access to segregate my networks and to provide connectivity to my Azure vNet. I wanted to see if I could replace this with VyOS and save precious resources.

Eric has already written a great post on Configuring the VyOS Router on Nutanix CE that covers the setup and config well. With that in mind, what I am going to build here is a single VyOS router with three interfaces (WAN, LAN and DMZ) and a site-to-site VPN connection to an Azure Resource Manager vNet. This gives you connectivity from your on-premises environment to the Azure public cloud over an IPsec VPN.

Desired Configuration

First, let's take a look at the network setup I want to achieve.

Looking at the above, I have the following:

  • 192.168.0.0/16 CIDR Block allocated for on-premises use
  • 192.168.0.0/24 for my Home Network – Note to self – Don’t touch this or you will have an angry wife and kids when the internet breaks!
  • 192.168.85.0/24 for my Lab LAN Network
  • 192.168.86.0/24 for my Lab DMZ Network
  • 10.0.0.0/16 CIDR Block allocated for Azure Networks
  • 10.0.1.0/24 for Azure Infrastructure
  • 10.0.2.0/24 for Azure Citrix Worker Servers

Azure Configuration

OK, so let's start with the Azure configuration. Log into the Azure Resource Manager portal.

Go to Virtual networks and add a new network in the region where you want the Site to Site VPN to be established.

Once created, go to the overview.

Two things to note here: the address space for the entire vNet is 10.0.0.0/16, and the DNS servers are set to my on-premises DNS server plus the Google DNS servers. Azure VMs can only reach the on-premises server once the tunnel is up, so until then they will fall back to the Google servers.

When adding the vNet, specify your infrastructure subnet and any additional subnets you want. In my case I added 10.0.1.0/24 for Infrastructure and 10.0.2.0/24 for Citrix Worker Servers.

Next, head over to Virtual network gateways and create a new gateway for your vNet. The gateway needs a subnet named GatewaySubnet in the vNet; the portal creates it for you if it does not exist yet.

When creating the gateway, be sure to select the “Route based” VPN type; a route-based gateway is what the VyOS configuration below is written for.

Once done (this can take up to half an hour), click on the overview.

You should see your gateway created. Take a note of the public IP address allocated to the gateway during creation, as you will need it later during the VyOS configuration.

Next you need a Local network gateway to define your on-premises networks. Make sure you add the address space for your entire on-premises network, in my case 192.168.0.0/16. When prompted for the local network public IP, enter the public IP address of your on-premises router.

Once created, click on the overview.

You will see the public IP address of your on-premises environment and the address space that resides behind that IP address.

Finally you need a Connection to link the Azure gateway and the Local network gateway.

Create a new Connection and select the two gateways to link (Azure and Local).

Clicking Overview will show you both ends of the connection.

Take a note of the pre-shared key you set on the connection, as you will need it during the VyOS configuration. Use a long, random key: it is the only thing authenticating the two gateways to each other.

Deploying the VyOS Virtual Router

I am currently using XenServer in my lab, and the following article explains how to build and import your own VyOS template for XenServer. Once done, you can deploy it to your environment.

When asked about CPU and memory, set them to the following:

Finally, make sure your interfaces are set as below:

  • Eth0 – WAN – 192.168.0.0/24
  • Eth1 – LAN – 192.168.85.0/24
  • Eth2 – DMZ – 192.168.86.0/24

Deploy and power on the virtual router.

Configuring the VyOS Router

Once logged in (vyos / vyos are the default username and password; change that password before the WAN interface is reachable from anything you do not trust), copy and paste the script below into the VyOS router.

Some things to change:

  • <YOUR_DOMAIN_NAME> – your DNS domain name, e.g. bretty.me.uk
  • Eth0 Address – address on your local WAN network
  • Eth1 Address – the address you will use for the default gateway on your LAN
  • Eth2 Address – the address you will use for the default gateway on your DMZ
  • <DNS_SERVER_IP_ADDRESS> – on-premises DNS server IP
  • <TIMEZONE> – e.g. Europe/London
  • <AZURE_GATEWAY_PUBLIC_IP> – public IP address of the Azure virtual network gateway
  • <YOUR_PRE_SHARED_SECRET_FOR_THE_CONNECTION> – the pre-shared key you defined when creating the Azure to Local Connection
  • IP ADDRESSES – when referring to IP address blocks, use the entire CIDR block for the destination network, e.g. 10.0.0.0/16 for Azure and 192.168.0.0/16 for on-premises, so the tunnel selectors match the address spaces you gave Azure

Two things worth knowing about the VPN section before you paste it:

  • Azure route-based gateways negotiate IKEv2. Set key-exchange ikev2 explicitly on the IKE group rather than relying on the VyOS default, which is IKEv1 on current releases; check that the line is present in the script you paste.
  • The IKE and ESP proposals (AES-128, SHA-1, DH group 2, PFS disabled) are chosen because an Azure route-based gateway accepts them with its default policy, so nothing extra is needed on the Azure side. SHA-1, 1024-bit DH group 2 and no PFS are weak by current standards; if you move to SHA-256, DH group 14 and PFS, attach a matching custom IPsec/IKE policy to the Azure connection or the negotiation will fail.

Once this has been configured and rebooted, the VyOS router will attempt to bring up the VPN tunnel with Azure.

configure

set system host-name vyos
set system domain-name <YOUR_DOMAIN_NAME>

set interfaces ethernet eth0 address '192.168.0.101/24'
set interfaces ethernet eth0 description 'wan'
set interfaces ethernet eth1 address '192.168.85.1/24'
set interfaces ethernet eth1 description 'lan'
set interfaces ethernet eth2 address '192.168.86.1/24'
set interfaces ethernet eth2 description 'dmz'

set service ssh port 22

set system name-server <DNS_SERVER_IP_ADDRESS>
set system time-zone <TIMEZONE>

set protocols static route 0.0.0.0/0 next-hop 192.168.0.1

set vpn ipsec ike-group IKE-POLICY key-exchange 'ikev2'
set vpn ipsec ike-group IKE-POLICY lifetime '28800'
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'

set vpn ipsec esp-group ESP-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-POLICY pfs 'disable'
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> authentication pre-shared-secret '<YOUR_PRE_SHARED_SECRET_FOR_THE_CONNECTION>'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> connection-type 'respond'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> default-esp-group 'ESP-POLICY'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> ike-group 'IKE-POLICY'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> local-address '192.168.0.101'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> tunnel 1 local prefix '192.168.0.0/16'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> tunnel 1 remote prefix '10.0.0.0/16'

set nat source rule 5 source address '192.168.0.0/16'
set nat source rule 5 destination address '10.0.0.0/16'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 'exclude'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.85.0/24'
set nat source rule 10 translation address 'masquerade'
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address '192.168.86.0/24'
set nat source rule 11 translation address 'masquerade'
set nat source rule 20 source address '10.0.0.0/16'
set nat source rule 20 destination address '192.168.0.0/16'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 'exclude'

commit
save
exit
reboot
yes
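The script above negotiates against an Azure route-based gateway's default policy, but it is easy to paste a variant that silently fails or weakens the tunnel. As an added example (not part of the original post, and not a VyOS or Azure tool), the Python below reads a VyOS set-script, checks that IKEv2 is set explicitly, flags the proposal values Azure accepts by default but a reviewer should reject (SHA-1, DH group 2, PFS off) together with the VyOS and Azure custom-policy names to use instead, checks that the lab subnets sit inside the tunnel prefixes, and checks that the NAT exclude rule is numbered before the masquerade rules. The trimmed copy of the script, the subnet lists and the wording of the findings are constructed for this example; the Azure names are the ones the az network vpn-connection ipsec-policy add command accepts.

```python
"""Lint a VyOS site-to-site IPsec 'set' script against an Azure route-based
VPN gateway.  Added example for this post, not the post author's tooling.
It checks that IKEv2 is explicit, flags proposal values Azure accepts by
default but a reviewer should reject (with the VyOS and Azure custom-policy
values to use instead), checks the tunnel prefixes cover the planned subnets,
and checks the NAT 'exclude' rules are numbered before the masquerade rules."""
import shlex
from ipaddress import ip_network

# weak VyOS value -> (VyOS replacement, matching Azure custom IPsec/IKE policy name)
WEAK = {
    "sha1": ("sha256", "SHA256"),
    "2": ("14", "DHGroup14"),              # ike-group dh-group 2 is 1024-bit MODP
    "disable": ("dh-group14", "PFS2048"),  # esp-group pfs disable
}


def parse_set_script(text):
    """Each 'set ...' line as a token list with the quotes removed."""
    return [shlex.split(l)[1:] for l in text.splitlines() if l.strip().startswith("set ")]


def matching(rows, *prefix):
    """Tails of the rows that start with the given tokens."""
    return [r[len(prefix):] for r in rows if tuple(r[:len(prefix)]) == prefix]


def weak_note(scope, setting, value):
    fix, azure = WEAK[value]
    return f"{scope}: weak {setting} {value}; use {fix} (Azure policy: {azure})"


def lint(text, onprem_subnets, azure_subnets):
    """Return a list of findings; an empty list means the script passed."""
    rows = parse_set_script(text)
    findings = []
    # IKE: Azure route-based gateways negotiate IKEv2; VyOS defaults to IKEv1.
    for name in sorted({r[0] for r in matching(rows, "vpn", "ipsec", "ike-group")}):
        grp = matching(rows, "vpn", "ipsec", "ike-group", name)
        if ["key-exchange", "ikev2"] not in grp:
            findings.append(f"ike-group {name}: key-exchange ikev2 not set")
        for t in grp:
            if t[0] == "proposal" and len(t) > 3 and t[3] in WEAK:
                findings.append(weak_note(f"ike-group {name}", t[2], t[3]))
    # ESP: 'pfs disable' and SHA-1 match Azure's defaults but are weak choices.
    for name in sorted({r[0] for r in matching(rows, "vpn", "ipsec", "esp-group")}):
        for t in matching(rows, "vpn", "ipsec", "esp-group", name):
            if t[0] in ("pfs", "proposal") and t[-1] in WEAK:
                findings.append(weak_note(f"esp-group {name}", t[-2], t[-1]))
    # Traffic selectors: every planned subnet must sit inside a tunnel prefix.
    for peer in sorted({r[0] for r in matching(rows, "vpn", "ipsec", "site-to-site", "peer")}):
        tun = matching(rows, "vpn", "ipsec", "site-to-site", "peer", peer, "tunnel")
        for side, nets in (("local", onprem_subnets), ("remote", azure_subnets)):
            prefixes = [ip_network(t[3]) for t in tun if t[1:3] == [side, "prefix"]]
            for net in nets:
                if not any(ip_network(net).subnet_of(p) for p in prefixes):
                    findings.append(f"peer {peer}: {net} not inside any {side} prefix")
    # NAT: a lower-numbered 'exclude' rule must shield Azure-bound traffic from
    # every masquerade rule, or the packets are rewritten and miss the tunnel.
    rules = {}
    for t in matching(rows, "nat", "source", "rule"):
        rules.setdefault(int(t[0]), []).append(t[1:])
    excludes = {n: body for n, body in rules.items() if ["exclude"] in body}
    for n, body in sorted(rules.items()):
        if ["translation", "address", "masquerade"] not in body:
            continue
        for net in azure_subnets:
            shielded = any(m < n and any(e[:2] == ["destination", "address"]
                                         and ip_network(net).subnet_of(ip_network(e[2]))
                                         for e in ebody) for m, ebody in excludes.items())
            if not shielded:
                findings.append(f"nat rule {n}: traffic to {net} is masqueraded before the tunnel")
    return findings


# Constructed sample: the post's script trimmed to the lines the checks read.
POST_SCRIPT = """
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group '2'
set vpn ipsec esp-group ESP-POLICY pfs disable
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-POLICY proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> tunnel 1 local prefix '192.168.0.0/16'
set vpn ipsec site-to-site peer <AZURE_GATEWAY_PUBLIC_IP> tunnel 1 remote prefix '10.0.0.0/16'
set nat source rule 5 source address '192.168.0.0/16'
set nat source rule 5 destination address '10.0.0.0/16'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 'exclude'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.85.0/24
set nat source rule 10 translation address masquerade
"""
ONPREM = ["192.168.85.0/24", "192.168.86.0/24"]  # lab LAN and DMZ from the post
AZURE = ["10.0.1.0/24", "10.0.2.0/24"]           # Azure subnets from the post

if __name__ == "__main__":
    for finding in lint(POST_SCRIPT, ONPREM, AZURE):
        print(finding)
```

Run as-is it reports five findings against the post's script (missing key-exchange ikev2, SHA-1 twice, DH group 2, PFS disabled) and nothing about prefixes or NAT, which is exactly the "works, but weak" state the post leaves you in. Feed it your own script and subnets before pasting anything into the router. Fixing the weak items means changing both ends: the VyOS values in the findings and a matching custom IPsec/IKE policy on the Azure connection.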

The Local Firewall

The final thing to do is to set up the rules on your local firewall to forward VPN traffic to the IP address of the VyOS router's WAN interface (192.168.0.101 in this example).

Forward UDP port 500 (IKE) and UDP port 4500 (IPsec NAT traversal). ESP is IP protocol 50, not a TCP or UDP port, and most home routers cannot forward it through NAT; because the VyOS router sits behind NAT, the two gateways detect this and carry ESP inside UDP 4500, so the two UDP forwards are what actually matter. If your firewall lets you, restrict the source of these rules to the Azure gateway's public IP.

Testing

Once the firewall rules are in place, you should see the status of the connection in Azure change to Connected.

You can now ping from the LAN to the DMZ and Azure.

You can also ping from the DMZ to the LAN and Azure.

And finally you can ping from Azure to the DMZ and the LAN.

I know you will have to put firewall rules onto the VyOS router to secure communications, but that is for another post; as it stands nothing filters traffic between the LAN, the DMZ and the Azure subnets. At this stage you should now have a Hybrid Cloud lab to play with.

Laters,

b@m
