1
00:00:05,440 --> 00:00:08,720
Alright, so let's configure RRAS in Azure.

2
00:00:08,720 --> 00:00:11,500
So here we are in the Azure portal,

3
00:00:11,500 --> 00:00:15,820
and I am in the resource group where I have deployed an Azure

4
00:00:15,820 --> 00:00:19,440
Virtual Machine running Windows Server 2022,

5
00:00:19,440 --> 00:00:23,650
and the VPN server configuration is identical to what

6
00:00:23,650 --> 00:00:25,480
we did in the earlier lessons.

7
00:00:25,480 --> 00:00:28,190
So we won't go over the configuration here,

8
00:00:28,190 --> 00:00:30,680
I don't want to rehash that, but fundamentally,

9
00:00:30,680 --> 00:00:36,310
I just want to point out the things that are unique to deploying RRAS in Azure.

10
00:00:36,310 --> 00:00:41,550
So I've deployed a virtual machine, I also needed to assign a public IP address,

11
00:00:41,550 --> 00:00:46,080
so I've created a public IP address and a network security group.

12
00:00:46,080 --> 00:00:49,740
Now the public IP address, let me demonstrate this here real quick.

13
00:00:49,740 --> 00:00:52,950
If I go to the IP address and then go to Configuration,

14
00:00:52,950 --> 00:00:56,630
by default, I've just selected a dynamic IP address here,

15
00:00:56,630 --> 00:00:59,680
and you'll see that it has this particular IP address,

16
00:00:59,680 --> 00:01:00,970
at least right now.

17
00:01:00,970 --> 00:01:05,830
If I maintain this service state and keep it up and running perpetually,

18
00:01:05,830 --> 00:01:08,040
this will probably never change,

19
00:01:08,040 --> 00:01:11,810
but it's a good idea to provide a DNS name label here,

20
00:01:11,810 --> 00:01:15,030
it says it's optional, but for our purposes we really want to do this.
21
00:01:15,030 --> 00:01:21,650
So we're going to give this a name, and we'll make sure that that name is valid,

22
00:01:21,650 --> 00:01:22,820
it has to be unique,

23
00:01:22,820 --> 00:01:26,410
and then what we're going to do is we'll save this and then

24
00:01:26,410 --> 00:01:30,760
we will create a DNS record that is a CNAME record that

25
00:01:30,760 --> 00:01:35,540
resolves our public host name, so like vpn.example.com,

26
00:01:35,540 --> 00:01:40,400
that will, instead of resolving to the IPv4 address in an A resource record,

27
00:01:40,400 --> 00:01:44,040
we're actually going to resolve it to this name or translate it

28
00:01:44,040 --> 00:01:46,580
to this name as an alias or a CNAME record,

29
00:01:46,580 --> 00:01:51,430
and then Azure essentially manages this mapping for us.

30
00:01:51,430 --> 00:01:54,210
So if this IP address ever changes on us,

31
00:01:54,210 --> 00:01:58,200
Azure will update this so we don't have to make any changes to DNS.

32
00:01:58,200 --> 00:02:00,240
Azure does that for us.

33
00:02:00,240 --> 00:02:02,340
The other option here, of course,

34
00:02:02,340 --> 00:02:05,990
is just to simply choose a static IP address and then you would

35
00:02:05,990 --> 00:02:10,520
create an A resource record and map this particular IP address

36
00:02:10,520 --> 00:02:12,670
because then obviously it would never change.

37
00:02:12,670 --> 00:02:17,200
The choice to do a static or dynamic is entirely up to you.

38
00:02:17,200 --> 00:02:20,300
A static IP address may have some additional costs,

39
00:02:20,300 --> 00:02:23,370
I don't know for sure, but either one will work.
40
00:02:23,370 --> 00:02:25,880
Certainly the simplest way is to do a static address

41
00:02:25,880 --> 00:02:28,420
assignment in an A resource record, but again,

42
00:02:28,420 --> 00:02:29,680
if you choose dynamic,

43
00:02:29,680 --> 00:02:32,960
just make sure you assign a name and then map this name

44
00:02:32,960 --> 00:02:36,660
via CNAME to whatever public host name you plan to use for

45
00:02:36,660 --> 00:02:39,040
your clients to connect to.

46
00:02:39,040 --> 00:02:42,830
So the next thing I want to demonstrate here is the network security group.

47
00:02:42,830 --> 00:02:43,600
So obviously,

48
00:02:43,600 --> 00:02:45,780
we have a public IP address, and we don't want to

49
00:02:45,780 --> 00:02:48,310
allow all traffic in from everywhere.

50
00:02:48,310 --> 00:02:51,960
So here, what I have done, is I've created a network security group,

51
00:02:51,960 --> 00:02:55,740
and I have created three rules, and you'll see these here.

52
00:02:55,740 --> 00:03:01,000
So I have allowed HTTPS, which is TCP port 443,

53
00:03:01,000 --> 00:03:04,750
that's our protocol and port required for SSTP,

54
00:03:04,750 --> 00:03:08,670
and then I've allowed UDP 500 and 4500 inbound.

55
00:03:08,670 --> 00:03:14,140
Those are the only three ports that should be open on the NSG.

56
00:03:14,140 --> 00:03:17,960
Next, if we take a look at the Azure virtual machine,

57
00:03:17,960 --> 00:03:24,470
I want to go over to the Networking tab and then go to the Network Interface.

58
00:03:24,470 --> 00:03:26,940
So I'm going to select Network Interface,

59
00:03:26,940 --> 00:03:30,240
and here, let's go to IP configurations,

60
00:03:30,240 --> 00:03:33,190
and we need to enable IP forwarding.

61
00:03:33,190 --> 00:03:37,200
So in order for this to work, we need to enable IP forwarding.
62
00:03:37,200 --> 00:03:42,140
So once we've done that, we'll click Save,

63
00:03:42,140 --> 00:03:44,510
and then the last thing that we'll need to do is if we

64
00:03:44,510 --> 00:03:46,320
go back to our resource group here,

65
00:03:46,320 --> 00:03:51,250
we will need to create a route table because we need to tell the

66
00:03:51,250 --> 00:03:54,050
Azure infrastructure where to route this traffic.

67
00:03:54,050 --> 00:04:03,640
So I'm going to click Create, I'm just going to enter route table here,

68
00:04:03,640 --> 00:04:10,400
and then select Route table, click Create,

69
00:04:10,400 --> 00:04:20,340
and then we will assign it a region, give it a name,

70
00:04:20,340 --> 00:04:24,140
we'll select No for Propagate gateway routes,

71
00:04:24,140 --> 00:04:33,240
and then click Review and create.

72
00:04:33,240 --> 00:04:36,840
Once that's complete, we'll go to our resource,

73
00:04:36,840 --> 00:04:41,040
and then we'll click on Routes and we'll click Add,

74
00:04:41,040 --> 00:04:41,560
and here,

75
00:04:41,560 --> 00:04:44,850
we're going to give this a route name and this is our VPN client subnet,

76
00:04:44,850 --> 00:04:47,840
so I'll just enter that here,

77
00:04:47,840 --> 00:04:51,940
and the address prefix is an IP address,

78
00:04:51,940 --> 00:04:56,840
and the source IP address range is our prefix that we're going to

79
00:04:56,840 --> 00:05:00,400
assign to our VPN clients for this particular server.

80
00:05:00,400 --> 00:05:02,780
So if you'll recall from our earlier lessons,

81
00:05:02,780 --> 00:05:08,760
we assign an IP address pool to our VPN clients when they connect,

82
00:05:08,760 --> 00:05:13,040
and so I'm going to enter that here in CIDR notation.

83
00:05:13,040 --> 00:05:18,140
The Next hop type here will actually be virtual appliance,

84
00:05:18,140 --> 00:05:21,460
and the next hop address is the IP address of the

85
00:05:21,460 --> 00:05:23,940
VPN server that owns this prefix.
86
00:05:23,940 --> 00:05:25,960
So this is a single server deployment,

87
00:05:25,960 --> 00:05:27,740
but if you had multiple servers you would want to make

88
00:05:27,740 --> 00:05:31,040
sure you use the correct IP address here.

89
00:05:31,040 --> 00:05:36,340
So once we're done, we'll click Add,

90
00:05:36,340 --> 00:05:39,380
and once the route has been successfully added,

91
00:05:39,380 --> 00:05:41,330
we'll need to assign it to a subnet.

92
00:05:41,330 --> 00:05:44,380
So now I'm going to go back to the Subnets,

93
00:05:44,380 --> 00:05:46,840
and we'll click Associate,

94
00:05:46,840 --> 00:05:51,490
we'll select our virtual network and then a subnet within that

95
00:05:51,490 --> 00:05:53,800
virtual network that we want to assign it to,

96
00:05:53,800 --> 00:05:55,740
and click OK.

97
00:05:55,740 --> 00:05:56,660
And at this point,

98
00:05:56,660 --> 00:06:05,100
Azure now knows to route the 172.21.12.0/24 network back to the VPN server.

99
00:06:05,100 --> 00:06:08,920
So at this point when clients connect to the VPN server,

100
00:06:08,920 --> 00:06:12,000
they'll get an IP address from that pool, and now the

101
00:06:12,000 --> 00:06:15,360
Azure infrastructure will know how to properly route that

102
00:06:15,360 --> 00:06:18,040
traffic back to the VPN server.

103
00:06:18,040 --> 00:06:20,370
The last point I want to make here is that you would need to

104
00:06:20,370 --> 00:06:24,730
associate this route table with any subnets on which clients

105
00:06:24,730 --> 00:06:27,010
would need to be able to reach resources.

106
00:06:27,010 --> 00:06:27,780
Also,

107
00:06:27,780 --> 00:06:31,730
if the clients need to connect to the VPN and then traverse a

108
00:06:31,730 --> 00:06:34,940
site-to-site VPN or an ExpressRoute connection,

109
00:06:34,940 --> 00:06:44,000
you will also need to assign the route table to those VPN gateways for those connections, so be aware of that.
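Added example, not part of the lesson transcript: the Azure-side steps the lesson performs in the portal (public IP with a DNS name label, NSG with the three inbound rules, IP forwarding on the NIC, a route table that points the VPN client pool at the RRAS server as a virtual appliance, and the subnet association) scripted with the Az PowerShell module. The client pool 172.21.12.0/24 and the ports TCP 443, UDP 500 and UDP 4500 come from the lesson; the resource group, region, resource names, the server's private IP, the DNS name label and the use of the Internet service tag as the source are assumptions for illustration.

```powershell
# Added example (not the lesson's own code). Requires the Az.Network module and
# an existing VNet, subnet and VM NIC. All names and addresses below are assumptions
# except the client pool and ports, which come from the lesson.
#Requires -Modules Az.Network

$rg         = 'rg-rras'          # assumed resource group
$location   = 'eastus'           # assumed region
$vnetName   = 'vnet-rras'        # assumed virtual network
$subnetName = 'snet-rras'        # assumed subnet the RRAS server's NIC is in
$nicName    = 'vpn01-nic'        # assumed NIC of the Windows Server 2022 VM
$vpnNicIp   = '10.0.1.4'         # assumed private IP of the RRAS server
$clientPool = '172.21.12.0/24'   # VPN client address pool from the lesson

# 1. Public IP with a DNS name label. Dynamic allocation (as in the lesson) requires
#    the Basic SKU; Standard SKU public IPs are static only. The CNAME for
#    vpn.example.com then targets <label>.<region>.cloudapp.azure.com, which Azure
#    keeps mapped to whatever address the resource currently holds.
$pip = New-AzPublicIpAddress -Name 'vpn01-pip' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic -Sku Basic -DomainNameLabel 'vpn01-contoso'   # label is an assumption
"CNAME target: $($pip.DnsSettings.Fqdn)"

# 2. NSG with exactly the three inbound allows RRAS needs. Everything else inbound
#    is dropped by the built-in DenyAllInBound rule.
$common = @{ Direction = 'Inbound'; Access = 'Allow'; SourceAddressPrefix = 'Internet'
             SourcePortRange = '*'; DestinationAddressPrefix = '*' }
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SSTP'      -Priority 100 -Protocol Tcp -DestinationPortRange 443  @common
    New-AzNetworkSecurityRuleConfig -Name 'Allow-IKEv2'     -Priority 110 -Protocol Udp -DestinationPortRange 500  @common
    New-AzNetworkSecurityRuleConfig -Name 'Allow-IKEv2-NAT' -Priority 120 -Protocol Udp -DestinationPortRange 4500 @common
)
$nsg = New-AzNetworkSecurityGroup -Name 'vpn01-nsg' -ResourceGroupName $rg -Location $location -SecurityRules $rules

# 3. NIC: attach the public IP and NSG, and enable IP forwarding so the Azure fabric
#    delivers packets addressed to the client pool rather than only to the NIC's own IP.
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.IpConfigurations[0].PublicIpAddress = $pip
$nic.NetworkSecurityGroup = $nsg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 4. Route table: client pool -> RRAS server as a virtual appliance, with
#    gateway route propagation disabled as selected in the lesson.
$route = New-AzRouteConfig -Name 'vpn-clients' -AddressPrefix $clientPool `
    -NextHopType VirtualAppliance -NextHopIpAddress $vpnNicIp
$rt = New-AzRouteTable -Name 'rt-vpn-clients' -ResourceGroupName $rg -Location $location `
    -Route $route -DisableBgpRoutePropagation

# 5. Associate the route table with every subnet the VPN clients must reach.
#    Add further subnet names to the list as needed.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
foreach ($name in @($subnetName)) {
    $cfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $cfg.AddressPrefix -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the NIC's effective routes should now carry the client pool with
# next hop type VirtualAppliance and next hop $vpnNicIp.
Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains $clientPool } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```

For the site-to-site VPN or ExpressRoute case the lesson mentions at the end, the association is made with the GatewaySubnet rather than with the gateway resource itself, and Azure does not accept a route table with gateway route propagation disabled on that subnet, so use a second route table (same route, propagation left enabled) there. The on-premises side also has to know about 172.21.12.0/24, via BGP or the local network gateway configuration, or return traffic never reaches the Azure gateway.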