Veeam PN for Azure

This solution is a free solution at Veeam. It brings new features to the Veeam solution by allowing restoration in Azure or creation of a VPN connection. It can be used for the following purposes :

Create site-to-site VPN betweeen company office and Microsoft Azure to connect VM restored in Azure
Create point-to-site VPN between remote computers and Microsoft Azure to connect VM restored in Azure
Allow connection to the corporate network to a remote user via Microsoft Azure

Azure PN use Open VPN technology to connect Azure network and company network.

Site-to-Site VPN
site-to-site VPN permit to establish a connection before private network and Azure Network. It is therefore easier to position internal resources in Azure and make them available to the users. Traffic available to the remote network is routed to a secure channel.

Organized around a network hub, this nerwork is the core of the VPN infrastructure. He is responsible for traffic routing, encryption, authentication,…

Veeam PN allows two deployment scenarios:

Deployment of the network hub in Azure
Deployment of the network hub on premise

The Network Hub is one of the points of the VPN tunnel, it’s necessary to create the other point. To do this, a gateway must be deployed. This Gateway is an Appliance whose function is to establish a secure connection with the Network Hub

Point-to-Site VPN
With this scenario, you can establish secure connection between computer and Azure. It’s therefore possible to allow the connection of a computer only and not of an entire network. In this scenario, it is necessary to configure on the Open VPN user’s workstation.

System Requirements

If Network Hub is installed on Azure, it requires Azure VM :

A1 minimum – 1 core, 1,75 GB of RAM memory and 70 GB of space disk.

If you choose to install it on on-premise, you need use VMware vSphere ESXi host 5.0 or later. It require :

1 GB of RAM memory, 3.9 GB of space disk for thin-provisioned disk or 16 GB of space disk for thick-provisioned disk.

You need to allow port into your firewall :

TCP/UDP 1194, from Site Gateways to Network hub. Allows network hub to listen the connections from the site gateway
TCP/UDP 6179, from standalone computer to Network hub. Allows network hub to listen the connections from the standalone computer.
HTTPS 443, from browser to Network hub or site gateway. Permit to communicate with the network hub or site Gateway portal.
SSH 22, from client machine to Network hub or site gateway. Used as a control channel.

Deploy Network hub

We will first deploy the Network Hub. The hub is the component that provides VPN connections. All traffic in the VPN is routed through the network hub. The hub network is deployed in Microsoft Azure. Access to the Azure portal (Azure.microsoft.com) and click on Create a ressource.

In the search bar, enter Veeam PN for Microsoft Azure and click enter.

In the marketplace, click on Veeam PN for Microsoft Azure and click on Create.

Enter information for create Virtual machine (name, user name, password, …) and click on OK.

Select the size of your virtual machine and select storage account. Choose Public IP address or create a news IP address. Choose an unique domain name for VeeamPN.

Configure virtual network and Subnet.

Choose the required security level and click on OK.

Provide VPN information and click to OK. On the Summary Windows, click on OK then on Create to launch installation.

The virtual machine and other components has been deployed.

Configure Network Hub Settings

Into the Azure portal, click on Virtual Machine then on your virtual Applicance.

In the properties of your Appliance, get an Ip address.

Open, browser on your computer and enter https://IPAdress for access to the configuration page. Enter username and password configured when you created Appliance.

A wizard appear, click on Next. You need authenticate in Microsoft Azure Active Directory. For this action, you need click on the link (present in Azure Setup Windows) and enter the authentification code.

Click to continue and connect with your Azure Active Directory account. Close Windows when authentification is OK.

On the Azure Setup wizard, click on Next.

Configuration has now finished, click on Finish.

Configure Veeam PN Services

On the configuration portal, click on Settings then on Services. Diable point-to-Site options.

The VPN settings has configured when the VM was created. You can modify this parameter if you click on VPN tab.

Select Alerts tab and click on No Action for configure Action. Choose the action that you want.

If you choose Send Email action, you need to configure SMTP Server. Click on SMTP tab and configure SMTP Server. Check the box Use SSL and Require authentification if you use Office 365 and enter username/password. Specify email address to send alert information. Click to Apply for commit Settings.

You can configure SSH (Start-Stop service or configure service autostart) from the tab System. Backup, Restore or Reset configuration can also be done from tab System.

Configure Client

Network hub has been configured, you must register client to have access to the VPN. Into the Network Hub portal, click on Clients then on Add.

You can choose option Entire site (for Site-to-Site VPN) or Standalone computer (for Point-to-Site VPN). I want to configure Site-to-Site VPN so I choose Entire Site option. Click Next to validate the settings.

Enter the name of the site and Network address then click on Next.

You need download Veeam PN Open virtual Appliance and deploy it into your ESXi. You need to download the configuration file for configuring Veeam PN Open virtual Appliance.

Access vSphere Client and connect to the ESXi. Import the OVA file previously downloaded. After starting the virtual machine, retrieve the IP address of the virtual machine.