Back

TechnologyDec 01, 2014

Microsoft Azure Positioned for Enterprise Networks

Adrian Romo, and Levi Fuller

One of the most powerful features of Microsoft Azure IaaS is being able to extend your on-premises network through a site-to-site VPN in the same way you would connect to a remote branch office.  You configure DNS and IP address ranges, and manage it just like your on-premises infrastructure.  However, one of the limitations of remote connectivity to Azure has been connecting to only one on-premises site.  Many large organizations have large networks with multiple data centers, where each site is connected to every other site.  This is known as a mesh topology.

Microsoft addressed this limitation in May by releasing a new feature: multi-site VPN.  The Azure VPN Gateway now has the ability to terminate up to 10 site-to-site VPN connections per Virtual Network.  This enables companies to have a meshed network topology with Azure as illustrated below.

Azure

Figure 1. Microsoft Azure Multi-Site VPN (TechNet)

Of course this new feature comes with some caveats:

Dynamic Routing Required

The first is your VPN Gateway must be created to leverage dynamic routing.  Dynamic routing is where your network device uses protocols such as OSPF or RIP to “learn” the network and adapt.  Conversely, a device that uses manually created routing tables uses static routing.  So if your VPN Gateway was provisioned with static routing, you’ll have to tear it down and recreate it.

Firewall Supported

Next, you’ll have to verify your firewall or router supports dynamic routing.  The bad news is the firewall I see used most frequently, the Cisco ASA, relies on access lists (static routing) to secure VPN connections and will not function in a multi-site VPN network.  The good news is Juniper, Checkpoint, FortiGate, and SonicWALL firewalls do support dynamic routing and will work in that scenario.  However, if your network solution has to be Cisco, their ASR and ISR routers also support dynamic routing.  You can also stage a multi-site VPN in a lab environment by putting a Windows Server 2012 machine at the edge of your network as a VPN endpoint since Routing and Remote Access does dynamic routing.

Latest Azure Version

Another caveat is multi-site VPN configuration is not supported in the current version of the Azure management portal.  You have to stand up the VPN gateway and then download the NetworkConfig.xml file, edit it to include the additional sites, and then upload the updated version back to the portal.  An excellent tutorial on how to do that can be found here.

Multi-Site VPN Is a Big Win

The main point I want you to take away is that multi-site VPN is a great new feature that helps Microsoft Azure fit into a larger network.  However, if you have Cisco ASA, F5 BIG-IP, or WatchGuard appliances at the edge of your network you will not be able to leverage this feature because of the dynamic routing requirement.

Do you want to explore options for extending your network to the cloud? Credera has extensive experience in designing, planning, and implementing cloud solutions. If you have questions about this blog post, points of view, or IT infrastructure, please leave a comment below, tweet us @CrederaIT, or contact us online.

Modernize applications and support business initiatives with Microsoft Azure

Explore Our Microsoft Consulting Services  →