Windows Azure: S2S VPN with dynamic public IP

Hi Folks,

Some weeks ago, I decided to focus a bit more on Windows Azure and to test several scenarios. The first one was to establish a Site to Site VPN between Windows Azure and my lab at home.
Microsoft now supports Windows Server 2012 Routing and Remote Access Service (RRAS) as a VPN device for Windows Azure, so all I needed was to create a new VM for this task.

To configure and establish the connection with RRAS, I recommend the two following guides:

http://blogs.technet.com/b/arnaud/archive/2013/06/06/cloud-hybride-vpn-site-224-site-avec-azure-et-windows-server-2012.aspx
http://fabriccontroller.net/blog/posts/setting-up-software-based-site-to-site-vpn-for-windows-azure-with-windows-server-2012-routing-and-remote-access/

These guides are quite complete and I didn't have any problem establishing the connection.

When you configure your Azure network, it creates an IPsec tunnel between Azure and your site. During this process, you have to specify a VPN Gateway Address, which is simply the public IP your ISP has assigned you.
If your Internet Service Provider (ISP) gives you a fixed IP, no problem, you are all set. But if your ISP gives you a public IP that changes every x days (like mine), each time this IP changes the VPN connection goes down and you have to update your public IP in the Azure Web Interface.

Even though I'm using this S2S VPN connection for testing purposes only, updating my public IP manually in the Azure Web Interface is not an option for me. Fortunately, PowerShell is there to help us.

Two prerequisites:
Install the Windows Azure PowerShell Module:
http://go.microsoft.com/?linkid=9811175&clcid=0x409

Subscribe to a service like http://www.no-ip.com or http://www.dyndns.com which makes a subdomain point to your public IP (with an automatic update when your IP changes).

The first thing to do is to retrieve the Azure settings; for that, simply run the following commands:

Import-Module "C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Azure.psd1"
#Execute: Get-AzurePublishSettingsFile; Save .publishsettings file locally
Get-AzurePublishSettingsFile

This retrieves a .publishsettings file containing all the information necessary to connect to your Azure subscription.
Save this file in a secure location, as it gives full access to your Azure subscription.

Configure the following parameters:

Import-Module "C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Azure.psd1"
#Variables
$Path = "E:\AzureConfig"
$DynDNS = "xxxx.no-ip.com"
$AzureSubscriptionName = "Windows Azure MSDN - Visual Studio Ultimate"
$AzurePublishSettingsFile = "$Path\Windows Azure MSDN - Visual Studio Ultimate-11-19-2013-credentials.publishsettings"

You can find your Azure subscription name simply by clicking Subscriptions in the Azure Web Interface.

Connect to Windows Azure with the connection file that you saved earlier with the Get-AzurePublishSettingsFile command.

#Execute: Import-AzurePublishSettingsFile; reference local .publishsettings file
Import-AzurePublishSettingsFile -PublishSettingsFile $AzurePublishSettingsFile
Set-AzureSubscription -SubscriptionName $AzureSubscriptionName
Select-AzureSubscription -SubscriptionName $AzureSubscriptionName

This part of the script gets your ISP public IP from your No-IP.com or DynDNS subscription, and also the public IP currently configured in Windows Azure.

#Get IP based on the Domain Name (IPv4 only, so a name that also has an AAAA record
#does not produce a space-joined string; stop if the name does not resolve, otherwise
#an empty gateway address would be pushed to Azure)
$Resolved = [System.Net.Dns]::GetHostAddresses($DynDNS) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
if (-not $Resolved)
{
  Write-Host "Could not resolve $DynDNS to an IPv4 address, nothing changed"
  exit 1
}
[string]$IP = $Resolved.IPAddressToString

#Get AzureVnetConfiguration
Get-AzureVNetConfig -ExportToFile "$Path\AzurevNetConfigCurrent.xml" | Out-Null

[XML]$xml = Get-Content "$Path\AzurevNetConfigCurrent.xml"
[string]$AzureIP = $xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite.VPNGatewayAddress

Now, we simply need to check whether your current public IP is still the same as the one configured in Windows Azure. If the IP is still the same, no modification is needed. If the IP has changed, the script updates it in Azure.

#Check if the IPs are still the same
if($IP -ne $AzureIP)
{
  #IP Changed, we need to update
  Write-Host "IP Update In Progress..."

  #Update the configuration file
  $xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite.VPNGatewayAddress = $IP
  $xml.Save("$Path\AzurevNetConfigNew.xml")

  #Upload the configuration file to Azure
  $Ret = Set-AzureVNetConfig -ConfigurationPath "$Path\AzurevNetConfigNew.xml"
  if($Ret.OperationStatus -eq "Succeeded")
  {
    Write-Host "IP Updated Successfully"
  }
  else
  {
    Write-Host "IP Update Failed"
  }

  # Dial-in to Azure gateway (optional and only if this script is running on the RRAS server)
  #Connect-VpnS2SInterface -Name xxx.xxx.xxx.xxx

}
else
{
  #IP didn't change, nothing to do
  Write-Host "IP Already Up To Date"
}

Normally, your RRAS server will try to reconnect to Windows Azure every x seconds. As soon as the IP is updated, the connection is re-established.
Personally, I run this script every 5 minutes, directly on my RRAS server. You can also force RRAS to initiate the connection with the Connect-VpnS2SInterface -Name xxx.xxx.xxx.xxx command.

Now the complete script:

#Perform Prerequisite Setup Steps First
#Download latest Windows Azure PowerShell Module:
Import-Module "C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\Azure\Azure.psd1"

#Execute: Get-AzurePublishSettingsFile; Save .publishsettings file locally
#Get-AzurePublishSettingsFile

#Variables
$Path = "C:\Scripts"
$DynDNS = "syno.vnext.be"
$AzureSubscriptionName = "Windows Azure MSDN - Visual Studio Ultimate"
$AzurePublishSettingsFile = "$Path\Windows Azure MSDN - Visual Studio Ultimate-11-19-2013-credentials.publishsettings"

#Execute: Import-AzurePublishSettingsFile; reference local .publishsettings file
Import-AzurePublishSettingsFile -PublishSettingsFile $AzurePublishSettingsFile
Set-AzureSubscription -SubscriptionName $AzureSubscriptionName
Select-AzureSubscription -SubscriptionName $AzureSubscriptionName

#Get IP based on the Domain Name (IPv4 only, so a name that also has an AAAA record
#does not produce a space-joined string; stop if the name does not resolve, otherwise
#an empty gateway address would be pushed to Azure)
$Resolved = [System.Net.Dns]::GetHostAddresses($DynDNS) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
if (-not $Resolved)
{
  Write-Host "Could not resolve $DynDNS to an IPv4 address, nothing changed"
  exit 1
}
[string]$IP = $Resolved.IPAddressToString

#Get AzureVnetConfiguration
Get-AzureVNetConfig -ExportToFile "$Path\AzurevNetConfigCurrent.xml" | Out-Null

[XML]$xml = Get-Content "$Path\AzurevNetConfigCurrent.xml"
[string]$AzureIP = $xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite.VPNGatewayAddress

#Check if the IPs are still the same
if($IP -ne $AzureIP)
{
  #IP Changed, we need to update
  Write-Host "IP Update In Progress..."

  #Update the configuration file
  $xml.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite.VPNGatewayAddress = $IP
  $xml.Save("$Path\AzurevNetConfigNew.xml")

  #Upload the configuration file to Azure
  $Ret = Set-AzureVNetConfig -ConfigurationPath "$Path\AzurevNetConfigNew.xml"
  if($Ret.OperationStatus -eq "Succeeded")
  {
    Write-Host "IP Updated Successfully"
  }
  else
  {
    Write-Host "IP Update Failed"
  }

  # Dial-in to Azure gateway (optional and only if this script is running on the RRAS server)
  #Connect-VpnS2SInterface -Name xxx.xxx.xxx.xxx

}
else
{
  #IP didn't change, nothing to do
  Write-Host "IP Already Up To Date"
}
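An added example, not the post's script, that hardens the comparison step: it resolves IPv4 records only, refuses a private or link-local answer (a stale or wrong dynamic DNS record would otherwise be pushed to Azure as the gateway address), and selects the LocalNetworkSite by name, which the single-site script above does not need. The DNS name, site names and function names are hypothetical, and the configuration XML is a constructed, simplified sample.

```powershell
function Get-ValidatedPublicIPv4 {
    param([Parameter(Mandatory)][string]$HostName)
    try {
        # Keep IPv4 only: the dynamic DNS name may also carry AAAA records
        $addrs = @([System.Net.Dns]::GetHostAddresses($HostName) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch {
        Write-Warning "Lookup of $HostName failed: $($_.Exception.Message)"
        return $null
    }
    if ($addrs.Count -ne 1) {
        Write-Warning "Expected one A record for $HostName, got $($addrs.Count); not updating"
        return $null
    }
    $ip = $addrs[0].ToString()
    # A gateway address must be public; a private or link-local answer means the record is stale or wrong
    if ($ip -match '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)') {
        Write-Warning "$HostName resolved to non-public address $ip; not updating"
        return $null
    }
    return $ip
}

function Get-LocalSiteGatewayAddress {
    param([Parameter(Mandatory)][xml]$VNetConfig, [Parameter(Mandatory)][string]$SiteName)
    # Select the site by its name attribute; with several sites the dotted path in the post returns an array
    $site = @($VNetConfig.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite) |
            Where-Object { $_.GetAttribute('name') -eq $SiteName }
    if (-not $site) { throw "LocalNetworkSite '$SiteName' not found in the configuration" }
    return [string]$site.VPNGatewayAddress
}

# Constructed, simplified sample of an exported VNet configuration with two local sites
[xml]$sample = @"
<NetworkConfiguration>
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="Office"><VPNGatewayAddress>198.51.100.7</VPNGatewayAddress></LocalNetworkSite>
      <LocalNetworkSite name="HomeLab"><VPNGatewayAddress>203.0.113.10</VPNGatewayAddress></LocalNetworkSite>
    </LocalNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@

$current = Get-ValidatedPublicIPv4 -HostName 'xxxx.no-ip.com'   # hypothetical dynamic DNS name
$azure   = Get-LocalSiteGatewayAddress -VNetConfig $sample -SiteName 'HomeLab'
if (-not $current) { Write-Host "No trustworthy address resolved; Azure configuration left unchanged" }
elseif ($current -eq $azure) { Write-Host "Gateway address $azure is already up to date" }
else { Write-Host "Would update HomeLab from $azure to $current" }
```

In the scheduled script, the last branch is where the VPNGatewayAddress assignment and Set-AzureVNetConfig call from the post belong; every other branch leaves Azure untouched.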

Thanks to this script, I now have a permanent Site to Site VPN connection between Windows Azure and my lab at home, even with a dynamic public IP from my ISP.
Feel free to comment, update and share!

Christopher


About Christopher Keyaert

Christopher Keyaert is a Consultant, focused on helping partners to leverage the System Center and Microsoft Azure cloud platform. He is also a Microsoft Most Valuable Professional (MVP) for Cloud and Data Center Management and a Microsoft Certified Trainer (MCT).

15 Responses to Windows Azure: S2S VPN with dynamic public IP

  1. Pingback: Sunday, January 12, 2014 on #WindowsAzure | Alexandre Brisebois

  2. Pingback: Monday, January 13, 2014 on #WindowsAzure | Alexandre Brisebois

  3. Pingback: How to create a site-to-site VPN connection using ADSL to Windows Azure | UP2V

  4. manu says:

    Hi Christopher,
    Thanks for the nice explanation above. This is very much similar to the scenario that I am working on.
    RRAS is running on windows 2012 and initially S2S VPN setup was successful. After the change in dynamic IP address, I followed your above steps but the VPN is still showing as unreachable. I also tried updating the VPN device address from Azure management portal but the S2S VPN connection was unsuccessful.
    Do you have any advice or any change that you suggest?

  5. Pingback: Sophos UTM Site-to-Site VPN Azure - My Home Network

  6. Pingback: Exchange Hybrid 2013 Lab at Home | The FIM Error

  7. Pingback: Azure Automation Scheduled Runbook PowerShell Script to automatically update site-to-site VPN Local Network VPN Gateway Address with dynamic public IP | Working Hard In IT

  8. Pingback: Azure Automation Scheduled Runbook PowerShell Script to automatically update site-to-site VPN Local Network VPN Gateway Address with dynamic public IP - WorkingHardInItWorkingHardInIt

  9. Pingback: Azure Automation Scheduled Runbook PowerShell Script to automatically update site-to-site VPN Local Network VPN Gateway Address with dynamic public IP - WorkingHardInItWorkingHardInIt

  10. Hello,

    Congratulations for your script. I've a VPN Site-to-Site working with a PFSense server. I want to schedule this task to run daily, do you know how I can put the credentials/password in this script?

    thanks.

  11. carsten says:

    Thank you very much for the explanation!

  12. Charles says:

    Excellent script, works well!

    Many thanks!

  13. triomis GmbH says:

    Thx a lot. Works well. We need this since we lost our static IP. But switched to Didier’s Azure Automation. 😉

  14. Pingback: MicrosoftTouch
