Build DMZ in Azure Cloud

Azure routes traffic between Azure, on-premises, and Internet resources. Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. You can override some of Azure’s system routes with custom routes, and add additional custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes in a subnet’s route table.

You can build a DMZ in Azure within your subscription or tenant. The concept of a DMZ, or perimeter network, is not new: a DMZ is a layered network security approach that minimizes the attack surface of an application.

A DMZ architecture is built from either two or three layers of security and protection, with additional user-defined routes and firewall rules. Azure filters network traffic to and from resources in a virtual network using network security groups (NSGs) and network virtual appliances (NVAs).

Workload placement in a simple DMZ:

  1. Untrusted network (Layer 1 – FrontEnd NSG) – WAP server, non-domain-joined computers, Exchange Edge server
  2. Trusted network (Layer 2 – Backend NSG) – Domain Controller, file server, print server, RDS, database and ADFS server.

 

Figure: Simple DMZ example (source: Microsoft)

Workload placement in an advanced DMZ:

  1. Extranet (Layer 1 – external, public facing) – a firewall appliance
  2. Untrusted network (Layer 2 – FrontEnd NSG) – WAP server, non-domain-joined computers, Exchange Edge server
  3. Trusted network (Layer 3 – Backend NSG) – Domain Controller, file server, print server, RDS, database and ADFS server.

 

Figure: Advanced DMZ example (source: Microsoft)

 

Example Address Spacing

Location                    | vNET    | Address space                | Connectivity to other region
Azure Australia East        | vNET1   | 10.11.0.0/16, 10.12.0.0/16   | Azure Australia Southeast (ExpressRoute or S2S VPN)
Australia East on-premises  | On-prem | 10.41.0.0/16, 10.41.0.0/16   | S2S VPN to Azure Australia East
Azure Australia Southeast   | vNET2   | 10.51.0.0/16, 10.51.0.0/16   | Azure Australia East (ExpressRoute or S2S VPN)
Australia Southeast on-prem | On-prem | 10.100.0.0/16, 10.101.0.0/16 | S2S VPN to Azure Australia Southeast

Hybrid Network Workloads Placement

Figure: Hybrid network example (source: Microsoft)

Best Practices

Follow Azure networking best practices, and in particular the three basic principles of Azure networking: Segment, Control and Enforce.

  • Segment – Create multiple subnets within a single vNET that has a large IP address space. The private IP address spaces available are the Class A (10.0.0.0/8), Class B (172.16.0.0/12) and Class C (192.168.0.0/16) ranges. Use separate ranges for the trusted (x.x.x.x/22) and untrusted (x.x.x.x/22) subnets.
  • Control – Create multiple NSGs, and associate the FrontEnd NSG and Backend NSG with the untrusted and trusted subnets respectively, to control traffic to and from Azure. NSGs are simple, stateful packet-filtering devices that use the 5-tuple (source IP, source port, destination IP, destination port and layer 4 protocol) to build allow/deny rules for network traffic.
  • Enforce – Enforce user-defined rules that allow only the desired TCP and UDP traffic into the vNET. Use a network virtual appliance and perimeter networks at all times for enterprise Azure deployments. Disable RDP at the VM level and allow RDP only at the FrontEnd NSG. Use a jump box in the DMZ to access workloads.

Azure Site-to-Site IPSec VPN connection with Citrix NetScaler (CloudBridge)

An Azure Site-to-Site VPN gateway connection is used to connect an on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

In this example, I am going to use the Citrix CloudBridge feature of a NetScaler. Citrix CloudBridge works as a pair, one appliance at each end of a link, to accelerate traffic over the link; the transformations done by the sender are reversed by the receiver. One CB virtual appliance can handle many links, so you do not have to dedicate a pair to each connection: you need just one CB virtual appliance per site to handle traffic between the Azure datacenter and the on-premises datacenter. In a Citrix CloudBridge Connector tunnel, IPsec ensures:

  • Data integrity
  • Data origin authentication
  • Data confidentiality (encryption)
  • Protection against replay attacks

The exercise below creates an IPsec tunnel between 66.128.x.x (on-prem) and 168.63.x.x (Azure).

Basic Requirements:

  • Make sure that the public IPv4 address of your VPN device is not located behind a NAT firewall.
  • Make sure the correct NSG rules are configured so that you can access the on-premises VM from the Azure VM, and vice versa.

IP Address Requirements:

  • IP address of the CloudBridge Connector tunnel endpoint (CB appliance) on the on-premises side: 66.128.x.x
  • IP address of the CloudBridge Connector tunnel endpoint on the Azure VPN Gateway: 168.63.x.x
  • Datacenter subnet whose traffic is to traverse the CloudBridge Connector tunnel: 10.120.0.0/23
  • Azure subnet whose traffic is to traverse the CloudBridge Connector tunnel: 10.10.0.0/22

Citrix NetScaler Settings

  • IPSec profile CB_Azure_IPSec_Profile: IKE version = v1, encryption algorithm = AES, hash algorithm = HMAC SHA1
  • CloudBridge Connector tunnel CB_Azure_Tunnel: Remote IP = 168.63.x.x, Local IP = 66.128.x.x (SNIP), tunnel protocol = IPSec, IPSec profile = CB_Azure_IPSec_Profile
  • Policy-based route CB_Azure_Pbr: Source IP range = subnet in the datacenter = 10.120.0.0-10.120.1.254, Destination IP range = subnet in Azure = 10.10.0.1 – 10.10.3.254, IP tunnel = CB_Azure_Tunnel

Azure VPN Gateway Settings

  • Public IP address of the Azure VPN Gateway: 168.63.x.x
  • Local network (on-prem network): VPN device IP address = 66.128.x.x (SNIP), on-prem subnet = 10.120.0.0/24
  • Virtual network (CloudBridge tunnel, Azure side): address space of the Azure vNET = 10.10.0.0/22, trusted subnet within the vNET = 10.10.0.1/24, untrusted subnet within the vNET = 10.10.1.1/24, gateway subnet = 10.10.2.0/24
  • Region: Australia East
  • VPN type: Route-based
  • Connection type: Site-to-site (IPsec)
  • Gateway type: VPN
  • Shared key (sample): DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM

Configuration of Citrix NetScaler CloudBridge Feature

Step1: Create IPSec Profile

add ipsec profile CB_Azure_IPSec_Profile -psk DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM -ikeVersion v1 -lifetime 31536000

Note: DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM is also used in the Azure VPN connection.

Step2: Create IPSec Tunnel

add iptunnel CB_Azure_Tunnel 168.63.x.x 255.255.255.255 66.128.x.x -protocol IPSEC -ipsecProfileName CB_Azure_IPSec_Profile

Step3: Create PBR Rule

add pbr CB_Azure_Pbr -srcIP 10.120.0.0-10.120.1.255 -destIP 10.10.0.0-10.10.3.255 -ipTunnel CB_Azure_Tunnel

Step4: Apply Settings

apply pbrs

You can also configure NetScaler using the GUI. Here is an example.

  1. Access the configuration utility by using a web browser to connect to the IP address of the NetScaler appliance in the datacenter.
  2. Navigate to System > CloudBridge Connector.
  3. In the right pane, under Getting Started, click Create/Monitor CloudBridge.
  4. Click Get Started. In the CloudBridge Setup pane, click Microsoft Windows Azure.
  5. In the Azure Settings pane, in the Gateway IP Address* field, type the IP address of the Azure gateway. The CloudBridge Connector tunnel is then set up between the NetScaler appliance and the gateway. In the Subnet (IP Range)* text boxes, specify a subnet range (in Azure cloud), the traffic of which is to traverse the CloudBridge Connector tunnel. Click Continue.
  6. In the NetScaler Settings pane, from the Local Subnet IP* drop-down list, select a publicly accessible SNIP address configured on the NetScaler appliance. In Subnet (IP Range)* text boxes, specify a local subnet range, the traffic of which is to traverse the CloudBridge Connector tunnel. Click Continue.
  7. In the CloudBridge Setting pane, in the CloudBridge Name text box, type a name for the CloudBridge that you want to create.
  8. From the Encryption Algorithm and Hash Algorithm drop-down lists, select the AES and HMAC_SHA1 algorithms, respectively. In the Pre Shared Security Key text box, type the security key.
  9. Click Done.

Configuration of an IPSec Site-to-Site VPN in the Azure Subscription 

Step1: Connect to Azure Subscription

Login-AzureRmAccount

Get-AzureRmSubscription

Select-AzureRmSubscription -SubscriptionName "99ebd-649c-466a-a670-f1a611841"

Step2: Create Azure Resource Group in your region

New-AzureRmResourceGroup -Name TestRG1 -Location "Australia East"

Step3: Create vNET and Subnets

$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name "Trusted" -AddressPrefix 10.10.0.0/24

$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name "Untrusted" -AddressPrefix 10.10.1.0/24

# The gateway subnet must be named exactly "GatewaySubnet" for the VPN gateway to use it.
$subnet3 = New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.10.2.0/24

$vnet = New-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1 -Location "Australia East" -AddressPrefix 10.10.0.0/22 -Subnet $subnet1, $subnet2, $subnet3

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

Step4: Create On-premises Network

New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 -Location "Australia East" -GatewayIpAddress "66.128.x.x" -AddressPrefix "10.120.0.0/24"

# Same command when the on-premises side has more than one prefix (run one form or the other, not both):
New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 -Location "Australia East" -GatewayIpAddress "66.128.x.x" -AddressPrefix @("10.120.0.0/24","10.120.1.0/24")

Step5: Request a Public IP Address

$gwpip = New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName TestRG1 -Location "Australia East" -AllocationMethod Dynamic

Step6: Create Gateway IP Address

$vnet = Get-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1

$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Step7: Create VPN Gateway

New-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 -Location "Australia East" -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

Step8: Extract public IP address of the VPN Gateway

# The public IP resource was named gwpip in Step 5; this is the address to enter as the remote IP on the NetScaler.
Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName TestRG1

Step9: Create VPN Connection

$gateway1 = Get-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1

$local = Get-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1

New-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1 -Location "Australia East" -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey "DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM"

Step10: Verify Connection

Get-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1
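The Segment/Control/Enforce layering from the Best Practices section, applied to the TestVNet1 subnets created in Step 3 above, as an added example (not code from the original post). It assumes a jump box at 10.10.1.4 and a firewall NVA at 10.10.1.10 in the Untrusted subnet, and subnet names Trusted and Untrusted as in the settings section.

```powershell
# Added example (not from the original post): FrontEnd/Backend NSGs and a user-defined
# route for TestVNet1. Assumed: jump box 10.10.1.4 and firewall NVA 10.10.1.10 in the
# Untrusted subnet; subnet names "Trusted" and "Untrusted".
$rg      = "TestRG1"
$loc     = "Australia East"
$onPrem  = "10.120.0.0/23"   # datacenter subnet carried over the S2S tunnel
$jumpBox = "10.10.1.4"       # assumed jump box in the Untrusted (DMZ) subnet
$nva     = "10.10.1.10"      # assumed firewall appliance in the Untrusted subnet

function New-InboundRule($Name, $Priority, $Access, $Src, $Dst, $Port, $Proto = "Tcp") {
  New-AzureRmNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Direction Inbound `
    -Access $Access -Protocol $Proto -SourceAddressPrefix $Src -SourcePortRange "*" `
    -DestinationAddressPrefix $Dst -DestinationPortRange $Port
}

# FrontEnd NSG (Untrusted subnet): RDP reaches only the jump box, and only from
# on-premises; HTTPS from the Internet to the WAP/Edge tier; no other Internet inbound.
$feRules = @(
  (New-InboundRule "Allow-RDP-OnPrem-To-JumpBox" 100 Allow $onPrem $jumpBox 3389),
  (New-InboundRule "Allow-HTTPS-From-Internet"  110 Allow Internet "10.10.1.0/24" 443),
  (New-InboundRule "Deny-RDP-Others"            200 Deny  "*" "*" 3389),
  (New-InboundRule "Deny-Internet-Inbound"     4000 Deny  Internet "*" "*" "*")
)
$feNsg = New-AzureRmNetworkSecurityGroup -Name "FrontEndNSG" -ResourceGroupName $rg `
           -Location $loc -SecurityRules $feRules

# Backend NSG (Trusted subnet): RDP only from the jump box; nothing from the Internet.
$beRules = @(
  (New-InboundRule "Allow-RDP-From-JumpBox" 100 Allow $jumpBox "10.10.0.0/24" 3389),
  (New-InboundRule "Deny-RDP-Others"        200 Deny  "*" "*" 3389),
  (New-InboundRule "Deny-Internet-Inbound" 4000 Deny  Internet "*" "*" "*")
)
$beNsg = New-AzureRmNetworkSecurityGroup -Name "BackEndNSG" -ResourceGroupName $rg `
           -Location $loc -SecurityRules $beRules

# User-defined route: Internet-bound traffic leaving the Trusted subnet is forced
# through the firewall appliance instead of Azure's default Internet route.
$route = New-AzureRmRouteConfig -Name "Default-Via-NVA" -AddressPrefix "0.0.0.0/0" `
           -NextHopType VirtualAppliance -NextHopIpAddress $nva
$rt = New-AzureRmRouteTable -Name "TrustedRT" -ResourceGroupName $rg -Location $loc -Route $route

# Bind the NSGs (and the route table) to the subnets, then push the vNET update.
$vnet = Get-AzureRmVirtualNetwork -Name "TestVNet1" -ResourceGroupName $rg
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Untrusted" `
  -AddressPrefix "10.10.1.0/24" -NetworkSecurityGroup $feNsg | Out-Null
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Trusted" `
  -AddressPrefix "10.10.0.0/24" -NetworkSecurityGroup $beNsg -RouteTable $rt | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

The 0.0.0.0/0 route only works if IP forwarding is enabled on the NVA's network interface; leave the GatewaySubnet without an NSG or route table so the VPN gateway keeps working.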

How to configure site to site VPN using Forefront TMG 2010

To configure a site-to-site VPN using Forefront TMG 2010, you must meet the following prerequisites:

  • A user account to authenticate the VPN
  • A routable public IP on both sides
  • Site-to-site rules created on both TMG servers
  • For a secure VPN using EAP authentication, a computer certificate imported on both TMG servers.

To create a user account for the remote site gateway:

  • On the Forefront TMG server, click Start, point to Administrative Tools, and then click Computer Management.
  • In the Computer Management console, in the tree, click System Tools, click Local Users and Groups, and then click Users.
  • In the details pane, right-click the applicable user, and then click Properties.
  • On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access.

An example of a site-to-site VPN:

Figure: site-to-site VPN example

To create a site-to-site VPN rule on the TMG server:

  • In the Forefront TMG Management console, in the tree, click Remote Access Policy (VPN).
  • In the details pane, click the Remote Sites tab.
  • In the Create VPN Site-to-Site Connection wizard, follow the on-screen instructions. On the Welcome page, in the Site-to-Site network name text box, you must type the exact name of the remote network's gateway.
  • Add a range of IP addresses for remote site clients. If you don't have a load balancer, click Next; otherwise type the IP address of the load balancer.
  • In the next steps, create a network rule that includes the source and protocol type, then click Next, and Next again.
  • Apply Changes. Click OK. View the rules applied in the firewall.
  • To view a summary of the VPN site-to-site network configuration, right-click the selected network, and then click Site-to-Site Summary under the Remote Sites tab.

Repeat similar steps at the remote site to complete the site-to-site VPN.

To import certificates on the TMG server:

Click System, select the TMG server, click Install Server Certificate, and follow the prompts.

To complete the EAP configuration:

  1. On the Forefront TMG computer, click Start, click Administrative Tools, and then click Routing and Remote Access.
  2. In the Routing and Remote Access MMC snap-in, select the Network Interfaces node.
  3. When you applied the changes to the Forefront TMG configuration, a demand-dial interface with the same name you gave the network was created. Select this demand-dial interface, and then click Properties.
  4. On the Security tab, the advanced custom settings option should be selected. Click Settings to open Advanced Security Settings.
  5. Select the EAP you will be using, and then click Properties to configure EAP according to your EAP provider.

To check site-to-site VPN connectivity:

  1. In the Forefront TMG Management console, in the tree, click the Monitoring node.
  2. In the details pane, on the Sessions tab, verify whether your VPN session is listed. The site-to-site VPN session has the following properties:
    • Session Type shows VPN Site-to-Site.
    • Client Host Name shows the remote VPN server's public IP address (if the session was initiated by the local VPN server, this field will be empty).
    • Client IP shows the IP address assigned for the VPN session.
    • Application Name shows that this is a VPN connection and displays the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the column headings in the Sessions tab, and click Application Name.
  3. To create a session filter that displays only site-to-site VPN sessions:
    1. On the Tasks tab, click Edit Filter.
    2. In the Edit Filter dialog box, in Filter by, select Session Type. In Condition, select Equals; and in Value, select VPN Remote Site.
    3. Click Add To List, and then click Start Query. You must click Start Query to save the filter.

     

     
