I’m currently in the process of Migrating a customer from an on-premise Windows Server 2003 Small Business Server to an Azure based Windows Server 2012 r2 Datacenter with Windows Server Essentials experience installed.
Part of that migration process is clearly going to involve moving all of the shared data from the current server into Azure. This customer has a Draytek 2860, which although not an officially support Azure device has no problems connecting to Azure.
The main frustration I found when building the site-to-site connectivity between Azure and the Draytek firewall is that neither end has any useful log files that you can look at to aid in troubleshooting, it either works or it doesn’t. Having been through the same exercise recently using a SonicWALL firewall which has extensive logging the process is much easier.
Anyway, here is how to do it. Because I am somewhat new to Azure, and I am assuming that others reading this will be to, I am going to go through the steps required to build the virtual network from scratch and eventually join the Draytek router on.
Create the Azure Virtual Network
Login to Azure and create a new virtual network that is going to link to your Draytek router:
I’ve chose to create my network in the “North Europe” data center location as I am based in the UK and I believe that North Europe is in Dublin, Ireland.
Next I ticked the box to “Configure a site-to-site VPN”, but here is an important note, do NOT tick the box that says “Configure a point-to-site VPN”. If you do this then the Azure network will use dynamic routing instead of static routing and you will not be able to get your Draytek to connect. (If you do manage to, please let me know how you did as I spent a while trying to get it to work!).
On the next screen you will have to name your local network and specify the public IP address of your Draytek router. In addition you will need to tell Azure the details of your local subnet.
In my case the existing local network is a 192.168.250.0/24.
Moving on to the next screen you will define the parameters of the virtual network:
After you have defined a subnet for use in Azure you will need to click on “Add gateway subnet”.
Once you are all done click on the tick to finish the virtual network creation process.
Wait a short time and you should see when the virtual network has been created. Once the network has been created you can go into the network dashboard and finish off the remaining steps.
Your virtual network dashboard will probably look something like this:
Click on the “Create Gateway” button to make an external interface to your Azure Virtual Network. Again making sure to select “Static Routing” in order for it to work with your Draytek router.
You will see the gateway being created, it took about five minutes to complete for me:
When the creation is done you will see the gateway details displayed like this:
You need to make a note of the gateway IP address and the virtual network preshared key. Click on the “Manage Key” button on the bottom of the dashboard and the gateway key will be displayed, make a note of it as you need to enter this into your Draytek Router:
Now you have completed all the steps required at the Azure end, time to head over to your local Draytek.
Define a VPN profile on your Draytek router to create a site-to-site link to Microsoft Azure
Once logged in to your Draytek head to “VPN and Remote Access” and then “LAN to LAN”. Choose an empty profile to begin the configuration.
Give your VPN Profile a name, and set the call direction to “Dial-Out”. Tick the “Always on” check-box.
In the 2nd section enter the gateway IP address, enter the preshared key by clicking on the “IKE Pre-Shared Key” button and set the IPSec Security Method to “High(ESP)” and “AES with Authentication”
Ignore sections three and four and move on to the bottom section 5.
Set the correct details network addresses for your remote Azure virtual network and your local network:
Save the profile by clicking on OK and then go to “VPN and Remote Access” again and then to “Connection Management”.
All being well you should now see that your Draytek router has a connection to Azure:
Draytek 2860 site-to-site VPN to Azure Performance
As you can see, the latency from my connection to the Azure network is pretty low. This is a ping to a Windows Server 2012 VM running inside the newly created Virtual Network:
I also uploaded a file to a drive on the Azure virtual machine and downloaded it again to test transfer speeds. Clearly there is nothing scientific about this and it is totally dependent on your on broadband connection speed, but merely for my own curiosity:
I consistently got around 1.75MB/second upload, which is pretty much the entire upload capacity of my broadband line.
I downloaded the same file from Azure and got these speeds:
The speed downloading from Azure was faster than the upload, but not all that fast really. I have an 80mb connection and would expect Azure to push data out quicker than that, so I checked the CPU usage on the Draytek.
Without utilizing the Azure site-to-site link my Draytek shows around 7% CPU usage:
When downloading a file from Azure the CPU usage shoots up to around 80%, so I am suspect the CPU in the Draytek is a limiting factor when communicating with Azure:
SonicWALL TZ210 site-to-site VPN to Azure Performance
I had an old SonicWALL TZ210 sitting around so I configured that to connect to Azure instead and did the same tests and saw the following speeds performing the same operation:
As you can see the SonicWALL is significantly faster than the Draytek despite being an old model. I also plan to try out a SonicWALL NSA 220, the quoted VPN throughput figures are:
- Draytek 2860 – 50Mbps
- SonicWALL TZ210 – 75Mbps
- SonicWALL NSA 220 – 150Mbps
The VPN performance is a really important factor to consider when choosing what device to use to connect to Azure, with internet connections becoming increasing fast you might be surprised to find that your existing device may not have enough muscle to handle your full bandwidth.