Essential to my Modern Datacenter Lab: Azure Site 2 Site VPN with a DELL SonicWALL Firewall


If you’re a serious operator in the part of IT that is considered the tip of the spear, i.e. you’re the one getting things done, you need a lab. I have had one (well, I upgraded it a couple of times) for a long time. When you’re dealing with cloud as an IT Pro, mostly Microsoft Azure in my case, that need has not changed. It enables you to gain the knowledge and insights that you can only acquire by experimenting and hands-on work; there is no substitute. Sometimes people ask me how I learn. A lab and lots of hands-on experimenting is a major component of my self-education and training. I put in a lot of time and some money, yes.

Perhaps you have a lab at work, perhaps not, but you do need one. A lab is a highly valuable investment in education for both your employer and yourself. It takes a lot of time and effort and it costs a bit of money. The benefits however are huge and I encourage any employer who has IT staff to sponsor this, as the ROI is huge for a relatively small TCO.

I love the fact that in a lab you have (and want) complete control over the entire stack, so you can experiment at will and learn about the solutions you build end to end. You do need to deal with it all, but that’s all good: you learn even more, even when at times it’s tough going. Note that a home lab, even with the associated costs, has the added benefit of still being available to you even if you move between employers or between clients.

You can set up a site-to-site VPN using Windows Server 2012 R2 RRAS (see Site-to-Site VPN in Azure Virtual Network using Windows Server 2012 Routing and Remote Access Service (RRAS)) and that works. But for long term lab work and real life implementations you’ll be using other devices. In the SOHO lab I run everything virtualized and I need internet access for other use cases than the on-premises lab. I also like to minimize the hosts/VMs/appliances I need to have running to save on electricity costs. For enterprise grade solutions you leverage products from Cisco, Juniper, Check Point etc. There is no need for “enterprise grade” solutions in a SOHO or small branch office environment. Those are out of budget and overkill, so I needed something else. There are some options out there but I’m using a DELL SonicWALL NSA 220. This is a quality product for one, and I could get my hands on one in a very budget friendly manner. UTMs and the like are not exactly cheap, even without all the subscriptions, and they don’t normally cater to the home user. You can go higher or lower but I would not go below a TZ-205 (Wireless), which is great value for money and more than up to the task of providing you with the capabilities you need in a home lab.

SonicWALL NSA 220 Wireless-N Appliance

I consider this the minimum level as I want 1Gbps (no, I do not buy 100Mbps equipment in 2015) and I want wireless to make sure I don’t need to have too many hardware devices in the lab. As said, the benefits over the RRAS solution are that it serves other purposes (UTM) and it can remain running cheaply, so you can connect to the lab remotely to fire up the hosts and VMs which you normally power down to save power.

Microsoft only lists dynamic routing support for a limited number of vendors/devices, but that doesn’t mean all others are off limits. You can use them, but you’ll have to research the configurations that work instead of downloading the configuration manual or templates from the Microsoft web site. That site is still very useful to look at for an example configuration, even if it’s for another product than the one you use.

Getting it to work is a multistep process:

    1. Set up your Azure virtual network.
    2. Configure your S2S VPN on the SonicWall
    3. Test connectivity between an on-premises VM and one in the cloud
    4. Build out your hybrid or public cloud

Here’s a reference to get you started: Tutorial: Create a Cross-Premises Virtual Network for Site-to-Site Connectivity. I will be sharing my setup for the SonicWALL in a later blog post so you can use it as a reference. For now, here’s a schematic overview of my home lab setup to Azure (the IP addresses are fake). At home I use VDSL with a dynamic IP address, so every now and then I need to deal with it changing. I’d love to have a couple of static IP addresses to play with but that’s not within my budget. I wrote a little Azure scheduled runbook that takes care of updating the dynamic IP address in my Azure site-to-site VPN setup. It’s also published on the TechNet Gallery.

image

You can build this with Windows RRAS, any UTM, firewall etc. device that is a bit more capable than a consumer grade (wireless) router. The nice thing is that I have multiple subnets on premises and the 10 tunnels in a standard Azure site-to-site VPN accommodate that nicely. The subnets I don’t want to see in a tunnel to Azure I just leave out of the configuration.

Tip to save money in your Azure lab for newbies: shut down everything you can when you’re done. Automate it with PowerShell. I just make sure my hybrid infra is online and the VPN active enough to make sure we don’t run into out-of-sync issues with AD etc.


Azure Automation Scheduled Runbook PowerShell Script to automatically update site-to-site VPN Local Network VPN Gateway Address with dynamic public IP


You can download the script at the end of the article. When you’re connecting a home (or perhaps even an office) lab to Azure with a site-to-site VPN you’ll probably have to deal with the fact that you have a dynamic IP assigned by your ISP. This means that unless you update the VPN Gateway Address of your Azure local network in some automated way, your connection is down very often and you’re faced with this in Azure …

image

which on my DELL SonicWALL NSA 220 looks like this …

image

A fellow MVP of mine (Christopher Keyaert) wrote a PowerShell script a few years back that updated the VPN gateway address of your Azure local network via a scheduled task inside of his Windows RRAS VM. Any VM, either in Azure or in your lab, will do. Good stuff! If you need inspiration for a script you have a link. But I never liked the fact that keeping my Azure site-to-site VPN up and running was tied to a VM being online in Azure or in my lab, which is also why I switched to a SonicWALL device. Since we have Azure Automation runbooks at our disposal I decided to automate the updating of the VPN gateway address to the dynamic IP address of my ISP using a runbook.

Finding out your dynamic IP address from anywhere in the world

For this to work you need a way to find out what your currently assigned dynamic IP is. For that I subscribe to a free service providing dynamic DNS updates. I use https://www.changeip.com/. That means that by looking up the FQDN I can find out my current dynamic IP address from wherever I have internet access. As my SonicWALL supports dynamic DNS service providers I can configure it there, no need for an update client running in a VM or so.

image

The runbook to update the VPN Gateway Address of your Azure local network

I will not deal with how to set up Azure Automation, just follow this link. I will share a little hurdle I needed to take. At least for me it was a hurdle. That hurdle was that the Set-AzureVNetConfig cmdlet which we need has a mandatory parameter -ConfigurationPath which reads the configuration to set from an XML file (see Azure Virtual Network Configuration Schema).

You cannot just use a file path in an Azure runbook to dump a file on c:\temp, for example. Using an Azure file share seems overly complicated for this job. After pinging some fellow MVPs at Inovativ Belgium who are deep into Azure automation on a daily basis, Stijn Callebaut gave me the tip to use [System.IO.Path]::GetTempFileName() and that got my script working. Thank you Stijn!

So I now have a scheduled runbook that automatically updates my Azure local network’s VPN gateway address to the dynamic IP address my ISP renews every so often, without needing to have a script running on a schedule inside a VM. I don’t always need a VM running but I do need that VPN to be there for other use cases. This is as elegant a solution as I could come up with.

I tested the script before publishing and scheduling it by setting the VPN Gateway Address of my Azure local network to a wrong IP address, in order to see whether the runbook changes it to the current one it got from my dynamic DNS name. As you can see it was successful.

image

Now publish it and have it run x times a day, depending on how aggressively your ISP renews your IP address and how long your lab can tolerate the Azure site-to-site VPN being down. I do it hourly. Not a production ready solution, but neither is a dynamic IP and this is just my home lab!
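What such a runbook can look like, as an added example (this is not the zipped script the post links to): it resolves the dynamic DNS name, compares the result with the VPNGatewayAddress of the local network site in the current network configuration, and only pushes an updated configuration when the address really changed. It assumes a classic (Service Management) Azure subscription, the Azure PowerShell cmdlets that Azure Automation loaded at the time, an Automation credential asset, and placeholder names for the subscription, local network site and DNS name.

```powershell
# Added example, not the runbook the post links for download. It assumes a
# classic (Azure Service Management) subscription, the Azure PowerShell module
# that Azure Automation loaded at the time, and a credential asset holding an
# Azure AD organizational account. All names below are placeholders.
workflow Update-AzureLocalNetworkGatewayAddress
{
    param (
        [Parameter(Mandatory = $true)][string] $SubscriptionName,      # e.g. 'LabSubscription'
        [Parameter(Mandatory = $true)][string] $LocalNetworkSiteName,  # e.g. 'HomeLab'
        [Parameter(Mandatory = $true)][string] $DynamicDnsName,        # e.g. 'homelab.example.com'
        [string] $CredentialAssetName = 'AzureOrgIdCredential'
    )

    # The credential lives in an Automation asset, never in the runbook text.
    $cred = Get-AutomationPSCredential -Name $CredentialAssetName

    # Everything that touches .NET types or the Azure session runs in one
    # InlineScript so that it all shares a single PowerShell session.
    $result = InlineScript {
        Add-AzureAccount -Credential $Using:cred | Out-Null
        Select-AzureSubscription -SubscriptionName $Using:SubscriptionName

        # Resolve the dynamic DNS name the SonicWALL keeps updated. Whoever
        # controls that DNS record decides where Azure points the tunnel, so
        # the PSK on both ends is what still keeps a wrong peer out.
        $currentIp = [System.Net.Dns]::GetHostAddresses($Using:DynamicDnsName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1 -ExpandProperty IPAddressToString
        if (-not $currentIp) { throw "Could not resolve $($Using:DynamicDnsName) to an IPv4 address" }

        # Get-AzureVNetConfig hands back the whole network configuration as XML.
        [xml] $cfg = (Get-AzureVNetConfig).XMLConfiguration
        $site = $cfg.NetworkConfiguration.VirtualNetworkConfiguration.LocalNetworkSites.LocalNetworkSite |
            Where-Object { $_.name -eq $Using:LocalNetworkSiteName }
        if (-not $site) { throw "Local network site '$($Using:LocalNetworkSiteName)' not found" }

        # Only push a new configuration when the address actually changed;
        # every Set-AzureVNetConfig call is a configuration update on the gateway.
        if ($site.VPNGatewayAddress -eq $currentIp) {
            return "VPNGatewayAddress already $currentIp, nothing to do"
        }

        $previous = $site.VPNGatewayAddress
        $site.VPNGatewayAddress = $currentIp

        # Set-AzureVNetConfig only accepts a file path, so write the modified
        # XML to a temp file in the sandbox (the GetTempFileName() tip from the post).
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            $cfg.Save($tmp)
            Set-AzureVNetConfig -ConfigurationPath $tmp | Out-Null
            return "VPNGatewayAddress for '$($Using:LocalNetworkSiteName)' changed from $previous to $currentIp"
        }
        finally {
            Remove-Item $tmp -Force -ErrorAction SilentlyContinue
        }
    }
    Write-Output $result
}
```

Schedule it with the three mandatory parameters filled in. The credential asset is the only secret in play; the dynamic DNS record, on the other hand, is unauthenticated input to this runbook, so the account at the dynamic DNS provider deserves the same care as the PSK.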

image

Now my VPN looks happy most of the time, automatically.

image

image

Download the runbook here (zipped PowerShell script)

DELL SonicWALL Site-to-Site VPN Options With Azure Networking


The DELL SonicWALL product range supports both policy based and route based VPN configurations. Specifically for Azure they have a configuration guide out there that will help you configure either.

Technically, networking people prefer to use a route based configuration. It’s more flexible to maintain in the long run. As life is not perfect and we do not control the universe, policy based is also used a lot. SonicWALL used to be on the supported list for both Static and Dynamic Routing Azure VPN connections. According to this thread it was taken off because some people had reliability issues with performance. I hope this gets fixed soon in a firmware release. Having that support is good for DELL, as a lot of people watch that list to consider what they buy and there are not too many vendors on it in the more budget friendly range as it is. The reference in that thread to DELL stating that Route-Based VPN using Tunnel Interface is not supported for third party devices is true but a bit silly, as that’s a blanket statement in the VPN industry where there is an unwritten rule that you use route based when the devices are of the same brand and you control both endpoints. But when that isn’t the case, you go with a policy based VPN, even if that’s less flexible.

My advice is that you should test what works for you, make your choice and accept the consequences. In the end it determines only who’s going to have to fix the problem when it goes wrong. I’m also calling on DELL to sort this out fast and properly.

A lot of people get confused when starting out with VPNs. Add Azure into the equation, where we also get confused whilst climbing the learning curve, and things get mixed up. So here’s a small recap of the state of Azure VPN options:

  • There are two ways to create a Site-to-Site VPN between an Azure virtual network (and all the subnets it contains) and your on-premises network (and the subnets it contains).
    1. Static Routing: this is the one that will work with just about any device that supports policy based VPNs in any reasonable way, which includes a VPN with Windows RRAS.
    2. Dynamic Routing: this one is supported with a lot fewer vendors, but that doesn’t mean it won’t work. Do your due diligence. This also works with Windows RRAS.

Note: Microsoft has now added a third option to its Azure VPN Gateway offerings, the High Performance VPN gateway. For all practical purposes it’s dynamic routing, but a more scalable version. Note that this does NOT support static routing.

The confusion is partially due to Microsoft Azure, network industry and vendor terminology differing from each other. So here’s the translation table for DELL SonicWALL and Azure:

Dynamic Routing in Azure speak is a Route-Based VPN in SonicWALL terminology and is called Tunnel Interface in the “Policy Type” settings for a VPN.

image

Static Routing in Azure speak is a Policy-Based VPN in SonicWALL terminology and is called Site to Site in the “Policy Type” settings for a VPN.

image

  • You can only use one. So you need to make sure you don’t mix the two on both sides, as that won’t work for sure.
  • Only a Pre-Shared Key (PSK) is currently supported for authentication. There is no support yet for certificate based authentication at the time of writing. As the PSK is the only thing authenticating the two ends of the tunnel, use a long random one and treat it as a secret on both sides.
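To make the two choices above concrete (the routing type, which must match the SonicWALL policy type, and the PSK, which is the only authentication), here is an added PowerShell example that is not code from the original post: it creates the classic Azure gateway with the chosen routing type, replaces the auto-generated pre-shared key with one taken from a CSPRNG, and reads back the state of each tunnel. It assumes the classic Azure PowerShell module (Service Management cmdlets) with an account already added, and the virtual network and local network site names are placeholders.

```powershell
# Added example, not code from the original post. Assumes the classic Azure
# PowerShell module (Service Management cmdlets) with an account already added
# via Add-AzureAccount, and a virtual network whose network configuration
# already defines the local network site. Both names below are placeholders.
$VNetName             = 'LabVNet'
$LocalNetworkSiteName = 'HomeLab'

# Azure 'StaticRouting'  = SonicWALL policy-based VPN, policy type "Site to Site"
# Azure 'DynamicRouting' = SonicWALL route-based VPN, policy type "Tunnel Interface"
# Decide once: the type is fixed at gateway creation and both ends must match.
$GatewayType = 'StaticRouting'

function New-StrongPreSharedKey {
    # 32 bytes from the OS CSPRNG rendered as 64 hex characters: printable
    # ASCII, within Azure's PSK length limit, and easy to paste into the
    # SonicWALL VPN policy without quoting surprises.
    param([int] $ByteCount = 32)
    $rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] $ByteCount
    $rng.GetBytes($buffer)
    $rng.Dispose()
    return ($buffer | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Create the gateway with the chosen routing type if there is none yet.
#    This takes a while; New-AzureVNetGateway waits for the operation.
$gateway = Get-AzureVNetGateway -VNetName $VNetName
if ($gateway.State -eq 'NotProvisioned') {
    New-AzureVNetGateway -VNetName $VNetName -GatewayType $GatewayType | Out-Null
    $gateway = Get-AzureVNetGateway -VNetName $VNetName
}
"Gateway state: $($gateway.State); peer address to enter on the SonicWALL: $($gateway.VIPAddress)"

# 2. The PSK is the only thing authenticating the two ends, so replace the
#    auto-generated one with your own random value and set the same value in
#    the SonicWALL policy. Show it once here; do not leave it in logs or scripts.
$psk = New-StrongPreSharedKey
Set-AzureVNetGatewayKey -VNetName $VNetName -LocalNetworkSiteName $LocalNetworkSiteName -SharedKey $psk | Out-Null
"New PSK for '$LocalNetworkSiteName' (enter on the SonicWALL too): $psk"

# 3. Once the SonicWALL side is configured, check each tunnel from the Azure side.
Get-AzureVNetConnection -VNetName $VNetName |
    Select-Object LocalNetworkSiteName, ConnectivityState, LastEventMessage,
                  IngressBytesTransferred, EgressBytesTransferred |
    Format-Table -AutoSize
```

The connection listing in step 3 is the Azure-side counterpart of the SonicWALL tunnel status screen: a tunnel whose ConnectivityState is not Connected while the SonicWALL shows it up usually means the two sides disagree on routing type, peer address or PSK.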

Also note that you can have 10 tunnels in a standard Azure site-to-site VPN, which should give you enough wiggle room for some interesting scenarios. If not, scale up to the High Performance Azure site-to-site VPN gateway or move to ExpressRoute. In the screenshot below you can see I have 3 tunnels to Azure from my home lab.

image
I hope this clears up any confusion around that subject!

Azure Done Well Means Hybrid Done Right


If you think that a hybrid cloud means you need to deploy SCVMM & WAP you’re wrong. It does mean that you need to make sure that you give yourself the best possible conditions to make your cloud a success and an asset in the biggest possible number of scenarios that might apply or come up.

DC1

Cool, you say, I hear you, but what does that mean in real life? Well, it means you should stop playing games and get serious. Which translates into the following.

Connectivity

A 200Mbps connection is the absolute minimum for the SMB market. You need at least that for the Office 365 suite, if you want happy customers that is. Scale based on the number of users and usage, but remember you’ll pinch at least 100Mbps of that for a VPN to Azure.

Get a VPN already!

Or better still, take the gloves off and go for ExpressRoute. Extend your business network to your cloud and be done with all the hacks, workarounds, limitations, tedious and creative yet finicky "solutions" to get things done. I guess it beats living with the limitations, but it will only get you that far.

Any country or business that isn’t investing in FC to the home & cheap affordable data connectivity to the businesses is actively destroying long term opportunity for some dubious short term gain.

So without further ado: life is too short to do hybrid cloud without it. It opens up great scenarios that will allow you to get all the comforts of on-premises in your Azure data center, such as …

Extend AD  & ADFS into Azure

Get that AD & ADFS into the cloud, people! What? Yes, do it. That’s what that good solid VPN between Azure and on-premises, or better still ExpressRoute, enables. Just turn it into just another site of your business, but one with some fascinating capabilities. DirSync or, better, Azure Active Directory Sync will only get you that far, and mostly in a SaaS (PaaS) ecosystem. Once you’ve done that the world is your oyster!


Conclusion

So don’t be afraid. Just do it! People, I have my home lab and its AD connected to my Azure cloud via VPN! That’s me, the guy that works for his money and pays his own bills. So what are you as a business waiting for?

But wait, Didier, isn’t AD going away, why would I not wait for the cloud to be 100% perfect for all I do? Well, just get started today and take it from there. You’ll enjoy the journey if you do it smart and right!

“Your cloud, your terms”. Well that’s true.  But that’s not a given, you’ll need to put in some effort. You have to determine what your terms are and what your cloud should look like. If you don’t you’ll end up in a bad state. If you have good IT staff, you should be OK. If they could handle your development environment & run your data center chances are good they’ll be able to handle “cloud”. Really.

Consultants? Sure, but get really good ones or you’ll get sold to. There’s a lot of churning and selling going on. Don’t get taken for a ride. I know a bunch of really good ones. How do I determine this? One rule … would I hire them?

Microsoft Ignite calling Thinkers, Doers and Pioneers. Yes, that’s me within my ecosystem!


I know that some people tend to see conferences as a waste of time and money. Going to the wrong conferences will do that yes. So is attending for the wrong reasons or in the wrong way.

But it doesn’t have to be that way. A conference is hard work; fun, sure, but hard and lots of work. Don’t expect to go home with a custom magic strategy and implementation plan for all your IT needs. Much has been written by many community buddies and myself on this subject. Here’s a short reading list for you (and there are dozens more) on how to do it well.

But if you pick your conferences, make sure you plan and take the time to network and talk with industry experts, vendors, colleagues and fellow MVPs who you only get to sit down with at such events, it can be a tremendously valuable experience. You network, gain insights, get to pitch your ideas and views with some of the best and brightest … very stimulating and rewarding!

In my neck of the IT woods it’s a place I want to go and talk shop with the group of people mentioned above. Let me know if you’re attending, it’s always good to meet up.

Win a free ticket to Experts Live 2014


As you might already know I’m speaking at the Dutch IT community event Experts Live 2014 in the Netherlands. The talk is about “The Capable & Scalable Cloud OS “ where we’ll highlight and show some of the scalable capabilities in Windows Server 2012 R2 when combined with great hardware.

You can find the program at Experts Live 2014, which is very rich in content. There are 7 tracks and over 40 sessions! Choose a track or mix and match to your heart’s content between Microsoft Azure, System Center, Hyper-V, SQL, Windows, PowerShell and Office 365. It’s all good.

image

To celebrate the success of the event the organizers have allowed us to give away some free entrance tickets. This is a very nice gift that will allow you to enjoy a full day of learning for free.

So convince me you’re willing to put in the time and effort to learn and we’ll help you do exactly that by making sure you get a free ticket! Leave a reply to this blog post from Thursday October 9th till Thursday October 16th in which you tell me what blog or blogs of mine you’ve enjoyed most. Leave your name, e-mail, your company and function title so we can arrange things for you. Don’t worry, we will not publish these.

There is only one request/condition … if you win a ticket, come to the event, as a no-show means someone else can’t come.

Is there longevity in Private & Hybrid Clouds?


This blog is just thinking out loud. Don’t get upset.

Private & hybrid clouds demand economies of scale or high value business

Let’s play devil’s advocate for a moment and look with a very critical eye at private and hybrid clouds. Many people are marketing, selling and buying private and hybrid clouds today. Some of us are building them ourselves, with or without help. Some of us even have good reasons to do so, as it makes economic sense. But for many that do it or consider doing it that might not be the case. It depends.

Why are so many marching to the beat of those drums? It’s being marketed as great, it’s being sold as what you need and that’s what makes money for many people. But one can say the same of Porsches, and chances are you’re not buying those as company cars. Well, it’s perhaps a bit like VDI. If you have a use case that’s economically sound, and you design and implement it well, it will serve your needs. But it’s not for everyone as it can be expensive, complex and restrictive.

You want your cloud to be this:

AZurenice

Not this:

cloudnasty

To get great results you’ll need to do more than throw your money at vendors. So what’s the real motivation for companies to do private/hybrid clouds? If the answer is “well, so many people are doing it, we can’t ignore it”: not doing something is not ignoring it, it’s a valid choice as well. And what others do isn’t relevant by definition. You need to know what you do, where and why, to make plans and choose technologies to achieve your goals. Think about what you do. When does a private/hybrid cloud make sense? How big do you need to be? What kind of delta should you have to make this worthwhile, i.e. how many VMs do you deploy per week? How many do you destroy each week? What economies of scale must you have to make it wise? What kind of business? What are the pain points you’re trying to solve? What are you trying to achieve? Private clouds today are not void of complexity and there are few abstraction layers that are at the quality/functionality level they need to be at.

My biggest concern here is that too many companies will build expensive, complex private and hybrid clouds without ever seeing the return on investment. Not just because of the cost and complexity, but also because they might not be very long lived for the use cases they have today. Many see these as transition models and they are great for that. The question is how good are you at transitioning? You don’t want to get stuck in that phase due to cost or complexity. What if the transition lasts too long and you complete it when public cloud has evolved into services that wipe away the reasons your TCO/ROI was based on?

Note: as cloud means everything to everyone, you could call doing on-premises plus Office 365 plus backup to the cloud hybrid as well. So in that case hybrid is a better fit for many more organizations.

Things are moving fast

Cloud offers are increasing at the speed of light and prices are dropping in free fall. While some say that’s a race to the bottom, it’s not. This is an all out battle which is raging to grab as much market share as possible. When the dust of this settles who’ll be left? Google, Amazon and Microsoft. They’re not loss leaders, they have a purpose and only they know the financial picture behind their solutions.

image

From there they’ll defend a fixed and entrenched position. Where will that lead us? Stalemate and rising costs? Or a long term tug of war where mutually assured bankruptcy will make sure prices won’t rise too much … until some game changing event breaks it all open. For many people IAAS is still (too) expensive and none of the cloud vendors seem to run a profit, all this at ever lower prices. Sounds like a price hike will be in order once the market shares have been grabbed. But have people really calculated the cost of on-premises? Can one compete? Or is the benefit of on-premises worth the cost? Oh, and I take on-premises as being anything that even resembles racks in local or regional data centers running a cloud stack on it for you. Now I have to admit that in my region of the world most cloud hosters are not at a level of professionalism and scale like they are in the Nordics, for example.

SAAS, PAAS, IAAS

That’s my order of preference actually. I think SAAS and PAAS are the areas where cloud really shines. IAAS can be a great solution for many needs but I don’t see it as ready yet as a wholesale replacement of on-premises. While many offerings in IAAS are not perfect yet and there are many blocking issues to be solved, there is a lot of value in the cloud when you do it right for your needs. If you have a very modern and optimized IT infrastructure IAAS can feel like a step back right now, but that will change in the right direction over the next 2 to 3 years I think. And as during that time frame you start using SAAS and PAAS more and more, improved IAAS will be able to cover (all?) your remaining needs better. Again, you need to do things that deliver fast or you run high (financial) risks.

Intersecting fields of fire

In this race at light speed, which cloud vendor is best? If you want and need to have all bases covered I think it’s reasonably safe to say Microsoft holds the most complete portfolio across IAAS, PAAS, SAAS and cloud storage. They’re now throwing in MPLS networks (http://azure.microsoft.com/en-us/services/expressroute/) to tie it into hybrid scenarios, which should take last century VPN technology out of the picture. Some more standardization in network virtualization, flexibility and capabilities would be welcome as well. But in the end will it matter? People might choose based on possible use cases or capabilities, but if you don’t need them that’s a moot point. They become commodities you buy from a few players; I just hope we like our cloud dealers a bit better than we do our energy and telecom providers. Nobody seems really happy with those. But as a buyer I like the idea of having options, as the saying goes “I’d rather have it and not need it than need it and not have it”.

Now MPLS is coming, what else is missing? A storage gateway / proxy in IAAS

One of the biggest issues in airlifting the entire on-premises infrastructure into the cloud is the legacy nature of the applications in combination with the high cost of IAAS (VHD) storage and the limitations compared to what you can do with VHDX on-premises. That’s probably an artificial licensing decision, but what can you do? What we need to alleviate this is a REST based cloud gateway to present storage to legacy apps in IAAS while storing the data in Azure blob storage. It’s a bit of a kludge, as we just love the fact we can get rid of pass-through, vISCSI and vFC thanks to (shared) VHDX. Why do I think we need a solution? Apps have a very long (too long?) lifetime and it would speed up cloud adoption big time. Just dropping the price for virtual disk storage would be the easiest path to go but I don’t see any indication of that.

The lure of being in the cloud is big, but bandwidth and latency in combination with storage costs are keeping people from going there when it comes to so many “legacy” on-premises applications. There is a fix. Put everything in the cloud where it is close together and where bandwidth and latency can become a non-issue. We need affordable storage and a way for legacy apps to handle object based storage. The fact that the new StorSimple offering has an Azure appliance doesn’t really help here as it’s tied to on-premises and it’s iSCSI to the guest in IAAS. Not that great, is it? For now it looks too much like onboarding to Azure for non-MSFT shops and people who are way behind the herd in modern technologies. At least for the environment I work in. Physical servers are there to host VMs, so no StorSimple. Other physical servers are point solutions (AD, Exchange or specialized software that needs more hardware access than virtualization can supply). Again, no StorSimple target.

I cloud, you cloud, we cloud

Building and maintaining a data center is losing its economic edge fast. At least for now. I’m not saying all data centers or even server rooms will disappear, but they’ll reduce significantly. The economics of public cloud are too attractive to ignore. Private and hybrid clouds cost money on top of the cost of running a data center. So why would you? Sure, the cost of cloud isn’t cheap, but there are other reasons to move:

  • Get rid of facility management of data centers and server rooms. It’s a big issue and cost.
  • Power/cooling needs. The big cloud players are rapidly becoming the only ones with a plan when it comes to developing an energy plan. Way more innovative and action driven than most governments. They’ll have way better deals than you’ll ever get.
  • Infrastructure costs. Storage, networking, compute, backup, DR, licensing … the entire life cycle of these costs a lot of money and requires talent.
  • Personnel costs. Let’s face it. Talented people might be a company’s most valuable resource in HRM speak, but in reality they’d love to get rid of as much of that talent as possible to maximize profits. The only reason they employ talent is because they have to.
  • The growth in compute and storage in the cloud is humongous. You’ll never keep up and compete at that level. It was said recently Moore’s law has been replaced by “Bezos’s law” http://gigaom.com/2014/04/19/moores-law-gives-way-to-bezoss-law/

I’m going to make a bold statement. If you want/need to do cloud, you should really seriously consider spending your money in public cloud and minimize your investment in private/hybrid clouds. Go as directly to the future as you can and try to keep your private/hybrid stack as simple and cheap as possible, as a transition to the public cloud. Leverage PowerShell, SMA and for example Azure Automation to manage what you leave on-premises. I have my doubts about the longevity of private/hybrid clouds for many organizations and as such investments should be “optimized” => cheap and easy to replace. So unless you have a real big business case for wanting to keep on-premises and can make that economically feasible, it’s not your goal, it’s a transition tool. If you’re a huge enterprise, an agency involved in national security, a hosting company or Switzerland you can ignore this advice. But I see no one rushing to buy Rackspace?

Security, Privacy, Concentrated Power?

What about security, privacy, vendor lock-in? You have to worry about that now as well, and you’re probably not that good at avoiding it on-premises either. Switching from Oracle to SQL is not an easy feat. Cloud companies will have a lot of power due to the information they distill from big (meta) data. On top of that they’re set to be the biggest providers of compute, energy and, if they buy some telecom companies, even of data communications. More and more power concentrated in ever fewer players. That’s not desirable, but it seems that’s how it will play out. The alternatives cost more and that determines most of all what happens. The economies are too good to ignore.

Government clouds to mitigate risk?

I now also see the call to build government clouds. Often at various levels. Well, for decades now, bar some projects, a lot of their IT efforts have been slow, mediocre and expensive. $400 to lift and place back some floor tiles. Having to buy a spool of 2km fibre channel if you need 80 meters. $5000 to answer a question with yes or no, a VM that costs $750 per month … ($1000 if you want a backup of the VM). 14 days to restore a VM from backup … abuse and money grabbing are rampant. Are these people going to do private cloud and compete? Are they any better at securing their infrastructure than Amazon? Is on-premises encryption any better than in the cloud? And even if it is, it’s only until someone pulls a “Snowden”. And who’ll build them? Where are the highly skilled, expert civil servants after decades of outsourcing leaving them at the mercy of 3rd parties? Are they going to buy them away in an era of cost cutting? And if they could, can they use them, do they have the organizational prowess to do so? So they’ll be built by the same pundits as before? Outsourcing to India would at least have been “the same mess for less”, while now it’s the same mess for more.

Sheep, lemmings, wolves & a smart CIO

I see way too little strategy building on this subject and too many “comfort” decisions being made that cost a lot of money and effort while delivering not enough competitive advantage. The smart CIO can avoid this and really deliver on “Your Cloud, Your Terms”. The others, well, they’ll all play their role …

Just some food for thought. But I leave you with another musing. 100% cloud might be a great idea but it’s like leasing or renting. There are scenarios where ownership still makes sense depending on the situation and business.