Connect standalone servers by using Azure Network Adapter

This reference architecture shows how to connect an on-premises standalone server to Microsoft Azure virtual networks by using the Azure Network Adapter that you deploy through Windows Admin Center (WAC). Azure Network Adapter creates a secured virtual connection over the internet, which extends your on-premises network into Azure.

Architecture

Download a Visio file of these architectures.

Workflow

The architecture consists of:

• On-premises network. This component is an organization's private local area network (LAN).
• Branch office. This component is a private LAN in a remote branch office that connects through a corporate wide area network (WAN).
• Other cloud provider. This component is a private virtual network that a cloud provider offers. It connects through a virtual private network (VPN).
• Windows Server with Windows Admin Center installed. The server that you use to deploy the Azure Network Adapter.
• Windows Server (standalone). The server on which the Azure Network Adapter is installed. This server can be on a branch-office network or in a different cloud provider's network.
• Azure Virtual Network (VNet). The virtual servers, and other services and components, for the Azure VPN Gateway that are in the same virtual network inside Azure.
• Azure VPN Gateway. The VPN Gateway service that enables you to connect the virtual network to the on-premises network or standalone servers through a VPN appliance or Azure Network Adapters. For more information, see Connect an on-premises network to a Microsoft Azure virtual network. There are several pricing tiers, or stock keeping units (SKUs), available for VPN gateways. Each SKU supports different requirements based on the types of workloads, throughput, features, and service-level agreements (SLAs). The VPN gateway includes the following components:
  • Virtual network gateway (active). This Azure resource provides a virtual VPN appliance for the virtual network, and it's responsible for routing traffic back and forth between the on-premises network and the virtual network.
  • Virtual network gateway (passive). This Azure resource provides a virtual VPN appliance for the virtual network, and it's the standby instance of the active Azure VPN Gateway. For more information, see About Azure VPN gateway redundancy.
  • Gateway subnet. The virtual network gateway is held in its own subnet, which is subject to various requirements that the following Recommendations section details.
  • Connection. The connection has properties that specify the connection type. These properties include Internet Protocol security (IPsec), and the key shared with the on-premises VPN appliance to encrypt traffic.
• Cloud application. This component is the application that's hosted in Azure. It can include many tiers with multiple subnets that connect through Azure load balancers. For more information about the application infrastructure, see Running Windows VM workloads and Running Linux VM workloads.
• Internal load balancer. Network traffic from the VPN gateway is routed to the cloud application through an internal load balancer, which is in the application's production subnet.
• Azure Bastion. Azure Bastion lets you log into VMs in the Azure virtual network without exposing the VMs directly to the internet. It uses Secure Shell (SSH) or Remote Desktop Protocol (RDP). If you lose VPN connectivity, you can still use Azure Bastion to manage your VMs in the Azure virtual network. However, the management of on-premises servers through Azure Bastion isn't supported.

Components

• Virtual Network. Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks.

• Azure Bastion. Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses.

• VPN Gateway. VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. A VPN gateway is a specific type of virtual network gateway.

• Windows Admin Center. Windows Admin Center is a locally deployed, browser-based app for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows 10 PCs. It is a free product and is ready to use in production.

Recommendations

The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.

Connect a standalone server

To connect a standalone server through the WAC, you must add the server to the managed-servers list in the dedicated server's WAC installation. After you add the server to that list, you can select the server for which you want to install the Azure Network Adapter, and then select Network from the tools followed by the "+ Add Azure Network Adapter (Preview)" option in the Network pane.

When you select the + Add Azure Network Adapter (Preview) option, the Add Azure Network Adapter configuration blade opens in a browser window. There are several options you can configure within this blade.

The following information is necessary:

Once you complete all necessary fields, the Create button becomes active, and you should select it to begin your Azure Network Adapter's deployment to the selected server.

The deployment process has two major parts, the first of which is the deployment and selection of the Azure VPN Gateway. If you need to deploy your Azure VPN Gateway first, allow for 25 to 45 minutes for the deployment to complete. (Some configurations can take that long to deploy.) The WAC will provide information about the deployment's progress. The second part is the actual installation of the Azure Network Adapter, which can take 10 minutes. The WAC will notify you about the installation progress as well.

Once the deployment begins, you can change the focus of the WAC by selecting other tools or servers. The deployment process continues in the background.

If you select the Auto-generated Self-signed root and client Certificate option, Azure creates the two required certificates for you automatically and stores them in the selected server's certificate store. You can use the Certificates tool in the WAC to find them, and then you can locate a root certificate in the Local Machine/Root container. The certificate's name begins with Windows Admin Center-Created-vpngw and contains the P2SRoot string. The string's tail includes a timestamp encoded with the certificate's creation date. This certificate will also be stored in the Local Machine/CA container. The second certificate is stored in the Local Machine/My container. The name of this certificate starts with Windows Admin Center-Created-vpngw and contains the P2SClient string. The string's tail includes a timestamp encoded with the certificate's creation date.

After the deployment finishes, the selected server's Networks tool is updated with the new Azure Network Adapter, which automatically starts after the deployment ends and indicates an active status. You can select the adapter to activate the More drop-down list, which you can select to disconnect or delete the adapter. On the actual server, the Azure Network Adapter is installed as a VPN connection. The adapter's name begins with Windows Admin CenterVPN- followed by a random three-digit number.

When the Azure Network Adapter is installed and connected, you can use this new network connection to connect directly to the Azure VNets and their systems. This type of connection is typically used to establish a remote-desktop session via an Azure VM's internal IP address, instead of using the VM's public IP address.

Using a dedicated WAC server

For a centralized administration, we recommend you use a dedicated Windows Admin Server installation, from which you can add other servers. This approach means no administered servers require extra software. For more information, see Windows Admin Center.

Prepare a dedicated VNet

The Azure Network Adapter's installation interface might not meet your naming convention or pricing tier needs. To avoid this conflict, you can create the requisite Azure resources before you deploy the adapter. During the deployment, you select the already existing resources instead of creating them through the installation interface.

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.

Scalability

• VPN Gateway SKU:
  • The VPN Gateway SKU you're selecting determines how many connections it can take in parallel, and the bandwidth that's available to all of those connections. The number of concurrent connections varies from 250 to 1,000 when you're using the P2S IKEv2/OpenVPN option. IKE refers to IPsec Key Exchange. It's advisable to begin with VpnGw1 and scale out later if you need more connections. If you need to switch the VPN Gateway generation, you need to install a new gateway and deploy a new Azure Network Adapter to connect to it.
• Connect multiple standalone servers:
  • You can use the WAC to deploy the Azure Network Adapter to as many servers as you need. You also can add many Azure Network Adapters to a single server to connect to different Azure VNets. Once the initial deployment of the VPN Gateway is complete, you can configure extra servers to use the same gateway by selecting the existing gateway in the installation interface.
  • Standalone servers can be located on the same network, on a branch-office network, or on a different cloud-based network. You can use the network connection that you've established, such as your corporate WAN or a dedicated VPN to a different cloud provider, if the required network ports are available through these connections. For more information, see the "Security considerations" section in this article.
• Azure Site-to-Site connection:
  • The Azure Network Adapter is a single installation on a single server. If you want to connect several servers, you could face a significant administrative effort. However, you can avoid this effort by connecting your on-premises systems using the Azure Site-2-Site connection (S2S) method, which connects an existing on-premises network to an Azure VNet and its subnets. At this connection's core is an Azure VPN Gateway through which you can connect a local, on-premises VPN gateway with the remote Azure VPN Gateway. This secure connection allows the two network segments to communicate transparently with each other.

Availability

• The Azure Network Adapter only supports an active-passive configuration of the Azure VPN Gateway. During the adapter's configuration, you can point to an existing active-active Azure VPN gateway. The setup will reconfigure the gateway to the active-passive configuration. A manual gateway reconfiguration to the active-active state is possible, but the Azure Network Adapter won't connect to this gateway.

  Warning

  Configuring an Azure Network Adapter against an existing Azure VPN Gateway with an active-active configuration will reconfigure the gateway to active-passive. This will impact all existing VPN connections to this gateway. Changing from active-active configuration to active-standby configuration will cause a drop of one of the two IPsec VPN tunnels for each connection. Do not proceed without evaluating your overall connection requirements and consulting with your network administrators.

Manageability

• Administrative account:

  • The WAC is the core tool that you use to deploy the Azure Network Adapter and configure account handling. For more information about the available options, see User access options with Windows Admin Center. You can configure an individual account per server connection.

    Note

    The dialog box in which you configure the administrative account per server will validate your credentials when you select Continue. To open the dialog box, in the WAC, select the row with the applicable server name, and then select Manage as. Do not select the hyperlink that represents the server, as it'll connect you to that server immediately.

  • Additionally, you must configure a user account for the Azure connection by opening the Settings dialog box in the WAC and modifying the account section. You also can switch users or log out of a user's session in the Settings dialog box.

• Azure Recovery Vault integration:
  • When you install Azure Network Adapter on a standalone server, you then can consider that server a port for your business continuity. You can integrate that server into your back-up and disaster-recovery procedures by using Azure Recovery Vault services that you configure by selecting Azure Backup in the Tools section of the WAC. Azure Backup helps protect your Windows server from corruptions, attacks, or disasters by backing up your server directly to Microsoft Azure.

Security

Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.

• Required network ports:

  • Network ports for PowerShell remoting must be open if you want to use the WAC to deploy the Azure Network Adapter.

  • PowerShell Remoting uses Windows Remote Management (WinRM). For more information, see PowerShell Remoting Security Considerations and PowerShell Remoting default settings.

  • In some scenarios, you're required to use extra authentication methods. WAC can use PowerShell with the Credential Security Support Provider protocol (CredSSP) to connect to remote servers. For more information, see PowerShell Remoting and CredSSP and how Windows Admin Center uses CredSSP.

  • PowerShell Remoting (and WinRM) uses the following ports:

    Protocol	Port
    HTTP	5985
    HTTPS	5986

  • How you connect to the server on which the Windows Admin Center (WAC) is installed depends on your WAC's installation type. The default port varies and can be port 6516 when installed on Windows 10 or port 443 when installed on Windows Server. For more information, see Install Windows Admin Center.

• Microsoft Defender for Cloud integration:
  • To help protect the server on which the Azure Network Adapter is installed, you can integrate the server to Microsoft Defender for Cloud by selecting Microsoft Defender for Cloud from the Tools section in WAC. During the integration, you must select an existing Azure Log Analytics workspace or create a new one. You'll be billed separately for each server that you integrate with Microsoft Defender for Cloud. For more information, see Microsoft Defender for Cloud pricing.

DevOps

• Azure Automation:
  • The WAC gives you access to the PowerShell code that creates the Azure Network Adapter, and you can review it by selecting the Network tool, and then selecting the View PowerShell scripts icon at the top of the WAC page. The script's name is Complete-P2SVPNConfiguration, and it's implemented as a PowerShell function. The code is digitally signed and ready to be reused. You can integrate it into Azure Automation by configuring more services inside the Azure portal.

Cost optimization

Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

• Azure Pricing Calculator:
  • Using the Azure Network Adapter doesn't actually cost anything, as it's a component that you deploy to an on-premises system. The Azure VPN Gateway, as part of the solution, does generate extra costs, as does the use of other services, such as Azure Recovery Vault or Microsoft Defender for Cloud. For more information about actual costs, see the Azure Pricing Calculator. It's important to note that actual costs vary by Azure region and your individual contract. Contact a Microsoft sales representative for more information about pricing.
• Egress costs:
  • There are extra costs associated with outbound Inter-VNet data transfers. Those costs are dependent on your VPN Gateway's SKU and the actual amount of data you're using. For more information, see the Azure Pricing Calculator. It's important to note that actual costs vary by Azure region and your individual contract. Contact a Microsoft sales representative for additional information about pricing.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

• Frank Migacz | App Innovation Specialist

To see non-public LinkedIn profiles, sign in to LinkedIn.

Next steps

Learn more about the component technologies:

• Top 10 networking features in Windows Server 2019: #3 Azure Network Adapter
• Point-to-Site VPN
• Try Windows Admin Center on Microsoft Evaluation Center
• What is Azure Virtual Network?
• What is Azure Bastion?
• What is VPN Gateway?
• Windows Admin Center overview

Related resources

Explore related architectures:

• Manage hybrid Azure workloads using Windows Admin Center
• Hub-spoke network topology in Azure
• Extend an on-premises network using VPN
• Design a hybrid Domain Name System solution with Azure