Connect your Home Lab to Azure

One of the big challenges of the current times is to interconnect offices to a Cloud provider like Azure. I have this need at my home as well: to create and simulate an enterprise network.

My home lab consists of the following:

One Unifi USG: https://www.ui.com/unifi-routing/usg/
A Unifi Switch 24p PoE: https://www.ui.com/unifi-switching/unifi-switch-poe/
3 Aps Unifi LR: https://www.ui.com/unifi/unifi-ap-ac-lr/

The only problem is that I have a dynamic public IP. So, it’s difficult to maintain the connectivity for this Site-to-Site. Therefore, I used a service, NOIP, to help me. My USG will update this service every time that my public IP changes. It’s easy for me, after that, to host some websites/services at my home too, by creating a CNAME record.

In your USG interface, go to Settings > Gateway > Dynamic DNS and choose on which interface you want to update your Dynamic DNS. WAN 1 for me. Choose the service where you created your dynamic DNS, provide the hostname that you have created on NOIP, and the username/password to authenticate to update the IP directly on your hostname:

We will go to Azure Portal now, and we will return to this UI interface after. Create a Virtual Network Gateway with a SKU Basic. After 45 minutes, you will have your Virtual Network Gateway with a Public IP that you will need later:

Now, create a local network gateway. It will contain the Public IP of your USG, and each On-Premises address spaces that you want to route on the S2S Tunnel:

Afterwards, you need to create the connection between your Local Network Gateway and your VPN Gateway in Azure. Create a Shared Key and write it with your public IP on Azure:

Then, go back to your UI interface. In Settings > VPN > VPN Connections create a new connection to external VPN. Choose the type Manual IPSec and provide the remote subnet where your VPN gateway is connected. Provide the peer IP (this is the IP from Azure), and in Local WAN IP, the IP of your USG WAN interface. At this time, you can’t choose an interface but you need to provide the IP. Provide the shared key that you created in Azure and, in IPSec profile, choose Azure dynamic routing:

Regarding the encryption, choose the following:

Key Exchange: IKEv2
Encryption: AES-256
Hash: SHA-1
DH Group: 2
PFS enable
Dynamic Routing enable

After a few minutes, the tunnel should be up and you should be able to access your VM from your PC to Azure:

I also created a runbook, that will run every 4 hours because of the 500 free Azure Automation minutes. It will check if your IP changed, and if it has changed, it will update your IP automatically with the following script:

#=====================================================================================================================================

#

# NAME: Update_PublicIP_v1.1.ps1

#

# AUTHOR: Florent APPOINTAIRE

# DATE: 11/02/2020

# VERSION: 1.1

#

# COMMENT: The purpose of this script is to update your Azure RM VPN S2S public IP with a dynamic public IP

# USING : Update values with you information

#

#=====================================================================================================================================




#Connect to the subscription

$connectionName = "AzureRunAsConnection"

try

{

# Get the connection "AzureRunAsConnection "

$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

$connectionResult =  Connect-AzAccount -Tenant $servicePrincipalConnection.TenantID `

-ApplicationId $servicePrincipalConnection.ApplicationID   `

-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `

-ServicePrincipal

}

catch {

if (!$servicePrincipalConnection)

{

$ErrorMessage = "Connection $connectionName not found."

throw $ErrorMessage

} else{

Write-Error -Message $_.Exception

throw $_.Exception

}

}

Select-AzSubscription -SubscriptionId "Your_Subscription_Id"

#Destination email

$dest = "Your_Email_Address"

#DynDns link

$DynDNS = "Your_DynDns_Name"

#Resource group where S2SVpn is stored

$RGName = "Network"

#Name of the local network gateway

$name = "FLOAPP-LocalGW"

#Name of the virtual network gateway

$vNetGw = "FLOAPP-VNetGW"

#Name of the connection in the virtual network gateway

$connectionName = "FLOAPP-Conn"




#Get the public IP of your Dynamic DNS

$IP = ([System.Net.DNS]::GetHostAddresses($DynDNS)).IPAddressToString

#Get the IP in your Azure Gateway

$gw = Get-AzLocalNetworkGateway -ResourceGroupName $RGName -Name $name

$AzureIP = $gw.GatewayIpAddress

Write-Output "Public IP       : $IP"

Write-Output "Azure gateway IP: $AzureIP"

#Check if your public IP and the Azure Public IP are the same

if($IP -ne $AzureIP)

{

#Old Gateway IP Address

$oldAzureIP = $AzureIP

#IP Changed, we need to update

Write-Output "IP Update In Progress..."

#Get your virtual network gateway connection information

$connection = Get-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $RGName

if ($connection -eq $null){

#Store values to recreate it

$sharedKey = "Your Shared Key"

$routingWeight = 0

$connectionType = "IPSec"

#Create the new local network gateway

$location = "westeurope"

$addressPrefix = "172.16.0.0/24","172.16.10.0/24"

New-AzLocalNetworkGateway -AddressPrefix $addressPrefix -GatewayIpAddress $IP -Location $location -Name $name -ResourceGroupName $RGName

#Create the virtual network gateway connection

$gateway1 = Get-AzVirtualNetworkGateway -Name $vNetGw -ResourceGroupName $RGName

$local = Get-AzLocalNetworkGateway -Name $name -ResourceGroupName $RGName

New-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $RGName -Location $location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType $connectionType -RoutingWeight $routingWeight -SharedKey $sharedKey







} else {




#Store values to recreate it

$sharedKey = $connection.SharedKey

$routingWeight = $connection.RoutingWeight

$connectionType = $connection.ConnectionType

#Remove the network gateway connection and the local network gateway

Remove-AzVirtualNetworkGatewayConnection -ResourceGroupName $RGName -Name $connectionName -Force

Remove-AzLocalNetworkGateway -ResourceGroupName $RGName -Name $name -Force

#Create the new local network gateway

$location = $gw.Location

$name = $gw.Name

$addressPrefix = $gw.LocalNetworkAddressSpace.AddressPrefixes

New-AzLocalNetworkGateway -Name $name -ResourceGroupName $RGName -Location $location -GatewayIpAddress $IP -AddressPrefix $addressPrefix

#Create the virtual network gateway connection

$gateway1 = Get-AzVirtualNetworkGateway -Name $vNetGw -ResourceGroupName $RGName

$local = Get-AzLocalNetworkGateway -Name $name -ResourceGroupName $RGName

New-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $RGName -Location $location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType $connectionType -RoutingWeight $routingWeight -SharedKey $sharedKey




}

#Get the public ip in azure

$gw = Get-AzLocalNetworkGateway -ResourceGroupName $RGName -Name $name

$AzureIP = $gw.GatewayIpAddress

#Get the current date

$date = Get-Date -Format  'dd/MM/yyyy - HH:mm:ss'

#If your public IP and the Azure public IP are the same, all is fine :)

if($IP -eq $AzureIP){

"$date : IP Updated Successfully. Old IP address was $oldAzureIP and the new one is $AzureIP"

.\Send-GridMailMessage.ps1 -Subject "Azure Gateway - S2S VPN: IP updated" -content "$date : IP Updated Successfully. Old IP address was $oldAzureIP and the new one is $AzureIP" `

-FromEmailAddress $dest -destEmailAddress $dest

}

else {

"$date : IP Update Failed"

}




}

else

{

#IP didn't change, nothing to do

Write-Output "IP Already Up To Date"

}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

#=====================================================================================================================================

# NAME: Update_PublicIP_v1.1.ps1

# AUTHOR: Florent APPOINTAIRE

# DATE: 11/02/2020

# VERSION: 1.1

# COMMENT: The purpose of this script is to update your Azure RM VPN S2S public IP with a dynamic public IP

# USING : Update values with you information

#=====================================================================================================================================

#Connect to the subscription

$connectionName = "AzureRunAsConnection"

try

{

# Get the connection "AzureRunAsConnection "

$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

$connectionResult = Connect-AzAccount -Tenant $servicePrincipalConnection.TenantID `

-ApplicationId $servicePrincipalConnection.ApplicationID `

-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `

-ServicePrincipal

}

catch {

if (!$servicePrincipalConnection)

{

$ErrorMessage = "Connection $connectionName not found."

throw $ErrorMessage

} else{

Write-Error -Message $_.Exception

throw $_.Exception

}

Select-AzSubscription -SubscriptionId "Your_Subscription_Id"

#Destination email

$dest = "Your_Email_Address"

#DynDns link

$DynDNS = "Your_DynDns_Name"

#Resource group where S2SVpn is stored

$RGName = "Network"

#Name of the local network gateway

$name = "FLOAPP-LocalGW"

#Name of the virtual network gateway

$vNetGw = "FLOAPP-VNetGW"

#Name of the connection in the virtual network gateway

$connectionName = "FLOAPP-Conn"

#Get the public IP of your Dynamic DNS

$IP = ([System.Net.DNS]::GetHostAddresses($DynDNS)).IPAddressToString

#Get the IP in your Azure Gateway

$gw = Get-AzLocalNetworkGateway -ResourceGroupName $RGName -Name $name

$AzureIP = $gw.GatewayIpAddress

Write-Output "Public IP : $IP"

Write-Output "Azure gateway IP: $AzureIP"

#Check if your public IP and the Azure Public IP are the same

if($IP -ne $AzureIP)

{

#Old Gateway IP Address

$oldAzureIP = $AzureIP

#IP Changed, we need to update

Write-Output "IP Update In Progress..."

#Get your virtual network gateway connection information

$connection = Get-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $RGName

if ($connection -eq $null){

#Store values to recreate it

$sharedKey = "Your Shared Key"

$routingWeight = 0

$connectionType = "IPSec"

#Create the new local network gateway

$location = "westeurope"

$addressPrefix = "172.16.0.0/24","172.16.10.0/24"

New-AzLocalNetworkGateway -AddressPrefix $addressPrefix -GatewayIpAddress $IP -Location $location -Name $name -ResourceGroupName $RGName

#Create the virtual network gateway connection

$gateway1 = Get-AzVirtualNetworkGateway -Name $vNetGw -ResourceGroupName $RGName

$local = Get-AzLocalNetworkGateway -Name $name -ResourceGroupName $RGName

New-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $RGName -Location $location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType $connectionType -RoutingWeight $routingWeight -SharedKey $sharedKey

} else {

#Store values to recreate it

$sharedKey = $connection.SharedKey

$routingWeight = $connection.RoutingWeight

$connectionType = $connection.ConnectionType

#Remove the network gateway connection and the local network gateway

Remove-AzVirtualNetworkGatewayConnection -ResourceGroupName $RGName -Name $connectionName -Force

Remove-AzLocalNetworkGateway -ResourceGroupName $RGName -Name $name -Force

#Create the new local network gateway

$location = $gw.Location

$name = $gw.Name

$addressPrefix = $gw.LocalNetworkAddressSpace.AddressPrefixes

New-AzLocalNetworkGateway -Name $name -ResourceGroupName $RGName -Location $location -GatewayIpAddress $IP -AddressPrefix $addressPrefix

#Create the virtual network gateway connection

$gateway1 = Get-AzVirtualNetworkGateway -Name $vNetGw -ResourceGroupName $RGName

$local = Get-AzLocalNetworkGateway -Name $name -ResourceGroupName $RGName

}

#Get the public ip in azure

$gw = Get-AzLocalNetworkGateway -ResourceGroupName $RGName -Name $name

$AzureIP = $gw.GatewayIpAddress

#Get the current date

$date = Get-Date -Format 'dd/MM/yyyy - HH:mm:ss'

#If your public IP and the Azure public IP are the same, all is fine :)

if($IP -eq $AzureIP){

"$date : IP Updated Successfully. Old IP address was $oldAzureIP and the new one is $AzureIP"

.\Send-GridMailMessage.ps1 -Subject "Azure Gateway - S2S VPN: IP updated" -content "$date : IP Updated Successfully. Old IP address was $oldAzureIP and the new one is $AzureIP" `

-FromEmailAddress $dest -destEmailAddress $dest

}

else {

"$date : IP Update Failed"

}

else

{

#IP didn't change, nothing to do

Write-Output "IP Already Up To Date"

}

Only one bug at this time as I already explained, it’s the Local WAN IP part on USG, to be able to select directly an interface.

Feel free to contact me if you have any questions 😊

Connect Your Home Infrastructure to Azure