In a recent post I discussed options for load balancing Windows Server Routing and Remote Access Service (RRAS) in Microsoft Azure for Always On VPN. There are many choices available to the administrator; however, the best alternative is to use a dedicated Application Delivery Controller (ADC), or load balancer. The Kemp LoadMaster load balancer is an excellent choice here, as it is easy to configure and deploy. It is also very cost-effective and offers flexible licensing plans, including a metered licensing option.
Deploy LoadMaster in Azure
To provision a Kemp LoadMaster load balancer in Microsoft Azure, open the Azure management console and perform the following steps.
1. Click Create Resource.
2. Enter LoadMaster in the search field.
3. Click on LoadMaster Load Balancer ADC Content Switch.
4. Choose an appropriate license model from the Select a software plan drop-down list.
5. Click Create.
Prepare Azure Instance
Follow the steps below to provision the Azure VM hosting the Kemp LoadMaster load balancer.
1. Choose an Azure subscription and resource group to deploy the resources to.
2. Provide instance details such as virtual machine name, region, availability options, and image size.
3. Select an authentication type and upload the SSH private key or provide a username and password.
4. Click Next: Disks >.
5. Select an OS disk type.
6. Click Next: Networking >.
7. Select a virtual network and subnet for the load balancer.
8. Create or assign a public IP address.
9. Click Review + create.
LoadMaster Configuration
Once the virtual machine has been provisioned, open a web browser and navigate to the VM’s internal IP address on port 8443 to accept the licensing terms.
Next, log in with your Kemp ID and password to finish licensing the appliance.
Finally, log in to the appliance using the username ‘bal’ and the password provided when the virtual machine was configured.
Azure Network Security Group
A Network Security Group (NSG) is automatically configured and associated with the LoadMaster’s network interface when the appliance is created. Additional inbound security rules must be added to allow VPN client connectivity.
In the Azure management console open the properties for the LoadMaster NSG and follow the steps below to configure security rules to allow inbound VPN protocols.
SSTP
1. Click Inbound security rules.
2. Click Add.
3. Choose Any from the Source drop-down list.
4. Enter * in the Source port ranges field.
5. Select Any from the Destination drop-down list.
6. Enter 443 in the Destination port ranges field.
7. Select the TCP protocol.
8. Select the Allow action.
9. Enter a value in the Priority field.
10. Enter a name for the service in the Name field.
11. Click Add.
IKEv2
1. Click Inbound security rules.
2. Click Add.
3. Choose Any from the Source drop-down list.
4. Enter * in the Source port ranges field.
5. Select Any from the Destination drop-down list.
6. Enter 500 in the Destination port ranges field.
7. Select the UDP protocol.
8. Select the Allow action.
9. Enter a value in the Priority field.
10. Enter a name for the service in the Name field.
11. Click Add.
12. Repeat the steps above for UDP port 4500.
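Once the rules are in place, the NSG can be checked against the three VPN listeners described above. The following is an added example, not part of the original post: it audits an exported NSG for the SSTP and IKEv2 rules and lists any other inbound rule that allows Any source. It assumes the field names of `az network nsg show` JSON output; the NSG and rule names in the sample are constructed.

```python
import json

# Inbound listeners the article opens on the LoadMaster NSG.
REQUIRED = {("tcp", 443): "SSTP", ("udp", 500): "IKEv2", ("udp", 4500): "IKEv2 NAT-T"}
ANY_SOURCE = {"*", "any", "internet", "0.0.0.0/0"}

def port_spans(rule):
    """Expand destinationPortRange(s) into (low, high) tuples."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    spans = []
    for item in raw:
        low, _, high = ("0-65535" if item == "*" else item).partition("-")
        spans.append((int(low), int(high or low)))
    return spans

def covers(rule, proto, port):
    return (rule["protocol"].lower() in (proto, "*")
            and any(lo <= port <= hi for lo, hi in port_spans(rule)))

def is_vpn_only(rule):
    """True when the rule opens nothing beyond single required VPN ports."""
    spans = port_spans(rule)
    return bool(spans) and all(
        lo == hi and (rule["protocol"].lower(), lo) in REQUIRED for lo, hi in spans)

def audit_nsg(nsg):
    """Return (missing VPN rules, other Any-source allow rules to review).
    Priority ordering against Deny rules is not evaluated."""
    open_rules = [r for r in nsg.get("securityRules", [])
                  if r["direction"].lower() == "inbound" and r["access"].lower() == "allow"
                  and str(r.get("sourceAddressPrefix", "")).lower() in ANY_SOURCE]
    missing = [f"{name} ({proto.upper()}/{port})"
               for (proto, port), name in REQUIRED.items()
               if not any(covers(r, proto, port) for r in open_rules)]
    review = [r["name"] for r in open_rules if not is_vpn_only(r)]
    return missing, review

# Constructed sample shaped like `az network nsg show` output (names are made up).
SAMPLE = json.loads("""{"name": "loadmaster-nsg", "securityRules": [
 {"name": "Allow-SSTP", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationPortRange": "443", "priority": 1010},
 {"name": "Allow-IKEv2", "direction": "Inbound", "access": "Allow", "protocol": "Udp",
  "sourceAddressPrefix": "*", "destinationPortRange": "500", "priority": 1020},
 {"name": "Allow-WUI", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationPortRange": "8443", "priority": 1030}]}""")

if __name__ == "__main__":
    missing, review = audit_nsg(SAMPLE)
    print("missing:", missing)
    print("review:", review)
```

On the constructed sample the audit reports the UDP 4500 rule as missing and returns the port 8443 rule for review, since it allows Any source but is not one of the VPN listeners.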
Load Balancing SSTP and IKEv2
Refer to the following posts for detailed, prescriptive guidance for configuring the Kemp LoadMaster load balancer for Always On VPN load balancing.
Always On VPN SSTP Load Balancing with Kemp LoadMaster
Always On VPN IKEv2 Load Balancing with the Kemp LoadMaster
Always On VPN Load Balancing Deployment Guide for the Kemp LoadMaster
Summary
Although Windows Server RRAS is not a formally supported workload in Azure, it is still a popular and effective solution for Always On VPN deployments. The Kemp LoadMaster load balancer can be deployed quickly and easily to provide redundancy and increase scalability for larger deployments.
Additional Information
Windows 10 Always On VPN SSTP Load Balancing with Kemp LoadMaster Load Balancers
Windows 10 Always On VPN IKEv2 Load Balancing with Kemp LoadMaster Load Balancers
Windows 10 Always On VPN Load Balancing Deployment Guide for Kemp LoadMaster Load Balancers
Deploying the Kemp LoadMaster Load Balancer in Microsoft Azure