
How to Connect SAS Viya in Azure to On-Prem with VPN Gateways - Part 1

Started 05-15-2023
Modified 08-21-2023

@StephenFoerster mentioned in Connecting Viya in Azure to On-Prem with Azure VPN, ExpressRoute (Intro): “Microsoft recommends two different mechanisms for connecting SAS Viya in Azure to on-premises resources […] Both methods require Azure Virtual Network (VNET) gateways to facilitate communication. Site to Site VPN connections also require VPN devices configured on premises.”

 

Read this post to learn how to connect a SAS Viya on Azure deployment to an on-premises network by using a site-to-site VPN gateway connection. When the connection is in place, SAS Viya can reach resources in your on-premises data centre, a database, for example.

 

Context and Objective

You have SAS Viya deployed on Azure. All resources are deployed in a virtual network. You also have an on-premises data centre with one database. The database is fenced by its own virtual network.

 

The objective is to access this database from SAS Viya on Azure, through the VPN tunnel.

 

One way to achieve the objective is to connect the on-premises datacentre to the Azure virtual network (VNET) through a site-to-site VPN gateway connection.

 

VPN: A virtual private network (VPN) extends a private network across an untrusted network, typically the public Internet, by carrying the traffic inside an encrypted and authenticated tunnel. A site-to-site VPN connects two or more trusted private networks to each other over that untrusted network. Encryption in transit prevents eavesdropping and tampering on the untrusted network, but the tunnel itself does not restrict which hosts on either side may talk to each other: network security groups and firewall rules still apply on both sides, and the address prefixes you route into the tunnel should be scoped as narrowly as the workload allows.

 

Azure VPN gateway: A VPN gateway is a type of Virtual Network Gateway (VNG). VPN gateways are deployed in Azure virtual networks and can connect on-premises datacentres to Azure virtual networks through a site-to-site connection.

 

Simulated Data Centre

In this post we are going to simulate the on-premises data centre. The on-premises datacentre will be represented by a database in an Azure virtual network, called HQ-Network.

 

Why did we choose to simulate the data centre? There are many types of on-premises VPN devices, and it is not possible to describe their configuration in a single post.

 

What you need to remember is the logic and the configuration steps. You just need to replace the steps for the simulated network with steps tailored to your on-premises VPN device.

 

Architecture Diagram

By the end of the post series, we want to realize the following architecture:

 

bt_1_Site-to-Site-VPN-Connection-SAS-Viya-on-prem.png


 

Where:

  • $PREFIX-vnet is the SAS Viya virtual network:
    • $PREFIX-aks-subnet is the subnet of the SAS Viya Azure Kubernetes Service (AKS) cluster and its resources.
    • $PREFIX-misc-subnet is the subnet hosting several virtual machines, including $PREFIX-jump-VM.
    • A separate gateway subnet must be created for the Azure Virtual Network Gateway (VNG).
  • HQ-Network is the on-premises network that you want to access from Azure:
    • It has an Applications subnet, which hosts a database server and a private endpoint. The private endpoint gives the database a private address inside HQ-Network, so the database traffic flows network-to-network through the VPN tunnel; SAS Viya never connects to the database over the public Internet.
    • A separate gateway subnet must be created for the on-premises VNG.
  • $PREFIX-vnet is connected to HQ-Network via a Virtual Network Gateway (VNG) / Local Network Gateway (LNG) pair.
  • HQ-Network is connected to $PREFIX-vnet via a second VNG / LNG pair.
  • The two connections, one in each direction, establish the VPN tunnel.

To reiterate the objective, we want to connect to the on-premises database from SAS Viya, through the VPN tunnel.

 

Assumption

SAS Viya deployed on Azure, in the $PREFIX-vnet mentioned in the diagram.

 

Azure Side Resources

 

You can use the Azure CLI to create the resources:

Variables

 

RGHQ=HQ-rg
RG=resource_group_for_SAS_Viya_resources
PREFIX=prefix_for_SAS_Viya_resources

 

 

Add a Gateway Subnet

Add a gateway subnet to $PREFIX-vnet. Every VNG needs a subnet named exactly GatewaySubnet. The subnet must be carved out of the VNET's address space ($PREFIX-vnet uses 192.168.0.0/16) and must not overlap the existing subnets. Azure recommends a /27 or larger (32 or more addresses), so that the gateway has room for its own instances and for later configuration changes; here we use 192.168.255.0/27:

 

az network vnet subnet create \
    --resource-group $RG \
    --vnet-name $PREFIX-vnet \
    --address-prefixes 192.168.255.0/27 \
    --name GatewaySubnet

 

 

bt_2_Site-to-Site-VPN-Connection-SAS-Viya-Gateway-Subnet.png

 

 

Create a Local Network Gateway

A local network gateway (LNG) is an object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and you specify the public IP address of the on-premises VPN device to which Azure will connect.

 

You must specify the IP address prefixes that can be routed through the VPN gateway to the VPN device.

 

Create the LNG-HQ-Network local network gateway. The local address prefixes describe your on-premises vnet or subnets. For example, 172.16.0.0/24 corresponds to the Applications subnet in the HQ-Network vnet.

 

az network local-gateway create \
    --resource-group $RG \
    --gateway-ip-address 94.0.252.160 \
    --name LNG-HQ-Network \
    --local-address-prefixes 172.16.0.0/24

 

This local gateway represents the on-premises network that you're connecting to. The IP address given here as the remote gateway (94.0.252.160) is only a placeholder: the simulated on-premises network and its VPN gateway have not been created yet, so you will update this value once the on-premises gateway has a public IP address.

 

The address prefixes are very important! They define the on-premises ranges that Azure routes into the tunnel: a prefix that is missing here is unreachable from $PREFIX-vnet, and a prefix that is wider than necessary exposes more of the on-premises network to Azure than the workload needs.

 

bt_3_Site-to-Site-VPN-Connection-Local-Newtork-Gateway.png

 

 

Simulated On-premises Resources

 

Create the HQ-Network Virtual Network and the Applications Subnet

Create the HQ-Network virtual network and the Applications subnet in a separate resource group.

 

az group create --name $RGHQ --location eastus
az network vnet create \
    --resource-group $RGHQ \
    --name HQ-Network \
    --address-prefixes 172.16.0.0/16 \
    --subnet-name Applications \
    --subnet-prefixes 172.16.0.0/24

 

Add a Gateway Subnet to HQ-Network

Add GatewaySubnet to HQ-Network.

 

az network vnet subnet create \
    --resource-group $RGHQ \
    --address-prefixes 172.16.255.0/27 \
    --name GatewaySubnet \
    --vnet-name HQ-Network

 

Create a Local Network Gateway

Create the LNG-$PREFIX-VNet local network gateway.

 

az network local-gateway create \
    --resource-group $RGHQ \
    --gateway-ip-address 94.0.252.160 \
    --name LNG-$PREFIX-vnet \
    --local-address-prefixes 192.168.2.0/24 192.168.0.0/23

 

The gateway's --local-address-prefixes lists the Azure network ranges you're connecting to. Here the prefixes are the $PREFIX-misc-subnet and $PREFIX-aks-subnet address ranges, 192.168.2.0/24 and 192.168.0.0/23, rather than the whole $PREFIX-vnet, so only those two subnets are reachable from HQ-Network through the tunnel.

 

 

bt_4_Site-to-Site-VPN-Connection-HQ-Network-subnets.png

 

 

The IP address specified here as the remote gateway (again a placeholder) is the Azure-side gateway; you will update it later, once the Azure VNG has a public IP address.

 

bt_5Site-to-Site-VPN-Connection-HQ-Network-resources-1.png

 

 

Verify the Topology

 

Verify the Virtual Networks

Verify that the virtual networks have been successfully created.

 

az network vnet list \
    --resource-group $RG \
    --output table
az network vnet list \
    --resource-group $RGHQ \
    --output table

 

 

bt_6_Site-to-Site-VPN-Connection-VNETs.png

 

 

Verify the Local Network Gateways

Verify the local network gateways have been successfully created.

 

az network local-gateway list \
    --resource-group $RG \
    --output table
az network local-gateway list \
    --resource-group $RGHQ \
    --output table

 

 

bt_7_Site-to-Site-VPN-Connection-LNGs.png

 

 

Conclusions

For a site-to-site VPN gateway connection:

  • In each virtual network (VNET) you want to connect, you need a subnet named GatewaySubnet where the Virtual Network Gateway will be hosted (a /27 or larger is recommended).
  • The address spaces of the VNETs you want to connect must not overlap; otherwise routing through the tunnel is ambiguous.
  • The address prefixes in each Local Network Gateway are very important! They define which remote ranges are reachable through the gateway from the side on which the LNG is created; nothing else is routed into the tunnel.
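As an added example (not part of the original post, and not SAS or Microsoft code), the following shell script checks the rules above against the address ranges used in this post, offline and without calling az: the two VNETs do not overlap, each GatewaySubnet is /27 or larger and lies inside its VNET without colliding with an existing subnet, and every prefix declared on a Local Network Gateway lies inside the VNET on the other side. The ranges are the ones from this post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: offline pre-flight checks for
# the site-to-site topology. Address ranges are the ones used in this post.

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0-32) -> network mask as an integer.
prefix2mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# "a.b.c.d/n" -> first and last address of the block, in START and END.
cidr_range() {
    mask=$(prefix2mask "${1#*/}")
    START=$(( $(ip2int "${1%/*}") & mask ))
    END=$(( START | (~mask & 0xFFFFFFFF) ))
}

# True when the two blocks share at least one address.
cidr_overlaps() {
    cidr_range "$1"; s1=$START; e1=$END
    cidr_range "$2"; s2=$START; e2=$END
    [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]
}

not_overlapping() { ! cidr_overlaps "$1" "$2"; }

# True when block $1 lies entirely inside block $2.
cidr_within() {
    cidr_range "$1"; s1=$START; e1=$END
    cidr_range "$2"; s2=$START; e2=$END
    [ "$s1" -ge "$s2" ] && [ "$e1" -le "$e2" ]
}

# True when a GatewaySubnet is /27 or larger, as Azure recommends.
gateway_subnet_ok() {
    [ "${1#*/}" -le 27 ]
}

# Print PASS/FAIL for one check and count the failures.
report() {
    label=$1; shift
    if "$@"; then
        echo "PASS: $label"
    else
        echo "FAIL: $label"
        failures=$((failures + 1))
    fi
}

# Checks for one GatewaySubnet ($1): size, containment in its VNET ($2), and
# no collision with the VNET's existing subnets (space-separated in $3).
check_gateway_subnet() {
    report "$1 is /27 or larger" gateway_subnet_ok "$1"
    report "$1 lies inside $2" cidr_within "$1" "$2"
    for s in $3; do
        report "$1 does not collide with $s" not_overlapping "$1" "$s"
    done
}

# Run every check for the topology in this post.
# Exit status is the number of failed checks (0 = topology is consistent).
check_topology() {
    viya_vnet=192.168.0.0/16
    viya_subnets="192.168.0.0/23 192.168.2.0/24"        # aks-subnet, misc-subnet
    viya_gw=192.168.255.0/27
    hq_vnet=172.16.0.0/16
    hq_subnets="172.16.0.0/24"                          # Applications
    hq_gw=172.16.255.0/27
    lng_hq_prefixes="172.16.0.0/24"                     # LNG-HQ-Network (Azure side)
    lng_viya_prefixes="192.168.2.0/24 192.168.0.0/23"   # LNG-$PREFIX-vnet (HQ side)
    failures=0

    report "VNET address spaces do not overlap" not_overlapping "$viya_vnet" "$hq_vnet"
    check_gateway_subnet "$viya_gw" "$viya_vnet" "$viya_subnets"
    check_gateway_subnet "$hq_gw" "$hq_vnet" "$hq_subnets"
    for p in $lng_hq_prefixes; do
        report "LNG-HQ-Network prefix $p is inside HQ-Network" cidr_within "$p" "$hq_vnet"
    done
    for p in $lng_viya_prefixes; do
        report "LNG-\$PREFIX-vnet prefix $p is inside \$PREFIX-vnet" cidr_within "$p" "$viya_vnet"
    done
    return $failures
}

check_topology
```

Replace the variables with your own ranges and run the script before creating the Virtual Network Gateways in Part 2: a GatewaySubnet cannot be resized or deleted while a gateway is deployed in it, so an overlap or sizing mistake found at this stage is cheap to fix, and a FAIL on an LNG prefix tells you which side of the tunnel will be unable to reach the other.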

In Part 2

 

Read the next post, How to Connect SAS Viya in Azure to On-Prem with VPN Gateways - Part 2, where you will learn how to:

  • Create the Azure side and the on-premises Virtual Network Gateways.
  • Connect the two Virtual Network Gateways.

Useful Resources

Thank you for your time reading this post. If you liked the post, give it a thumbs up! Please comment and tell us what you think about access to on-premises datacentres using VPN gateways.  If you wish to get more information, please write me an email.

 

Find more articles from SAS Global Enablement and Learning here.

 
