@StephenFoerster mentioned in Connecting Viya in Azure to On-Prem with Azure VPN, ExpressRoute (Intro): “Microsoft recommends two different mechanisms for connecting SAS Viya in Azure to on-premises resources […] Both methods require Azure Virtual Network (VNET) gateways to facilitate communication. Site to Site VPN connections also require VPN devices configured on premises.”
Read this post to learn how you can connect a SAS Viya on Azure deployment to an on-premises network by using site-to-site VPN gateways. When the connection is in place, SAS Viya can access resources in your on-premises data centre, such as a database.
You have SAS Viya deployed on Azure. All resources are deployed in a virtual network. You also have an on-premises data centre with one database. The database is fenced by its own virtual network.
The objective is to access this database from SAS Viya on Azure, through the VPN tunnel.
One way to achieve the objective is to connect the on-premises datacentre to the Azure virtual network (VNET) through a site-to-site VPN gateway connection.
VPN: A virtual private network (VPN) is a type of private interconnected network. VPNs use an encrypted tunnel within another network. They're typically deployed to connect two or more trusted private networks to one another over an untrusted network, typically the public Internet. Traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.
Azure VPN gateway: A VPN gateway is a type of Virtual Network Gateway (VNG). VPN gateways are deployed in Azure virtual networks and can connect on-premises datacentres to Azure virtual networks through a site-to-site connection.
In this post we are going to simulate the on-premises data centre. The on-premises datacentre will be represented by a database in an Azure virtual network, called HQ-Network.
Why did we choose to simulate the data centre? There are many types of on-premises VPN devices, and it is not possible to describe their configuration in a single post.
What you need to remember is the logic and the configuration steps. You just need to replace the steps for the simulated network with steps tailored to your on-premises VPN device.
By the end of the post series, we want to realize the following architecture diagram:
Where:
To reiterate the objective, we want to connect to the on-premises database from SAS Viya, through the VPN tunnel.
SAS Viya deployed on Azure, in the $PREFIX-vnet mentioned in the diagram.
You can use the Azure CLI to create the resources:
RGHQ=HQ-rg
RG=resource_group_for_SAS_Viya_resources
PREFIX=prefix_for_SAS_Viya_resources
Add a gateway subnet to $PREFIX-vnet. Every VNG needs a gateway subnet. $PREFIX-vnet has an address space of 192.168.0.0/16 (65,536 IPs), therefore you must choose at least a /27 address space (32 IPs):
az network vnet subnet create \
--resource-group $RG \
--vnet-name $PREFIX-vnet \
--address-prefixes 192.168.255.0/27 \
--name GatewaySubnet
A local network gateway (LNG) is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it. You then specify the IP address of the on-premises VPN device to which you'll connect.
You must specify the IP address prefixes that can be routed through the VPN gateway to the VPN device.
Create the LNG-HQ-Network local network gateway. The local address prefixes describe your on-premises vnet or subnets. For example, 172.16.0.0/24 corresponds to the Applications subnet in the HQ-Network vnet.
az network local-gateway create \
--resource-group $RG \
--gateway-ip-address 94.0.252.160 \
--name LNG-HQ-Network \
--local-address-prefixes 172.16.0.0/24
This local gateway represents the on-premises network that you're connecting to. The IP address specified as the remote gateway needs to be updated later, because the simulated on-premises network has not yet been created.
The address prefixes are very important! They define the local resources you can reach through the gateway from Azure.
Create the HQ-Network virtual network and the Applications subnet in a separate resource group.
az group create --name $RGHQ --location eastus
az network vnet create \
--resource-group $RGHQ \
--name HQ-Network \
--address-prefixes 172.16.0.0/16 \
--subnet-name Applications \
--subnet-prefixes 172.16.0.0/24
Add GatewaySubnet to HQ-Network.
az network vnet subnet create \
--resource-group $RGHQ \
--address-prefixes 172.16.255.0/27 \
--name GatewaySubnet \
--vnet-name HQ-Network
Create the LNG-$PREFIX-VNet local network gateway.
az network local-gateway create \
--resource-group $RGHQ \
--gateway-ip-address 94.0.252.160 \
--name LNG-$PREFIX-vnet \
--local-address-prefixes 192.168.2.0/24 192.168.0.0/23
The gateway’s --local-address-prefixes points to the Azure network and subnets you're connecting to. As you can see, the address space points to $PREFIX-misc-subnet and $PREFIX-aks-subnet address ranges: 192.168.2.0/24 and 192.168.0.0/23.
You'll later update the IP address specified as the remote gateway, which is in Azure.
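Because the local address prefixes decide which hosts are reachable through the tunnel, it helps to check the address plan before building the gateways. The following Python check is an added example, not part of the original post: it uses the address ranges from the commands above, while the two host addresses in the demo and all function names are constructed for illustration.

```python
import ipaddress as ip

# Address plan copied from the az commands in this post.
AZURE = {"vnet": "192.168.0.0/16", "gateway_subnet": "192.168.255.0/27",
         "advertised": ["192.168.2.0/24", "192.168.0.0/23"]}  # LNG-$PREFIX-vnet
HQ = {"vnet": "172.16.0.0/16", "gateway_subnet": "172.16.255.0/27",
      "advertised": ["172.16.0.0/24"]}                        # LNG-HQ-Network


def check_site(site, remote_vnet):
    """Return a list of problems for one end of the tunnel (empty list = OK).

    site["advertised"] holds the prefixes that the other end's local network
    gateway routes towards this site.
    """
    net = ip.ip_network(site["vnet"])
    gw = ip.ip_network(site["gateway_subnet"])
    problems = []
    if net.overlaps(ip.ip_network(remote_vnet)):
        problems.append(f"{net} overlaps remote address space {remote_vnet}")
    if not gw.subnet_of(net):
        problems.append(f"GatewaySubnet {gw} lies outside {net}")
    if gw.prefixlen > 27:  # the post asks for at least a /27
        problems.append(f"GatewaySubnet {gw} is smaller than /27")
    for prefix in map(ip.ip_network, site["advertised"]):
        if not prefix.subnet_of(net):
            problems.append(f"advertised prefix {prefix} is not inside {net}")
    return problems


def routed_through_tunnel(address, site):
    """True if the far end's local network gateway covers this host address."""
    host = ip.ip_address(address)
    return any(host in ip.ip_network(p) for p in site["advertised"])


def exposed_fraction(site):
    """Share of the site's address space that is reachable over the tunnel."""
    total = ip.ip_network(site["vnet"]).num_addresses
    nets = ip.collapse_addresses(map(ip.ip_network, site["advertised"]))
    return sum(n.num_addresses for n in nets) / total


if __name__ == "__main__":
    for name, site, remote in (("Azure", AZURE, HQ), ("HQ", HQ, AZURE)):
        print(name, check_site(site, remote["vnet"]) or "OK",
              f"{exposed_fraction(site):.2%} of address space exposed")
    # 172.16.0.10 and 172.16.1.10 are constructed sample hosts.
    print(routed_through_tunnel("172.16.0.10", HQ))
    print(routed_through_tunnel("172.16.1.10", HQ))
```

Keeping the advertised prefixes as narrow as the workload allows, as the post does with single subnets rather than the whole /16, limits what each side can reach if the other side is compromised.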
Verify that the virtual networks have been successfully created.
az network vnet list \
--resource-group $RG \
--output table
az network vnet list \
--resource-group $RGHQ \
--output table
Verify the local network gateways have been successfully created.
az network local-gateway list \
--resource-group $RG \
--output table
az network local-gateway list \
--resource-group $RGHQ \
--output table
For a site-to-site VPN gateway connection:
Read the next post, How to Connect SAS Viya in Azure to On-Prem with VPN Gateways - Part 2, where you will learn how to:
Thank you for your time reading this post. If you liked the post, give it a thumbs up! Please comment and tell us what you think about access to on-premises datacentres using VPN gateways. If you wish to get more information, please write me an email.