In addition to building Virtual Networks on the Windows Azure cloud fabric for running Virtual Machines in the cloud, we can also securely extend those virtual networks to on-premise devices in a couple ways:

  • Cloud-to-Site IPsec VPN connectivity 
    Essentially, this is a Site-to-Site IPsec VPN tunnel between a Virtual Network defined on the Windows Azure cloud platform and an on-premise network in your data center.  Previously, my friend and colleague Bob Hunt stepped us through this configuration process in the following article on his blog:
     
  • Cloud-to-Client SSL VPN connectivity      
    In addition to the Site-to-Site VPN option represented above, Windows Azure Connect provides a Cloud-to-Client SSL VPN connectivity option.  This option provides additional flexibility, in that you can connect multiple virtual machines, potentially running in different virtual networks on Windows Azure, to multiple on-premise client or server endpoints, potentially located on different physical networks. 

In this article, I’ll step through the configuration of Windows Azure Connect to securely connect one or more cloud-based virtual machines to one or more on-premise client or server endpoints.

Lab Scenario

In this Step-by-Step Guide, we’ll work through the process for installing and configuring Windows Azure Connect on both a pre-existing Windows Azure Virtual Machine and an on-premise client or server to enable secure cloud-to-client connectivity.

[Image] Lab Scenario: Windows Azure Connect

If you have additional cloud-based virtual machines or on-premise clients/servers that you wish to join together using Azure Connect, you can simply perform the steps in this Step-by-Step Guide for each additional virtual machine, client or server to create a broader connectivity solution.

Prerequisites

The following is required to complete this step-by-step guide:

Let’s Get Started!

In this Step-by-Step Guide, you will complete the following exercises to configure secure cloud-to-client network connectivity between a cloud-based virtual machine and an on-premise client or server device using Windows Azure Connect:

  • Install and Configure Windows Azure Connect Clients
  • Configure Windows Azure Connect Groups
  • Test Secure Cloud-to-Client Connectivity

Estimate Completion Time: 30 minutes

Exercise 1: Install and Configure Windows Azure Connect Clients

In this exercise, you will install and configure the Windows Azure Connect client software on each cloud-based virtual machine and on-premise client/server endpoint.  The Windows Azure Connect client software is used to establish connectivity and route network traffic securely through the Windows Azure cloud to other configured endpoints.
 
NOTE: Complete the steps in this exercise at the console of each cloud-based virtual machine (i.e., XXXlabad01 in the Lab Scenario diagram above) and on each on-premise client and server endpoint that you wish to securely connect using Windows Azure Connect.

  1. Log in to the Windows Azure Portal for Windows Azure Connect with the same user credentials used when you activated the FREE 90-Day Trial subscription above.
     
  2. On the top Common Tasks toolbar of the portal, click the Connect button to open the Windows Azure Connect portal page.
     
    [Image] Windows Azure Common Tasks Toolbar
     
  3. On the Windows Azure Connect portal page, select the name of your Windows Azure subscription in the left navigation pane.
     
    [Image] Selecting Your Windows Azure Subscription Name
     
  4. After selecting your Windows Azure subscription, on the top Configure toolbar click the Install Local Endpoint button to open the Install Windows Azure Connect Endpoint Software dialog box.
     
    [Image] Install Windows Azure Connect Endpoint Software
     
    Click the Copy Link to Clipboard button to copy the software installation link to the clipboard.
     
  5. Open Internet Explorer, paste the software installation link copied to the clipboard into the browser address bar, and press the Enter key. When prompted by the browser, run the Windows Azure Connect setup program.
     
  6. When running the Windows Azure Connect installation program, accept all default values and step through the installation wizard screens to completion.
     
  7. If installing the Windows Azure Connect client software on a virtual or physical endpoint running the Windows Server 2012 or Windows 8 operating system, complete the following additional steps to configure the Windows Azure Connect client software with your Windows Azure subscription information:
     
    1. On the Windows Azure Connect page of the Windows Azure portal, click the Get Activation Token button to open the Get Activation Token for Windows Azure Roles dialog box.
       
      [Image] Get Activation Token for Windows Azure Roles
       
      Click the Copy Token to Clipboard button to copy the activation token code to the clipboard.
       
    2. Using the Registry Editor, create the following registry value and then paste the activation token copied to the clipboard into the value data field.
       
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Azure Connect\Endpoint\Client Activation Token ( REG_SZ )
       
    3. After configuring the registry value noted above, stop and restart the Windows Azure Connect Endpoint service by executing the following commands in a Command Prompt window:
       
      NET STOP WACE
       
      NET START WACE

       
  8. On the Windows Azure Connect portal page, click on the Activated Endpoints folder node located in the left navigation pane below your Windows Azure subscription name.
     
    [Image] Windows Azure Connect Activated Endpoints
     
    As you perform the steps in this exercise on each virtual and physical endpoint, the name of each endpoint should appear in the Activated Endpoints list shown above.
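For endpoints that need the manual activation in step 7 above, the registry edit and service restart can be scripted. This is an added example, not part of the original article or the Windows Azure Connect product; it assumes the endpoint software is already installed and that the key path and the WACE service name are exactly as the steps above state.

```powershell
# Added example (not from the original article): automates Exercise 1, step 7.
# Assumes the Windows Azure Connect endpoint software is already installed and
# that the key path and service name match the article. Run as Administrator.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows Azure Connect\Endpoint'
$valueName = 'Client Activation Token'
$svcName   = 'WACE'

# Prompt for the token instead of embedding it in the script: the activation
# token binds this machine to your subscription and should be handled like a credential.
$secure = Read-Host -Prompt 'Paste the activation token copied from the portal' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $token = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
if ([string]::IsNullOrWhiteSpace($token)) { throw 'No activation token supplied.' }

# Create the key if the installer did not, then write the REG_SZ value
# ('String' is the REG_SZ property type in New-ItemProperty).
if (-not (Test-Path -Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $valueName -Value $token `
                 -PropertyType String -Force | Out-Null

# Read the value back before touching the service, so a failed write is caught here.
$written = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($written -ne $token) { throw 'Activation token was not written to the registry as expected.' }

# Equivalent of NET STOP WACE followed by NET START WACE.
Restart-Service -Name $svcName -Force
Get-Service -Name $svcName | Select-Object -Property Name, Status
```

After the service reports Running, the endpoint should appear in the Activated Endpoints list within a few minutes.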

Exercise 2: Configure Windows Azure Connect Groups

In this exercise, you will create two Windows Azure Connect endpoint groups: one group for cloud-based virtual machines and one group for on-premise client and/or server endpoints.  After each group is created, you will associate each endpoint with the appropriate group and configure inter-group connectivity.

  1. Log in to the Windows Azure Portal for Windows Azure Connect with the same user credentials used when you activated the FREE 90-Day Trial subscription above.
     
  2. On the top Common Tasks toolbar of the portal, click the Connect button to open the Windows Azure Connect portal page.
       
    [Image] Windows Azure Common Tasks Toolbar
     
  3. Select the Windows Azure Relay Region to handle relay of Windows Azure Connect network traffic between endpoints.
     
    1. On the Windows Azure Connect portal page, select the name of your Windows Azure subscription in the left navigation pane.
       
      [Image] Select Windows Azure Subscription
       
    2. On the Windows Azure Connect portal page, click the Relay Region button located on the top Manage toolbar.
       
      [Image] Selecting a Windows Azure Connect Relay Region
       
    3. In the Relay Region drop-down box, select the closest region to your location and click the OK button. 
       
  4. On the Windows Azure Connect portal page, select the Groups and Roles folder node located under the name of your Windows Azure subscription in the left navigation pane.
     
    [Image] Windows Azure Connect Groups and Roles
     
  5. Create a new Windows Azure Connect Endpoint Group for cloud-based VMs.
     
    1. On the Windows Azure Connect portal page, click the Create Group button to open the Create a New Endpoint Group dialog box.
        
      [Image] Create a New Endpoint Group for Cloud-based VMs
       
    2. In the Group Name field, enter XXXlab_cloud.
       
    3. In the Connect from list box, click the Add button and add each of the endpoints that are cloud-based VMs.
       
    4. Click the Create button to create the new endpoint group.
       
  6. Create a new Windows Azure Connect Endpoint Group for on-premise clients and servers.
     
    1. On the Windows Azure Connect portal page, click the Create Group button to open the Create a New Endpoint Group dialog box.
       
      [Image] Create a New Endpoint Group for On-premise Endpoints
       
    2. In the Group Name field, enter XXXlab_onpremise.
       
    3. In the Connect from list box, click the Add button and add each of the endpoints that are on-premise clients or servers.
       
    4. In the Connect to list box, click the Add button and add the XXXlab_cloud endpoint group.
       
    5. Click the Create button to create the new endpoint group.

Exercise 3: Test Secure Cloud-to-Client Connectivity

In this exercise, you will test cloud-to-client secure connectivity via Windows Azure Connect by using the Windows Azure Connect client diagnostics, ping, and Remote Desktop tools.

  1. Verify connectivity from the console of each Windows Azure Connect endpoint.
     
    1. Right-click on the Windows Azure Connect system tray icon and select Refresh Policy from the pop-up menu.
       
      [Image] Refresh Windows Azure Connect Policy
       
      After performing the refresh, you should see a dialog box confirming network connectivity.
       
      [Image] Windows Azure Connect connectivity confirmation
       
      Click the OK button to continue.
       
    2. Right-click on the Windows Azure Connect system tray icon and select Diagnostics from the pop-up menu.
       
      [Image] Selecting Windows Azure Connect Diagnostics
       
      After a few moments, the following dialog box should be displayed confirming successful configuration of the Windows Azure Connect endpoint.
       
      [Image] Windows Azure Connect Diagnostics
       
      Click the Close button to continue.
       
  2. Verify connectivity via Windows Azure Connect between endpoints.
     
    1. Open a Command Prompt window from each endpoint and attempt to ping the remote endpoints by FQDN hostname.
       
      [Image] Ping remote endpoint via Windows Azure Connect
       
      If successful, the remote endpoint hostname should be resolved to an IPv6 address used for communication via Windows Azure Connect and network replies should be received.
       
    2. Open a Remote Desktop Connection to one of the cloud-based virtual machine endpoints to test routing of application traffic between endpoints via Windows Azure Connect.
       
      [Image] Testing Remote Desktop Connection to XXXlabad01.contoso.com
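The three checks in step 2 above (the name resolves to an IPv6 address, the address answers ping, and the RDP port accepts a TCP connection) can be run from one endpoint against every remote endpoint at once. This is an added example, not part of the original article; the hostnames in the list are constructed placeholders except XXXlabad01.contoso.com, which is the lab VM from the diagram, and it assumes Windows 8 / Windows Server 2012 era PowerShell (3.0 or later).

```powershell
# Added example (not from the original article): scripts the checks in Exercise 3, step 2.
# Replace the constructed hostnames with the FQDNs shown in your Activated Endpoints list.
$remoteEndpoints = @('XXXlabad01.contoso.com', 'onprem01.contoso.com')
$rdpPort = 3389

function Test-AzureConnectEndpoint {
    param([string]$HostName)
    $result = [ordered]@{ Host = $HostName; IPv6 = $null; Ping = $false; Rdp = $false }

    # Use the system resolver (not a direct DNS query) so the name resolution
    # that the Windows Azure Connect client provides is honoured.
    $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
    $v6 = $addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' } | Select-Object -First 1
    if (-not $v6) { return [pscustomobject]$result }   # no IPv6 address: no Azure Connect path
    $result.IPv6 = $v6.IPAddressToString

    # Same check as the article's ping test, two echo requests, boolean result.
    $result.Ping = Test-Connection -ComputerName $v6.IPAddressToString -Count 2 -Quiet

    # Confirm the RDP port completes a TCP handshake over the tunnel, with a
    # 5 second timeout, without opening an interactive session.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($v6, $rdpPort, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(5000)) {
            $client.EndConnect($async)
            $result.Rdp = $client.Connected
        }
    } catch { $result.Rdp = $false }
    finally { $client.Close() }
    return [pscustomobject]$result
}

$remoteEndpoints | ForEach-Object { Test-AzureConnectEndpoint -HostName $_ } | Format-Table -AutoSize
```

A row showing an IPv6 address with Ping and Rdp both True matches what the manual ping and Remote Desktop tests above demonstrate; a blank IPv6 column means the name did not resolve through Windows Azure Connect, so revisit the group membership in Exercise 2.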

Success! You’ve completed the configuration of Windows Azure Connect to permit secure Cloud-to-Client connectivity.

What’s Next? Keep Learning!

The configuration of a new Windows Azure Connect cloud-to-client secure connectivity solution is now complete.  To continue your learning about Windows Server 2012 and Windows Azure, be sure to explore these other great resources:

  • Join the Windows Server 2012 “Early Experts” Challenge study group to learn more about Windows Server 2012 and prepare for MCSA Certification!
  • Learn more about Windows Azure Virtual Machines and Virtual Networks with this FREE Online Training!
  • Complete the other Hands-On Labs in the "Early Experts" Cloud Quest to request your certificate of completion ... Become our next "Early Expert"!

How are you using Windows Azure Virtual Machines and Virtual Networks?

Do you have an interesting or unique scenario that you are evaluating on the Windows Azure cloud platform?  Feel free to leave your comments, feedback and ideas below to share across our IT Pro community!