Establish VPN Connect Between Azure Vnet and Local RRAS

OK, pardon my ugly diagram. It is the structure I used for this lab. The main focus on this lab is the RRAS. As I understand, RRAS is like a software router so I can use it to establish VPN connection with Azure Vnet in my case.

As usual, I won’t go through all details but only record down the parts that I learn this time. Without further ado, let’s get started.

  1. Prepare AWS VPC and Azure Vnet
  2. Setup Windows RRAS
  3. Setup Azure VPN (Virtual Network Gateway & Local Network Gateway)
  4. Configure RRAS
  5. configure AWS client route table to RRAS and NSG settings
  6. Prepare client for AWS and Azure
  7. Test and verify connection

I will focus on step 2 and 4 for this post.

Setup RRAS in Windows 2019

Follow the images to setup

Tick Remote Access

OK, at this moment, RRAS is done installed, let’s configure it now.

For my lab, I will setup S2S VPN between two locations, so I chose as the image below.

That’s a lot of images! At this moment RRAS is up and running. Let’s configure the static route so that clients can ping each other

Input your destination network CIDR. For my case, which is the Azure Vnet

Let’s configure some VPN settings

Input the pre-shared key entered when creating connection under Local Network Gateway

Once done, verify if VPN connection is working

RRAS has established VPN connection with Azure Vnet

And that’s it! Let’s verify the result now! is the client on Azure, is the client on AWS.

From AWS ping Azure

From Azure ping AWS

I know I omit a lot of detail steps in this post so I am going to list some points that needs to pay attention to

  1. RRAS FW needs to allow Azure V.N.G public IP
  2. RRAS FW needs to allow internal IP so that AWS client can ping Azure client through RRAS
  3. RRAS FW needs to allow Azure client private so it can ping AWS client
  1. RRAS OS FW is turned off
  2. AWS client (Windows) OS FW is turned off
  3. Configure forced AWS client subnet route to RRAS interface
  4. Make sure AWS network CIDR ( is configured inside Local network gateway -> Configuration -> Address space
  5. Make sure Azure network CIDR ( is configured inside RRAS IPv4 Static route

That’s about it, hope all you guys have done it successfully!

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.