This topic is part of a series about how to deploy a Windows Server 2016 RDS farm in Microsoft Azure. In this topic, we will see how to deploy the Microsoft Azure network resources and the storage account, and how to prepare a Windows image. You can find the other topics of the series in the following menu:
- Deploy a Windows Server 2016 RDS Farm in Microsoft Azure
- Create Microsoft Azure networks, storage and Windows image
- Deploy the Microsoft Azure Virtual Machines
- Configure Domain Controllers
- Deploy the RDS farm
- Configure File Servers for User Profile Disk (UPD)
- RDS final configuration
GitHub
I have published the complete JSON template on my GitHub. You can copy it and make your modifications as you wish.
JSON template explanation
The JSON template consists of parameters, variables and resources. Parameters and variables are easy to understand, but resources are a little more complicated. The resource below is a virtual network that takes its settings from parameters and variables. The JSON code below creates a virtual network with four subnets (Internal, DMZ, Cluster and Gateway).
{
  "apiVersion": "[variables('API-Version')]",
  "location": "[variables('ResourcesLocation')]",
  "name": "[parameters('vNETName')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "[parameters('vNETPrefix')]"
      ]
    },
    "subnets": [
      {
        "name": "[parameters('vNETSubIntName')]",
        "properties": {
          "addressPrefix": "[parameters('vNETSubIntPrefix')]"
        }
      },
      {
        "name": "[parameters('vNETSubExtName')]",
        "properties": {
          "addressPrefix": "[parameters('vNETSubExtPrefix')]"
        }
      },
      {
        "name": "[parameters('vNETSubCluName')]",
        "properties": {
          "addressPrefix": "[parameters('vNETSubCluPrefix')]"
        }
      },
      {
        "name": "[Parameters('vNETSubGtwName')]",
        "properties": {
          "addressPrefix": "[Parameters('vNETSubGtwPrefix')]"
        }
      }
    ]
  },
  "tags": {
    "displayName": "Virtual Network"
  },
  "type": "Microsoft.Network/virtualNetworks"
},
The following code block creates a Public IP address for the Azure Gateway.
{
  "apiVersion": "[variables('API-Version')]",
  "location": "[variables('ResourcesLocation')]",
  "name": "[parameters('S2SPIPName')]",
  "properties": {
    "publicIPAllocationMethod": "Dynamic"
  },
  "tags": {
    "displayName": "Public IP Address"
  },
  "type": "Microsoft.Network/publicIPAddresses"
}
The following JSON code deploys the local gateway. The S2SGtwOnPremPIP specifies the public IP address of the On-Prem Gateway. The S2SLocalIPSubnet specifies the On-Prem routed IP subnets.
{
  "apiVersion": "[variables('API-version')]",
  "location": "[variables('ResourcesLocation')]",
  "name": "[parameters('S2SGtwOnPremName')]",
  "properties": {
    "localNetworkAddressSpace": {
      "addressPrefixes": [
        "[parameters('S2SLocalIPSubnet')]"
      ]
    },
    "gatewayIpAddress": "[parameters('S2SGtwOnPremPIP')]"
  },
  "tags": {
    "displayName": "Local Gateway"
  },
  "type": "Microsoft.Network/localNetworkGateways"
}
The following JSON code deploys the Microsoft Azure Gateway by taking the previously created Public IP address. The Microsoft Azure Gateway is located in the gateway subnet.
{
  "apiVersion": "[variables('API-version')]",
  "dependsOn": [
    "[concat('Microsoft.Network/publicIPAddresses/', parameters('S2SPIPName'))]",
    "[concat('Microsoft.Network/virtualNetworks/', parameters('vNETName'))]"
  ],
  "location": "[Variables('Resourceslocation')]",
  "name": "[parameters('S2SGtwAzureName')]",
  "properties": {
    "enableBgp": false,
    "gatewayType": "Vpn",
    "ipConfigurations": [
      {
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('S2SPIPName'))]"
          },
          "subnet": {
            "id": "[variables('vNETSubGtwRef')]"
          }
        },
        "name": "vnetGatewayConfig"
      }
    ],
    "vpnType": "[parameters('S2SGtwVPNType')]"
  },
  "tags": {
    "displayName": "Azure Gateway"
  },
  "type": "Microsoft.Network/virtualNetworkGateways"
}
To finish, the following code block creates a storage account. This storage account will be used for VM diagnostic logs.
{
  "name": "[parameters('StoAcctLogName')]",
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2016-05-01",
  "tags": {
    "displayName": "Log Storage Account"
  },
  "sku": {
    "name": "[parameters('StoAcctLogType')]"
  },
  "kind": "Storage",
  "location": "[variables('ResourcesLocation')]"
}
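The resources above only deploy if every `parameters('...')` and `variables('...')` they reference is declared in the template. The following pre-deployment check is an added example, not part of the author's template; the sample template is constructed from the virtual network resource above, and the function names are hypothetical.

```python
import json
import re

# Constructed sample, modelled on the virtual network resource above.
# 'vNETSubGtwName' is deliberately left undeclared.
SAMPLE_TEMPLATE = json.loads("""
{
  "parameters": {"vNETName": {"type": "string"}, "vNETPrefix": {"type": "string"}},
  "variables": {"API-Version": "<api-version>", "ResourcesLocation": "[resourceGroup().location]"},
  "resources": [{
    "apiVersion": "[variables('API-version')]",
    "location": "[variables('ResourcesLocation')]",
    "name": "[parameters('vNETName')]",
    "type": "Microsoft.Network/virtualNetworks",
    "properties": {
      "addressSpace": {"addressPrefixes": ["[parameters('vNETPrefix')]"]},
      "subnets": [{"name": "[Parameters('vNETSubGtwName')]"}]
    }
  }]
}
""")

# ARM resolves function names and parameter/variable names case-insensitively.
REF = re.compile(r"\b(parameters|variables)\(\s*'([^']+)'\s*\)", re.IGNORECASE)

def iter_strings(node):
    """Yield every string value anywhere inside a parsed JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)

def undefined_references(template):
    """Return sorted (kind, name) pairs that are referenced but never declared."""
    declared = {kind: {name.lower() for name in template.get(kind, {})}
                for kind in ("parameters", "variables")}
    missing = set()
    for section in ("variables", "resources", "outputs"):
        for text in iter_strings(template.get(section, {})):
            # Only "[...]" strings are expressions; "[[" escapes a literal bracket.
            if not text.startswith("[") or text.startswith("[["):
                continue
            for kind, name in REF.findall(text):
                if name.lower() not in declared[kind.lower()]:
                    missing.add((kind.lower(), name))
    return sorted(missing)
```

Running `undefined_references` on the parsed template file before importing it lists any reference that would otherwise fail at deployment time.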
Import the template
To import the template, connect to Microsoft Azure and search for Template Deployment. Copy and paste the template. You should have something as below:
Then change the parameters as you wish and click on Purchase (don’t worry, it’s free :p).
Once the template is deployed, you should have 5 resources as below. So the virtual network, the gateways and storage account are created.
You can review the virtual network configuration as the following screenshot:
The public IP is also created:
Create the VPN connection
Now I create the VPN connection between On-Prem and Microsoft Azure. Select the On-Prem gateway and click on Configuration. Please check that the local gateway IP address is correct.
Then select Connections, and create a new connection. Provide a name, select Site-to-Site and specify the virtual network gateway and the local network gateway. To finish, provide a shared key.
Now, you have to configure your local gateway. I have a Ubiquiti gateway and I have set it with the following command lines:
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group esp-azure compression disable
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec esp-group esp-azure mode tunnel
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure ikev2-reauth no
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface pppoe0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer <Azure Gateway Public IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <Azure Gateway Public IP> authentication pre-shared-secret <Shared Key>
set vpn ipsec site-to-site peer <Azure Gateway Public IP> connection-type initiate
set vpn ipsec site-to-site peer <Azure Gateway Public IP> default-esp-group esp-azure
set vpn ipsec site-to-site peer <Azure Gateway Public IP> ike-group ike-azure
set vpn ipsec site-to-site peer <Azure Gateway Public IP> ikev2-reauth inherit
set vpn ipsec site-to-site peer <Azure Gateway Public IP> local-address any
set vpn ipsec site-to-site peer <Azure Gateway Public IP> tunnel 100 allow-nat-networks disable
set vpn ipsec site-to-site peer <Azure Gateway Public IP> tunnel 100 allow-public-networks disable
set vpn ipsec site-to-site peer <Azure Gateway Public IP> tunnel 100 esp-group esp-azure
set vpn ipsec site-to-site peer <Azure Gateway Public IP> tunnel 100 local prefix 10.10.0.0/16
set vpn ipsec site-to-site peer <Azure Gateway Public IP> tunnel 100 protocol all
set vpn ipsec site-to-site peer <Azure Gateway Public IP> tunnel 100 remote prefix 10.11.0.0/16
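The IKE and ESP groups above use SHA-1, Diffie-Hellman group 2 (1024-bit MODP) and no perfect forward secrecy, which a configuration review would normally flag. The following audit of `set vpn ipsec` lines is an added example, not the author's code; the list of values treated as weak is an assumed review policy and the sample is a constructed subset of the commands above.

```python
import re

# Constructed sample: a subset of the `set vpn ipsec` lines from the post.
SAMPLE_CONFIG = """\
set vpn ipsec esp-group esp-azure lifetime 3600
set vpn ipsec esp-group esp-azure pfs disable
set vpn ipsec esp-group esp-azure proposal 1 encryption aes256
set vpn ipsec esp-group esp-azure proposal 1 hash sha1
set vpn ipsec ike-group ike-azure key-exchange ikev2
set vpn ipsec ike-group ike-azure lifetime 28800
set vpn ipsec ike-group ike-azure proposal 1 dh-group 2
set vpn ipsec ike-group ike-azure proposal 1 encryption aes256
set vpn ipsec ike-group ike-azure proposal 1 hash sha1
"""

# Assumed review policy (not from the post): values treated as weak.
WEAK_DH_GROUPS = {"1", "2", "5"}   # MODP groups of 1536 bits or less
WEAK_HASHES = {"md5", "sha1"}
WEAK_CIPHERS = {"des", "3des"}

LINE = re.compile(r"^set vpn ipsec (ike-group|esp-group) (\S+) (.+)$")

def audit_ipsec(config_text):
    """Return sorted (group, setting, value) findings for weak parameters."""
    findings = set()
    for raw in config_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # peer, interface and global lines are not audited here
        kind, name, rest = match.groups()
        tokens = rest.split()
        # Proposal lines look like: proposal <n> <setting> <value>
        if tokens[0] == "proposal" and len(tokens) == 4:
            setting, value = tokens[2], tokens[3]
        elif len(tokens) == 2:
            setting, value = tokens
        else:
            continue
        weak = (
            (setting == "dh-group" and value in WEAK_DH_GROUPS)
            or (setting == "hash" and value in WEAK_HASHES)
            or (setting == "encryption" and value in WEAK_CIPHERS)
            or (kind == "esp-group" and setting == "pfs" and value == "disable")
            or (setting == "key-exchange" and value == "ikev1")
        )
        if weak:
            findings.add((f"{kind} {name}", setting, value))
    return sorted(findings)
```

Any value changed in response to a finding has to match what the Azure side of the connection accepts, otherwise the tunnel will not negotiate.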
Once the VPN is connected, you should have a Succeeded status as below:
Create the Windows Server 2016 image
To create the Windows Server 2016 image, first I deploy a new Azure VM. I call it zTemplate.
Then I choose a VM size.
I choose to use managed disks and I connect the VM in the Internal subnet. I don’t need a Network Security Group for this VM. I enable the boot diagnostics and I choose the previously created storage account to store logs.
Once the Azure VM is started, I customize the operating system and I apply updates. Then I run sysprep as below:
Once the VM is stopped, I click on Capture:
Then I specify an image name and the resource group. I also choose to automatically delete the VM after creating the image.
At the end of this topic, I have the following resources in the resource group:
Next topic
In the next topic, we will deploy all Azure VMs for the Remote Desktop farm. The VMs will be deployed from the Windows Image and from a JSON template.
Hi Roman – thanks for the post – very informative. You did not specifically mention, but I assume that the image creation mentioned on this page – is for the session host? I.e. you install all user applications etc. and then sysprep/capture?
Hi,
No this is just an image of Windows Server with updates. Applications should be installed later.
Hello Roman, I’m trying to implement the template you provided but it appears that the API version is invalid. How come?
Hello,
In the JSON file, you have a variable called APIVersion. You have to update it to the current API version. You can get this information here: https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-profiles-azure-resource-manager-versions
Romain.