With Azure Stack TP3 released I wanted it to be available on the Corp network / internet. I wrote about how to kill the BGPNAT VM after deployment and use BGP peering directly with your TOR switches from the SLB VMs, but that seemed too hard to accomplish for too many people in their current network. So in this blog post I am going to put the BGPNAT VM in route mode after the installation of Azure Stack is finished. Instead of using outbound NAT and inbound NAT rules, we need to plan the networks used in Azure Stack so that they are routed by the BGPNAT VM to the Corp network. Let's get started…
You might have noticed they did a good clean-up job in the TP3 build. What they have actually done is wrap most files in dedicated NuGet packages (.nupkg). So when I was looking for the OneNodeCustomerConfigTemplate.xml file I had to extract it from one of the NuGet packages. From C:\CloudDeployment\NuGetStore copy Microsoft.AzureStack.Solution.Deploy.CloudDeployment.1.0.381.0.nupkg to the desktop and rename the file extension to .zip. When you open the zip file and look in the content folder you might start recognizing some folders from the TP2 deployment:
In the Configuration folder copy out the OneNodeCustomerConfigTemplate.xml and edit the networks:
If you do want to use your own switch for BGP peering with the SLB (like we did for TP2 public internet), also update the MuxASn and MuxPeerAsn to match your environment.
When finished copy back the XML file in the original location in the zip file.
Now go to Microsoft.AzureStack.Solution.Deploy.CloudDeployment.1.0.381.0.zip\content\Configuration\Roles\Fabric\VirtualMachines, open onenoderole.xml, search for 192.168.200 and replace it with [VMDC1-IpAddress]/[PrefixLength].
If you want to change the domain name Azure Stack is deployed in, copy out from Setup folder the DeploySingleNode.ps1 and edit the domain values:
When finished copy back the PS1 file in the original location in the zip file.
Now rename the zip back to .nupkg, copy it back to the NuGetStore folder, and keep a copy off the server for future deployments.
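The package edits above can be scripted instead of done through Explorer. The script below is an added example, not part of the original post or of Azure Stack: it opens the nupkg in place as a zip archive, rewrites only the three entries the post touches, and leaves every other entry byte-identical (so the package keeps its NuGet metadata). The Edit-ZipEntry and Edit-InNotepad helpers are this example's own; the entry paths and the 192.168.200.x/prefix pattern are assumptions based on the folder names in the post, so check the printed match count before deploying.

```powershell
# Added example (not from the original post): edit the TP3 deployment nupkg in place.
# Assumed: TP3 paths from the post; entry paths under content/ and the address
# pattern in onenoderole.xml are assumptions, adjust them if your package differs.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$store   = 'C:\CloudDeployment\NuGetStore'
$pkgName = 'Microsoft.AzureStack.Solution.Deploy.CloudDeployment.1.0.381.0'
$pkgPath = Join-Path $store "$pkgName.nupkg"
$backup  = Join-Path $env:USERPROFILE "Desktop\$pkgName.nupkg.orig"

# Keep the untouched package before changing anything.
Copy-Item $pkgPath $backup -Force

function Edit-ZipEntry {
    # Rewrites one entry of an open archive; $Transform gets the entry text and returns the new text.
    param([System.IO.Compression.ZipArchive]$Archive, [string]$EntryPath, [scriptblock]$Transform)
    $entry = $Archive.Entries | Where-Object { ($_.FullName -replace '\\', '/') -eq $EntryPath }
    if (-not $entry) { throw "Entry not found in package: $EntryPath" }
    $reader = New-Object System.IO.StreamReader($entry.Open())
    $text = $reader.ReadToEnd(); $encoding = $reader.CurrentEncoding; $reader.Dispose()
    $newText = & $Transform $text
    $stream = $entry.Open(); $stream.SetLength(0)
    $writer = New-Object System.IO.StreamWriter($stream, $encoding)
    $writer.Write($newText); $writer.Dispose()
}

function Edit-InNotepad {
    # For the edits the post makes by hand: hand the text to Notepad, read it back when closed.
    param([string]$Text, [string]$Name)
    $tmp = Join-Path $env:TEMP $Name
    Set-Content -Path $tmp -Value $Text -NoNewline -Encoding UTF8
    Start-Process notepad.exe -ArgumentList $tmp -Wait
    $edited = Get-Content -Path $tmp -Raw
    Remove-Item $tmp
    return $edited
}

$archive = [System.IO.Compression.ZipFile]::Open($pkgPath, [System.IO.Compression.ZipArchiveMode]::Update)
try {
    # 1. Network definitions (and MuxASn / MuxPeerAsn if you peer with your own switch).
    Edit-ZipEntry $archive 'content/Configuration/OneNodeCustomerConfigTemplate.xml' {
        param($t) Edit-InNotepad -Text $t -Name 'OneNodeCustomerConfigTemplate.xml'
    }

    # 2. DC role: swap the hard-coded 192.168.200 address for the template placeholder.
    Edit-ZipEntry $archive 'content/Configuration/Roles/Fabric/VirtualMachines/onenoderole.xml' {
        param($t)
        $pattern = '192\.168\.200\.\d+(/\d+)?'   # assumed storage form: 192.168.200.x/prefix
        $hits = [regex]::Matches($t, $pattern)
        Write-Host "onenoderole.xml: replacing $($hits.Count) occurrence(s) of 192.168.200.*"
        $t -replace $pattern, '[VMDC1-IpAddress]/[PrefixLength]'
    }

    # 3. Optional: the domain name the deployment uses.
    Edit-ZipEntry $archive 'content/Setup/DeploySingleNode.ps1' {
        param($t) Edit-InNotepad -Text $t -Name 'DeploySingleNode.ps1'
    }
}
finally {
    $archive.Dispose()   # Dispose flushes the modified entries back into the nupkg
}

# Keep the edited package off the server as well, for future deployments.
Copy-Item $pkgPath (Join-Path $env:USERPROFILE "Desktop\$pkgName.nupkg") -Force
```

Opening the archive in Update mode rather than expanding and re-compressing it matters here: Compress-Archive rebuilds entry names and can drop the [Content_Types].xml ordering NuGet expects, whereas rewriting entries in place keeps the package structure exactly as Microsoft shipped it.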
Run your normal deployment
When the installation is finished we need to configure the BGPNAT VM in routing mode. Use this script on the Hyper-V host to accomplish that:
# Open a CIM session to the BGPNAT VM; all Net* cmdlets below run against it.
$cimSession = New-CimSession -ComputerName MAS-BGPNAT01
# The NAT external address is the IP we keep on the interface after NAT is removed.
$ipNATAddress = Get-NetNatExternalAddress -CimSession $cimSession
$ipConfig = Get-NetIPAddress -IPAddress $ipNATAddress.IPAddress -CimSession $cimSession
$interfaceIndex = $ipConfig.InterfaceIndex
$prefixLength = $ipConfig.PrefixLength
# Default gateway is read from the VM's own routing table (the -CimSession belongs inside the parentheses).
$defaultGw = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 -CimSession $cimSession).NextHop
# Remove the NAT instance so traffic is routed instead of translated.
Get-NetNat -CimSession $cimSession | Remove-NetNat -CimSession $cimSession
# Re-add the address with the default gateway so the VM keeps its path to the Corp network.
New-NetIPAddress -IPAddress $ipNATAddress.IPAddress -AddressFamily IPv4 -Type Unicast -PrefixLength $prefixLength -InterfaceIndex $interfaceIndex -DefaultGateway $defaultGw -CimSession $cimSession
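Before handing the environment to users it is worth checking that the conversion actually left the BGPNAT VM in a routing state. The script below is an added example, not from the original post: steps 1 to 3 run on the Hyper-V host against MAS-BGPNAT01, step 4 runs from a machine on the Corp side once the switch routes exist. The VM name and the addresses 10.1.52.33 (BGPNAT on the Corp side) and 10.1.54.224 (MAS-DC01) are taken from the post's own numbers and are assumptions for your deployment.

```powershell
# Added example (not from the original post): post-conversion checks for the BGPNAT VM.
# Assumed values: VM name MAS-BGPNAT01, 10.1.52.33 as the BGPNAT corp-side address and
# 10.1.54.224 for MAS-DC01; substitute your own numbers.
$cimSession    = New-CimSession -ComputerName MAS-BGPNAT01
$bgpNatAddress = '10.1.52.33'
$dcAddress     = '10.1.54.224'

# 1. The NAT instance must be gone, otherwise tenant traffic is still being translated.
$nat = Get-NetNat -CimSession $cimSession
if ($nat) { Write-Warning ('NAT still present: ' + ($nat.Name -join ', ')) }
else      { Write-Host 'OK: no NetNat instance on MAS-BGPNAT01' }

# 2. The corp-side address is still bound and a default route exists through it.
$ip = Get-NetIPAddress -AddressFamily IPv4 -CimSession $cimSession |
      Where-Object { $_.IPAddress -eq $bgpNatAddress }
if (-not $ip) { Write-Warning "$bgpNatAddress is not configured on any interface" }
$defaultRoute = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -CimSession $cimSession
if ($defaultRoute) { Write-Host "OK: default route via $($defaultRoute.NextHop -join ', ')" }
else               { Write-Warning 'No default route on MAS-BGPNAT01' }

# 3. Windows only forwards packets between interfaces when forwarding is enabled on them;
#    this makes the per-interface state visible so a disabled interface is caught early.
Get-NetIPInterface -AddressFamily IPv4 -CimSession $cimSession |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
    Select-Object InterfaceAlias, Forwarding, ConnectionState | Format-Table -AutoSize

Remove-CimSession $cimSession

# 4. From a corp-side machine, after the static routes on the switch are in place:
#    the path to MAS-DC01 should transit the BGPNAT VM and DNS should answer on TCP 53.
$trace = Test-NetConnection -ComputerName $dcAddress -TraceRoute
if ($trace.TraceRoute -contains $bgpNatAddress) { Write-Host "OK: path to $dcAddress goes via $bgpNatAddress" }
else { Write-Warning "Path to $dcAddress does not pass $bgpNatAddress; check the switch routes" }
$dns = Test-NetConnection -ComputerName $dcAddress -Port 53
Write-Host ('DNS on {0}: TCP 53 {1}' -f $dcAddress, $(if ($dns.TcpTestSucceeded) { 'open' } else { 'closed' }))
```

One consequence of this change to keep in mind: with NAT gone, every Azure Stack network you route on the switch is directly reachable from the Corp network, so the static routes on the switch and whatever filtering the switch or the BGPNAT VM's firewall applies are now the only boundary between Corp clients and the fabric VMs.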
Now add static routes on the router in your network for the networks you defined in the XML file, forwarding them to the BGPNAT VM. In my case, on an HP 5900 switch:
ip route-static 10.1.50.0 24 10.1.52.33
ip route-static 10.1.54.0 24 10.1.52.33
ip route-static 10.1.56.0 24 10.1.52.33
To simplify name resolution from your Corp network, add a forwarder on your Corp DNS servers for your configured external Azure Stack domain, pointing to MAS-DC01, whose IP ends in .224 (10.1.54.224 in my deployment).
Now you need to give the RootCA to your users who want to consume Azure Stack resources and you are good to go! You can get the RootCA certificate from the \\MAS-CA01\c$\Windows\System32\CertSrv\CertEnroll folder.
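The last two steps, the DNS forwarder and the root CA, can be done from PowerShell as well. The script below is an added example, not from the original post: step 1 runs on a Corp DNS server, step 2 on a client that will consume Azure Stack. The zone name is a placeholder because the post does not give the domain, the record name mas-dc01 under that zone is an assumption, and the expected thumbprint is a placeholder you fill in with the value read on MAS-CA01 itself.

```powershell
# Added example (not from the original post): corp-side DNS forwarder and root CA trust.
# Assumed: the external Azure Stack domain is a placeholder (the post does not name it),
# MAS-DC01 at 10.1.54.224 and the CertEnroll share path from the post.
$azureStackZone = 'azurestack.example'          # replace with your configured external domain
$masDc01        = '10.1.54.224'
$certEnroll     = '\\MAS-CA01\c$\Windows\System32\CertSrv\CertEnroll'

# 1. On a Corp DNS server: forward only the Azure Stack zone to MAS-DC01.
if (-not (Get-DnsServerZone -Name $azureStackZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $azureStackZone -MasterServers $masDc01
}
# Verify the forwarder resolves the DC's own record through the new path (record name assumed).
Resolve-DnsName -Name "mas-dc01.$azureStackZone" -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress

# 2. On a client: import the root CA, but only after confirming its thumbprint.
$crt = Get-ChildItem -Path $certEnroll -Filter '*.crt' | Select-Object -First 1
if (-not $crt) { throw "No .crt file found in $certEnroll" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($crt.FullName)
Write-Host ("Root CA: {0}`nThumbprint: {1}`nValid until: {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Placeholder: record the thumbprint on MAS-CA01 itself and paste it here, so a file
# swapped on the share cannot end up in every client's trusted root store.
$expectedThumbprint = 'PASTE-THUMBPRINT-FROM-MAS-CA01'
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw 'Thumbprint does not match the value recorded on MAS-CA01; not importing.'
}
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
    Import-Certificate -FilePath $crt.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host 'Root CA imported into LocalMachine\Root'
}
```

For more than a handful of users, the same certificate is better pushed through Group Policy (Computer Configuration, Public Key Policies, Trusted Root Certification Authorities) than copied by each user from the c$ share, and the thumbprint check above is what lets you confirm you are distributing the certificate MAS-CA01 actually issued.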
Have fun with Azure Stack in your Corp network / Internet