Read this guide to learn how to connect an on-premises Windows Admin Center to an Azure vNET and manage VMs in the Azure vNET with WAC.
Overview and Introduction
Windows Admin Center has a feature that allows you to create an Azure Virtual Network. The process effectively creates a point-to-site VPN connection from the WAC server to an Azure virtual network (vNET).
This hands-on guide walks you through the steps to complete all the tasks required to connect your on-prem WAC to an Azure vNET.
Although the first task – Provisioning an Azure VM – starts with creating a resource group, you can skip these sub-tasks if you already have an Azure resource group and a vNET.
Similarly, creating a VM is optional if you have existing VMs in the Azure virtual network. Before skipping Task 1, you must add a subnet called GatewaySubnet – see Task 1.2 for details.
Task 1: Provisioning an Azure VM
In this section, you will provision a new Azure Virtual Machine managed by an on-prem Windows Admin Center. However, before creating the VM, you will deploy an Azure Virtual Network for the VM to use.
When creating the virtual network, the address spaces specified MUST not overlap with any of the address spaces on your on-premises network.
Meanwhile, to create the connectivity to the Azure VM from the on-prem WAC, the virtual network requires a subnet named GatewaySubnet. The gateway subnet must be named GatewaySubnet for Azure to create the required gateway resources.
Also equally important, the GatewaySubnet subnet must be within the address space of the Azure Virtual Network.
So, we will add a GatewaySubnet subnet while creating the virtual network. Finally, we will create an Azure VM and attach it to the virtual network.
Before we create any of the resources mentioned above, we require an Azure Resource Group to which they all will belong.
Task 1.1: Create an Azure Resource Group
- Sign in to portal.azure.com and open the Azure Cloud Shell PowerShell.
- Finally, run the commands below to create an Azure Resource Group called IPM-WAC-RG in the “UK West” Azure region.
Change ‘ukwest’ to the Azure region in which you want to create the RG. To get a list of all Azure regions, run the Get-AzLocation command.
#1. Get your Azure region - change uk to a name in the region you require
Get-AzLocation | Where-Object {$_.DisplayName -like "*uk*"}
#2. Set location and RG name variables
$RGlocation = 'uksouth'
$RGName = "IPM-WAC-RG-1"
#3. Create the Resource Group
New-AzResourceGroup -Location $RGlocation -Name $RGName
To confirm that the RG was created, run this command:
Get-AzResourceGroup -Name $RGName
Task 1.2: Create a Virtual Network with a Virtual Network Gateway Subnet
In my home lab network, I have the 192.168.0.0/24 and 172.16.0.0/24 networks. So, my Azure Virtual network address spaces must be outside these two.
One option is to create a vNET with the 172.17.0.0/22 (172.17.0.0/255.255.252.0) network. This will give me 1,024 addresses.
While creating the virtual network, I’ll add a default subnet called subnet0 with a starting address of 172.17.0.0, on /24 (256 addresses), a range of 172.17.0.0 – 172.17.0.255.
Similarly, I will add a Virtual Network Gateway subnet. When you set the purpose of the subnet to Virtual Network Gateway in the portal, Azure names the subnet GatewaySubnet. You could also do this with PowerShell.
The GatewaySubnet subnet will have a starting address of 172.17.1.0, a size of /27 (32 IP addresses), and a range of 172.17.1.0 – 172.17.1.31.
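Because an overlapping address space is the most common reason a point-to-site connection fails to route, the following script checks the address plan before any resource is created. It is an added example, not part of the original guide: it takes the two on-premises networks, the vNET address space, the two subnets, and the P2S client address pool used later in Task 2.4 (all values from this guide), and reports any overlap or any subnet that falls outside the vNET. The function names are my own.

```powershell
# Added example (not from the original guide): validate the address plan for
# the WAC point-to-site lab. Values are the ones used in this guide.

function ConvertTo-Int64Address {
    # Convert a dotted IPv4 address to a 64-bit integer (avoids uint32 casts)
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + $b }
    return $n
}

function Get-CidrRange {
    # Return the first and last address of a CIDR block as integers
    param([string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    [int]$len = $len
    [int64]$size  = [math]::Pow(2, 32 - $len)
    [int64]$start = (ConvertTo-Int64Address $ip) -band (-bnot ($size - 1))
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    param([string]$A, [string]$B)
    $ra = Get-CidrRange $A
    $rb = Get-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Test-CidrContains {
    param([string]$Outer, [string]$Inner)
    $ro = Get-CidrRange $Outer
    $ri = Get-CidrRange $Inner
    return ($ro.Start -le $ri.Start) -and ($ri.End -le $ro.End)
}

function Test-AddressPlan {
    # Returns a list of problems; an empty list means the plan is consistent
    param([string[]]$OnPrem, [string]$VNet, [string[]]$Subnets, [string]$ClientPool)
    $problems = @()
    foreach ($azureRange in @($VNet, $ClientPool)) {
        foreach ($local in $OnPrem) {
            if (Test-CidrOverlap $azureRange $local) { $problems += "$azureRange overlaps on-prem $local" }
        }
    }
    if (Test-CidrOverlap $VNet $ClientPool) { $problems += "client pool $ClientPool overlaps vNET $VNet" }
    foreach ($s in $Subnets) {
        if (-not (Test-CidrContains $VNet $s)) { $problems += "subnet $s is outside vNET $VNet" }
    }
    for ($i = 0; $i -lt $Subnets.Count; $i++) {
        for ($j = $i + 1; $j -lt $Subnets.Count; $j++) {
            if (Test-CidrOverlap $Subnets[$i] $Subnets[$j]) { $problems += "subnets $($Subnets[$i]) and $($Subnets[$j]) overlap" }
        }
    }
    return $problems
}

# Values from this guide: home lab networks, vNET, subnet0, GatewaySubnet,
# and the P2S client address pool chosen in Task 2.4
$result = Test-AddressPlan -OnPrem @('192.168.0.0/24', '172.16.0.0/24') `
                           -VNet '172.17.0.0/22' `
                           -Subnets @('172.17.0.0/24', '172.17.1.0/27') `
                           -ClientPool '192.168.1.0/24'

if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'Address plan is consistent: no overlaps, subnets inside the vNET' }
```

Run it locally or in Azure Cloud Shell before Task 1.2; with the values above it reports a consistent plan. If you later change the client address space in Task 2.4, rerun it with the new pool, since that range must not overlap either the on-prem networks or the vNET.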
To create the Azure Virtual Network and the other resources described above, run these PowerShell scripts in the numbered order, starting with #1.
In commands #3 and #4, notice that I piped the output of the Add-AzVirtualNetworkSubnetConfig command to the Set-AzVirtualNetwork command. Here is why: When you run the Add-AzVirtualNetworkSubnetConfig command, it creates a subnet configuration object. However, it does not apply the configuration to the virtual network. By piping Add-AzVirtualNetworkSubnetConfig to Set-AzVirtualNetwork, the subnet configuration is applied to the virtual network resource.
#1. Set Variables
$AzVirtualNetworkName = "IPM-WAC-vNET-2"
$AzResourceGroup = 'IPM-WAC-RG-1'
$AzRegion = 'uksouth'
#2. Create the virtual network
New-AzVirtualNetwork -Name $AzVirtualNetworkName -ResourceGroupName $AzResourceGroup -Location $AzRegion -AddressPrefix '172.17.0.0/22'
#3. Create subnet0
Add-AzVirtualNetworkSubnetConfig -Name 'subnet0' -AddressPrefix '172.17.0.0/24' -VirtualNetwork (Get-AzVirtualNetwork -Name $AzVirtualNetworkName -ResourceGroupName $AzResourceGroup) | Set-AzVirtualNetwork
#4. Create GatewaySubnet
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '172.17.1.0/27' -VirtualNetwork (Get-AzVirtualNetwork -Name $AzVirtualNetworkName -ResourceGroupName $AzResourceGroup) | Set-AzVirtualNetwork
Task 1.4: Review the vNET and its Subnets
Before moving on, let’s confirm that the virtual network and the two subnets were created correctly.
- Minimize or close Azure Cloud Shell. Then, search for the name of the Azure Virtual Network—in my example, IPM-WAC-vNET-2—and open it.
- Then, expand the virtual network’s Settings and click Address space. The address space should be configured as shown on the second screen below.
- After that, click the Subnets menu and confirm that the two subnets – subnet0 and GatewaySubnet – exist.
- Finally, open the subnet0 and GatewaySubnet subnets and review their settings.
The Subnet, subnet0, should be a default subnet, while GatewaySubnet should be a Virtual Network Gateway subnet.
Task 1.5: Create an Azure Virtual Machine
Finally, create an Azure VM with the script below. Execute it in Azure Cloud Shell.
#1. Set variables
$AzResourceGroupName = "IPM-WAC-RG-1"
$AzRegion = 'uksouth'
$AzVirtualNetworkName = "IPM-WAC-vNET-2"
$subnetName = "subnet0"
$vmName = "WAC-AZ-VM-1"
$nicName = "WAC-vNETAdapter-4"
#The image below is the SKU for "Windows Server 2022 Datacenter: Azure Edition - Gen2" - the only Windows Server 2022 image on the Azure free tier
$VMImage = "MicrosoftWindowsServer:WindowsServer:2022-datacenter-azure-edition-core:latest"
$vmSize = "Standard_D2s_v3"
$PublicIPAddressName = "WAC-Public-IP-4"
$adminUsername = "WACAdmin"
#2. Create a public IP address for the VM
New-AzPublicIpAddress -ResourceGroupName $AzResourceGroupName -Name $PublicIPAddressName -Sku Standard -Location $AzRegion -AllocationMethod Static
#3. Save the Public IP ID and Subnet ID in variables
$PublicIpAddressId = (Get-AzPublicIpAddress -ResourceGroupName $AzResourceGroupName -Name $PublicIPAddressName).Id
#Get the vNET and Resource Group
$AzVirtualNetwork = Get-AzVirtualNetwork -Name $AzVirtualNetworkName
$AzResourceGroup = Get-AzResourceGroup -Name $AzResourceGroupName
$SubnetId = (Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $AzVirtualNetwork).Id
#4. Create a network interface card to be attached to the VM
New-AzNetworkInterface -Name $nicName -ResourceGroupName $AzResourceGroupName -Location $AzRegion -SubnetId $SubnetId -PublicIpAddressId $PublicIpAddressId
#5. Set admin credentials - when prompted, enter the admin password for the VM
$AdminCredential = (Get-Credential -UserName $adminUsername -Message "Enter the password for the VM")
#6. Create the Azure virtual machine - this is th
New-AzVm -ResourceGroupName $AzResourceGroupName -Name $vmName -Location $AzRegion -VirtualNetworkName $AzVirtualNetworkName -SubnetName $subnetName -PublicIpAddressName $PublicIPAddressName -Image $VMImage -Size $vmSize -Credential $AdminCredential -OpenPorts 3389
Command #6 takes a while to complete, as it creates the VM.
Task 2: Deploy Hybrid Connectivity with Azure Network
Now that you have created an Azure VM, the virtual network, and the GatewaySubnet subnet, it is time to register the Windows Admin Center in Azure and create an Azure Network Adapter in Windows Admin Center.
This task aims to confirm that you can establish hybrid connectivity between an on-premises server and the Azure VM you provisioned in task 1.
Task 2.1: Register Windows Admin Center with Azure
- Sign in to the Windows Admin Center on a browser.
- From the Windows Admin Center page, click the Windows Admin Center (WAC) Server to open it.
The WAC server should appear as the gateway server.
- When the server details page opens, click Network and select Add Azure Network Adapter (Preview).
- Select the Register Windows Admin Center to Azure option on the Add Azure Network Adapter pop-up.
The notes on the pop-up state that creating an Azure Network Adapter lets you configure a Point-to-Site VPN connection to Azure. A Point-to-Site (P2S) VPN gateway allows you to connect individual computers—in this example, the on-prem Windows Admin Center computer – to an Azure Virtual Network.
- After that, click the Register button on the Register with Azure page.
- Then, on the fly-out window, select Azure Cloud and copy the code in step 2. After copying the code, the step 3 link will be activated. Click the Enter the code link—a link will open in a browser tab.
- Enter the code you copied in step 5 and click Next. After that, sign in to your Azure account and confirm the access.
- When the new browser displays a confirmation page, return to the Windows Admin Center. Then, select the Microsoft Entra (tenant) ID to connect to.
After that, on the Microsoft Entra application, click Create new, click Connect, and wait for the app to be created.
- Click the Sign in button to connect the WAC server to your Azure account. Finally, check the “Consent on behalf of your organization” checkbox on the “Permissions requested” pop-up window and click the Accept button.
The registration details will be displayed in the Windows Admin Center. To view the registration in Azure, click the View in Azure link.
Task 2.2: Create an Azure Virtual Network Gateway
An Azure Virtual Network Gateway connects your WAC server to the Azure vNET. In the following steps, you will create one and then the point-to-site VPN from WAC.
- Sign in to your Azure portal, search for “virtual network gateway”, and open the resource.
- Then, on the Virtual Network Gateway page, click Create virtual network gateway.
- Finally, set up the new vNET gateway using my screenshots below.
- In the first screenshot, once you select the subscription you have been using in this deployment, Azure populates the resource group from the virtual network’s resource group.
- Then, in the Instance details section, give the virtual network gateway a name and select the Region if the right one is not selected automatically.
- Select an option from the SKU drop-down menu. The VPN gateway SKU you select determines the bandwidth you get and the price you pay.
- After entering the details, click Review + create at the bottom left. Finally, click Create to deploy the gateway.
Wait for the deployment to complete before proceeding to task 2.4 below. The deployment can take between 20 and 45 minutes to complete.
Task 2.4: Create an Azure Network Adapter in WAC
After creating the virtual network gateway in Azure, you need to add a point-to-site (P2S) configuration. You could do this from Azure or via WAC.
However, configuring the P2S via WAC is easier as it allows autogenerating a self-signed certificate. Follow the steps below to add a P2S configuration to the Azure vNET gateway.
- Open the WAC server from the All Connections page in Windows Admin Center, click Networks, and then click Add Azure Network Adapter (Preview).
- Then, on the Add Azure Network Adapter fly-out, select your Azure Subscription, the Azure region (Location) where you created the resources in Task 1, and the Azure Virtual Network—the Gateway Subnet will be selected automatically and grayed out.
WAC will then automatically detect the vNET gateway attached to the vNET. The Gateway SKU you selected when you created the vNET gateway will be shown and grayed out.
- In Client Address Space, enter the IP address range from which addresses are dynamically assigned to clients connecting over the Point-to-Site VPN.
Finally, in the Authentication Certificate option, select “Auto-generated Self-signed root and client Certificate,” then click Create.
Use a private IP address range that does not overlap with the on-premises location from which you connect or the Azure Virtual Network to which you want to connect. I’m using 192.168.1.0/24.
When you click Create, WAC sends the request to Azure. It will take a while for the P2S configuration to be created in Azure.
After a while, refresh the page to display the Azure Network adapter (the point-to-site connection from the WAC server to the Azure virtual network).
Once the Azure Network adapter is displayed in WAC, the configuration will also be displayed if you open the virtual network gateway in Azure and open its Point-to-site configuration menu.
If you scroll down, you will see the IP address allocated to the point-to-site connection from WAC. You can ping this IP from your WAC server.
You can also RDP to the Azure VM from the WAC server via its Private IP address. To get the VM’s private IP address, open it in Azure – see the second screenshot below.
At this point, your on-prem WAC server can be used as a jump server. With a point-to-site connection to the WAC server, you can RDP and manage all Azure VMs in the Azure Virtual Network.
Task 2.5: Harden the Network Security Group
When you created the VM, the command included allowing access to the VM via port 3389 (RDP). By including this, a Network Security Group and an Inbound Security Rule were created to allow the RDP port.
However, this inbound rule is configured to allow any IP, which is not great. To harden the security of the Azure Virtual Network, we need to modify this inbound rule to allow specific IP addresses.
Here are the steps:
- In the Azure portal, search for Network Security Group and open it from the results. Then, open the NSG—it should have the same name as the Virtual Machine.
- Once the NSG opens, click the RDP (port 3389) inbound rule.
- On the fly-out window, change the Source from Any to IP Addresses. Then, enter the Client Address Pool network you used when you set up the Azure Network Adapter in WAC—see the second screenshot below.
- Finally, to confirm that the WAC P2S connection is still connected, open the WAC server’s Network menu in Windows Admin Center and refresh the settings.
By configuring the RDP inbound rule to allow only the WAC vNET gateway P2S client network, you disable RDP access to the VM from all other IPs, including access to the VMs’ RDP port via their public IP addresses.
Task 3: Manage the Azure VM with the on-prem WAC
In this task, you will add Azure VMs to your on-premises Windows Admin Center server.
Task 3.1: Create an Inbound Security Rule for the WAC Server on Azure NSG
To allow WAC to connect to Azure VMs, create an inbound port rule allowing connectivity on TCP port 5986 using the steps below.
- Search for and open network security groups.
- Then, click the NSG to open it.
- After that, expand its Settings, then choose Inbound security rules.
- Then, click “+ Add” in the top middle window and configure the inbound security rule by following my screenshots below.
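The two NSG changes above (Task 2.5, restricting the RDP rule to the P2S client pool, and Task 3.1, adding the TCP 5986 rule) can also be made from Azure Cloud Shell. The script below is an added example and not part of the original guide. It assumes the NSG created by New-AzVm -OpenPorts 3389 carries the VM’s name (as the guide observes) and that the client address pool is the one chosen in Task 2.4; the rule name Allow-WAC-WinRM-HTTPS is my own choice. It limits the 5986 rule to the P2S pool as well, so WinRM is never reachable from the internet via the VM’s public IP.

```powershell
# Added example (not from the original guide): harden the VM's NSG with
# Azure PowerShell instead of the portal.
$AzResourceGroupName = 'IPM-WAC-RG-1'
$nsgName             = 'WAC-AZ-VM-1'     # assumption: NSG is named after the VM
$p2sClientPool       = '192.168.1.0/24'  # client address space from Task 2.4

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $AzResourceGroupName

# Task 2.5: locate the inbound allow rule for TCP 3389 and replace its
# "Any" source with the P2S client pool
$rdpRule = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.DestinationPortRange -contains '3389'
}
if (-not $rdpRule) { throw "No inbound RDP allow rule found on NSG $nsgName" }

Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rdpRule.Name `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority $rdpRule.Priority `
    -SourceAddressPrefix $p2sClientPool -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# Task 3.1: add a WinRM over HTTPS (TCP 5986) rule, also limited to the pool.
# Priority must be unique within the NSG, so pick the next free slot.
$winrmRuleName = 'Allow-WAC-WinRM-HTTPS'
if (-not ($nsg.SecurityRules | Where-Object Name -eq $winrmRuleName)) {
    $maxPriority  = ($nsg.SecurityRules | Measure-Object -Property Priority -Maximum).Maximum
    $nextPriority = [int]$maxPriority + 10
    if ($nextPriority -gt 4096) { throw 'No free NSG rule priority below 4096' }

    Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $winrmRuleName `
        -Description 'WinRM over HTTPS from the WAC P2S client pool' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $nextPriority `
        -SourceAddressPrefix $p2sClientPool -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 5986 | Out-Null
}

# Push the modified rule set back to Azure and show the effective rules
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg.SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

After it runs, the table should show both inbound allow rules with SourceAddressPrefix set to the client pool rather than *. If the RDP rule still shows * as its source, the rule was not matched; check its name and ports in the portal.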
Task 3.3: Configure WinRM and the Firewall on the Azure VM
Apart from configuring the Azure NSG to allow the WAC connection, you must also set up the Windows firewall on the VM. You also need to configure WinRM in the Azure VM.
To complete these two tasks, RDP to the Azure VM and run the following commands:
#1. Configure WinRM
winrm quickconfig -quiet
#2. Create a firewall rule that allows WINRM-HTTP traffic
Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress any
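The guide’s second command opens the WinRM firewall rule to any remote address. As an added example (not part of the original guide), the script below, run on the Azure VM after the two commands above, lists the listeners that quickconfig created, narrows the same firewall rule to the P2S client pool chosen in Task 2.4 so that only the WAC server’s tunnel addresses can reach WinRM on the host, and verifies the result. The pool value is the guide’s; adjust it to yours.

```powershell
# Added example (not from the original guide): run on the Azure VM itself.
$p2sClientPool = '192.168.1.0/24'   # client address space from Task 2.4

# 1. Show the WinRM listeners created by "winrm quickconfig" (transport, address)
Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object Name, Keys

# 2. Scope the built-in WinRM rule to the P2S client pool instead of "any"
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $p2sClientPool -Enabled True

# 3. Verify the rule's remote address filter and that WinRM answers locally
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
Test-WSMan -ComputerName localhost
```

With the NSG rule from Task 3.1 limited to the same pool, the VM now has two independent controls in front of WinRM: the Azure NSG and the host firewall, so a mistake in one does not expose management traffic through the public IP.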
Task 3.4: Add the Azure VM to the Windows Admin Center
- From the WAC server’s All connections window, click Add.
- Scroll to the Azure VMs section and click Add.
- Then, sign in to the Azure account.
- Now, click on the IP address of the Azure VM you just added to WAC, provide its local admin credentials, and sign in.
- After connecting to the VM, when you return to the Server list, its name will be shown next to its IP address.
Task 3.5: Create a New Azure VM from WAC
You can also create new Azure VMs from the Windows Admin Center. The screenshots below illustrate the first few steps.
When I wrote this guide in September 2024, creating an Azure VM from WAC was in preview, so some Azure VM SKUs were not available.
Task 4: Deprovision the Azure Environment
One of the benefits of creating all resources in an Azure Resource Group is ease of deployment, update, and deletion. So, to delete all the resources created in this lab, all you have to do is delete the resource group.
When you delete a resource group, it deletes dependent resources to avoid errors. If you try deleting the resources manually, deleting a resource another resource uses throws an error message.
You can perform this task via the Azure Portal or Azure Cloud Shell PowerShell.
To delete the resource group and all its resources via the Azure Portal, open the resource group and click Delete resource group.
Alternatively, open Azure Cloud PowerShell and run these commands:
#1. Confirm that the Get-AzResourceGroup command returns the resource group you intend to delete
Get-AzResourceGroup -Name 'IPM*'
#2. Delete the resource group and run the command as a job
Get-AzResourceGroup -Name 'IPM*' | Remove-AzResourceGroup -Force -AsJob
#3. Monitor the progress of the job by running this command from time to time.
#When the status displays "Running", the delete task is still ongoing.
Get-Job -Name *long*
While the job is still running, opening the resource group in the Azure portal will display “Deleting.”
Conclusion
The Windows Admin Center offers SysAdmins a great tool for managing on-premises/Azure hybrid infrastructure. In this guide, I explained how to prepare your Azure environment for a point-to-site connection with an on-prem WAC server.
I also demonstrated the steps to connect the on-prem WAC server and add Azure VMs for administration.
I hope you found the guide helpful. Let me know your thoughts by responding to our “Was this page helpful?” feedback request below.