There are quite a few articles out there that cover the subject. Nevertheless, there are some improvements in Azure that simplify the whole process.

The most important improvement is, that you can now use a FQDN name to define your Local Network Gateway instead of a static IP. Back in the days where only the static IP option was available you needed an automation account, a runbook and a script to have your local network gateway updated with your dynamic public Fritz!Box IP.
 

Step 1: Register a MyFRITZ! account

The MyFRITZ! account is used to have a domain that always resolves to the ip address of your FRITZ!Box.

AzureToFritzBoxVPN Connect MyFRITZ account

In my case this domain is argq6adasd23ruo.myfritz.net. We’ll need that later.
 

Step 2: Create a Virtual Network

In this post all resources created in Azure are going to use the newly created resource group “AzureToFritzBoxVPN-RG”.

Create a Virtual Network in Azure

Choose a name for your Virtual Network. Or use mine: AzureToFritzBoxVPN-VN.
AzureToFritzBoxVPN Create virtual network Basics Microsoft Azure

For this scenario I use an ip address space of 10.5.0.0/24.
AzureToFritzBoxVPN Create virtual network IP Addresses Microsoft Azure

 

Add default subnet to the Virtual Network

For the default and gateway subnets I chose /25 subnets. For the DefaultSubnet named “AzureToFritzBoxVPN-DefaultSubnet” the range is 10.5.0.0/25.
Open the “Subnets” blade of the Virtual Network you just created. Now add a “Subnet” with the following properties.

AzureToFritzBoxVPN Virtual network Add subnet Microsoft Azure

 

Add gateway subnet to the Virtual Network

On the “Subnets” blade of the Virtual Network add a “Gateway subnet” with the following properties.
For the gateway subnet – the name is fixed, the address range will be 10.5.0.128/25.

AzureToFritzBoxVPN Virtual network Add gateway subnet Microsoft Azure

 

Step 3: Create a Local Network Gateway

Create a Local Network Gateway in Azure

Here comes the part about the change with the FQDN. In the past Local Network Gateways had to use a static ip address. Now you can create the gateway using the fqdn of your Fritz!Box (MyFRITZ! address).
When you try to create the gateway using the Azure portal you’ll run into the following error:

AzureToFritzBoxVPN Create local network gateway fails in portal Microsoft Azure

The specified FQDN is not valid.

At this point we move over and use PowerShell.

If you haven’t already done so, install and import the Azure PowerShell module and connect to your Azure subscription:

Then create the Local Network Gateway using New-AzLocalNetworkGateway cmdlet with your MyFRITZ address for the fqdn parameter and your local subnet definition for the addressprefix parameter:

AzureToFritzBoxVPN Create local network gateway with powershell Microsoft Azure

 

Step 4: Create a Virtual Network Gateway

Create a Virtual Network Gateway in Azure

Choose a name for your Virtual Network Gateway. Or use mine again: AzureToFritzBoxVPN-VNG.
The gateway type is “VPN”. The VPN type is “Policy-based”. SKU is “Basic” and Generation is “Generation1”.
Choose the Virtual Network you created in step 2.
I chose to create a new public ip address named “AzureToFritzBoxVPN-IP” with default settings.
AzureToFritzBoxVPN Create virtual network gateway Microsoft Azure

 

Step 5: Connect the two gateways

Now that we have a Local Network Gateway and a Virtual Network Gateway we need to connect the two.
In the Azure portal go to the Local Network Gateway resource or Virtual Network Gateway resource and click “Connections”, than add a connection.

My name for the connection is “AzureToFritzBoxVPN-CON”. The connection type is “Site-to-site (IPSec)”. Now select the Virtual network gateway and Local network gateway you created in the steps before.
For the connection a pre-shared key (also key, psk or shared key) is required. This is a long password that the connection in Azure and your FRITZ!Box both need to know. So please use the password generator of your choice and create a long random password. This password goes into the “Shared key (PSK)” box and in the configuration file for your FRITZ!Box (Step 6), so please keep it for now.
For IKE Protocol choose “IKEv1”.

AzureToFritzBoxVPN Connect LNG and VNG Microsoft Azure

 

Step 6: Configuration file for your FRITZ!Box

This config file is a template! You are required to edit a few things!

From top to bottom:

  • name: Rename this configuration as you like
  • remoteip: This is the public ip address of your Virtual Network Gateway
  • localid:
    • fqdn: this is your MyFRITZ! address
  • remoteid:
    • ipaddr: Again this is the public ip address of your Virtual Network Gateway
  • key: This is the pre-shared key from step 5. DO NOT USE THE VALUE FROM THIS TEMPLATE!!!!
  • phase2localid:
    • ipnet:
      • ipaddr: this is the starting ip address of your FRITZ!Box network
      • mask: this is the subnet mask of your FRITZ!Box network
  • phase2localid:
    • ipnet:
      • ipaddr: this is the starting ip address of your GatewaySubnet from your Virtual Network
      • mask: this is the subnet mask of your GatewaySubnet from your Virtual Network
  • accesslist: this is the ip address and subnet mask of your DefaultSubnet from your Virtual Network

In your FRITZ!Box go to Internet > Permit Access > VPN (IPSec). At the bottom choose “Add VPN Connection”. Upload the edited and saved configuration file.

 

Conclusion

After importing the configuration file, your FRITZ!Box and your Azure Gateway try to establish a connection. This may take a few minutes.

AzureToFritzBoxVPN FRITZBox and Azure connected

 

Cost

This setup costs about 23€ per month for the Virtual Network Gateway.