
Mikrotik CHR in Azure

Azure
    • By Robert Dubiel
    • 2020-04-02

Today I will show you how to run the Mikrotik CHR router in an Azure virtual machine so that you can create, for example, an SSTP VPN or an S2S VPN.

Prerequisites

This scenario assumes that you already have an Azure subscription. You will also need a resource group (RG), two network interfaces (NICs), and a storage account, if you don't already have these. It's also a good idea to attach a static public IP address to the NIC and set up a security group allowing WinBox access. Note that your new CHR will have a blank password, so be careful about exposing it to the internet in this configuration.

To run MVA we need a Mikrotik image for Hyper-V. For this we need to download the current CHR system image in VHDX format from https://mikrotik.com/download (I recommend the “current” edition).

First of all, you need to convert the Mikrotik CHR image from VHDX to VHD format. Then upload the VHD to your storage account using PowerShell or the Azure Storage Explorer. This VHD will be attached to your CHR, so name it accordingly.

#Install required modules if needed
#Install-Module -Name AzureRM -AllowClobber

#Convert Mikrotik CHR image from VHDX to VHD
$MikrotikVHDX = "C:\Downloads\chr-6.46.4.vhdx"
$MikrotikVHD = "C:\Downloads\mt01-vm.vhd"

if ((Test-Path -Path $MikrotikVHD) -eq $false)
{
    Convert-VHD -Path $MikrotikVHDX -DestinationPath $MikrotikVHD -VHDType Fixed
}

#Login to Azure Account
Login-AzureRmAccount

#Get Azure subscription ID 
#You can use Get-AzureRmSubscription to determine your SubscriptionID
$SubscriptionId = "********-****-****-****-************"
Select-AzureRmSubscription -SubscriptionId $SubscriptionId

#Set variables
$ResourceGroup = "mikrotik-rg"
$Location = "westeurope"

#Create Resource Group
if ((Get-AzureRmResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue) -eq $null)
{
    Write-Host "Create Resource Group $ResourceGroup"
    New-AzureRmResourceGroup -Name $ResourceGroup -Location $Location
}

#Create storage account and upload VHD
$StorageAccountName = "mikrotik"+(Get-Random)
New-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccountName -Location $Location -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot
#The script block must start on the same line as Where-Object
$StorageAccount = Get-AzureRmStorageAccount | Where-Object {
    $_.StorageAccountName -like $StorageAccountName
}
$urlOfUploadedVhd = "https://"+$StorageAccountName+".blob.core.windows.net/vhds/"+$(Split-Path $MikrotikVHD -Leaf)
Add-AzureRmVhd -ResourceGroupName $StorageAccount.ResourceGroupName -LocalFilePath $MikrotikVHD -Destination $urlOfUploadedVhd

Network and virtual machine creation

Now we are ready to create the virtual network (VNET) and its subnets (DMZ and LAN). If you need to, you can add more subnets, and thus more network cards, but check that the selected VM size supports more than two network cards: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general. We also create a static public IP address for our router.

# Create VNET, subnets and public IP address
$VnetName = "network-we"
$VmName = "mt01-vm"
$SubnetName_dmz01 = "mikrotik-dmz01"
$SubnetName_lan01 = "mikrotik-lan01"
$Subnet_dmz01 = New-AzureRmVirtualNetworkSubnetConfig -Name $SubnetName_dmz01 -AddressPrefix "10.0.1.0/28"
$Subnet_lan01 = New-AzureRmVirtualNetworkSubnetConfig -Name $SubnetName_lan01 -AddressPrefix "10.0.2.0/24"
New-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroup -Location $Location -Name $VNETName -AddressPrefix "10.0.0.0/16" -Subnet $Subnet_dmz01,$Subnet_lan01
# The script block must start on the same line as Where-Object
$Vnet = Get-AzureRmVirtualNetwork | Where-Object {
    $_.Name -like $VNETName
}

$Subnet_eth01 = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNET -Name $SubnetName_dmz01
$Subnet_eth02 = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VNET -Name $SubnetName_lan01

$PublicIP = New-AzureRmPublicIpAddress -ResourceGroupName $ResourceGroup -Location $Location -AllocationMethod Static -IdleTimeoutInMinutes 4 -Name "mt01-vm$(Get-Random)"

# Create network security group rules (WinBox on TCP 8291, web interface on TCP 80)
# -SourceAddressPrefix * accepts connections from any address; use your management IP or CIDR instead while the CHR password is still blank
$nsgRuleRDP = New-AzureRmNetworkSecurityRuleConfig -Name Allow-In-Mikrotik-Winbox -Protocol Tcp -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 8291 -Access Allow
$nsgRuleWeb = New-AzureRmNetworkSecurityRuleConfig -Name Allow-In-Mikrotik-WWW -Protocol Tcp -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80 -Access Allow
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location -Name $VNETName -SecurityRules $nsgRuleRDP,$nsgRuleWeb

# Create the virtual network cards; eth01 gets the public IP address and the NSG
$VmNic_eth01 = New-AzureRmNetworkInterface -Name "$VmName-eth01" -ResourceGroupName $ResourceGroup -Location $Location -SubnetId $Subnet_eth01.Id -PublicIpAddressId $PublicIP.Id -NetworkSecurityGroupId $nsg.Id -EnableIPForwarding
$VmNic_eth02 = New-AzureRmNetworkInterface -Name "$VmName-eth02" -ResourceGroupName $ResourceGroup -Location $Location -SubnetId $Subnet_eth02.Id -EnableIPForwarding
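
Because the CHR boots with a blank password, it is worth checking which NSG rules leave its management ports open to any source. The following is an added example, not part of the original post: it flags such rules and runs offline on constructed sample rules. The function names, the sample objects and the 203.0.113.10/32 admin address are assumptions made for illustration.

```powershell
# Added example: flag inbound Allow rules that expose RouterOS management ports
# (WinBox 8291 and WWW 80, the two opened in the post) to any source address.
# Function names and the sample rules are hypothetical, constructed for illustration.
$ManagementPorts = 8291, 80
$AnySource = '*', 'Internet', '0.0.0.0/0'

function Test-PortInRange {
    param([string]$Range, [int]$Port)
    # NSG port ranges are '*', a single port, or 'low-high'
    if ($Range -eq '*') { return $true }
    $low, $high = $Range -split '-', 2
    if (-not $high) { $high = $low }
    return ($Port -ge [int]$low -and $Port -le [int]$high)
}

function Find-OpenManagementRule {
    param([Parameter(ValueFromPipeline)]$Rule)
    process {
        # Only inbound Allow rules with an unrestricted source are of interest
        if ($Rule.Direction -ne 'Inbound' -or $Rule.Access -ne 'Allow') { return }
        if (-not ($Rule.SourceAddressPrefix | Where-Object { $AnySource -contains $_ })) { return }
        $exposed = foreach ($port in $ManagementPorts) {
            if ($Rule.DestinationPortRange | Where-Object { Test-PortInRange $_ $port }) { $port }
        }
        if ($exposed) {
            [pscustomobject]@{ Rule = $Rule.Name; Priority = $Rule.Priority; ExposedPorts = $exposed -join ',' }
        }
    }
}

# Constructed sample: the post's two rules plus a variant limited to one admin address.
# 203.0.113.10/32 is a documentation-range placeholder, not a value from the post.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Allow-In-Mikrotik-Winbox'; Priority = 1000; Direction = 'Inbound'; Access = 'Allow'
                       SourceAddressPrefix = @('*'); DestinationPortRange = @('8291') }
    [pscustomobject]@{ Name = 'Allow-In-Mikrotik-WWW'; Priority = 1001; Direction = 'Inbound'; Access = 'Allow'
                       SourceAddressPrefix = @('*'); DestinationPortRange = @('80') }
    [pscustomobject]@{ Name = 'Allow-In-Winbox-Admin'; Priority = 1002; Direction = 'Inbound'; Access = 'Allow'
                       SourceAddressPrefix = @('203.0.113.10/32'); DestinationPortRange = @('8291') }
)
$sampleRules | Find-OpenManagementRule | Format-Table -AutoSize

# Against the deployed NSG (requires the Azure login performed earlier in the post):
# (Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $VnetName).SecurityRules |
#     Find-OpenManagementRule
```

The two rules from the post are reported; the variant restricted to a single admin address is not.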

The last part is to create the virtual machine using all the previously created resources.

#Create Virtual Machine
$VmSize = "Standard_B1ls"
$Vm = New-AzureRmVMConfig -VMName $VmName -VMSize $VmSize
$Vm = Add-AzureRmVMNetworkInterface -VM $Vm -Id $VmNic_eth01.Id -Primary
$Vm = Add-AzureRmVMNetworkInterface -VM $Vm -Id $VmNic_eth02.Id
$vm = Set-AzureRmVMOSDisk -VM $Vm -Name "mt01-vm" -VhdUri $urlOfUploadedVhd -Caching ReadWrite -CreateOption Attach -Linux
$vm.OSProfile = $null
New-AzureRmVM -ResourceGroupName $ResourceGroup -Location $Location -VM $Vm -Verbose

After this, your VM will take a few minutes to create, and you'll be able to log in and continue configuration.
