Connecting to an Azure Virtual Network Gateway VPN

Image result for microsoft Azure

This article describes how to connect and configure an Azure Virtual Network Gateway to connect to Pureport via a Dynamic BGP - HA VPN. This allows you to grow your network without having to manage Traffic Selectors and Route Tables.

 

Prerequisites

Before proceeding ensure that your Azure VNET, Subnets, and Gateway Subnet created.  See the Azure resources section for more information on how to provision and validate these items. Note that Azure VPN's only support select IKE and IPSec security settings, more on this can be found in their documents located at: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#routebased-vpn-ipsec-security-association-ike-quick-mode-sa-offers

 

Example Configuration

This example builds an HA IPsec VPN between a customer-premises device (in this case an Azure VNG-VPN) and the Pureport platform. The configuration consists of two separate tunnels connecting to a single Azure Virtual Network Gateway deployment provisioned in Active-Active mode.

 

Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.

 

  1. Start by provisioning your Virtual Network Gateway. Create a Resource ->Virtual network gateway -> Create

  2. Enter the required values making sure to select a Gateway Type of VPN. You will want to ensure that this VNG is provisioned in the region of you VNET and assigned to the VNET’s Gateway Subnet.  Be sure to select the VNET you wish to connect this VNG too.  You will also want to enable Active-Active mode and BGP.  

    Provide a name for both of the Public IP's that will be created and enter in APIPA addresses for the primary and secondary. Azure only supports limited APIPA ranges, so you will need to enter these manually and confirm they do not conflict with any other IP's on your network. In our example we will use 169.254.21.2 for the primary address and 169.254.21.6 for the secondary address.

    Select Review + create once you have entered all the values specific to your architecture.

  3.  Once all settings and tags have been confirmed, select Review+create to provision the VNG resource. This process can take approximately 35 minutes to complete.

  4.  Navigate to the VNG resource that was created, make note of the Public IP addresses and ASN listed under the configuration section of the VNG. We will use this to provision the Pureport VPN connection next. 

  5. Next Navigate to your Pureport account and drill down to your Network. Add a new connection and Select Site IPsec VPN. Select your desired location to connect to Pureport, and the desired speed. You will be asked for the Primary and Secondary Customer Router IP and Routing type. Enter the following details:
    Requested DetailsValues to Use
    Primary Customer Router IP*Azure VNG Public IP (As Captured in step 4)
    Secondary Customer Router IP*Azure VNG Second Public IP (As captured in step 4)
    Routing Type*Route Base BGP

    Select Next

  6. Enter in the BGP ASN captured in Step 4 and select "Advanced - Set Peering IPs".
  7. Enter in your peering IP addresses (this will use the APIPA address entered in step 2.  In our example we will use 169.254.21.1/30 and 169.254.21.5/30 as our Pureport BGP IP's and 169.254.21.2/30 and 169.254.21.6/30 for our VPN BGP IPs.  You will need to confirm there are no conflicts with these IPs on your network. Select Next.
  8. Skip the customer networks and NAT configuration steps as we will not be needing them in our example.
  9. In the IKE Configuration Settings, enter a value that is supported by the Azure VPN VNG, see “https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#routebased-vpn-ipsec-security-association-ike-quick-mode-sa-offers

    In this example we will leverage the following Settings:


    Click Next.

  10. Enter the Name and Description you wish to have in Pureport for this VPN connection and click Add Connection
  11. Once the Connection has been added, make note of the Primary and Secondary Gateway “Pureport Gateway IP” and “Pre-shared Key”. We will use these values to create the VPN connections in Azure.




  12. Next you will need to create two Azure Local Network Gateways (LNGs), one for each gateway.  Navigate to the Local Network Gateway option in Azure.


  13. Select Add to add a new local network gateway.
  14. Enter in the Pureport IP address for the Primary gateway as well as the Pureport IP address captured in Step 11.  You will want to select "Configure BGP settings" and enter in the Pureport ASN and Pureport BGP IP for the gateway.



  15. Repeat step 14 to create an LNG for the secondary gateway updating the details to match the secondary Pureport Gateway.

  16. Navigate back to the Azure VNG that was created earlier and select the “Connections” settings on the left side.
  17. Select +Add to create two new VPN connections to the Pureport Site connect connection created in steps 5 - 9.
  18. You will be presented with a “Add connection” wizard to setup the VPN connection on the Azure Side.  Enter a Name for the connection, Connection Type of “Site-to-site (IPsec)”, leave the Virtual network gateway with the default settings.
  19. Select the local Network Gateway, a blade will be presented showing you the choose or create new LNG's.  Select the LNG you created to connect to the Primary Pureport Gateway.



  20. You will then need to enter in the PSK.  Be sure to enable BGP and select IKEv2 and click Okay.


  21. Repeat steps 18-21 for the secondary gateway.
  22. Once both connections are created, you will want to select the primary connection from the list.
  23.  Select Configuration from the Settings options for the connection.
  24. Ensure that BGP has been enabled for the connection and choose to set a custom "IPsec/IKE Profile". You will then be presented with options to configure your profile. Set these to match what was configured in step 9.



  25. Save the updates to the connection and repeat steps 23-25 for the secondary connection.
  26. Once both connections have been updated, it can take a few minutes for your VPN to establish.  You will see your VPN gateways transition to connected in Azure and Pureport and BGP established.

 

Validating IPSEC VPN Tunnel Connectivity

 

To verify your VPN tunnels have connected successfully, You will need to check on both the Pureport and Azure side of the tunnel.

In Pureport, Navigate to the Network and Connection you created and validate that both gateways are showing as Up and IPsec status of Established and BGP established.

Primary GatewaySecondary Gateway

In Azure, Navigate to your VNG and Connections and ensure both are reporting a status of Connected

If you have already provisioned another connection on your Pureport account, you can additionally ping from a device on the VPN side to a device on another connection.

Azure Resources