
Tutorial: Connect Azure to CloudConnexa with IPsec

Abstract

This tutorial shows how to configure an IPsec connection to your Azure VNet. Once configured, site-to-site IPsec tunnels connect your Azure VNet to the configured CloudConnexa Region. On a successful connection, your CloudConnexa users and other networks connected to any of CloudConnexa's Regions can access the Azure VNet.

This tutorial shows how to configure an Azure Site-to-Site IPsec VPN connection between your Azure VNet and a CloudConnexa Region. A good reference for the Azure configuration aspect of this setup is available in Azure documentation.

The Azure configuration involves:

  • Creating a gateway subnet: The virtual network gateway requires a specific subnet named GatewaySubnet. The gateway subnet is part of the IP address range for your virtual network and contains the IP addresses that the virtual network gateway resources and services use.

  • Creating a Virtual Network Gateway: In this step, you create a virtual network gateway (VPN gateway) for your virtual network. Creating one often takes 45 minutes or more, depending on the selected gateway SKU.

  • Creating a local network gateway: The local network gateway is a specific object deployed to Azure that represents your CloudConnexa Region for routing purposes.

  • Creating a VPN connection: Create a site-to-site VPN connection between your virtual network gateway and the CloudConnexa Region.


  1. Add a Network using the Network Configuration Wizard to represent your Azure VNet and select the IPsec Tunneling Protocol option.

  2. In the Connector configuration step, select Azure from the Platform to Connect drop-down menu. Refer to CloudConnexa Connectors and About Network Connectors.

    Instructions will appear on how to configure IPsec connectivity with CloudConnexa. You will see four steps:

    1. Create Azure Gateways: Use these values when configuring the Azure local and virtual network gateways. See Step 4 and Step 5 below.

    2. Setup CloudConnexa Tunnel: Complete the CloudConnexa tunnel setup using the values obtained in Step 6 and Step 7.

    3. Create Azure Connection: Use this information in Step 8.

    4. Verify Connectivity: After configuring the tunnel on both sides, click “Test Connection” to check that CloudConnexa can establish a connection to the remote network (Step 9).

  3. (Azure) Create a gateway subnet. Refer to Azure documentation. The virtual network gateway requires a specific subnet named GatewaySubnet. The gateway subnet is part of the IP address range for your virtual network and contains the IP addresses that the virtual network gateway resources and services use.

    When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. It's best to specify /27 or larger (/26, /25, etc.) for your gateway subnet.

    1. On the page for your virtual network, on the left pane, select Subnets to open the Subnets page.

    2. At the top of the page, select + Gateway subnet to open the Add subnet pane.

    3. Select an appropriate Size. For example, /27.

    4. Click Add.

  4. (Azure) Create a local network gateway. Refer to Azure documentation. The local network gateway is a specific object deployed to Azure that represents the CloudConnexa Region (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the site's VPN device to which you create a connection. You also specify the IP address prefixes that are routed through the VPN gateway to the site's VPN device (CloudConnexa Region). In this setup those prefixes are the address spaces that the CloudConnexa Admin Portal lists for the Region, not your on-premises ranges.

    1. In the Azure portal, go to Local network gateways.

    2. Click + Create to open the Create local network gateway page.

    3. On the Basics tab, fill in the following fields:

      1. Resource Group: Select appropriately.

      2. Region: Select appropriately.

      3. Name: Enter a name, for example CloudConnexa.

      4. IP address: Copy from CloudConnexa Admin Portal instructions.

      5. Address Spaces: Copy one-by-one from CloudConnexa Admin Portal instructions.

    4. Click Next to move to the Advanced tab and set Configure BGP settings to NO.

    5. Click Next to move to Review + create tab and click Create.

  5. (Azure) Create a virtual network gateway (VPN gateway). Refer to Azure documentation.

    1. In Search resources, services, and docs (G+/), enter virtual network gateway. Locate Virtual network gateway in the Marketplace search results and select it to open the Create virtual network gateway page. Click + Create.

    2. On the Basics tab, fill in the following fields:

      1. Subscription: Select appropriately.

      2. Name: Enter name.

      3. Region: Select same Region as selected for local network gateway.

      4. Gateway Type: VPN

      5. SKU: Keep the default setting. Do not choose Basic: the Basic SKU supports neither active-active mode nor the custom IPsec/IKE policy required in Step 8.

      6. Generation: Keep the default setting.

      7. Virtual Network: Select the one on which the GatewaySubnet was created.

      8. Public IP address: These settings specify the public IP address objects associated with the VPN gateway; Azure assigns an address to each object when the gateway is created. Create a new public IP address or select an existing one, set Enable active-active mode to Enabled, and create or select a SECOND PUBLIC IP ADDRESS. Each of the two CloudConnexa tunnels terminates on one of these addresses.

      9. Set Configure BGP to Disabled.

    3. Click Next: Tags >

    4. Click Review + create to run validation.

    5. After validation passes, select Create to deploy the VPN gateway.

    A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway.

  6. From the Deployment Details section of the Azure Portal's VPN gateway Overview page, copy the two public IP addresses and paste them into the Remote Site Public IPv4 Address fields of Tunnel 1 and Tunnel 2 in the Setup CloudConnexa Tunnel section of the CloudConnexa Administration Portal.

  7. Generate one long random string from a cryptographic random generator (not a passphrase) for use as the PSK and enter it in the Pre-shared Key field for both Tunnel 1 and Tunnel 2. The same value is entered as the Shared key of the Azure connection in Step 8.

  8. (Azure) Create a VPN connection. Refer to Azure documentation.

    1. At the top of the Connections page, select + Create to open the Create connection page.

    2. On the Create connection page, on the Basics tab, configure the values for your connection:

      1. Under Project details, select the subscription and the resource group where your resources are located.

      2. Under Instance details, configure the following settings:

        1. Connection type: Select Site-to-site (IPSec).

        2. Name: Name your connection.

        3. Region: Same as the previously created entities.

    3. Click Next: Settings >

    4. In the Settings tab, configure the following values:

      1. Virtual network gateway: Select the virtual network gateway from the dropdown list that was created in Step 5.

      2. Local network gateway: Select the local network gateway from the dropdown list that was created in Step 4.

      3. Shared key: The value here must match the PSK entered in Step 7.

      4. IKE Protocol: Select IKEv2.

      5. Use Azure Private IP Address: Don't select.

      6. Enable BGP: Don't select.

      7. IPsec/IKE policy: Select Custom and match every field with the values shown in the CloudConnexa portal: Encryption AES256, Integrity SHA256, DH Group 14 and PFS Group PFS2048. Change IPsec SA lifetime in seconds to 3600. A mismatch in any of these values on either side causes the IKE negotiation to fail.

      8. Use policy based traffic selector: Select Enable.

      9. DPD timeout in seconds: Select 45.

      10. Connection Mode: Select ResponderOnly. Azure will then never initiate the tunnel; it comes up only when CloudConnexa initiates, for example through Test Connection in Step 9.

    5. Click Next: Tags>.

    6. Click Review + create to run validation.

    7. After validation passes, click Create and wait until the deployment is finished.

  9. Click Test Connection 1 and Test Connection 2 to check connectivity for both the IPsec tunnels.

  10. Continue with the network wizard instructions.
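The Azure side of Steps 3 to 9 above can be scripted instead of clicked through. The following script is an added example written for this page with the Az PowerShell module; it is not code from the CloudConnexa or Azure documentation. The resource group, VNet, gateway subnet range, peer IP address 198.51.100.10 and the two address spaces are placeholder values: replace them with your own names and with the IP address and Address Spaces shown in the CloudConnexa Admin Portal instructions. The cmdlet parameters used are those of Az.Network; check that your installed version exposes -DpdTimeoutInSeconds and -ConnectionMode (Get-Help New-AzVirtualNetworkGatewayConnection -Full) before running it.

```powershell
# Added example, not from the CloudConnexa or Azure docs. Assumed names and values:
# resource group, VNet, subnet range, peer IP and address spaces below are placeholders.
#Requires -Modules Az.Accounts, Az.Network

$rg         = 'rg-cloudconnexa'
$location   = 'westeurope'
$vnetName   = 'vnet-prod'
$ccPeerIp   = '198.51.100.10'                       # "IP address" from the CloudConnexa portal (placeholder)
$ccPrefixes = @('100.96.0.0/11', '10.200.0.0/16')   # "Address Spaces" from the portal (placeholders)

# Step 7: one PSK shared by both tunnels. 32 bytes from a CSPRNG, base64-encoded: 44 printable
# ASCII characters, within Azure's limit of 128. Paste the printed value into Tunnel 1 and Tunnel 2.
$pskBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pskBytes)
$psk = [Convert]::ToBase64String($pskBytes)
Write-Host "Pre-shared key for CloudConnexa Tunnel 1 and Tunnel 2: $psk"

# Step 3: the subnet must be named exactly GatewaySubnet; /27 leaves room for active-active mode.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27' -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Step 4: the local network gateway represents the CloudConnexa Region; BGP is left off.
$lng = New-AzLocalNetworkGateway -Name 'CloudConnexa' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $ccPeerIp -AddressPrefix $ccPrefixes

# Step 5: active-active route-based VPN gateway with two Standard static public IPs.
# Basic SKU supports neither active-active mode nor custom IPsec/IKE policy, so VpnGw2 is used.
$pip1 = New-AzPublicIpAddress -Name 'pip-vpngw-1' -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard
$pip2 = New-AzPublicIpAddress -Name 'pip-vpngw-2' -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard
$ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf1' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip1.Id
$ipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf2' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip2.Id
$vng = New-AzVirtualNetworkGateway -Name 'vpngw-cloudconnexa' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf1, $ipconf2 -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2 -EnableActiveActiveFeature   # 45 minutes or more

# Step 6: these two addresses go into Remote Site Public IPv4 Address of Tunnel 1 and Tunnel 2.
Write-Host "Tunnel 1 remote IP: $($pip1.IpAddress)   Tunnel 2 remote IP: $($pip2.IpAddress)"

# Step 8: custom IPsec/IKE policy matching the CloudConnexa portal values (AES256, SHA256, DH14,
# PFS2048, 3600 s IPsec SA lifetime). Both IKE and IPsec phases are set to AES256/SHA256 here;
# verify against the portal. SADataSizeKilobytes is Azure's default volume-based lifetime.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000

$conn = New-AzVirtualNetworkGatewayConnection -Name 'conn-cloudconnexa' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec -ConnectionProtocol IKEv2 `
    -SharedKey $psk -IpsecPolicies $policy -UsePolicyBasedTrafficSelectors $true `
    -DpdTimeoutInSeconds 45 -ConnectionMode ResponderOnly      # BGP and private IP left at their defaults (off)

# Step 9: with ResponderOnly, Azure never initiates, so ConnectionStatus stays NotConnected until
# CloudConnexa's Test Connection brings the tunnel up. Re-run this line after the test.
Get-AzVirtualNetworkGatewayConnection -Name 'conn-cloudconnexa' -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

The single connection object against an active-active gateway yields two tunnels, one from each gateway instance, which is why CloudConnexa's Tunnel 1 and Tunnel 2 share one PSK and one policy. If ConnectionStatus stays NotConnected after Test Connection succeeds on the CloudConnexa side, compare the policy values and the shared key first; an IKE policy mismatch is the most common cause.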