Aviatrix Virtual Appliance For Azure VPN Gateway Connection Configuration Guide
Last updated: November 17, 2016
Aviatrix Systems, Inc.
4555 Great America Pkwy, Santa Clara, CA 95054, USA
http://www.aviatrix.com
Tel: +1 844.262.3100
TABLE OF CONTENTS
1 Overview ... 1
1.1 Use Case Azure VNET to Remote Site ... 1
2 Configuration Workflow ... 2
2.1 Prerequisites ... 2
2.2 Configuration ... 2
2.2.1 Step 1 Deploy the Aviatrix Virtual Appliance ... 3
2.2.2 Step 2 Configure Azure Site to Site VPN Connection ... 3
2.2.3 Step 3 Configure Aviatrix Site-to-Cloud VPN Connection ... 4
3 Troubleshooting ... 6
3.1 Aviatrix Virtual Appliance Tunnel Status ... 6
3.2 Remote site static routes ... 6
3.3 Azure Instance Network Security Groups ... 6
4 Appendix Support ... 7
4.1 Aviatrix Support ... 7
1 Overview

Aviatrix is a next generation cloud networking solution built from the ground up for the public cloud. It simplifies the way you enable site to cloud, user to cloud and cloud to cloud secure connectivity and access. The Aviatrix solution requires no new hardware and deploys in minutes.

This configuration guide provides step by step instructions on how to deploy the Aviatrix virtual appliance for an Azure VPN gateway (site to site) connection.

1.1 Use Case Azure VNET to Remote Site

In this use case, there is a need to connect a remote on-premise site to an Azure VNet. Instead of configuring the IPSec termination on the edge device, which may put tier 1 applications at risk, an Aviatrix virtual appliance can be deployed on premise to terminate the IPSec tunnel. With this approach, no changes are needed on the edge device; the IPSec tunnel is configured directly on the Aviatrix virtual appliance. Below is an example of how the solution can be deployed.

[Diagram: Azure VNET (VNET CIDR 10.30.0.0/16; Gateway subnet 10.30.0.0/24; compute subnet 10.30.1.0/24; Azure VPN Gateway) connected over a SITE-2-SITE IPSEC tunnel to the Remote Site (Aviatrix Virtual Appliance behind the Edge Device; Users on 10.16.0.0/16 and 192.168.50.0/24)]

Benefits
1. Quick and easy to deploy: up and running within minutes.
2. No changes on the edge device.
3. Supports popular hypervisors: VMware and Hyper-V.
4. Supports all major public cloud providers (AWS, Azure, GCP).
5. No exchange of public cloud credentials is needed.

Page 1 of 9
2 Configuration Workflow

2.1 Prerequisites

Please review the following before configuring the VNet to site connection. Confirm and check the following:
1. Make sure you have a valid Azure subscription.
2. Make sure the hypervisor that you're using is supported:
   a. VMware ESXi 5.0 or later
   b. Windows 2012 R2 or later Hyper-V
3. The Aviatrix virtual appliance requires the following:
   a. A static IP address (internal)
   b. Access to a DNS server
   c. Outbound ports:
      i. TCP 443
      ii. UDP 4500 & 500
4. In the remote site, create static routes to the Azure VNet.
   a. In order for devices in the remote site to reach the Azure VNet, their traffic for the VNet must be routed to the Aviatrix virtual appliance.

2.2 Configuration

The following configuration steps are based on the example environment shown below. Please replace values accordingly for your setup.

[Diagram: Azure VNET (VNET CIDR 10.30.0.0/16; Gateway subnet 10.30.0.0/24; compute subnet 10.30.1.0/24; Azure VPN Gateway with Public IP 104.42.225.163) connected over a SITE-2-SITE IPSEC tunnel to the Remote Site (Aviatrix Virtual Appliance behind the Edge Device with Public IP 207.47.51.61; Users on 10.16.0.0/16 and 192.168.50.0/24)]
2.2.1 Step 1 Deploy the Aviatrix Virtual Appliance

Step 1 Deploy the Aviatrix Virtual Appliance
1. Download the virtual appliance for your hypervisor.
2. Import the virtual appliance into your virtualization environment.
3. Once the virtual appliance boots up, login to the CLI console. The default login is admin / Aviatrix123#
4. Use the following command to configure the static IP address on the virtual appliance:

   setup_interface_static_address ip_address subnet_mask default_gateway primary_dns secondary_dns

   Example:

   setup_interface_static_address 10.16.0.11 255.255.255.0 10.16.0.10 8.8.8.8 8.8.4.4

5. Login to the virtual appliance web GUI. The default URL is https://static_ip_address and the default login is admin / static_ip_address (i.e. 10.16.0.11). The system will prompt for a recovery email address and then prompt you to change the default password. The virtual appliance will initialize after the password change. Afterwards, login to the console with the new password.
6. Update the License key. Click Settings > License. Under Customer ID, enter in your customer ID and click Save. If you don't have one, contact Aviatrix at support@aviatrix.com.
7. Done.

2.2.2 Step 2 Configure Azure Site to Site VPN Connection

On the Azure side, a site to site VPN connection needs to be created. An Azure site to site VPN connection consists of the following components:
1. VNET: This defines the Azure virtual network and its address space.
2. Local Network Gateway: This defines the network on the remote site.
3. Virtual Network Gateway: This defines the gateway where the VPN will terminate in Azure.
4. Site-to-Site VPN Connection: This definition puts everything together.

Step 2 Configure Azure Site to Site VPN Connection
1. Log into the Azure Portal.
2. Create a VNET (or identify the VNET you want to use for the site-2-site connection). In this example, we will use the following values:
   a. Address Space: 10.30.0.0/16
   b. Subnet 1: 10.30.0.0/24 (for Gateway. This is a special subnet for the Azure VPN gateway)
   c. Subnet 2: 10.30.1.0/24 (for compute instances)
3. Create a Local Network Gateway. In this example, we will use the following values:
   a. IP Address: 207.47.51.61 (this is the public IP of the edge device at the remote site)
   b. Address space: 10.16.0.0/16, 192.168.50.0/24 (these are the subnets on the remote site)
4. Create a Virtual Network Gateway. Please note the following settings:
   a. Gateway Type: VPN
   b. VPN Type: Policy-based (Aviatrix only supports policy-based at this time)
   c. Virtual Network: (choose your VNET)
   d. Public IP address: (choose a public IP or create a new one)
5. Create a Site-to-Site VPN Connection:
   a. Click on the virtual network gateway from the previous step.
   b. Navigate to Settings -> Connections, and click Add.
   c. Please note the following settings:
      i. Connection Type: Site-to-Site
      ii. Virtual Network Gateway: Select the gateway created in the previous step
      iii. Local network gateway: Select the local network gateway for the remote site
      iv. Shared Key: Type in a shared key
   d. Click OK.
6. Done.

2.2.3 Step 3 Configure Aviatrix Site-to-Cloud VPN Connection

To complete the connection, we must define the VPN connection on the Aviatrix virtual appliance as well.

Step 3 Aviatrix Site to Cloud Definition
1. Login to the Aviatrix Virtual Appliance.
2. Click Site2Cloud -> +Add New and fill in the following:
   a. VPC ID/VNet Name: Select Local
   b. Connection Type: Unmapped
   c. Connection Name: Type in a name for the connection
   d. Remote Gateway IP Address: This is the public IP of the Azure VPN gateway
   e. Remote: Type in the subnet on the Azure VNET side (i.e. 10.30.0.0/16). If there is more than one network, separate them with commas.
   f. Local: Type in the network on the remote site side (i.e. 10.16.0.0/16, 192.168.50.0/24).
   g. Pre-shared Key: Type in the same shared key that was used for the Azure VPN gateway.
   h. Remote Gateway Type: Choose Azure VPN
3. Click OK.
4. Done.
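Most failed site-to-site connections come down to the two sides disagreeing on a value: the Step 3 Remote Gateway IP not matching the Azure gateway's public IP, the Local/Remote networks not mirroring the Azure Local Network Gateway and VNET address spaces, or a mistyped shared key. The script below is an added example (it is not Aviatrix or Azure code) that records what was entered in the Azure portal in Step 2 and in the Site2Cloud form in Step 3 and cross-checks them. The dictionary layouts, the placeholder shared key and the minimum key length are this example's own assumptions; the addresses are the guide's example environment. It also applies a general routing sanity check that the page does not spell out: the local and remote address spaces must not overlap, or traffic for the overlapping range can never be steered into the tunnel.

```python
# Added example (not Aviatrix or Azure code): cross-check the Azure Step 2
# entries against the Aviatrix Site2Cloud Step 3 entries before troubleshooting.
from ipaddress import ip_network
from typing import Dict, List

AZURE = {  # constructed record of the Step 2 portal entries
    "vnet_address_space": ["10.30.0.0/16"],
    "gateway_subnet": "10.30.0.0/24",
    "vpn_type": "Policy-based",
    "vpn_gateway_public_ip": "104.42.225.163",
    "local_network_gateway": {
        "ip_address": "207.47.51.61",                           # remote edge device
        "address_space": ["10.16.0.0/16", "192.168.50.0/24"],  # remote subnets
    },
    "shared_key": "placeholder-psk-replace-me",                 # placeholder value
}

AVIATRIX = {  # constructed record of the Step 3 Site2Cloud entries
    "connection_type": "Unmapped",
    "remote_gateway_ip": "104.42.225.163",
    "remote_subnets": "10.30.0.0/16",                  # comma-separated in the GUI
    "local_subnets": "10.16.0.0/16, 192.168.50.0/24",
    "pre_shared_key": "placeholder-psk-replace-me",
    "remote_gateway_type": "Azure VPN",
}

MIN_PSK_LENGTH = 16  # this example's own threshold, not an Aviatrix or Azure rule


def parse_cidrs(field) -> List:
    """Accept a comma-separated GUI field or a list and return sorted networks.
    strict=True rejects a prefix with host bits set (e.g. 10.30.1.0/16)."""
    items = field.split(",") if isinstance(field, str) else field
    return sorted(ip_network(c.strip(), strict=True) for c in items if c.strip())


def check_site2cloud(azure: Dict, aviatrix: Dict) -> List[str]:
    """Return the list of mismatches between the two sides (empty = consistent)."""
    problems = []
    lng = azure["local_network_gateway"]
    vnet = parse_cidrs(azure["vnet_address_space"])
    remote = parse_cidrs(aviatrix["remote_subnets"])
    local = parse_cidrs(aviatrix["local_subnets"])

    if aviatrix["remote_gateway_ip"] != azure["vpn_gateway_public_ip"]:
        problems.append("Remote Gateway IP must be the Azure VPN gateway public IP")
    if remote != vnet:
        problems.append(f"Remote subnets {remote} differ from VNET address space {vnet}")
    if local != parse_cidrs(lng["address_space"]):
        problems.append("Local subnets differ from the Local Network Gateway address space")
    if aviatrix["pre_shared_key"] != azure["shared_key"]:
        problems.append("Pre-shared key differs from the Azure connection shared key")
    if len(azure["shared_key"]) < MIN_PSK_LENGTH:
        problems.append(f"Shared key is shorter than {MIN_PSK_LENGTH} characters")
    if azure["vpn_type"] != "Policy-based":
        problems.append("Azure VPN Type must be Policy-based for Aviatrix")
    if aviatrix["remote_gateway_type"] != "Azure VPN":
        problems.append("Remote Gateway Type must be Azure VPN")
    gw_subnet = ip_network(azure["gateway_subnet"])
    if not any(gw_subnet.subnet_of(v) for v in vnet):
        problems.append("Gateway subnet is not inside the VNET address space")
    # General routing sanity check: overlapping ranges cannot be routed into the tunnel.
    for l in local:
        for r in remote:
            if l.overlaps(r):
                problems.append(f"Local {l} overlaps remote {r}")
    return problems


if __name__ == "__main__":
    for line in check_site2cloud(AZURE, AVIATRIX) or ["Azure and Aviatrix definitions agree"]:
        print(line)
```

Run it with the values you actually entered; an empty result means the two definitions agree and the tunnel status check in the Troubleshooting section is the next place to look.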
Congratulations. The configuration is complete.
3 Troubleshooting

Below are some troubleshooting tips w

3.1 Aviatrix Virtual Appliance Tunnel Status

Tunnel status can be checked from the Controller. From the Controller GUI:
1. Click Site2Cloud -> Diagnostics
2. Select the following:
   a. VPC ID / VNet / NET = Select Local
   b. Connection = Select the connection you want to troubleshoot
   c. Action = Select the diagnostics that you want to see
3. Click OK.

3.2 Remote site static routes

Make sure static routes are defined on your remote site to reach the Azure VNET. For example, in the environment below, you will need to add the following static route on the remote site:

   Destination      Next Hop
   10.30.0.0/16     Aviatrix Virtual Appliance

[Diagram: Azure VNET (VNET CIDR 10.30.0.0/16; Gateway subnet 10.30.0.0/24; compute subnet 10.30.1.0/24; Azure VPN Gateway with Public IP 104.42.225.163) connected over a SITE-2-SITE IPSEC tunnel to the Remote Site (Aviatrix Virtual Appliance behind the Edge Device with Public IP 207.47.51.61; Users on 10.16.0.0/16 and 192.168.50.0/24)]

3.3 Azure Instance Network Security Groups

Check and make sure your network security groups are configured properly for access from your remote site. By default, inbound access to Azure instances is restricted.
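Two conditions on the remote site are easy to verify offline before opening a support case: the static route in 3.2 must actually win the longest-prefix match for every address in the VNET (a more specific route for part of 10.30.0.0/16 pointing elsewhere silently breaks that part), and the outbound ports from the 2.1 prerequisites (TCP 443, UDP 500, UDP 4500) must be permitted for the appliance by the site's egress policy. The script below is an added example, not Aviatrix code; the routing table, the first-match egress policy and the appliance address 10.16.0.11 (from the Step 1 example) are constructed, and the route-table and rule layouts are this example's own.

```python
# Added example (not Aviatrix code): check the remote-site static route (3.2)
# and the appliance's required outbound ports (2.1) against constructed data.
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

APPLIANCE_IP = "10.16.0.11"   # Aviatrix virtual appliance, Step 1 example value
AZURE_VNET = "10.30.0.0/16"

# Constructed routing table of the remote-site router: (destination, next hop).
ROUTES = [
    ("0.0.0.0/0", "10.16.0.10"),        # default route via the edge device
    ("10.16.0.0/16", "0.0.0.0"),        # directly connected
    ("192.168.50.0/24", "10.16.0.10"),
    ("10.30.0.0/16", APPLIANCE_IP),     # the static route section 3.2 asks for
]

# Outbound ports the appliance needs (section 2.1): (protocol, destination port).
REQUIRED_OUTBOUND = [("tcp", 443), ("udp", 500), ("udp", 4500)]

# Constructed first-match egress policy: (action, source, protocol, dport);
# protocol "any" and port 0 are wildcards.
EGRESS_RULES = [
    ("allow", "10.16.0.11/32", "udp", 500),
    ("allow", "10.16.0.11/32", "udp", 4500),
    ("allow", "10.16.0.0/16", "tcp", 443),
    ("deny", "0.0.0.0/0", "any", 0),
]


def lookup(routes, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (prefix, next hop) or None."""
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (
                best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, next_hop)
    return best


def azure_via_appliance(routes, azure_cidr: str, appliance_ip: str) -> List[str]:
    """Return the routing problems that would keep Azure-bound traffic off the tunnel."""
    problems = []
    azure = ip_network(azure_cidr)
    # Any route that falls inside the VNET range must point at the appliance.
    for prefix, next_hop in routes:
        if ip_network(prefix).subnet_of(azure) and next_hop != appliance_ip:
            problems.append(f"{prefix} goes to {next_hop}, not the appliance")
    # And an address in the VNET must resolve to the appliance, not the default route.
    probe = str(azure[1])
    match = lookup(routes, probe)
    if match is None or match[1] != appliance_ip:
        problems.append(f"no route sends {probe} to the appliance (matched {match})")
    return problems


def outbound_allowed(rules, src: str, proto: str, dport: int) -> bool:
    """First-match evaluation of the egress policy for one flow."""
    for action, src_cidr, r_proto, r_port in rules:
        if (ip_address(src) in ip_network(src_cidr)
                and r_proto in ("any", proto) and r_port in (0, dport)):
            return action == "allow"
    return False  # no matching rule: treat as denied


def missing_outbound(rules, src: str) -> List[Tuple[str, int]]:
    """Required (protocol, port) pairs the policy does not let the appliance reach."""
    return [(p, d) for p, d in REQUIRED_OUTBOUND if not outbound_allowed(rules, src, p, d)]


if __name__ == "__main__":
    print(azure_via_appliance(ROUTES, AZURE_VNET, APPLIANCE_IP) or "Azure route OK")
    print(missing_outbound(EGRESS_RULES, APPLIANCE_IP) or "outbound ports OK")
```

Replace the constructed tables with your router's routing table and your firewall's egress rules; both functions return an empty list when the site is configured as sections 2.1 and 3.2 require.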
4 Appendix Support

4.1 Aviatrix Support

Standard: 8x5 Enterprise Phone Support, email support, product-specific knowledge-base and user forum are included. For additional levels of support and support offers please visit: www.aviatrix.com/support