My collegue was called by a customer who was facing issues establishing a stable working VPN tunnel from his FortiGate router to Microsoft Azure. For some reason even though the tunnel is connected, whenever a file is being copied or any kind of load is put on the connection, it actually drops and the tunnel goes down. So with FortiGate support not being able to solve the issue and the customer having NetScaler on-premise, its time to make full use of it and by that I mean the Platinum license which is required for NetScaler cloudbridge connector feature to be operational.
We are going to configure an IPSEC VPN tunnel between NetScaler cloudbridge connector utilizing subnet IP on NS and Microsoft Azure (Resource Manager). It is going to be a Policy-Based tunnel. My NS Subnet IP which will act as the cloudbridge connector tunnel IP is going to be Nated (to those who only have one public IP ). I am using a Mikrotik router which is honestly the best lab router you could possibly wish for and I will be using 10.20.34.0/24 for my local subnet ( you could have more subnets) and 10.0.0.0/24 for my Azure subnet.
Zero to Hero assumes nothing is preconfigured so this is going to be a single post with 3 parts. Firstly we will configure Microsoft Azure Network and VPN, Secondaly we will configure Mikrotik router (you can easily replicate config to your router), and Thirdly we will configure NetScaler cloudbridge connector.
- One public IP on a managed router.
- NetScaler with Platinum license.
- Microsoft Azure account.
Part 1: Microsoft Azure VPN
1- Login to your Azure new portal , go on the left to Resource Groups and create a new Resource Group. I am going to name it “cloudbridge” for the sake of neatness.
2- Go to New on the left panel and search for virtual network then press on it.
3- On the right hand keep deployment model as Resource Manager and hit Create.
4- Configure Virtual Network settings as follows:
– Name: Whatever makes you feel good 🙂 I have named it ” cloudbridgeNETWORK “.
– Address Space: The full range of your azure network , incase you want to create multiple subnets. I am using 10.0.0.0/16 . Note that you need a subnet for Gateway whic his automatically created/configured by Azure so you have to spesify a range that can hold you subnet and the Gateway subnet.
– Subnet Name: Whatever makes you feel good 🙂 make it relevant !I have named it ” cloudbridge “.
– Subnet Range: This is the subnet range which your VMs on Azure will assigned IPs from. You can create more later and add to VPN tunnel. for now I am using 10.0.0.0/24 which is covered under my address space subnet.
– Resource Group: Use existing and choose the one we created earlier “cloudbridge”. Keep location same as Resource group location specified when creating the resource group.
5- Go to the New button on the left and search for “Virtual Network Gateway” and Create.
6- Configure Virtual Gateway as follows:
– Name: Whatever makes you feel good :). I have named it ” cloudbridgeGATEWAY “.
– Virtual Network: click and choose the virtual network we just created earlier. ” cloudbridgeNETWORK ” .
– Gateway Subnet: It will be populated by default. If it doesnt conflict with any of your desired or local network ranges keep the same and if it does you can change to whatever subnet you desire as long as its under your virtual network space address range.
– Public IP: click, Create New, Name it ” cloudbridgePublicIP “, press OK twice to go back to virtual gateway page.
– Gateway type: VPN.
– VPN Type: CHANGE to Policy-Based.
– Create. Takes about 30 minutes to complete so be patient.
7- Go to Resource Groups on the left, choose the resource group created earlier ” cloudbridge “, choose Virtual Network Gateway created earlier ” cloudbridgeGATEWAY”, click on Connections, ADD connection, configure as follows:
– Name: Whatever makes you feel happy :). Myne named ” cloudbridgeVPN “.
– Connection type: change to Site-to-Site IPSEC .
– Virtual Network Gateway: Chosen by default, if not the one you created earlier.
– Local Network Gateway: click, Create new, Name ” cloudbridgeLOCAL “, IP address: your public IP address ” 184.108.40.206 “, Address space: your local subnets ” 10.20.34.0/24 “. You have to add any local subnet that you want passing through the VPN tunnel. Press OK twice.
– Shared Key: Password for VPN tunnel ” cloud “.
– OK .
8- Lets add our internal DNS to Azure Virtual Network so that when VMs are created on Azure they are assigned our internal DNS sGo to Resource Groups on the left, choose the resource group created earlier ” cloudbridge “, choose Virtual Network . ” cloudbridgeNETWORK “, press all settings tab if nots opened by default, choose DNS servers, choose Custom DNS, add DNS servers, press SAVE. I only added google DNS incase tunnel is not working properly, VM would still have internet access and I would be able to RDP it its public IP assignes by Azure (later on that).
9- Lets create a new VM on Azure network subnet we just created for testing purposes later on when we need to test the VPN tunnel.
– Go to New , search for Server 2016 TP5 (Or whatever OS you want to deploy) , click on it and then create (Resource Manager).
– Name the VM, specify username ( not admin or administrator 🙂 ), specify password (at least 12 characters), User existing Resource group we created earlier ” cloudbridge “, same location stated when created resource group, press OK.
– Choose the size and press Next.
– Configure VM settings as follows:
– Disk Type : Premium
– Storage: Keep as Default New
– Virtual Network: Choose Virtual Network created earlier ” cloudbridgeNETWORK”
– Subnet: Choose subnet created earlier ” cloudbridge ”
– Public IP: Keep as Default New
– Security: Keep as Default New
– Press OK .
10- On summary tab wait for validation , verify all information is correct, and press OK. It would take about 10 minutes for VM to be created and ready.
Now everything from Azure side is good to go. We will now move to Mikrotik router configuration which can be easily replicated to other routers/firewalls as I will explain the simple logic behind it.
Part 2: Mikrotik Router
I have multiple public IP`s on my router which is connected by only one port to ISP thus I need to specify source and destination NAT from my subnet IP hosted on internal network on NetScaler which is my cloudbridge tunnel IP and public IP I will be using for VPN which I already specified in Azure Gateway configuration ( This would work the same if you had only one public IP).
On top of that I will create one route on my router stating that whenever traffic comes from Azure subnet ” 10.0.0.0/16 ” forward it to the NetScaler subnet IP which is actually my cloudbridge connector tunnel IP ” 10.20.34.42 “. You would do this for every subnet on Azure you want to communicate with through the VPN tunnel or else you would have to create static routes on every VM which is not optimal.
I am also going to configure my router firewall to allow traffic between Azure subnets ” 10.0.0.0/16 ” and local subnets ” 10.20.34.0/24 “. I will also configure my router to NOT NAT traffic going from local subnet ” 10.20.34.0/24 ” to azure subnet ” 10.0.0.0/16 ” simply because they need to talk to each other on there internal IPs because they are connected through VPN which is behind the router.Hope it makes more sense with screen shots, so here goes :
1- Because my VPN device is behind a router/firewall and is NATed, we need to first open IPSEC port to allow VPN IPSEC traffic to pass to internal network. ipsec-esp port 50 .
add action=accept chain=input comment=”Allow IPSEC-ESP port 50″ disabled=no protocol=ipsec-esp
2- Lets create a static route on router/firewall to inform it that azure subnets gateway ip is the subnet IP on NS which is also the cloudbridge tunnel IP.
add dst-address=10.0.0.0/16 gateway=10.20.34.42
3- Lets create 2 NAT rules. Destination NAT rule will tell my router that all traffic coming from Azure gateway VPN public IP ( The IP can be found in reference pic below) hiting my VPN public IP on my router to be forwarded to NetScaler cloudbridge IP ” 10.20.34.42 “. Source NAT rule will tell my router to forward all packets coming from my cloudbridge IP ” 10.20.34.24 ” to Azure gateway VPN pulic IP using my public IP which I specified for VPN taffic (If you had one public IP that would not be required but doesnt hurt to configure).
Destination NAT: add action=dst-nat chain=dstnat comment=”All traffic from Azure to cloudbridge IP” disabled=no src-address=220.127.116.11 dst-address=18.104.22.168 in-interface=”ether1-gateway” to-addresses=10.20.34.42
Source NAT: add action=src-nat chain=srcnat comment=”Route VPN traffic to Azure via cloudbridge tunnel IP” disabled=no src-address=10.20.34.42 dst-address=22.214.171.124 to-addresses=126.96.36.199
Because I trust Azure, I did not specify any ports (you can limit VPN ports UDP 500 and 4500 if security with Azure is a big concern) so any taffic coming Azure public IP 188.8.131.52 to my VPN public IP 184.108.40.206 will be forwarded to cloudbridge IP 10.20.34.42. Any traffic going outside from cloudbridge IP 10.20.34.42 to Azure public IP 220.127.116.11 will use VPN public IP 18.104.22.168 .
I know networking part is a bit of a hastle so if you still didnt get any of the above kindly comment and I will elaborate further.
4- Lets create a NAT rule so that router/firewall understands that my local network can communicate with Azure network without the need for NAT (since VPN configuration is not directly on router, we have to explain the logic so that it understands what to do with this azure subnet which is not hosted on it).
add action=accept chain=srcnatsrc-address=10.20.34.0/24 dst-address=10.0.0.0/16
5- Now we have to create a firewall rule to allow taffic to pass from azure subnet 10.0.0.0/16 to local subnet 10.20.34.0/24 and vice versa.
Finally we move on now to the cloudbridge connector configuration which is the easiest part.
Part 3: NetScaler Cloudbridge Connector
1- Login to NetScaler, go to System, go to Settings, press on Configure Advanced Features, Enable Cloud Bridge. Remember you need Platinum license for this feature to work.
2- Go to System, CloudBridge Connector, press on Create/Monitor CloudBridge Connector.
3- Click Get Started, and choose Microsoft Azure.
4- Enter Azure VPN public IP and Azure local network address space (not subnet, the whole space).
5- Choose subnet IP configured on NetScaler and local subnet.
6- Name the connector, keep default settings, and type the VPN password we set earlier in Azure VPN configuration.
7- That is it. Now go back to Systems, Cloud Bridge Connector, IP Tunnels, and make sure it is UP. It might take couple of minutes to connect so be patient before going crazy on troubleshooting.
1- We already created a VM on azure for testing purposes so lets put it into good use. Lets figure out what IP was issued to that VM and lets try to ping it from our internal subnet and vice versa.
Because I created a public IP dedicated for that VM, I can use Azure to connect to that VM directly. Login with the specified username/pass when the VM was created.
First thing let me try pining the cloudbridge tunnel IP from the VM
Cool now let me try to resolve from my internal DNS
Great that is working so now let me try to ping the Azure VM from my local network ( disable firewall on azure VM before pinging )
I did my best to simplify this but again it is not for the faint-hearted, though I am not a networking guy, I did lots of testing and troubleshooting before laying this here especially on the router/firewall side. Its amazing what you can acheive nowadays with emerging technologies, I mean NetScaler has tens of features which most of us do not use or sometimes heard of. I also managed to get VMware NSX VMs connected with Azure VMs through this VPN tunnel but trying to explain that in details would take ages 🙂 .
Hope you have enjoyed and feel free to comment.
This actually answered my problem, thank you!
Most Welcome 🙂
Great write up. What kind of (max) throughput are you able to achieve with this? Would this be considered a Basic gateway as described in https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/?
Thank you. Throughput depends on your WAN link and the type of gateway would be determined on the type of SKU it was created with, you can checkout this page https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways for more info on Gateway SKU and how to change it if required.
Comments are closed.