Connecting your Cloudspace to Azure via IPSEC
GIG is offering a wide variety of solutions and methods to integrate your existing platform. Either this is on premises or on another Cloud provider.
In this tutorial we will present in few steps how easy is to integrade your Azure environment with GIG's cloud as a service platform cloudspace.
- Valid Azure Subscription.
- Assuming basic to none configuration on Azure and the following guide is assisting you to setup also initial configurations. In case you already have them feel free to proceed to step 2.
- Access to your GIG cloudspace with RouterOS virtual firewall
Steps involved in creating a site to site VPN
- Create a Virtual Network, and a Gateway Subnet
- Create Virtual Network Gateway
- Create Local Network Gateway
- Add Connection for Site-To-Site VPN
- Create the configuration on GIG's Cloud as a Service gateway.
Step 1 (Azure) - Create a Virtual Network.
Select from the + button on "Create a Resource" and input "Virtual Network".
You can leave all items as they are and proceed on creating the virtual network
Upon creation go back to the resource "Virtual Network" and from the "+ Subnet" icon add one subnet that will be used for the creation of the Gateway
By selecting ok you will end up having something as shown below in your Network screen
Step 2 (Azure) - Create Virtual Network Gateway
Back to Home and select from the + button on "Create a Resource" and input "Virtual Network Gateway".
Name: Name for the virtual network gateway
Gateway Type: For our VPN it will be VPN
VPN Type: Route-based
Virtual Network: Select the VNet you have created following the previous step
Public IP Address: Create new
Public IP Name: Any name that you like can go here.
Location: Select the correct region to match with VNet region
You should have now a screen as the following:
Step 3 (Azure) - Local Network Gateway
Back to Home and select from the + button on "Create a Resource" and input "Local Network Gateway"
Click on create and input the following fields:
Name: Name for the local gateway
IP Address: Public IP address of your GIG Cloudspace.
Address Space: The IP range used on your GIG cloudspace for the VMS normally something like 192.168.103.0/24.
Resource Group: Create new resource group or use the same one you were using
You should end up on something that will resemble the following image:
Step 4 (Azure) - Add Connection for Site-To-Site VPN
As your Local Network Gateway is created, select "Connections"
Name: Name of the connection
Connection Type: Type of the VPN (site-to-site(IPsec))
Virtual Network Gateway: Select the one that was created on the previous step
Local Network Gateway: Select the relevant local network gateway for your connection
Shared Key: Pre-shared key you going to use for the VPN configuration.
Step 5 (GIG) - Create the configuration in the defense shield of your Cloudspace.
Browse to your cloudspace, Select "Defense Shield" and from there "Advanced Shield Configuration"
Note: This is only available for RouterOS cloudspaces
Select Console from top right and paste the following configuration, changing with the appropriate to your environment IP settings
- /ip ipsec peer add address=\<Azure gateway public IP> exchange-mode=ike2 local-address=\<your cloudspace public ip> name="Azure"
- /ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name= "Azure"
- /ip ipsec identity add peer="Azure" secret="Mysupersecurepassword1"
- /ip ipsec policy add dst-address=\<Internal subnet of Azure systems> peer="Azure" proposal= "Azure" sa-dst-address=\<Azure public IP> sa-src-address=\<your cloudspace public ip> src-address=\<Internal subnet of your GIG cloudspace> tunnel=yes
You should be having something like the in the following images displayed to your Router OS environment:
The last required item is to add a firewall rule that will allow the traffic from our internal network towards Azure internal networks without any further modification.
Ping from Azure environment towards GIG Cloudspace VM.
azureuser@VM1:~$ ping 192.168.103.254 -c 5
PING 192.168.103.254 (192.168.103.254) 56(84) bytes of data.
64 bytes from 192.168.103.254: icmp_seq=1 ttl=63 time=28.3 ms
64 bytes from 192.168.103.254: icmp_seq=2 ttl=63 time=28.1 ms
64 bytes from 192.168.103.254: icmp_seq=3 ttl=63 time=27.5 ms
64 bytes from 192.168.103.254: icmp_seq=4 ttl=63 time=27.3 ms
64 bytes from 192.168.103.254: icmp_seq=5 ttl=63 time=27.5 ms64 bytes from 192.168.103.254: icmp_seq=5 ttl=63 time=27.5 ms
This should make the connection between the private network of your cloudspace with your network in Azure.