Connecting your Cloudspace to Azure via IPSEC


Introduction
GIG offers a wide variety of solutions and methods to integrate your existing platform, whether it runs on premises or at another cloud provider.

In this tutorial we show, in a few steps, how to integrate your Azure environment with a cloudspace on GIG's Cloud as a Service platform.

Prerequisites

  • Valid Azure Subscription.
  • This guide assumes little or no existing configuration on Azure and walks you through the initial setup as well. If you already have a virtual network and gateway subnet, feel free to proceed to step 2.
  • Access to your GIG cloudspace with the RouterOS virtual firewall.

Steps involved in creating a site to site VPN

  • Create a Virtual Network and a Gateway Subnet
  • Create Virtual Network Gateway
  • Create Local Network Gateway
  • Add Connection for Site-To-Site VPN
  • Create the configuration on GIG's Cloud as a Service gateway.

Step 1 (Azure) - Create a Virtual Network

Select the + button ("Create a Resource") and search for "Virtual Network".
You can leave all items at their defaults and proceed with creating the virtual network.

Once it is created, go back to the "Virtual Network" resource and use the "+ Subnet" icon to add one subnet that will be used for the gateway.


After selecting "OK", the new subnet appears in your Virtual Network screen, as shown below.


Step 2 (Azure) - Create Virtual Network Gateway

Go back to Home, select the + button ("Create a Resource") and search for "Virtual Network Gateway". Fill in the fields as follows:

Name: Name for the virtual network gateway
Gateway Type: VPN
VPN Type: Route-based
SKU: VpnGw1
Virtual Network: Select the VNet you created in the previous step
Public IP Address: Create new
Public IP Name: Any name of your choice
Location: Select the region matching the VNet's region

You should now see the following screen:

Step 3 (Azure) - Local Network Gateway

Go back to Home, select the + button ("Create a Resource") and search for "Local Network Gateway".

Click on create and input the following fields:
Name: Name for the local gateway

IP Address: Public IP address of your GIG cloudspace.
Address Space: The IP range used for the VMs in your GIG cloudspace, normally something like 192.168.103.0/24.
Resource Group: Create a new resource group or use the same one you used before.

You should end up with something resembling the following image:
Step 4 (Azure) - Add Connection for Site-To-Site VPN

Once your Local Network Gateway is created, select "Connections" and fill in the following fields:

Name: Name of the connection
Connection Type: Site-to-site (IPsec)
Virtual Network Gateway: Select the virtual network gateway you created earlier
Local Network Gateway: Select the local network gateway for this connection
Shared Key: Pre-shared key you're going to use in the VPN configuration.

Step 5 (GIG) - Create the configuration in the defense shield of your Cloudspace.

Browse to your cloudspace, select "Defense Shield" and then "Advanced Shield Configuration".

Note: This is only available for RouterOS cloudspaces

Select "Console" from the top right and paste the following configuration, replacing the placeholders in angle brackets with the IP settings of your environment. The secret must be the same Shared Key you entered in step 4.

  • /ip ipsec peer add address=<Azure gateway public IP> exchange-mode=ike2 local-address=<your cloudspace public IP> name="Azure"
  • /ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name="Azure"
  • /ip ipsec identity add peer="Azure" secret="Mysupersecurepassword1"
  • /ip ipsec policy add dst-address=<internal subnet of Azure systems> peer="Azure" proposal="Azure" sa-dst-address=<Azure gateway public IP> sa-src-address=<your cloudspace public IP> src-address=<internal subnet of your GIG cloudspace> tunnel=yes

Your RouterOS environment should now show something like the following images:

Screenshots: IPsec Policy, IPsec Peer, IPsec Proposal
The last required item is a firewall rule that allows traffic from our internal network towards the Azure internal networks; no further modification is needed.

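The same step 5 configuration as one pasteable RouterOS script, with the firewall rule the article asks for but does not show. This is an added example and not the article's or GIG's own configuration: every address and the key are placeholders (TEST-NET ranges) to replace with your own values, pfs-group=none is an assumption that matches Azure's default IPsec policy, and the NAT bypass rule assumes your cloudspace masquerades outbound traffic.

```routeros
# Added example, not part of the original article.
# Replace every :global value below with your own; these are placeholders.
:global azurePublicIp "203.0.113.10"
:global cloudspaceIp "198.51.100.20"
:global azureSubnet "10.1.0.0/16"
:global cloudspaceSubnet "192.168.103.0/24"
:global azurePsk "CHANGE-ME-use-the-shared-key-from-step-4"

# Phase 1: IKEv2 peer towards the Azure VPN gateway.
/ip ipsec peer add name="Azure" address=$azurePublicIp local-address=$cloudspaceIp exchange-mode=ike2

# Phase 2 proposal as in the article: AES-256-CBC with SHA-256.
# pfs-group=none is an assumption matching Azure's default policy; change it if you
# configured a custom IPsec policy on the Azure connection.
/ip ipsec proposal add name="Azure" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m pfs-group=none

# Pre-shared key: must equal the Shared Key entered on the Azure connection in step 4.
/ip ipsec identity add peer="Azure" auth-method=pre-shared-key secret=$azurePsk

# Traffic selectors: cloudspace VM subnet <-> Azure VNet, tunnel mode.
/ip ipsec policy add peer="Azure" proposal="Azure" tunnel=yes src-address=$cloudspaceSubnet dst-address=$azureSubnet sa-src-address=$cloudspaceIp sa-dst-address=$azurePublicIp

# Firewall: accept forwarded traffic in both directions between the two private networks.
# place-before=0 puts the rules ahead of any existing drop rule in the forward chain.
/ip firewall filter add chain=forward src-address=$cloudspaceSubnet dst-address=$azureSubnet action=accept place-before=0 comment="Azure S2S"
/ip firewall filter add chain=forward src-address=$azureSubnet dst-address=$cloudspaceSubnet action=accept place-before=0 comment="Azure S2S"

# NAT bypass (assumption: outbound traffic is masqueraded). Without it, packets to Azure
# would be source-NATed first and no longer match the IPsec policy selector.
/ip firewall nat add chain=srcnat src-address=$cloudspaceSubnet dst-address=$azureSubnet action=accept place-before=0 comment="Azure S2S - bypass NAT"
```

The variables are declared with :global so they survive line by line when pasted into the console; you can remove them afterwards with :set, or run the whole block as a system script instead.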
Validation

Ping from Azure environment towards GIG Cloudspace VM.

azureuser@VM1:~$ ping 192.168.103.254 -c 5
PING 192.168.103.254 (192.168.103.254) 56(84) bytes of data.
64 bytes from 192.168.103.254: icmp_seq=1 ttl=63 time=28.3 ms
64 bytes from 192.168.103.254: icmp_seq=2 ttl=63 time=28.1 ms
64 bytes from 192.168.103.254: icmp_seq=3 ttl=63 time=27.5 ms
64 bytes from 192.168.103.254: icmp_seq=4 ttl=63 time=27.3 ms
64 bytes from 192.168.103.254: icmp_seq=5 ttl=63 time=27.5 ms

The private network of your cloudspace and your virtual network in Azure are now connected.
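The tunnel state can also be confirmed from the RouterOS console, which helps when the ping fails and you need to know whether the problem is phase 1, phase 2 or the firewall. This is an added example, not from the original article; the ping target and source address are placeholders.

```routeros
# Added example, not part of the original article.

# Phase 1: the Azure gateway should appear with state "established".
/ip ipsec active-peers print

# Phase 2: one security association per direction should be installed for the Azure peer.
/ip ipsec installed-sa print

# The policy should show ph2-state "established"; "no-phase2" points at a selector or
# proposal mismatch with the Azure side.
/ip ipsec policy print detail

# Send test traffic from inside the cloudspace subnet so it matches the policy selector.
# Placeholders: 10.1.0.4 = an Azure VM, 192.168.103.1 = the router's own LAN address.
/ping 10.1.0.4 src-address=192.168.103.1 count=5

# Negotiation errors (wrong pre-shared key, proposal mismatch) are logged under the ipsec topic.
/log print where topics~"ipsec"
```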
