Introduction - NetFoundry for Azure Virtual WAN.
NetFoundry integrates with Microsoft Azure Virtual WAN to provide instant-on Azure connectivity without private circuits, VPNs, or networking hardware.
Following this guide will take you through the steps required to setup NetFoundry on a single offsite location enabling Azure Virtual WAN connectivity to the Azure Cloud. Sample topology:
1. Must have an Azure account and the appropriate permissions to administer resources.
2. Determine Cloud resource Geography for HUB, connected Virtual Networks and on-premise connections.
3. Is this for testing? If so, is the testing environment known?
4. Determine the location to place Branch Gateway software?
5. What type of virtualization Hypervisor will be used? Do you have access to the Hypervisor with admin permissions for hardware/software installation.
6. External facing IP to register with Azure Virtual WAN. Likely a primary NAT address servicing your LAN users.
7. LAN IP & subnet for virtual machine instance created on Hypervisor.
Step 1. NetFoundry Initial Configuration
Starting from NetFoundry's Console, click on the "get started" icon. Our subscription model and use cases are outlined for the appropriate solution base.
Select a customized URL for your console site name unique to you or the organization.
Your custom url is displayed for your records and hit next.
Insert your email and "Let's Get Started"
An email will be sent providing you a link to complete the sign in process and to ACCEPT your site name. Please remember this name as you will need it for future logins.
NOTE: The site is unique to the parent organization and will contain only NetFoundry networks.
Create password and Login once accepted
You will be prompted to create a New Network and provide a name.
Once you have created the network, you will land on the Dashboard Page. Notice the network name in upper left corner.
In the upper right corner under username/initials, select Manage Organization...
Select the "Manage Subscription" option...here you will set your Azure subscription information. This information will be gathered from the Azure portal in the next few steps and requires your Microsoft Azure credentials.
Name -- Choose a name that complies to your organizational naming conventions.
Step 2. Create & document Azure subscription parameters.
The remaining fields on the Subscription For Azure page can be found in the Azure portal per the diagrams below. Once you have created the resources in Azure, return to the NetFoundry console to complete the Subscription for Azure in Step 1.
Subscription ID - This can be found in the billing account management section.
Application ID - (App Registration or Service Principal) This will need to be created for NetFoundry Virtual WAN integration. First select Active Directory > App Registration. Select + New application registration and provide name, WebApp/API and URL https://console.netfoundry.io.
Tenant ID - Can be found by going to the Portal.azure.com, selecting 'Azure Active Directory(AAD) in the left panel, then selecting Properties in the middle pane, and Copying and Pasting the Directory ID. (*note there is a useful copy/paste functionality included with the Paper icon at the end of the line.
Get the Tenant ID, which is the ID of the AAD directory in which you created the application.
Secret key - Create the Secret Key. The secret key is associated to the App Registration account created in the steps above.
First Selection 'Azure Active Directory' > 'App registration' > Name of your App Registration.
Select Setting > New Pane will open...
Select Keys > New Pane will open...
Create a key by inputting Description | Duration and Value then select save, The key will show up ONCE, or until you leave the page. If you forget your Key, you will have to create a new one.
Copy the authentication key string to the text editor, and label the string as Client Secret Key. Save in a file if needed for future reference.
Step 3. Azure Virtual WAN Configuration
Grant Service Principal(App Registration) permissions to desired Azure Resource group. Select the desired Resource Group and add the Service Principal IAM account to the Contributor role.
Hit Access Control(IAM) to open the permissions page.
Hit Add to add Service Principal account to the Resource Group.
Select the Contributor role from the drop down list and select your Service Principal account by name or the Application ID then hit Save.
Virtual WAN Creation - Create a Virtual WAN in a desired Resource Group in the location nearest to your Data Centers and Azure resources. From Home Dashboard in Azure portal use the + Create a Resource plus sign in the upper left outside corner.
From the Azure Marketplace area, type in virtual wan and hit search.
Select the Azure product Virtual WAN and double click.
Hit CREATE from the Virtual WAN product description page to get started.
Basic Virtual WAN configuration.
1. Select a name corresponding to the desired naming scheme.
2. Select the desired subscription this resource will be sourced within.
3. Select the desired Resource Group for the Virtual WAN.
4. Select the desired Resource Group location.
Next create the HUB for the desired region and associated resources. Accept the default parameters.
Add Virtual Network Connections to HUB. This process will take a few minutes to complete. NOTE: connecting Azure Virtual Networks to ExpressRoute AND VirtualWAN is not supported.
Select the HUB and the Virtual Network you will expose to the Virtual WAN.
Step 4. NetFoundry Gateway instance creation.
This step requires the physical or virtual assets be implemented to host the the NetFoundry Gateway. You can choose to implement vCPE, AWS or Azure resources to connect to Azure Virtual WAN. Once the assets have been created, we will create the NetFoundry site and register it with Azure and NetFoundry.
Various images can be downloaded from the following site: https://netfoundry.io/resources/support/downloads under the NetFoundry Gateways section.
Azure and Amazon both have NetFoundry Gateway available in their respective Marketplaces.
Follow this guide to install the NetFoundry Cloud gateway into the Azure Cloud with the purpose of connecting to Azure Virtual WAN or NetFoundry AppWAN's. Azure has networking solutions in place for routing within virtual networks so the gateway is best utilized in a network not connected to a Virtual WAN hub.
Note: Unlike other pre-built images with set credentials. During the launch of the NetFoundry Cloud Gateway in Azure you will be prompted for using SSH public key or provide password. IMPORTANT: Select SSH Keys. Generate a SSH-2 RSA public key and save the public & private keys to your host. The public key can be used for Virtual Machines in the future. The private key will be used to authenticate with Azure instance(s) upon login. You may use any SSH-2 RSA key generator.
Here is an example with Puttygen. Copy the key into the Azure SSH public key field.
Step 5. NetFoundry Console Endpoint Configuration
The Endpoint software will be installed at the desired location on the server implemented in the previous step...e.g. Public Cloud, Branch, Data Center etc. First we will create the Gateway on the NetFoundry console. Console quick-start guide can be found here for additional reference.
1. Create gateway
or if you have existing gateway(s) D
2. Create Azure site endpoint in the NetFoundry console:
A) SITE NAME
The site name should adhere to Azure naming standards found here. Valid characters are Alphanumeric, hyphen, underscore, and period.
NOTE: No spaces " " in a name.
B) CLOUD REGION
Pick a region that is closest to your Branch offices or Azure regions you wish to attach to the Primary Cloud resources.
C) AZURE RESOURCE GROUP NAME
List is Auto generated from Azure Via API calls to your subscription. You may give API access to multiple Resource Groups by providing Contributor role access to the App Registration account created in earlier steps. When building sites in Azure, you will choose the Resource Group containing the NetFoundry Gateway which in most cases will not be the same Resource Group as your primary Azure Cloud resources. If you are using vCPE, select the Resource Group containing your Virtual WAN and HUB.
D) AZURE VIRTUAL WAN
List is Auto generated from Azure Via API calls to your subscription. The Azure Virtual WAN is a global resource.
E) AZURE DATA CENTER LOCATION
Pick the region where Azure Cloud Resources reside.
F) PUBLIC IP ADDRESS
xxx.xxx.xxx.xxx - external interface of NetFoundry Gateway
G) PRIVATE ADDRESS SPACE
NOTE: Copy the registration key and save as Text file for installation on host in Step 6.
3. Next, using the key from the previous step, it is necessary to activate the NetFoundry Gateway software on your Branch/Remote host. Registering your endpoint binds your new NFN Gateway/Endpoint to your organizations NetFoundry Cloud console.
Register the NFN Gateway and look for errors in the registration process output or verify "Success when the registration completes. NOTE: Register gateway with "-a" switch for Azure.
>sudo nfnreg -a [key]
Validate the VM is now active on the NetFoundry Network by checking the status of the NetFoundry service.
>sudo systemctl status dvn
NOTE: Most common causes for registration to fail are: Not having an reachable IP assigned, not having a default gateway defined or not having a valid DNS resolver specified.
Within the NetFoundry console validate your Site Registration has completed. Your Azure site should indicate online with a Green indicator.
Step 6. Finish Azure Virtual WAN Configuration
NOTE: It is recommended to allow 15 minutes prior to starting this portion of the setup to allow for all scripts to complete.
Notice the NetFoundry site is now populated within the Azure Virtual WAN VPN sites page. It will need to have an association to the desired HUB. It should be in a provisioned status at this point.
Associate HUB to VPN site.
Confirm VPN site connection from Branch to Azure.
NOTE: Allow 20-30 minutes for connection scripts to recycle and for the connection to complete. Reboot NetFoundry gateway should it take longer than expected.
Verify you have a Virtual network gateway entry in your Effective routes table for your NetFoundry Gateway instance IP Interface as below.
Best Practice: Implement Azure Connection Monitor for each site.
Testing connectivity - Branch NetFoundry Gateway to Azure server resources. From the Gateway in your Branch try to access a host in Azure with SSH, RDP, ICMP or HTTP.
Example: Host 10.0.2.4 is a web server sitting in Azure.
Additional testing for end to end connectivity - test connection status from resources behind Branch gateways to resources on virtual networks connected to the Azure Hub.
Managing Azure Virtual WANs
1. Adding Sites to your Azure VWAN subscription.
From the NetFoundry console - follow the same step performed in the original create documentation but select the appropriate Network information for the new Branch site.
Download and/or launch the desired Gateway appropriate for the Branch Use case.
NOTE: Copy and/or make note of new Gateway Registration key to be used in the selected Gateway initial configuration/registration. See Section NetFoundry Endpoint Configuration step 3.
The new site will now populate via API to the Azure Virtual WAN. Within Azure portal, navigate to Home>Resource Groups>Virtual WAN>"Your Virtual WAN". You will now see a new site in the portal with a "provisioned" status requiring HUB association. The new site will need to be associated with a HUB to become active in the Virtual WAN. Check the new site & select New HUB association and select the HUB in use for the GEO of that Branch.
NOTE: Security or Routing will need to be implemented at the Branch sites.
2. Removing VPN sites from Azure and NetFoundry.
From the Azure portal, navigate to your Virtual WAN and select VPN Sites from the pane. On the right side of the main resource screen select the site to be removed by clicking the 3 white dots. Select remove association.
Once the site is dissociated with the Hub, select the 3 dots again and Delete site.
On the NetFoundry console, remove any AppWAN and/or Services definitions which are associated with the site to be deleted. Proceed to the to the Gateways section and remove the desired site.