Create and manage Azure Virtual WAN sites

Introduction - NetFoundry for Azure Virtual WAN

NetFoundry integrates with Microsoft Azure Virtual WAN to provide instant-on Azure connectivity without private circuits, VPNs, or networking hardware.

This guide walks you through the steps required to set up NetFoundry at a single offsite location, enabling Azure Virtual WAN connectivity to the Azure cloud. Sample topology:

[Image: virtualwanoverview.png]

Planning requirements:

1. You must have an Azure account with the appropriate permissions to administer resources.

2. Determine the Azure geography for the hub, the connected virtual networks, and the on-premises connections.

3. Is this for testing? If so, is the testing environment known?

4. Determine where the Branch Gateway software will be placed.

5. Determine which hypervisor will be used. You need admin access to the hypervisor (hardware and software).

6. The external-facing IP address to register with Azure Virtual WAN, most likely the primary NAT address serving your LAN users.

7. The LAN IP address and subnet for the virtual machine instance created on the hypervisor.

Step 1. NetFoundry Initial Configuration

Starting from the NetFoundry console, click the "get started" icon. Our subscription model and use cases are outlined for the appropriate solution base.

Provide a Site Name and your organization's information.

[Image: site_name.png]

 

A confirmation screen confirms your new site name. An email will be sent with a link to complete the sign-in process and to ACCEPT your site name. Remember this name, as you will need it for future logins.

NOTE: The site is unique to the parent organization and will contain only NetFoundry networks.

[Image: confirmation.png]

 

Log in once your site name has been accepted.

You will be prompted to create a new network and provide a name.

[Image: newnet.png]

 

Once you have created the network, you will land on the Dashboard page. Notice the network name in the upper left corner.

[Image: networkconfirm.png]

In the upper right corner, under your username/initials, select Manage Organization.

[Image: manageorg.png]

Select the "Manage Subscription" option. Here you will enter your Azure subscription information, which is gathered from the Azure portal in the next few steps and requires your Microsoft Azure credentials.

Name - Choose a name that complies with your organization's naming conventions.

[Image: managesub.png]

[Image: azuresub.png]

Step 2. Create & document Azure subscription parameters.

The remaining fields on the Subscription for Azure page can be found in the Azure portal, as shown in the screenshots below. Once you have created the resources in Azure, return to the NetFoundry console to complete the Subscription for Azure from Step 1.

Subscription ID - This can be found in the billing account management section.

[Image: subid.png]

Application ID - (App Registration or Service Principal) This must be created for the NetFoundry Virtual WAN integration. First select Active Directory > App Registration.

[Image: appd.png]

Tenant ID - Can be found by going to portal.azure.com, selecting 'Azure Active Directory' (AAD) in the left panel, then selecting Properties in the middle pane and copying the Directory ID. (Note: the paper icon at the end of the line copies the value to the clipboard.)

Get the Tenant ID, which is the ID of the AAD directory in which you created the application.

[Image: tenantid.png]

Secret key - Create the secret key. The secret key is associated with the App Registration account created in the steps above.

First select 'Azure Active Directory' > 'App registration' > the name of your App Registration.

[Image: secretkeyreg.png]

Select Settings; a new pane will open.
Select Keys; a new pane will open.

Create a key by entering the Description, Duration and Value, then select Save. The key is shown ONCE, only until you leave the page. If you lose the key, you will have to create a new one.

Copy the authentication key string into a text editor and label it Client Secret Key. Save it in a file if needed for future reference. Treat this value as a credential for your Azure subscription: keep it in a password manager or secret store with restricted access rather than in an unprotected file.

[Image: secretkeycopy.png]

Step 3. Azure Virtual WAN Configuration

Grant the Service Principal (App Registration) permissions on the desired Azure Resource Group. Select the Resource Group and add the Service Principal IAM account to the Contributor role. Scoping the role to the Resource Group rather than the whole subscription limits what the integration can change if the secret key is ever exposed.

[Image: appreg1.png]

Click Access Control (IAM) to open the permissions page.

[Image: appreg2.png]

Click Add to add the Service Principal account to the Resource Group.

[Image: appreg3.png]

Select the Contributor role from the drop-down list, select your Service Principal account by name or by Application ID, then click Save.

[Image: appreg4.png]

Virtual WAN creation - Create a Virtual WAN in the desired Resource Group, in the location nearest to your data centers and Azure resources. From the Home dashboard in the Azure portal, use the + Create a resource button in the upper left corner.

[Image: Createresourceazure.png]

In the Azure Marketplace search box, type "virtual wan" and search.

[Image: virtualwan1.png]

Select the Azure product Virtual WAN and double-click it.

[Image: virtualwan2.png]

Click CREATE on the Virtual WAN product description page to get started.

[Image: virtualwan3.png]

Basic Virtual WAN configuration:

1. Select a name that matches your naming scheme.

2. Select the subscription this resource will be created in.

3. Select the desired Resource Group for the Virtual WAN.

4. Select the desired Resource Group location.

[Image: virtualwan4.png]

Next, create the hub for the desired region and its associated resources. Accept the default parameters.

[Image: createhub.png]

Add Virtual Network connections to the hub. This process takes a few minutes to complete. NOTE: connecting an Azure Virtual Network to both ExpressRoute AND Virtual WAN is not supported.

[Image: virtual_networks1.png]

Select the hub and the Virtual Network you will expose to the Virtual WAN.

[Image: virtual_networks2.png]

Step 4. NetFoundry Gateway instance creation.

This step requires that the physical or virtual assets to host the NetFoundry Gateway be implemented. You can choose vCPE, AWS or Azure resources to connect to Azure Virtual WAN. Once the assets have been created, we will create the NetFoundry site and register it with Azure and NetFoundry.

Various images can be downloaded from https://netfoundry.io/resources/support/downloads under the NetFoundry Gateways section.

Azure and Amazon both have the NetFoundry Gateway available in their respective Marketplaces.

Azure Cloud Gateway

Follow this guide to install the NetFoundry Cloud Gateway in Azure for the purpose of connecting to Azure Virtual WAN or NetFoundry AppWANs. Azure already provides routing within virtual networks, so the gateway is best used in a network that is not connected to a Virtual WAN hub.

Note: Unlike other pre-built images that ship with fixed credentials, the NetFoundry Cloud Gateway launch in Azure prompts you to choose between an SSH public key and a password. IMPORTANT: Select SSH keys. Generate an SSH-2 RSA key pair and save the public and private keys on your host. The public key can be reused for future virtual machines; the private key is used to authenticate to the Azure instance(s) at login. You may use any SSH-2 RSA key generator. Protect the private key with a passphrase and never paste it into the portal; only the public key is uploaded.

Here is an example with PuTTYgen. Copy the public key into the Azure SSH public key field.

[Image: puttygen.png]

[Image: key.png]

AWS Cloud Gateway

OVA for VMware ESXi 5.0 or greater - Branch

Microsoft Hyper-V VHD Image - Branch

KVM QCOW2 Image - Branch

OVA for VirtualBox - Branch

Step 5. NetFoundry Console Endpoint Configuration

The endpoint software will be installed on the server implemented in the previous step, at the desired location (e.g. public cloud, branch, data center). First we will create the Gateway in the NetFoundry console. The console quick-start guide can be found here for additional reference.

[Image: create_gateway.png]

1. Create gateway

[Image: creategw2.png]

or, if you have existing gateway(s):

[Image: creategw3.png]

2. Create Azure site endpoint in the NetFoundry console:

[Image: createazuresite.png]

A) SITE NAME
The site name should adhere to the Azure naming standards found here. Valid characters are alphanumerics, hyphen, underscore, and period.

NOTE: No spaces " " in a name.

B) CLOUD REGION
Pick the region closest to your branch offices or to the Azure regions you wish to attach to the primary cloud resources.

C) AZURE RESOURCE GROUP NAME
The list is auto-generated from Azure via API calls to your subscription. You may give API access to multiple Resource Groups by granting the Contributor role to the App Registration account created in earlier steps. When building sites in Azure, choose the Resource Group containing the NetFoundry Gateway, which in most cases will not be the same Resource Group as your primary Azure cloud resources. If you are using vCPE, select the Resource Group containing your Virtual WAN and hub.

D) AZURE VIRTUAL WAN
The list is auto-generated from Azure via API calls to your subscription. The Azure Virtual WAN is a global resource.

E) AZURE DATA CENTER LOCATION
Pick the region where your Azure cloud resources reside.

F) PUBLIC IP ADDRESS
xxx.xxx.xxx.xxx - the external interface of the NetFoundry Gateway

G) PRIVATE ADDRESS SPACE
x.x.x.x/24
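The following added example (not part of the original article or of NetFoundry's software) pre-checks fields A, F and G before you submit the site: the naming rule stated above, that the public IP is actually Internet-routable rather than a LAN address behind NAT, and that the private address space is a network prefix (not a host address) that does not overlap the hub or any connected VNet. The hub and VNet prefixes in the sample are constructed; in a real deployment take them from the Virtual WAN hub and VNet address spaces.

```python
"""Checks the Azure site fields A, F and G before the site is created in the NetFoundry console."""
import ipaddress
import re

# Azure naming rule restated above: alphanumerics, hyphen, underscore and period; no spaces.
SITE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

def check_site_name(name):
    """Field A: return a problem string, or None if the name is acceptable."""
    if not SITE_NAME_RE.match(name):
        return f"site name {name!r}: use only letters, digits, '-', '_' and '.', with no spaces"
    return None

def check_public_ip(ip):
    """Field F: the gateway's external address; entering the LAN/NAT-inside address is a common mistake."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return f"public IP {ip!r} is not a valid IPv4 address"
    if not addr.is_global:
        return f"public IP {ip} is private or reserved; Azure must be able to reach it"
    return None

def check_private_space(cidr, azure_prefixes):
    """Field G: must be a network prefix (not a host address) and must not overlap any Azure prefix."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)  # strict: rejects x.x.x.5/24
    except ValueError as err:
        return f"private address space {cidr!r}: {err}"
    for prefix in azure_prefixes:
        if net.overlaps(ipaddress.IPv4Network(prefix)):
            return f"private address space {cidr} overlaps Azure prefix {prefix}; routing would be ambiguous"
    return None

def validate_site(site, azure_prefixes):
    """Run all checks; return the list of problems (empty when the site definition is consistent)."""
    results = [check_site_name(site["name"]), check_public_ip(site["public_ip"]),
               check_private_space(site["private_space"], azure_prefixes)]
    return [r for r in results if r]

if __name__ == "__main__":
    # Constructed sample: a hub prefix and the VNet assumed to hold the 10.0.2.4 web server used later in this guide.
    azure = ["10.0.0.0/24", "10.0.2.0/24"]
    bad_site = {"name": "branch ny", "public_ip": "192.168.1.10", "private_space": "10.0.2.0/24"}
    print(validate_site(bad_site, azure))  # every field of this sample is flagged
```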

 

NOTE: Copy the registration key and save it as a text file for installation on the host in Step 6.

[Image: copyazurekey.png]

3. Next, using the key from the previous step, activate the NetFoundry Gateway software on your branch/remote host. Registering your endpoint binds the new NFN Gateway/Endpoint to your organization's NetFoundry Cloud console.

Register the NFN Gateway and look for errors in the registration output, or verify "Success" when the registration completes. NOTE: Register the gateway with the "-a" switch for Azure.

>sudo nfnreg -a [key]

Validate that the VM is now active on the NetFoundry network by checking the status of the NetFoundry service.

>sudo systemctl status dvn

NOTE: The most common causes of registration failure are: no reachable IP address assigned, no default gateway defined, or no valid DNS resolver specified.
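As an added example (not part of the original article or of nfnreg), this script checks the three prerequisites listed in the note above before you run the registration: it parses /proc/net/route for an on-link route and a default gateway, /etc/resolv.conf for a valid nameserver, and performs a test lookup. The probe name netfoundry.io is an assumption; substitute any name your gateway must reach.

```python
"""Pre-registration check for the failure causes named above: no IP, no default gateway, no working DNS."""
import ipaddress
import socket
import struct

def parse_routes(route_text):
    """Return (default gateway or None, True if any on-link route exists) from /proc/net/route text."""
    default_gw, has_address = None, False
    for line in route_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 4:
            continue
        dest, gw, flags = f[1], f[2], int(f[3], 16)
        if dest == "00000000" and flags & 0x2:  # RTF_GATEWAY set: this is the default route
            default_gw = socket.inet_ntoa(struct.pack("<L", int(gw, 16)))  # little-endian hex word
        elif dest != "00000000" and not flags & 0x2:  # on-link route: an address is configured
            has_address = True
    return default_gw, has_address

def parse_nameservers(resolv_text):
    """Return the syntactically valid 'nameserver' entries from /etc/resolv.conf text."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # a malformed entry is not a usable resolver
    return servers

def registration_preflight(route_text, resolv_text, resolve=socket.gethostbyname, probe="netfoundry.io"):
    """Return the problems found; an empty list means the prerequisites for nfnreg are met."""
    problems = []
    default_gw, has_address = parse_routes(route_text)
    if not has_address:
        problems.append("no IPv4 address/on-link route configured")
    if default_gw is None:
        problems.append("no default gateway defined")
    if not parse_nameservers(resolv_text):
        problems.append("no valid DNS resolver in resolv.conf")
    else:
        try:
            resolve(probe)  # probe name is an assumption; use any name the gateway must reach
        except OSError:
            problems.append(f"resolver cannot resolve {probe}")
    return problems

if __name__ == "__main__":  # on the gateway host, before 'sudo nfnreg -a [key]'
    print(registration_preflight(open("/proc/net/route").read(), open("/etc/resolv.conf").read()) or "preflight OK")
```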

In the NetFoundry console, validate that your site registration has completed. Your Azure site should show as online with a green indicator.

[Image: azure_site.png]

Step 6. Finish Azure Virtual WAN Configuration

NOTE: Allow 15 minutes before starting this portion of the setup so that all scripts can complete.

Notice that the NetFoundry site now appears on the Azure Virtual WAN VPN sites page. It should be in a provisioned status at this point and still needs to be associated with the desired hub.

[Image: virtualwan5.png]

Associate the hub with the VPN site.

[Image: hubassoc.png]

[Image: hubassoc2.png]

Confirm the VPN site connection from the branch to Azure.

NOTE: Allow 20-30 minutes for the connection scripts to recycle and for the connection to complete. Reboot the NetFoundry gateway if it takes longer than expected.

[Image: vpnconnection.png]

Verify that the Effective routes table for your NetFoundry Gateway instance's IP interface contains a Virtual network gateway entry, as shown below.

[Image: effective_routes.png]

Best practice: Implement Azure Connection Monitor for each site.

[Image: connectionmonitor.png]

Testing connectivity - branch NetFoundry Gateway to Azure server resources. From the gateway in your branch, try to reach a host in Azure with SSH, RDP, ICMP or HTTP.

Example: Host 10.0.2.4 is a web server sitting in Azure.

[Image: testing1.png]

Additional end-to-end connectivity testing - test connectivity from resources behind the branch gateways to resources on virtual networks connected to the Azure hub.

__________________________________________________

Managing Azure Virtual WANs

1. Adding sites to your Azure Virtual WAN subscription.

From the NetFoundry console, follow the same steps as in the original create procedure above, but select the appropriate network information for the new branch site.

[Image: newsite.png]

Download and/or launch the gateway appropriate for the branch use case.

NOTE: Copy or make a note of the new gateway registration key; it is used in the initial configuration/registration of the selected gateway. See Step 5, NetFoundry Console Endpoint Configuration, item 3.

[Image: reg_key.png]

The new site is now populated in the Azure Virtual WAN via the API. In the Azure portal, navigate to Home > Resource Groups > Virtual WAN > "Your Virtual WAN". You will see the new site with a "provisioned" status, requiring hub association; the site must be associated with a hub to become active in the Virtual WAN. Check the new site, select New hub association, and select the hub in use for the geography of that branch.

[Image: newsitehubassoc.png]

[Image: hubassoc2.png]

NOTE: Security or routing will need to be implemented at the branch sites.

2. Removing VPN sites from Azure and NetFoundry.

From the Azure portal, navigate to your Virtual WAN and select VPN Sites from the pane. On the right side of the main resource screen, select the site to be removed by clicking the three white dots, then select Remove association.

[Image: dots.png]

[Image: removesite.png]

Once the site is disassociated from the hub, select the three dots again and choose Delete site.

[Image: deletesite.png]

On the NetFoundry console, remove any AppWAN and/or Services definitions associated with the site to be deleted. Then proceed to the Gateways section and remove the desired site.

[Image: removegateway.png]
