It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Deploy a High Availability Cluster with Cloud Integration from the Microsoft Azure Marketplace

  • Last updated on

You can install the Barracuda CloudGen Firewall as a virtual machine in the Microsoft Azure public cloud. The Azure solution template deploys either a single firewall or a high availability cluster into a dedicated subnet of a new or existing virtual network. For more information on the deployment of a single firewall, see How to Deploy a CloudGen Firewall from the Microsoft Azure Marketplace. You can deploy a high availability cluster from the marketplace with Cloud Integration. In case of a failover, the Azure route table is rewritten to use the active firewall. Due to the limitation of Azure networking, all active sessions will time-out whenever a failover occurs. For more information on high availability and high availability in Azure, see High Availability and High Availability in Azure.

You can choose between the following images in the Azure Marketplace:

  • Bring Your Own License (BYOL) – Uses licenses purchased directly from Barracuda Networks. Barracuda Networks offers a 30-day evaluation license.
  • Pay As You Go (PAYG) – No dedicated licenses required. Licensing fees are included in the hourly price of the virtual machine. All charges are billed directly through your Microsoft Azure account.

Before You Begin

Deployment of the Firewall from Marketplace

Step 1. Basics
  1. Go to the Azure portal: https://portal.azure.com
  2. In the upper-left corner, click + Create a resource
  3. Search the Marketplace for Barracuda CloudGen Firewall & SD-WAN for Azure and click Barracuda CloudGen Firewall & SD-WAN for Azure.
    market_place_search.png

  4. In the next window, click Create.
    market_create_cgf_sdwan.png
  5. In the Basics blade, configure the following settings:
    • Subscription – Select your subscription.
    • Resource Group – Select an existing resource group to deploy to, or click Create new for a new resource group.
    • Region – Select the desired location the firewall will be deployed to. 
    • Firewall Name – Enter the hostname for the CloudGen Firewall.
    • License scheme – Select either PAYG or BYOL.
    • Firmware version – Select one of the available firmware versions. Barracuda Networks recommends deploying the highest available version.
      basic_blade.png
  6. Click Next : High Availability >.
Step 2. High Availability

In this blade, you can create either a high availability cluster or a single firewall.

  1. High availability mode – Select Active/passive HA cluster from the drop-down menu. 
    HA_cluster.png
  2. Click Next : Size and Networking >.

If possible, the high availability cluster will be deployed into an availability zone. Otherwise, it will be deployed into an availability set.

Step 3. Size and Networking
  1. In the Size and Networking blade, configure the following settings:
    • Choose a firewall VM size – Select the size of the virtual machine.

      To enable Azure accelerated networking either during this deployment or later through CLI, the size of your virtual machine must meet the requirements of Microsoft.

    • VM disk type Select the disk type of your firewall virtual machine.
    • Virtual network Select an existing Virtual network , or create a new one. 
    • HA firewalls cluster subnet – Select an existing subnet, or create a new one. This subnet will host your firewalls. The firewalls must be placed in a different subnet than the protected instances.
    • Primary firewall's public IP address name – Select an existing Public IP address, or create a new one. 

      For a high availability cluster, you must select a Standard SKU public IP address. Note that regardless of the option selected, the Barracuda CloudGen Firewall is always deployed with a standard SKU public IP address for enhanced performance. For example, if you select a basic SKU IP address, the CloudGen Firewall will still be deployed with a standard SKU IP address.

      To create a new public IP address, click Create new and select Standard SKU. Click OK.
      PIP.png

    • Primary firewall's domain name label – Enter a domain name for your primary firewall.
    • Secondary firewall's public IP address name – Select an existing Public IP address, or create a new one. 

      For a high availability cluster, you must select a Standard SKU public IP address.

      To create a new public IP address, click Create new and select Standard SKU. Click OK.

    • Secondary firewall's domain name label – Enter a domain name for your secondary firewall.
      size_networking_ha.png
  2. Click Next : Firewall Management >.
Step 4. Firewall Management
  1. In the Firewall Management blade, configure the following settings.
    • Management ACL – Introduces a network security group that restricts access to management ports of the firewall. Enter 0.0.0.0/0 to allow access from any network and to skip creating a network security group.

    • Root password – Enter the password for the root user of the firewall.

    • Confirm password – Retype the password for the root user of the firewall.
      fmgmt.png
  1. Click Next : Advanced >.  
Step 5. Advanced
  1. In the Advanced blade, configure the following settings.
    • Private IP address of the primary firewallEnter a static private IP address from the subnet the firewalls are deployed to. The first four and the last IP addresses in the subnet are reserved by Azure.
    • Private IP address of the secondary firewall – Enter a static private IP address from the subnet the firewalls are deployed to. The first four and the last IP addresses in the subnet are reserved by Azure.
    • VM size – If not already configured, change the virtual machine size.
    • Accelerated networking – Enable or disable Azure accelerated networking if the size of your virtual machine meets the requirements of Microsoft.

      Azure accelerated networking creates, for each existing interface, a second interface for accelerated networking (one for the hv_netvsc driver, and one for Mellanox). Use only every second interface in boxnet (e.g., eth0, eth2, eth4). On devices with DHCP enabled, eth0 is replaced with the DHCP interface. On DHCP-enabled devices, as well, use only every second interface (e.g. eth0, eth2, eth4).

    • SSH management access – Select Enabled to allow SSH access to the Barracuda CloudGen Firewall, and enter the SSH public key.
      advanced_ha.png
  2. Click Next : Review + create >.
Step 6. Summary
  1. The basic configuration of the Barracuda CloudGen Firewall is validated, and if no errors are found, the virtual machine is ready for provisioning. For automated deployments, you can download the configuration template.
    summary_ha.png
  2. Click Create
  3. Wait for Microsoft Azure to finish the deployment of your firewalls. 
  4. Go to Virtual machines, click on the primary firewall VM, and locate the Public IP address  used to connect to your firewall. Use this IP address to connect to your firewall via Barracuda Firewall Admin. The username is root and the password is the password you configured in Step 4.

Configure Cloud Integration

Configure the Cloud Integration to automatically rewrite the Azure routing table in case of a failover to use the active firewall.

Step 1. Get Your Subscription ID
  1. Log into the Azure portal: https://portal.azure.com      
  2. In the left menu, click Subscriptions  
  3. Copy the Subscription ID in the Subscription ID column. 
    subid.png
Step 2. Enable Managed Identities for Azure Resources
  1. Go to the Azure portal: https://portal.azure.com.
  2. Go to the resource group containing your high availability cluster.
  3. Open the virtual machine of your primary firewall.
  4. Click Identity.
  5. Set System assigned to On.
    ha_identiy_primary.png
  6. Click Save.
  7. Open the virtual machine of your secondary firewall.
  8. Click Identity.
  9. Set System assigned to On.
  10. Click Save.
  11. Go to the resource group containing your high availability cluster.
  12. Click Access control (IAM).
    rg_iam.png
  13. Click +Add and click Add role assignment.
    add_role.png
  14. For Role, select Contributor from the list.
  15. For Assign access to, select Virtual Machine from the list.
  16. For Select, enter the name of the primary firewall and click on the corresponding entry.
  17. Click in the Select field again.
  18. Enter the name of the secondary firewall, and click on the corresponding entry.
  19. Click Save.
    role_assignment.png
Step 3. Configure Cloud Integration on Your CloudGen Firewall
  1. Locate the public IP address of the virtual machine of your primary firewall in Azure.
  2. Log into the primary firewall of your high availability cluster with user root. For the password, see Step 4 of the deployment.
  3. Go to CONFIGURATION > Configuration Tree > Advanced Configuration > Cloud Integration.
  4. On the left side, click Azure Networking.
  5. Click Lock.
  6. In the Azure Networking section, specify values for the following:
    • Azure Deployment Type – Select Azure Resource-Manager-(ARM) from the drop-down menu.
    • Subscription ID – Enter your subscription ID.
    • Resource Group – Enter the name of the resource group containing the high availability cluster.
    • Virtual Network – Enter the name of the virtual network the high availability cluster is attached to.
      cloud_integration.png
  7. Click Send Changes and Activate.
  8. (Optional) Go to DASHBOARD and verify that Cloud Integration is Configured in the CLOUD INFORMATION section.
    dashboard_CI.png

Next Steps

Configure a user-defined routing table for the backend VMs to send traffic through the firewall.