We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Deploy an F-Series Firewall in Microsoft Azure using PowerShell and ARM

  • Last updated on

For most advanced networking features in the Microsoft Azure Cloud, such as multiple network interfaces or user images, you must deploy the Barracuda NextGen Firewall F via PowerShell. You can either enter the commands directly into the Azure PowerShell or combine the commandlets to a custom deployment script. Using a custom PowerShell script allows for rapid deployment and fast recovery in case of failure. The NextGen Control Center for Microsoft Azure is deployed just like the NextGen Firewall F except that it is limited to one network interface. The maximum number of network interfaces depends on the Instance size. To organize the resources in the cloud, it is recommend to use multiple resource groups. This way it is possible to separate storage from networking and the VMs. You can also assign different permissions in Azure to control access to the resources. We are using three resource groups in total:

  • Storage resource group – Contains the storage accounts holding user-defined images and OS disk images for the VMs.
  • Networking resource group – Contains the Azure Virtual network. For HA clusters, the loadbalancer would also be placed in this resource group. You can also add VNET to VNET Azure VPN Gateways to this group. For stand-alone NGF VMs, you can also add the UDR route table to this resource group. 
  • NextGen Firewall F resource group – Contains the firewall VM as well as NICs, public IP addresses, and, if needed, the UDR routing table for HA clusters.

Microsoft Azure charges apply. For more information, see the Microsoft Azure Pricing Calculator.

azure_arm_single_backend_diagram-01.png

In this article:

Example Deployment Script

You can combine the PowerShell commandlets to customize the deployment of your Barracuda NextGen Firewall F-Series in the Microsoft Azure cloud. See below for an example deployment script. This script assumes that you already configured a virtual network and storage account and their respective resource groups and that you are logged in to your Azure Account from the PowerShell.

Fill in the variable at the top of the script, then execute it to deploy the NextGen Firewall F.

#################################################
# Modify the variables below
#################################################
# Enable verbose output and stop on error
$VerbosePreference = 'Continue'
$ErrorActionPreference = 'Stop'

# Location 
$location = 'your_location' # E.g., West Europe

# Storage Account Name 
$storageAccountName = 'your_storage_account_name' 
$storageAccountContainerName = 'your_blob_container_name'
$storageAccountResourceGroupName = 'your_storage_resource_group_name'

# Enter to use a User Defined VM image E.g., https://docstorage0.blob.core.windows.net/vhds/GWAY-6.2.0-216-Azure.vhd 
# Leave empty to use the latest image from the Azure Marketplace 
$customSourceImageUri = '' 

# Select the License type 
$vmLicenseType = 'hourly' # set this to 'hourly' to use the PAYG image, or 'byol' for the BYOL image

# Set the product type 
$vmProductType ='barracuda-ng-firewall' # Use 'barracuda-ng-firewall' for F-Series Firewall or 'barracuda-ng-cc' for the NextGen Control Center

# VNET 
$vnetName = 'your_virtual_network_name'
$vnetResourceGroupName = 'your_virtual_network_resource_group_name'

# Availability Set
# always set a availability set in case you want to deploy a second firewall for HA later. 
$vmAvSetName ='NGF-AV-SET'

# Static IP address for the NIC
$nic1InternalIP = '' # always make sure this IP address is available or leave this variable empty to use the next available IP address

# Barracuda NextGen Firewall F VM settings
$NGFResourceGroupName = 'NGF_RG'
$rootPassword = 'NGf1r3wall$$'
$vmSuffix = 'NGF' #
$vmName = '{0}' -f $vmSuffix
$vmSize = 'Standard_A3' 
$nicName = '{0}-NIC1' -f $vmSuffix
$nicName2 = '{0}-NIC2' -f $vmSuffix
$ipName = '{0}-IP' -f $vmSuffix
$domName = $vmSuffix.ToLower()
$diskName = 'osdisk'


#############################################
#
# No configuration variables past this point 
#
#############################################

Write-Host 'Starting Deployment - this may take a while' 

# Authenticate
Login-AzureRmAccount

# Create the ResourceGroup for the Barracuda NextGen Firewall F 
Write-Verbose ('Creating NGF Resource Group {0}' -f $NGFresourceGroupName)
New-AzureRmResourceGroup -Name $NGFresourceGroupName -Location $location -ErrorAction Stop


# Use existing storage account
$storageAccount = Get-AzureRmStorageAccount -Name $storageAccountName -ResourceGroupName $storageAccountResourceGroupName 

# Use an existing Virtual Network
Write-Verbose ('Using VNET {0} in Resource Group {1}' -f $vnetNamem,$vnetResourceGroupName )
$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $vnetResourceGroupName

# Create Availability Set if it does not exist yet
$vmAvSet = New-AzureRmAvailabilitySet -Name $vmAvSetName -ResourceGroupName $NGFResourceGroupName -Location $location -WarningAction SilentlyContinue

# Create the NIC and new Public IP
Write-Verbose 'Creating Public IP'  
$pip = New-AzureRmPublicIpAddress -ResourceGroupName $NGFresourceGroupName -Location $location -Name $ipName -DomainNameLabel $domName -AllocationMethod Static


Write-Verbose 'Creating NIC'  
if ($nic1InternalIP -eq '')
{
    $nic = New-AzureRmNetworkInterface -ResourceGroupName $NGFresourceGroupName -Location $location -Name $nicName -PublicIpAddressId $pip.Id -SubnetId $vnet.Subnets[0].Id -EnableIPForwarding 
}
else
{
    $nic = New-AzureRmNetworkInterface -ResourceGroupName $NGFresourceGroupName -Location $location -Name $nicName -PrivateIpAddress $nic1InternalIP -PublicIpAddressId $pip.Id -SubnetId $vnet.Subnets[0].Id -EnableIPForwarding 
}

# NIC #2 - OPTIONAL
#$nic2 = New-AzureRmNetworkInterface -ResourceGroupName $NGFresourceGroupName -Location $location -Name $nicName2 -SubnetId $vnet.Subnets[1].Id -EnableIPForwarding -PrivateIpAddress $nic2IP


# Create the VM Configuration 

Write-Verbose 'Creating NGF VM Configuration'  

$vm = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $vmAvSet.Id

# Set root password 
$cred = New-Object PSCredential 'placeholderusername', ($rootPassword | ConvertTo-SecureString -AsPlainText -Force)
$vm = Set-AzureRmVMOperatingSystem -VM $vm -Linux -ComputerName $vmName -Credential $cred -ErrorAction Stop

# Add primary network interface 
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id -ErrorAction Stop -Primary

# Add NIC #2 
#$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id -ErrorAction Stop

# generate the name for the OS disk 
$osDiskUri = '{0}vhds/{1}{2}.vhd' -f $storageAccount.PrimaryEndpoints.Blob.ToString(), $vmName.ToLower(), $diskName

# Set the name and storage for the OS Disk image. 
$vm = Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $osDiskUri -CreateOption fromImage


# Specify the OS disk with user image 
if ($customSourceImageUri -eq '')
{
    Write-Verbose 'Using lasted image from the Azure Marketplace'  
    $vm.Plan = @{'name'= $vmLicenseType; 'publisher'= 'barracudanetworks'; 'product' = $vmProductType}
    $vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName 'barracudanetworks' -Skus $vmLicenseType -Offer $vmProductType -Version 'latest' -ErrorAction Stop
    $vm = Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $osDiskUri -CreateOption fromImage
}
else
{
    Write-Verbose ('Using user defined image {0}' -f $customSourceImageUri)
    $vm = Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $osDiskUri -CreateOption fromImage -SourceImageUri $customSourceImageUri -Linux
}


Write-Verbose 'Creating Barracuda NextGen Firewall F VM. This can take a while ....'  
$result = New-AzureRmVM -ResourceGroupName $NGFresourceGroupName -Location $location -VM $vm


if($result.IsSuccessStatusCode -eq 'True') {  
   $result
   Write-Host ('Barracuda NextGen Firewall F VM ''{0}'' was successfully deployed.  Connect to the firewall at {2} with the username: root and password: {1}' -f $vmName, $rootPassword, (Get-AzureRmPublicIpAddress -ResourceGroupName $NGFResourceGroupName -Name $ipName).IpAddress)
} else {
    Write-Host ('Deployment Failed. {0}' -f $result.ReasonPhrase)
}

Before You Begin

  • Install Azure PowerShell version 1.1.0 or higher.
  • Log into your Azure account with Login-AzureRmAccount.
  • Purchase a Barracuda NextGen Firewall F or Control Center for Azure license, or request a evaluation license from the Barracuda Networks Evaluation page.

Step 1. Store Location in a Variable

It is required that all resource groups and their resources be in the same location. Store the location to a variable.

  1. Open the Azure PowerShell.
  2. Store the location to a variable 

    For a list of available locations enter:

    PS C:\> ((Get-AzureRmResourceProvider -ProviderNamespace Microsoft.Compute).ResourceTypes | Where-Object ResourceTypeName -eq virtualMachines).Locations

    $location = 'YOUR_LOCATION'

    ARM_PS_00.png

Step 2. Create an Azure VNET

Create an Azure Virtual Network (VNET). The F-Series firewall VM must be deployed into it's own subnet, for User defined Azure route table to be applied. Create additional subnets for the backend VMs. These VMs connect to the Internet or your onpremise resources through the firewall VM. To be able to easily replace the VMs, it is recommended to use a separate resource group for the virtual network.

  1. Open the Azure PowerShell.

  2. (recommended) Create an Azure Resource Group for the networking resources:

    New-AzureRmResourceGroup -Name NETWORK_RESOURCE_GROUP_NAME -Location $location

    ARM_PS_01.png

  3. Define the subnets for the firewall and the backend, and then create the virtual network. Select an address prefix that does not overlap with your on-premise network.

    $NGFSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name NGF_SUBNET_NAME -AddressPrefix 10.8.1.0/24
    $backendSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name BACKEND_SUBNET_NAME -AddressPrefix 10.8.2.0/24
    New-AzureRmVirtualNetwork -Name VNET_NAME -ResourceGroupName NETWORKING_RG_NAME -Location $location -AddressPrefix 10.8.0.0/16 -Subnet $NGFSubnet, $backendSubnet

    ARM_PS_02.png

You can now deploy the firewall VM to the NGF subnet.

Step 3. Create an Azure Storage Account

To be able to use user-defined images, you must create an Azure storage account that is not in the resource group the firewall VM is deployed to. This allows you to delete the resource group the firewall is in without having to re-upload the VHD disk images. Skip this step to use an existing Azure storage account.

  1. Open an Azure PowerShell.

  2. Create a resource group for the your storage account(s). The name of the storage account must be lowercase letters and numbers only.

    New-AzureRmResourceGroup -Name RESOURCE_GROUP_NAME -Location $location

    ARM_PS_03.png

  3. Create a storage account.

    New-AzureRmStorageAccount -ResourceGroupName RG_NAME -Name STORAGE_ACCOUNT_NAME -Type Standard_LRS -Location $location

    azure_vhd_upload_02.png

Step 4. Create a Resource Group for the Firewall VM

Create the resource group for the F-Series Firewall VM.

  1. Open an Azure PowerShell.

  2. Create the resource group:

    New-AzureRmResourceGroup -Name NGF_RESOURCE_GROUP_NAME -Location $location

Step 5. Create an Availability Set

To be able to add the firewall to a high availability cluster later, you need to add it to an Availability Set.

  1. Open an Azure PowerShell.

  2. Create the availability set:

    # Create Availability Set 
    $vmAvSet = New-AzureRmAvailabilitySet -Name AV_SET_NAME -ResourceGroupName NGF_RESOURCE_GROUP_NAME -Location $location

    ARM_PS_02a.png

Step 6. Create Network Interfaces and Public IP

Create the network interface(s) and the Public IP address to use for the VM. Multiple network interfaces must be supported by the Azure Instance the firewall is deployed on. Using multiple network interfaces is not possible if you want to use the VM in a high availability cluster.

  1. Open an Azure PowerShell.

  2. Store the virtual network in a variable:

    $vnet = Get-AzureRmVirtualNetwork -Name VNET_NAME -ResourceGroupName NETWORKING_RESOURCE_GROUP_NAME

    ARM_PS_04.png

  3. Create a static Azure Public IP:

    $pip = New-AzureRmPublicIpAddress -ResourceGroupName NGF_RESOURCE_GROUP_NAME -Location $location -Name PIP_NAME -DomainNameLabel DOMAIN_NAME -AllocationMethod Static

    ARM_PS_05.png

  4. Create the first Network interface:

    $nic = New-AzureRmNetworkInterface -ResourceGroupName NGF_RESOURCE_GROUP_NAME  -Location $location -Name NIC1_NAME -PublicIpAddressId $pip.Id -SubnetId  $vnet.Subnets[0].Id -EnableIPForwarding

    ARM_PS_06.png

  5. (optional) To use multiple NICs on Instances that support it, create a second network interface. Multiple network interfaces are not possible for HA deployments.

    $nic2 = New-AzureRmNetworkInterface -ResourceGroupName NGF_RESOURCE_GROUP_NAME -Location $location -Name NIC2_NAME -SubnetId $vnet.Subnets[1].Id 

Step 7. Create the Firewall VM Configuration and Deploy the VM

Create the configuration for the F-Series Firewall VM and deploy the VM.

  1. Open an Azure PowerShell.

  2. Store the storage account in a variable:

    $storageAccount = Get-AzureRmStorageAccount -Name STORAGE_ACCOUNT_NAME -ResourceGroupName STORAGE_RESOURCE_GROUP_NAME 

    ARM_PS_07.png

  3. Create the VM configuration:

    $vm = New-AzureRmVMConfig -VMName VM_NAME -VMSize VM_SIZE -AvailabilitySetId $vmAvSet.Id

    ARM_PS_08.png

  4. Create the credentials objects for the VM. The username must be entered, but is ignored by the firewall VM. Make sure the password matches the Microsoft Azure Password requirements. E.g., NGF1r3wall$$

    $cred = New-Object pscredential 'placeholderusername', ('YOUR_ROOT_PASSWORD' | ConvertTo-SecureString -AsPlainText -Force)

    ARM_PS_09.png

  5. Set the operating system type to Linux  and credentials for the VM:

    $vm = Set-AzureRmVMOperatingSystem -VM $vm -Linux -ComputerName NAME_OF_VM -Credential $cred 

    ARM_PS_10.png

  6. Add the network interface created in step 3 to the VM:

    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic.Id -Primary 

    ARM_PS_11.png

  7. (optional) Add the second network interface to the VM:

    $vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id
  8. Set the OS disk. You can use either the marketplace images, or use an VHD disk image you uploaded to your storage account:

    • Marketplace Image:
      Set the plan information and source image to use the latest Marketplace image. To use the PAYG image, set Skus to hourly. Otherwise, set Skus to byol for the BYOL image:

      The VhdUri is determined as follows: BLOB endpoint of your storage account + container name + disk name with the extension.vhd. E.g., https://docstorage0.blob.core.windows.net/vhds/NGF1.vhd

      The BLOB endpoint of your storage endpoint can be obtained by entering: $storageAccount.PrimaryEndpoints.Blob in Azure PowerShell.  The disk name must be unique.

      $vm.Plan = @{'name'= 'byol'; 'publisher'= 'barracudanetworks'; 'product' = 'barracuda-ng-firewall'}
      $vm = Set-AzureRmVMSourceImage -VM $vm -PublisherName 'barracudanetworks' -Skus 'byol' -Offer 'barracuda-ng-firewall' -Version  'latest' 
      $vm = Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri URI_TO_OS_DISK -CreateOption fromImage 

      ARM_PS_12.png

    • User Image:
      (uploaded VHD). For more information, see How to Upload Azure VHD Images for User Defined Images using ARM

      $vm = Set-AzureRmVMOSDisk -VM $vm -Name NAME_OF_DISK -VhdUri DISK_URI -CreateOption fromImage -SourceImageUri UPLOADED_VHD_DISK_IMAGE_URI -Linux
  9. Create the firewall VM:

    New-AzureRmVM -ResourceGroupName NGF_RESOURCE_GROUP_NAME -Location $location -VM $vm

    ARM_PS_13.png

Step 8. (optional) Network Security Groups

You can put Network Security Groups in place as an additional safeguard to isolate your backend subnets in case Azure Routing table fails or is misconfigured. Network Security Groups can be associated with a network interface attached to a VM or a subnet of a virtual network. Each NSG can include up to 200 rules for incoming and outgoing traffic. NSG rules can only be created for TCP and UDP traffic. ICMP is always allowed inside the virtual network. You do not need a NSG for the Firewall VM.

Step 9. Get the IP Address for the F-Series Firewall VM

To connect to the Barracuda NextGen Firewall F VM you just deployed in Azure, you must find out the public IP address that is assigned to the VM.

  1. Open an Azure PowerShell.

  2. Get the Public IP address for the firewall VM:

    (Get-AzureRmPublicIpAddress -ResourceGroupName NGF_RESOURCE_GROUP_NAME -Name PUBLIC_IP_NAME).IpAddress

    ARM_PS_Get_PIP_01.png

Step 10. Configure Barracuda NextGen Admin

Verify that Barracuda NextGen Admin is configured to use SPoE as the connection method.

  1. Launch Barracuda NextGen Admin.
  2. Verify that SPoE is enabled in the NextGen Admin settings. For more information, see NextGen Admin Settings.
  3. Select Box.
  4. Enter the login information:
    • Management IP –  Enter the public IP address of your firewall VM from step 5.
    • Username – Enter root.
    • Password – Enter the password you set during deployment.
  5. Click Log In.

You are now successfully logged in to your Barracuda NextGen Firewall F VM.

Next Steps

Last updated on