We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Azure Route Table Rewriting for HA Clusters using ARM

  • Last updated on

Azure User Defined Routing allows you to use the Firewall F-Series high availability cluster in the frontend subnet as the default gateway for all your VMs running in the backend networks. You must enable IP forwarding for the firewall VMs and create and apply an Azure routing table to the backend networks. Using a management certificate and the Azure subscriber ID, the firewall VMs can change the Azure routing table on the fly when the virtual server fails over from one VM to the other. Azure route table rewriting must be configured on the primary and secondary F-Series Firewall. Multiple network interfaces are not supported.

In this article:

Example Script

$pathToCERfile = 'PATH_TO\arm.cer' $ADAppName = 'DOCNGF' $roleDefName = 'owner' # Set the resource group the Azure Route Table is in $resourceGroupName = 'RESOURCE_GROUP_NAME' # the identifier must be unique $identifier = 'http://localhost' $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($pathToCERfile) $key = [System.Convert]::ToBase64String($cert.GetRawCertData()) $app = New-AzureRmADApplication -DisplayName $ADAppName -HomePage $identifier -IdentifierUris $identifier -KeyValue $key -KeyType AsymmetricX509Cert New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId -Verbose New-AzureRmRoleAssignment -RoleDefinitionName $roleDefName -ServicePrincipalName $app.ApplicationId

Before You Begin

  • Deploy your Barracuda NextGen F-Series Firewall, and configure Azure UDR using the Azure Resource Manager (ARM).
  • Install Azure PowerShell 2.1.0 or higher.

  • Verify that a DNS server is configured. For more information, see How to Configure DNS Settings.
  • Log in to your Azure Account using Login-AzureRmAccount

Step 1. Create the Azure Management Certificate

For the firewall to be able to connect to the Azure backend, you must create and upload a management certificate. The certificate must be valid for at least two years.

  1. Log into via ssh.
  2. Create the certificate:

    openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout arm.pem -out arm.pem
  3. Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface.
  4. Convert the certificate to CER, as required by Azure: 

    openssl x509 -inform pem -in arm.pem -outform der -out arm.cer
  5. Extract the RSA key:

    openssl rsa -in arm.pem -out arm.key.pem

You now have three certificates: arm.pem, arm.key.pem and arm.cer.

Step 2. Upload the Azure Management Certificate via Azure PowerShell

  1. Launch Azure PowerShell.
  2. Execute the following commands to import arm.cer as a management certificate:

    Login-AzureRmAccount $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE") $key = [System.Convert]::ToBase64String($cert.GetRawCertData()) $app = New-AzureRmADApplication -DisplayName "DISPLAY_NAME" -HomePage "http://localhost" -IdentifierUris "http://localhost" -CertValue $key # note down the application ID ($app.ApplicationID is the "client ID" in NextGen Admin) New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId # in the command below, you can use "-Scope" to restrict permissions to specific resource groups New-AzureRmRoleAssignment -RoleDefinitionName "Owner" -ServicePrincipalName $app.ApplicationId

Write down the Application ID for Step 4.

Step 3. Configure User Defined Routing

You must enter your Azure ARM IDs and upload the management certificate created in Step 1 to allow the F-Series Firewall to change the Azure User Defined Routing Table via ARM.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. In the left menu, expand the Configuration Mode section, and click on Switch to Advanced View.
  4. In the left menu, click Azure Networking.
  5. Select Azure Resource Manager (ARM) from the Azure Deployment Type drop-down list.
  6. Enter your Azure Subscription ID.
  7. Enter your Azure Tenant ID.
  8. Enter your Azure Application ID
  9. Enter the Resource Group name.
  10. Enter the Virtual Network Name. E.g., DOC-VNET
  11. Enter the Route Check Interval. Default: 300
  12. Next to Management Certificate click Ex/Import and select Import from PEM File. The File browser window opens.
  13. Select the arm.pem certificate created in Step 1, and click Open.
  14. Next to Management Key click Ex/Import and select Import from File. The File browser window opens.
    Select the arm.key.pem certificate created in Step 1, and click Open.


  15. Click Send Changes and Activate.

Step 4. Perform a Soft Network Activation

  1. Go to CONTROL > Box.
  2. In the left menu, expand the Network section, and click Activate new network configuration
  3. Click Soft.

The Azure routing table is now updated every time the virtual server fails over.

Next Steps

Repeat this configuration for the other NextGen F-Series Firewall VM in the HA cluster.


Go to NETWORK > Azure UDR to see the UDR Routing table for all subnets in the firewalls VNET. A green status icon before the route where the destination is a F-Series firewall. A UDR HA failover is progress is visualized by a red icon.


All activity is logged to the Box\Control\daemon log file

Last updated on