Azure User Defined Routing allows you to use the Firewall F-Series high availability cluster in the frontend subnet as the default gateway for all your VMs running in the backend networks. You must enable IP forwarding for the firewall VMs and create and apply an Azure routing table to the backend networks. Using a management certificate and the Azure subscriber ID, the firewall VMs can change the Azure routing table on the fly when the virtual server fails over from one VM to the other. Azure route table rewriting must be configured on the primary and secondary F-Series Firewall. Multiple network interfaces are not supported.
PowerShell script that registers the management certificate as an Azure AD application, creates the service principal and assigns the role (a scripted variant of the commands in Step 2):
$pathToCERfile = 'PATH_TO\arm.cer'
$ADAppName = 'DOCNGF'
$roleDefName = 'owner'
# Set the resource group the Azure Route Table is in
$resourceGroupName = 'RESOURCE_GROUP_NAME'
# the identifier must be unique
$identifier = 'http://localhost'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($pathToCERfile)
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName $ADAppName -HomePage $identifier -IdentifierUris $identifier -KeyValue $key -KeyType AsymmetricX509Cert
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId -Verbose
# Scope the role assignment to the resource group that contains the route table
New-AzureRmRoleAssignment -RoleDefinitionName $roleDefName -ServicePrincipalName $app.ApplicationId -ResourceGroupName $resourceGroupName
Before You Begin
- Deploy your Barracuda NextGen F-Series Firewall, and configure Azure UDR using the Azure Resource Manager (ARM).
- Install Azure PowerShell 2.1.0 or higher.
- Verify that a DNS server is configured. For more information, see How to Configure DNS Settings.
- Log in to your Azure Account using
Step 1. Create the Azure Management Certificate
For the firewall to be able to connect to the Azure backend, you must create and upload a management certificate. The certificate must be valid for at least two years.
- Log into via ssh.
- Create the certificate:
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout arm.pem -out arm.pem
- Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface.
- Convert the certificate to CER, as required by Azure:
openssl x509 -inform pem -in arm.pem -outform der -out arm.cer
- Extract the RSA key:
openssl rsa -in arm.pem -out arm.key.pem
You now have three files: arm.pem (certificate and key), arm.key.pem (private key only) and arm.cer (DER-encoded certificate).
Step 2. Upload the Azure Management Certificate via Azure PowerShell
- Launch Azure PowerShell.
- Execute the following commands to import arm.cer as a management certificate:
Login-AzureRmAccount
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName "DISPLAY_NAME" -HomePage "http://localhost" -IdentifierUris "http://localhost" -CertValue $key
# note down the application ID ($app.ApplicationID is the "client ID" in NextGen Admin)
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
# in the command below, you can use "-Scope" to restrict permissions to specific resource groups
New-AzureRmRoleAssignment -RoleDefinitionName "Owner" -ServicePrincipalName $app.ApplicationId
- Write down the Application ID; you need it in Step 3.
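The commands above grant the service principal the Owner role on the whole subscription, which is far more than rewriting one route table requires. The following Azure PowerShell script is an added example (it is not part of the Barracuda documentation or product) that combines the two checks a practitioner would want around Steps 1 and 2: it verifies the two-year minimum validity of arm.cer before registering it, and it assigns a custom role that is limited to route table operations and scoped to the resource group. The file path, names, subscription ID placeholder and the action list in the custom role are assumptions for illustration; the exact set of actions the firewall needs is not stated on this page, so confirm it against the Box\Control\daemon log after a test failover.

```powershell
# Added example, not from the Barracuda documentation: pre-flight certificate check
# plus a least-privilege role assignment for the firewall's service principal.
# All paths, names and the action list are assumptions for illustration.
$pathToCERfile     = 'PATH_TO\arm.cer'
$resourceGroupName = 'RESOURCE_GROUP_NAME'   # resource group that holds the route table
$subscriptionId    = 'YOUR_SUBSCRIPTION_ID'  # same value as entered in Step 3
$ADAppName         = 'DOCNGF'
$identifier        = 'http://localhost'

# 1. Load the DER certificate and enforce the two-year minimum validity required by the firewall.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pathToCERfile)
$validFor = $cert.NotAfter - $cert.NotBefore
if ($validFor.TotalDays -lt 730) {
    throw "Certificate is only valid for $([int]$validFor.TotalDays) days; regenerate it with -days 1095 or more."
}
Write-Host "Certificate $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

Login-AzureRmAccount

# 2. Register the application with the certificate as its only credential and create the service principal.
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName $ADAppName -HomePage $identifier -IdentifierUris $identifier -CertValue $key
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# 3. Build a custom role from the built-in Reader definition and restrict it to
#    route table actions (assumed action set) inside the resource group only.
$role = Get-AzureRmRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'NGF UDR Route Writer'        # assumed role name
$role.Description = 'Read network objects and rewrite user defined routes'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Network/routeTables/read')
$role.Actions.Add('Microsoft.Network/routeTables/write')
$role.Actions.Add('Microsoft.Network/routeTables/routes/read')
$role.Actions.Add('Microsoft.Network/routeTables/routes/write')
$role.Actions.Add('Microsoft.Network/routeTables/routes/delete')
$role.Actions.Add('Microsoft.Network/virtualNetworks/read')
$role.Actions.Add('Microsoft.Network/virtualNetworks/subnets/read')
$role.Actions.Add('Microsoft.Network/networkInterfaces/read')
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName")
New-AzureRmRoleDefinition -Role $role | Out-Null

# 4. Assign the custom role at resource group scope. A freshly created service
#    principal can take a moment to replicate, so retry the assignment a few times.
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzureRmRoleAssignment -RoleDefinitionName $role.Name -ServicePrincipalName $app.ApplicationId `
            -ResourceGroupName $resourceGroupName -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Write-Host "Role assignment not yet possible ($($_.Exception.Message)); retrying in 10 s"
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Could not assign role to $($app.ApplicationId)" }

# This value is the "client ID" entered as Azure Application ID in Step 3.
Write-Host "Application ID: $($app.ApplicationId)"
```

If the firewall later logs authorization failures during a failover, widen the action list rather than falling back to Owner; the custom role can be edited in place with Set-AzureRmRoleDefinition.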
Step 3. Configure User Defined Routing
You must enter your Azure ARM IDs and upload the management certificate created in Step 1 to allow the F-Series Firewall to change the Azure User Defined Routing Table via ARM.
- Go to CONFIGURATION > Configuration Tree > Box > Network.
- Click Lock.
- In the left menu, expand the Configuration Mode section, and click on Switch to Advanced View.
- In the left menu, click Azure Networking.
- Select Azure Resource Manager (ARM) from the Azure Deployment Type drop-down list.
- Enter your Azure Subscription ID.
- Enter your Azure Tenant ID.
- Enter your Azure Application ID.
- Enter the Resource Group name.
- Enter the Virtual Network Name. E.g.,
- Enter the Route Check Interval. Default:
- Next to Management Certificate click Ex/Import and select Import from PEM File. The File browser window opens.
- Select the arm.pem certificate created in Step 1, and click Open.
- Next to Management Key click Ex/Import and select Import from File. The File browser window opens.
- Select the arm.key.pem key file created in Step 1, and click Open.
- Click Send Changes and Activate.
Step 4. Perform a Soft Network Activation
- Go to CONTROL > Box.
- In the left menu, expand the Network section, and click Activate new network configuration.
- Click Soft.
The Azure routing table is now updated every time the virtual server fails over.
Repeat this configuration for the other NextGen F-Series Firewall VM in the HA cluster.
Go to NETWORK > Azure UDR to see the UDR routing table for all subnets in the firewall's VNET. A green status icon is shown in front of each route whose next hop is an F-Series Firewall. A UDR HA failover in progress is indicated by a red icon.
All activity is logged to the Box\Control\daemon log file.
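The NETWORK > Azure UDR page shows the routing state from the firewall's point of view. The following Azure PowerShell script is an added example (not part of the Barracuda documentation) that checks the same thing from the Azure side: it walks every route table in the resource group and flags any virtual-appliance route whose next hop is not one of the two firewall VMs, which is the condition you would expect to see only briefly while a failover is rewriting the table. The resource group name and the two firewall IP addresses are constructed placeholders.

```powershell
# Added example, not from the Barracuda documentation: verify from Azure that all
# user defined routes still point at one of the HA cluster's firewall VMs.
$resourceGroupName = 'RESOURCE_GROUP_NAME'
# Frontend subnet IP addresses of the primary and secondary firewall VM (constructed values)
$firewallIPs = @('10.0.0.4', '10.0.0.5')

function Test-FirewallRoutes {
    param(
        [string]$ResourceGroup,
        [string[]]$ExpectedNextHops
    )
    $allGood = $true
    # Without -Name, Get-AzureRmRouteTable returns every route table in the resource group.
    foreach ($table in Get-AzureRmRouteTable -ResourceGroupName $ResourceGroup) {
        Write-Host ("Route table {0} (associated subnets: {1})" -f $table.Name, $table.Subnets.Count)
        foreach ($route in $table.Routes) {
            # Only routes that send traffic through a virtual appliance are relevant here.
            if ($route.NextHopType -ne 'VirtualAppliance') { continue }
            if ($ExpectedNextHops -contains $route.NextHopIpAddress) {
                $status = 'OK'
            } else {
                $status = 'UNEXPECTED NEXT HOP'
                $allGood = $false
            }
            Write-Host ("  {0,-24} {1,-18} -> {2,-15} {3}" -f $route.Name, $route.AddressPrefix, $route.NextHopIpAddress, $status)
        }
        # A backend subnet without a default route through the firewall bypasses it entirely.
        $hasDefault = $table.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' -and $_.NextHopType -eq 'VirtualAppliance' }
        if (-not $hasDefault) {
            Write-Host "  no 0.0.0.0/0 route via a virtual appliance in this table"
            $allGood = $false
        }
    }
    return $allGood
}

Login-AzureRmAccount
if (Test-FirewallRoutes -ResourceGroup $resourceGroupName -ExpectedNextHops $firewallIPs) {
    Write-Host 'All user defined routes point at the firewall cluster.'
} else {
    Write-Host 'Review the routes flagged above; compare with NETWORK > Azure UDR and the Box\Control\daemon log.'
}
```

Run it once after the soft network activation on each firewall and again after a deliberate test failover; the next hop of every default route should move to the other firewall IP and nothing should remain flagged once the red icon on the Azure UDR page has turned green.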