Azure Cloud Integration allows the firewall to connect directly to the Azure service fabric to rewrite Azure User Defined Routes and to monitor the IP Forwarding setting of the NIC of your firewall VM. Azure User Defined Routing allows you to use the Firewall F-Series high availability cluster in the public subnet as the default gateway for all your VMs running in the backend networks. You must enable IP forwarding for the firewall VMs and create and apply an Azure routing table to the backend networks. Using a management certificate together with the Azure subscription ID, the tenant ID and the application (client) ID of an Azure AD application, the firewall VMs can change the Azure routing table on the fly when the virtual server fails over from one VM to the other. Azure route table rewriting must be configured on both the primary and the secondary F-Series Firewall. If a global HTTP proxy is configured, all REST API calls are sent via the proxy. The Azure AD application and the management certificate must be valid for the same length of time; otherwise authentication fails as soon as the shorter-lived of the two expires. By default the Azure AD application is valid for exactly one year. This value can be extended when creating the Azure AD application to match the expiration date of the certificate.
Example script for Azure PowerShell 3.5
Create the certificate according to the steps in Step 2 of this article. Use the example script below to configure Cloud Integration without having to enter the PowerShell commands one by one. Set the variables in the script to match your setup.
Example scripts for older Azure PowerShell versions
It is recommended to update to the latest PowerShell version to be able to use the newest version of this script. If this is not possible, use the example scripts below that match your Azure PowerShell version. Custom firewall role definitions are not supported for older Azure PowerShell versions. The scripts for older Azure PowerShell versions create an Azure AD application valid for one year. To find out which Azure PowerShell version you are using, enter the following PowerShell command:
Get-Module -ListAvailable -Name Azure -Refresh
Before you begin
- Deploy your Barracuda NextGen F-Series Firewall, and configure Azure UDR using the Azure Resource Manager (ARM).
- Verify that you are using Azure PowerShell 3.5.0 or higher.
- Verify that a DNS server is configured. For more information, see How to Configure DNS Settings.
- Log into your Azure account using the following cmdlet:
Login-AzureRmAccount
Step 1. Verify the Azure PowerShell version
Verify that you are using the required Azure PowerShell version (see Before you begin). If you must use an older version, use the example scripts above that match your version.
- Launch Azure PowerShell.
- Get the Azure PowerShell version:
Get-Module -ListAvailable -Name Azure -Refresh
- If needed, update Azure PowerShell to match the required version.
Step 2. Create the Azure management certificate
For the firewall to be able to connect to the Azure backend, you must create and upload a management certificate. The certificate must be valid for at least two years; the command below creates one valid for three years (1095 days). The private key is written unencrypted (-nodes) and lets whoever holds it rewrite your Azure routes, so restrict the file permissions on arm.pem and arm.key.pem, keep them on the firewall only, and upload nothing but the public certificate (arm.cer) to Azure.
- Log into the firewall via ssh.
- Create the certificate (the private key and the certificate are written to the same PEM file):
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout arm.pem -out arm.pem
- Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface.
- Convert the certificate to DER-encoded CER, as required by Azure:
openssl x509 -inform pem -in arm.pem -outform der -out arm.cer
- Extract the RSA private key:
openssl rsa -in arm.pem -out arm.key.pem
You now have three files: arm.pem (certificate plus private key), arm.key.pem (private key only) and arm.cer (DER-encoded certificate for Azure).
Step 3. Create a custom Azure access control role for Cloud Integration
Create a custom role to use with Cloud Integration.
- Launch Azure PowerShell.
- Create a new role by cloning an existing role. Clear all privileges and then add only the privileges needed for Cloud Integration. The subscription ID must be entered as a quoted scope string in the following format:
"/subscriptions/abcdefg1234567891011212"
# Create a custom role for NGF Cloud Integration. An existing role is cloned, all rights removed, and then the proper privileges assigned
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = 'NGF Role'
$role.Description = "Barracuda NextGen Firewall Cloud Integration"
$role.Actions.Clear()
# Add role definitions to the empty role
$role.Actions.Add("Microsoft.Compute/virtualMachines/*")
$role.Actions.Add("Microsoft.Network/*")
$role.AssignableScopes.Clear()
# Replace YOUR_SUBSCRIPTION_ID with your subscription ID; the scope must be passed as a quoted string
$role.AssignableScopes.Add("/subscriptions/YOUR_SUBSCRIPTION_ID")
$firewallRole = New-AzureRmRoleDefinition -Role $role
Note that Microsoft.Network/* and Microsoft.Compute/virtualMachines/* are wildcards that cover far more than route-table and NIC operations. Keep the role assignment in Step 4 scoped as narrowly as your layout allows, and do not fall back to the built-in Owner or Contributor roles.
Step 4. Upload the Azure management certificate via Azure PowerShell
The Azure AD application and the certificate must be valid for the same length of time. Otherwise, authentication errors will occur.
- Launch Azure PowerShell.
- Store the EndDate in a variable. It is recommended to set the EndDate of the Azure AD application and the expiration date of the certificate to the same value, so replace VALID_FOR_NUM_DAYS with the number of days until the certificate from Step 2 expires (at most 1095 if you used the openssl command as shown):
$endDate = (Get-Date).Date
$timespan = New-TimeSpan -Days VALID_FOR_NUM_DAYS
$endDate = $endDate + $timespan
- Execute the following commands to import arm.cer as a management certificate, create the Azure AD application and service principal, and assign the custom role:
Login-AzureRmAccount
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
# IdentifierUris must be unique in the tenant; use a different URI when creating the application for the second firewall
$app = New-AzureRmADApplication -DisplayName "DISPLAY_NAME" -HomePage "http://localhost" -IdentifierUris "http://localhost" -CertValue $key -EndDate $endDate
# write down the application ID ($app.ApplicationId is the "client ID" in NextGen Admin)
$princ = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
# wait for the service principal to be created and propagated in Azure AD
Start-Sleep -Seconds 30
# in the command below, you can use "-Scope" to restrict permissions to specific resource groups; without -Scope the role is assigned at subscription level
New-AzureRmRoleAssignment -RoleDefinitionName $firewallRole.Name -ServicePrincipalName $princ.ServicePrincipalNames[0]
- Get the Application ID:
Get-AzureRmADApplication -DisplayNameStartWith "YOUR_ADAPPNAME"
- Write down the ApplicationId for Step 5.
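The following script is added here as an example and is not part of the original Barracuda documentation. It runs Steps 3 and 4 end to end with the AzureRM cmdlets used above, but differs in three points a practitioner would want: the application EndDate is derived from the certificate's own NotAfter instead of a hand-entered day count (so the two validity periods cannot drift apart), the role assignment is retried while the new service principal propagates instead of relying on a fixed sleep, and the assignment is scoped to a resource group. The subscription ID, resource group, certificate path, application display name and role name are placeholders chosen for this example.

```powershell
# Added example, not Barracuda's script. The values below are assumptions; adjust them to your setup.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumption: your Azure subscription ID
$resourceGroup  = "DOC-RG"                                 # assumption: RG holding the VNET, route tables and firewall NICs
$certPath       = "C:\certs\arm.cer"                       # assumption: arm.cer from Step 2, copied to this machine
$appName        = "NGF-CloudIntegration-FW1"               # assumption: display name; use a different one per firewall
$roleName       = "NGF Role"

Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

# Read the DER certificate. Its NotAfter becomes the application's EndDate so the two
# validity periods match (a mismatch is what produces the authentication errors above).
# One day of margin keeps the EndDate inside the certificate's validity after UTC conversion.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.NotAfter -lt (Get-Date).AddYears(2)) {
    throw "Certificate expires $($cert.NotAfter); recreate it with at least two years of validity (Step 2)."
}
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
$endDate   = $cert.NotAfter.ToUniversalTime().AddDays(-1)

# Step 3: custom role, created only if it does not exist yet (role names are unique per subscription)
$firewallRole = Get-AzureRmRoleDefinition -Name $roleName
if (-not $firewallRole) {
    $role = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
    $role.Id = $null
    $role.Name = $roleName
    $role.Description = "Barracuda NextGen Firewall Cloud Integration"
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.Compute/virtualMachines/*")
    $role.Actions.Add("Microsoft.Network/*")
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$subscriptionId")
    $firewallRole = New-AzureRmRoleDefinition -Role $role
}

# Step 4: application with the certificate as its credential, plus a service principal.
# IdentifierUris must be unique in the tenant, so the display name is folded into it.
$app = New-AzureRmADApplication -DisplayName $appName -HomePage "http://localhost" `
    -IdentifierUris "http://localhost/$appName" -CertValue $certValue -EndDate $endDate
$princ = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# Role assignment scoped to the resource group. Retry instead of a fixed sleep: the
# assignment fails with PrincipalNotFound until the new principal has propagated.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$assignment = $null
for ($attempt = 1; $attempt -le 8 -and -not $assignment; $attempt++) {
    try {
        $assignment = New-AzureRmRoleAssignment -RoleDefinitionName $firewallRole.Name `
            -ServicePrincipalName $princ.ServicePrincipalNames[0] -Scope $scope -ErrorAction Stop
    } catch {
        Write-Host "Attempt $attempt failed, service principal not visible yet; waiting 15 s"
        Start-Sleep -Seconds 15
    }
}
if (-not $assignment) { throw "Role assignment did not succeed; check the service principal and the scope." }

# Values needed in Step 5 (the tenant ID is shown by Get-AzureRmContext)
Write-Host "Subscription ID : $subscriptionId"
Write-Host "Application ID  : $($app.ApplicationId)"
Write-Host "App EndDate     : $endDate (certificate NotAfter: $($cert.NotAfter))"
Get-AzureRmContext | Format-List
```

The resource-group scope must cover the route tables, the VNET and the firewall NICs; if these live in several resource groups, run the New-AzureRmRoleAssignment line once per group rather than widening the scope to the whole subscription.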
Step 5. Configure User Defined Routing and IP Forward Protection
You must enter your Azure ARM IDs and upload the management certificate created in Step 2 to allow the F-Series Firewall to change the Azure User Defined Routing table and to monitor the IP Forwarding setting via ARM.
- Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Cloud Integration.
- Click Lock.
- In the left menu, click Azure Networking.
- Select Azure Resource Manager (ARM) from the Azure Deployment Type drop-down list.
- Enter your Azure Subscription ID.
- Enter your Azure Tenant ID.
- Enter your Azure Application ID (the ApplicationId noted in Step 4).
- Enter the Resource Group name.
- Enter the Virtual Network Name, e.g., DOC-VNET.
- Enter the Route Check Interval. Default: 300.
- Next to Management Certificate click Ex/Import and select Import from PEM File. The File browser window opens.
- Select the arm.pem certificate created in Step 2, and click Open.
- Next to Management Key click Ex/Import and select Import from File. The File browser window opens.
- Select the arm.key.pem private key created in Step 2, and click Open.
- From the Protect IP Forwarding Settings list, select yes to monitor the IP Forwarding setting of the NIC.
- Click Send Changes and Activate.
The Azure routing table is now updated every time the virtual server fails over.
Step 6. (optional) Set the Azure environment
If you are running your firewall in a non-default Azure environment, such as Azure Germany, govcloud, Azure China, or Azure Stack, you must configure the Azure environment.
- Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Cloud Integration.
- Click Lock.
- In the left menu, click Azure Networking.
- Select the Azure Environment from the list. If your Azure environment is not in the list, select Explicit.
- (Explicit only) In the left menu, expand the Configuration Mode section and click Switch to Advanced View.
- (Explicit only) Enter the following settings for your Azure environment:
- Service Manager URL
- Resource Manager URL
- Active Directory Authority
- Token Issuer Service URL
- Click Send Changes and Activate.
Next steps
Repeat Step 4 and Step 5 of this configuration for the other firewall VM in the HA cluster, so that both the primary and the secondary firewall can rewrite the route table. The custom role from Step 3 exists once per subscription and is reused; creating it a second time under the same name fails.
Getting tenant ID and subscription ID for existing setups
- Launch Azure PowerShell.
- The SubscriptionId and TenantId are listed in the output after logging in via the Login-AzureRmAccount cmdlet; Get-AzureRmContext shows them again for the current session.
Getting application ID for existing setups
It might take a couple of minutes for the user to be propagated in Azure AD.
- Go to the Access control (IAM) settings of your virtual network.
- Locate the AD application name (ADAppname) in the User column for the custom role you created for your firewall.
- Launch Azure PowerShell.
- Retrieve the AD application using that name:
Get-AzureRmADApplication -DisplayNameStartWith "YOUR_ADAPPNAME"
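For an existing setup the lookup above only returns the application ID. The script below, added here as an example and not part of the Barracuda documentation, goes further: it locates the application by display name, resolves its service principal and role assignments, flags assignments of the over-broad built-in Owner or Contributor roles, and compares the uploaded credential's EndDate with the certificate on disk so the expiry mismatch that causes authentication errors is caught before it bites. The display name, certificate path and warning threshold are placeholders chosen for this example; Get-AzureRmADAppCredential requires a newer AzureRM.Resources module than the 3.5 baseline of this page.

```powershell
# Added example, not part of the Barracuda documentation. The values below are assumptions.
$appName  = "NGF-CloudIntegration-FW1"   # assumption: display name chosen in Step 4
$certPath = "C:\certs\arm.cer"           # assumption: the arm.cer whose PEM was imported into the firewall
$warnDays = 30                           # assumption: warn this many days before expiry

Login-AzureRmAccount | Out-Null

$apps = @(Get-AzureRmADApplication -DisplayNameStartWith $appName)
if ($apps.Count -ne 1) {
    throw "Expected exactly one application whose name starts with '$appName', found $($apps.Count)."
}
$app = $apps[0]
Write-Host "Application ID (client ID in NextGen Admin): $($app.ApplicationId)"

# The role is assigned to the service principal, whose SPNs include the application ID.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName "$($app.ApplicationId)"
if (-not $sp) { throw "No service principal exists for this application; repeat the New-AzureRmADServicePrincipal step." }

# Role assignments: the firewall needs the custom role, not a built-in catch-all role.
$assignments = @(Get-AzureRmRoleAssignment -ObjectId $sp.Id)
if ($assignments.Count -eq 0) { Write-Warning "The service principal has no role assignment; route rewriting will fail." }
foreach ($a in $assignments) {
    Write-Host "Role '$($a.RoleDefinitionName)' at scope $($a.Scope)"
    if ($a.RoleDefinitionName -in @("Owner", "Contributor")) {
        Write-Warning "Built-in role '$($a.RoleDefinitionName)' grants far more than route-table and NIC access; use the custom role from Step 3."
    }
}

# Credential expiry versus the certificate on disk.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$creds = @(Get-AzureRmADAppCredential -ApplicationId $app.ApplicationId)
if ($creds.Count -eq 0) { throw "The application has no credential; the certificate was never uploaded." }
foreach ($c in $creds) {
    $daysLeft = [int]($c.EndDate.ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalDays
    $skew     = [int]($cert.NotAfter.ToUniversalTime() - $c.EndDate.ToUniversalTime()).TotalDays
    Write-Host "Credential $($c.KeyId) ends $($c.EndDate), $daysLeft days left; certificate NotAfter differs by $skew days"
    if ($daysLeft -le $warnDays) {
        Write-Warning "Credential $($c.KeyId) expires within $warnDays days; rotate the certificate and the application together."
    }
    if ($skew -lt 0) {
        Write-Warning "Application EndDate is later than the certificate's NotAfter; authentication stops when the certificate expires."
    }
}

# Subscription and tenant IDs for the firewall's Cloud Integration page
Get-AzureRmContext | Format-List
```

Run it from the same account that created the application; a reader without directory read permission sees the application but not its credentials, and the script then reports a missing credential rather than the real state.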
Monitoring
Go to NETWORK > Azure UDR to see the UDR routing table for all subnets in the firewall's VNET. Routes using the firewall VM as the next hop are marked with a green icon. This icon changes to red during the UDR HA failover process.
All activity is logged to the Box\Control\daemon log file.