Barracuda CloudGen Firewall

How to Configure Azure Cloud Integration using ASM


Azure Cloud integration allows the firewall to connect directly to the Azure service fabric to rewrite Azure User Defined Routes and to monitor the IP Forwarding setting of the NIC of your firewall VM.  Azure User Defined Routing allows you to use the Firewall F-Series high availability cluster in the frontend subnet as the default gateway for all your VMs running in the backend networks. You must enable IP Forwarding for the firewall VMs and create and apply an Azure routing table to the backend networks. Using a management certificate and the Azure subscriber ID, the firewall VMs can change the Azure routing table on the fly when the virtual server fails over from one VM to the other. Azure route table rewriting must be configured on the primary and secondary F-Series Firewall. If a global HTTP proxy is configured, all REST API calls are sent via the proxy.

Before You Begin

Step 1. Create the Azure Management Certificate

For the firewall to be able to connect to the Azure backend, you must create and upload a management certificate. The certificate must be valid for at least one year.

  1. Log into the NextGen Firewall F-Series via ssh.
  2. Create the certificate (-days must be at least 365 to meet the one-year requirement; 730 gives two years):
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
  3. Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface.
  4. Convert the certificate to CER, as required by Azure:
    openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer

If you are using an OpenSSL version that generates PKCS#8 keys, you must extract the RSA key separately:

openssl rsa -in mycert.pem -out mycert.key.pem

In this case, upload mycert.pem as the Azure Management Certificate and mycert.key.pem as the Management Key on the firewall.

You now have two files: mycert.pem (private key and certificate, PEM encoded) and mycert.cer (certificate only, DER encoded).
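The certificate steps above, scripted with the checks a practitioner would run before uploading anything. This is an added example, not Barracuda's code: it assumes openssl is on the PATH and the current directory is writable, the Common Name cgf-azure-mgmt is made up, and the file names are the ones the procedure uses. It also handles the PKCS#8 case from the note above: OpenSSL 3.x writes PKCS#8 from openssl rsa as well unless -traditional is given, while older releases reject that flag and already write the traditional form, so the extraction tries both.

```shell
#!/bin/sh
# Added example (not Barracuda's code): scripted version of the certificate
# steps, plus the checks worth running before the upload.
# Assumptions: openssl on PATH, writable current directory; CN_NAME is a
# hypothetical Common Name, the other file names match the procedure.

CERT_DAYS=730                 # must cover at least one year (>= 365)
CN_NAME="cgf-azure-mgmt"      # hypothetical; shown as Name in the Azure portal
PEM=mycert.pem                # private key + certificate (Management Certificate)
CER=mycert.cer                # DER copy, uploaded to the Azure portal
KEY=mycert.key.pem            # traditional RSA key (Management Key when needed)

make_mgmt_cert() {
  # Same openssl req call as the step above, made non-interactive with -subj.
  openssl req -x509 -nodes -days "$CERT_DAYS" -newkey rsa:2048 \
    -keyout "$PEM" -out "$PEM" -subj "/CN=$CN_NAME" >/dev/null 2>&1 || return 1
  # DER-encoded copy, as Azure requires for the portal upload.
  openssl x509 -inform pem -in "$PEM" -outform der -out "$CER"
}

# Prints "pkcs8" when the key block is the PKCS#8 "BEGIN PRIVATE KEY" form
# that must be converted for the firewall, "rsa" for the traditional form.
key_format() {
  if grep -q 'BEGIN PRIVATE KEY' "$PEM"; then echo pkcs8; else echo rsa; fi
}

# The page's fix for PKCS#8 output. OpenSSL 3.x needs -traditional to emit
# "BEGIN RSA PRIVATE KEY"; older releases reject the flag and emit it anyway.
extract_rsa_key() {
  openssl rsa -in "$PEM" -traditional -out "$KEY" 2>/dev/null \
    || openssl rsa -in "$PEM" -out "$KEY" 2>/dev/null || return 1
  grep -q 'BEGIN RSA PRIVATE KEY' "$KEY"
}

# Succeeds only if the certificate is still valid one year from now
# (365 days in seconds), i.e. the validity requirement stated above.
cert_valid_one_year() {
  openssl x509 -in "$PEM" -noout -checkend 31536000 >/dev/null
}

# Guards against uploading a key that does not belong to the certificate:
# certificate and key must carry the same RSA modulus.
key_matches_cert() {
  c=$(openssl x509 -in "$PEM" -noout -modulus)
  k=$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# SHA-1 thumbprint without colons, as the Azure portal lists it; $1 is the
# file, $2 its encoding (pem or der). Equal PEM and DER values confirm the
# conversion produced the same certificate.
cert_thumbprint() {
  openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g'
}

main() {
  make_mgmt_cert || { echo "certificate generation failed" >&2; exit 1; }
  cert_valid_one_year || { echo "certificate does not cover one year" >&2; exit 1; }
  if [ "$(key_format)" = pkcs8 ]; then
    echo "PKCS#8 key detected: upload $KEY as the Management Key"
  else
    echo "traditional RSA key: $PEM serves as certificate and key"
  fi
  extract_rsa_key || { echo "key extraction failed" >&2; exit 1; }
  key_matches_cert || { echo "key and certificate do not match" >&2; exit 1; }
  echo "thumbprint (PEM): $(cert_thumbprint "$PEM" pem)"
  echo "thumbprint (CER): $(cert_thumbprint "$CER" der)"
}

# Run as: sh azure_mgmt_cert.sh run   (files are written to the current directory)
if [ "${1:-}" = "run" ]; then main; fi
```

The printed thumbprint is the value to compare against the entry that appears under MANAGEMENT CERTIFICATES after the upload; the modulus check catches the common mistake of importing a key file that was generated in a different run than the certificate.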

Step 3. Upload the Azure Management Certificate

  1. Log into the Microsoft Azure Management Portal (https://manage.windowsazure.com).
  2. On the bottom of the left menu, click on SETTINGS.
  3. In the top navigation, click on MANAGEMENT CERTIFICATES.
  4. On the bottom, click UPLOAD.
  5. Select the mycert.cer certificate created in Step 2, and click OK.

The management certificate is now listed with the Common Name of the certificate used as the Name.

Step 4. Configure Cloud Integration

You must enter your Azure SubscriptionId, VNET name, and the management certificate to allow the firewall to connect to the Azure service fabric.

  1. Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Cloud Integration.
  2. Click Lock.
  3. In the left menu, click Azure Networking.
  4. Select Azure Service Management (ASM) from the Azure Deployment Type drop-down list.
  5. Enter your Azure Subscription ID. Use Get-AzureSubscription in Azure PowerShell to display your SubscriptionId.
  6. Enter the Virtual Network Name.
  7. Next to Management Certificate, click Ex/Import and select Import from PEM File. The File browser window opens.
  8. Select the mycert.pem certificate created in Step 2, and click Open.
  9. Next to Management Key, click Ex/Import and select Import from File. The File browser window opens. Select the mycert.pem certificate created in Step 2, and click Open.

    If you are using an OpenSSL version that generates PKCS#8 keys, import the mycert.key.pem file as the Management Key on the firewall.

  10. From the Protect IP Forwarding Settings list, select yes to monitor the IP Forwarding setting of the NIC attached to your firewall VM.
  11. Click Send Changes and Activate.

The Azure routing table and the IP Forwarding settings are now monitored. If used in an HA cluster, the routes in the Azure route table are rewritten when the virtual server fails over.

Monitoring

Go to NETWORK > Azure UDR to see the UDR routing table for all subnets in the firewall's VNET. The green status icon is displayed for routes where the destination is an F-Series firewall. The icon changes to a red icon when an HA failover is in progress.

Log File

All activity is logged to the Box\Control\daemon log file.