Azure Cloud Integration allows the firewall to connect directly to the Azure service fabric in order to rewrite Azure user-defined routes and to monitor the IP forwarding setting of the NIC of your firewall VM. On the Azure side, an Azure AD application is created. Certificate authentication is used to authenticate the firewall when accessing the Azure API endpoints. The certificate must be valid for at least 1 year. The end date of the certificate is used by the setup script to also determine the end date for the Azure AD application. When the certificate or the Azure AD application expires, the firewall can no longer use Azure Cloud Integration features until the Azure AD application and the corresponding certificate have been replaced. If a global HTTP proxy is configured, all calls to the Azure REST API are sent via the proxy.
Cloud Integration is required for the following features:
- Barracuda Firewall Admin dashboard cloudinfo element
- UDR route rewriting for CloudGen Firewall high availability clusters
- IP forward protection
Cloud Integration Script for Azure PowerShell 4.2.1
Create the certificates according to the steps in the article. Use the example script below to configure Cloud Integration without having to enter the PowerShell commands one-by-one. Set the variables in the script to match your setup.
Cloud Integration Script for Older Azure PowerShell Versions
It is recommended to update to the latest PowerShell version to be able to use the newest version of this script. If this is not possible, use the example scripts below that match your Azure PowerShell version. Custom firewall role definitions are not supported for older Azure PowerShell versions. The scripts for older Azure PowerShell versions create an Azure AD application valid for one year. To find out which Azure PowerShell version you are using, enter the following PowerShell command:
Get-Module -ListAvailable -Name Azure -Refresh
Before You Begin
- Deploy your CloudGen Firewall, and configure Azure UDR using the Azure Resource Manager (ARM).
- Verify that you are using Azure PowerShell 4.2.1 or higher.
- Verify that a DNS server is configured. For more information, see How to Configure DNS Settings.
- Log into your Azure account using:
Login-AzureRmAccount
Step 1. Verify the Azure PowerShell Version
Verify that you are using the required Azure PowerShell version (see Before you begin). If you must use an older version, use the example scripts above that match your version.
- Launch Azure PowerShell.
- Get the Azure PowerShell version:
Get-Module -ListAvailable -Name Azure -Refresh
- If needed, update Azure PowerShell to match the required version.
Step 2. Create the Azure Management Certificate
For the firewall to be able to connect to the Azure backend, you must create and upload a management certificate. The certificate must be valid for at least two years.
- Log into the firewall via ssh.
- Create the certificate:
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout arm.pem -out arm.pem
- Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface.
- Convert the certificate to CER, as required by Azure:
openssl x509 -inform pem -in arm.pem -outform der -out arm.cer
- Extract the RSA key:
openssl rsa -in arm.pem -out arm.key.pem
You now have three files: arm.pem (certificate and key), arm.key.pem (key only), and arm.cer (certificate only, DER encoded).
Step 3. Upload the Azure Management Certificate via Azure PowerShell
- Edit the Cloud Integration PowerShell script matching your Azure PowerShell version to set the following variables:
- $pathToCERfile – Enter the path to the certificate created in Step 2, e.g., 'c:\Azure\certs\arm.cer'.
- $ADAppName – Enter a unique name for the Azure AD application.
- $resourceGroupName – Enter the name of the Azure resource group containing the VNET.
- $subscriptionID – Enter the Azure Subscription ID in the following format: '/subscriptions/YOURSUBSCRIPTIONID'. Use Get-AzureRmSubscriptionID to get your Azure subscription ID.
- $identifier – Enter an identifier in the format 'http://localhost'. The identifier must be unique.
- $roleName – Enter a unique name for the role.
- Execute the script.
- Write down the Subscription ID (without the /subscriptions/ prefix), the Tenant ID, and the Application ID for use in the firewall configuration.
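The following is an added example of what such a script does, written for AzureRM cmdlets (Azure PowerShell 4.2.1 or higher). It is not Barracuda's own Cloud Integration script. The variable values are placeholders, the set of role actions is an assumption about the minimum the firewall needs to read and rewrite route tables and to read the NIC IP forwarding setting, and the 30-second pause is a pragmatic allowance for Azure AD propagation before the role assignment.

```powershell
# Added example (not the Barracuda Cloud Integration script): creates the Azure AD
# application with certificate credentials, a custom role scoped to the subscription,
# and the role assignment on the resource group, then prints the IDs needed in Step 4.

# --- Variables: placeholder values, set them to match your setup ---
$pathToCERfile     = 'c:\Azure\certs\arm.cer'
$ADAppName         = 'CGF-CloudIntegration'          # assumed name
$resourceGroupName = 'DOC-RG'                        # assumed resource group
$subscriptionID    = '/subscriptions/YOURSUBSCRIPTIONID'
$identifier        = 'http://localhost'
$roleName          = 'CGF Cloud Integration Role'    # assumed role name

# --- Load the certificate created in Step 2 and check its validity period ---
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pathToCERfile)
if ($cert.NotAfter -lt (Get-Date).AddYears(1)) {
    throw "Certificate expires $($cert.NotAfter); it must be valid for at least one year."
}
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# --- Create the Azure AD application; its end date follows the certificate's ---
$app = New-AzureRmADApplication -DisplayName $ADAppName `
    -HomePage $identifier -IdentifierUris $identifier `
    -CertValue $keyValue -StartDate $cert.NotBefore -EndDate $cert.NotAfter
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# --- Build a custom role from the built-in Reader role; the action list is an
#     assumption of the least privilege needed for UDR rewriting and IP forward checks ---
$role = Get-AzureRmRoleDefinition -Name 'Reader'
$role.Id = $null
$role.IsCustom = $true
$role.Name = $roleName
$role.Description = 'Rewrite UDRs and read NIC settings for CloudGen Firewall Cloud Integration'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Network/routeTables/read')
$role.Actions.Add('Microsoft.Network/routeTables/routes/*')
$role.Actions.Add('Microsoft.Network/networkInterfaces/read')
$role.Actions.Add('Microsoft.Network/virtualNetworks/read')
$role.Actions.Add('Microsoft.Network/virtualNetworks/subnets/read')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($subscriptionID)
New-AzureRmRoleDefinition -Role $role | Out-Null

# --- Assign the role to the service principal on the resource group only ---
Start-Sleep -Seconds 30   # allow the new service principal to propagate in Azure AD
New-AzureRmRoleAssignment -RoleDefinitionName $roleName `
    -ObjectId $sp.Id -ResourceGroupName $resourceGroupName | Out-Null

# --- Values to enter in the firewall configuration (Step 4) ---
$ctx = Get-AzureRmContext
if ("/subscriptions/$($ctx.Subscription.Id)" -ne $subscriptionID) {
    Write-Warning "Logged-in subscription does not match `$subscriptionID; check Login-AzureRmAccount."
}
[PSCustomObject]@{
    SubscriptionID = $subscriptionID -replace '^/subscriptions/', ''
    TenantID       = $ctx.Tenant.Id
    ApplicationID  = $app.ApplicationId
}
```

Scoping the role assignment to the resource group and the assignable scope to the subscription keeps the firewall's credential from being usable anywhere else; because the Azure AD application's end date is taken from the certificate, the validity check at the top is what prevents creating an application that expires before the firewall's certificate does.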
Step 4. Configure User-Defined Routing and IP Forward Protection on the Firewall
You must enter your Azure ARM IDs and upload the management certificate created in Step 2 and 3 to allow the firewall to change the Azure user-defined routing table and to monitor the IP forwarding setting via ARM.
- Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Cloud Integration.
- Click Lock.
- In the left menu, click Azure Networking.
- Select Azure Resource Manager (ARM) from the Azure Deployment Type drop-down list.
- Enter your Azure Subscription ID.
- Enter your Azure Tenant ID.
- Enter your Azure Application ID.
- Enter the Resource Group name the VNET is in. This is the same resource group as entered in the script in Step 3.
- Enter the Virtual Network Name, e.g., DOC-VNET.
- Enter the Route Check Interval. Default: 300.
- Next to Management Certificate click Ex/Import and select Import from PEM File. The File browser window opens.
- Select the arm.pem certificate created in Step 1, and click Open.
- Next to Management Key click Ex/Import and select Import from File. The File browser window opens.
- Select the arm.key.pem key file created in Step 1, and click Open.
- From the Protect IP Forwarding Settings list, select yes to monitor the IP Forwarding setting of the NIC.
- Click Send Changes and Activate.
The Azure routing table is now updated every time the virtual server fails over.
Step 5. (optional) Set the Azure Environment
If you are running your firewall in a non-default Azure environment, such as Azure Germany, govcloud, Azure China, or Azure Stack, you must configure the Azure environment.
- Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Cloud Integration.
- Click Lock.
- In the left menu, click Azure Networking.
- Select the Azure Environment from the list. If your Azure environment is not in the list, select Explicit.
- (Explicit only) In the left menu, expand the Configuration Mode section and click Switch to Advanced View.
- (Explicit only) Enter the following settings for your Azure environment:
- Service Manager URL
- Resource Manager URL
- Active Directory Authority
- Token Issuer Service URL
- Click Send Changes and Activate.
Next steps
For managed high availability clusters repeat Step 4 and, optionally, Step 5 for the other firewall VM in the high availability cluster, or use a repository entry to share the configuration across the cluster. For standalone high availability clusters, the settings are propagated automatically.
Getting Tenant ID and Subscription ID for Existing Setups
It might take a couple of minutes for the user to be propagated in Azure AD.
- Launch Azure PowerShell.
- The SubscriptionId and TenantId are listed after logging in via the Login-AzureRmAccount cmdlet.
Getting the Application ID for Existing Setups
It might take a couple of minutes for the user to be propagated in Azure AD.
- Go to the Access control (IAM) settings of your virtual network.
- Locate the ADAppname in the User column of the custom role you created for your firewall.
- Launch Azure PowerShell.
- Retrieve the AD application using the username:
Get-AzureRmADApplication -DisplayNameStartWith "YOUR_ADAPPNAME"
Monitoring
Go to NETWORK > Azure UDR to see the UDR routing table for all subnets in the firewall's VNET. Routes using the firewall VM as the next hop are marked with a green icon. This icon changes to red during the UDR HA failover process.
All activity is logged to the Box\Control\daemon log file.