We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Automatic Connectivity to Azure Virtual WAN

  • Last updated on

VPN connections from a CloudGen Firewall to the Azure Virtual WAN hub can be provisioned automatically. The automatic configuration provides a robust and redundant connection by introducing two active-active IPsec IKEv2 VPN tunnels with the respective BGP setup and fully automated Azure Virtual WAN site creation on Microsoft Azure. The finished deployment allows for both branch-to-branch and branch-to-cloud connections.


Before You Begin

Control Center admins who can modify Cloud Integration to connect a Control Center-managed box to Microsoft Azure Virtual WAN can implicitly create the required services (VPN and BGP) if they are not present, even though the admins might not have the permission to do so. This is because the virtual WAN connectivity automatically establishes those services if they are needed. Control Center admins cannot do that directly; they can, however, indirectly trigger the services via the virtual WAN setup.


Step 1. Configure Microsoft Azure Virtual WAN Service

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click Create a resource and search for Virtual WAN.
  3. Click Virtual WAN.
  4. In the next blade, click Create.
  5. In the Create WAN blade, enter the Virtual WAN Name and select an existing Resource Group or create a new one.
  6. Click Create to finish Virtual WAN creation.

The CloudGen Firewall can now trigger the connection process to the Azure Virtual WAN.

Step 2. Create a Hub in Your Azure Virtual WAN

Creating a hub takes up to 30 minutes.

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click All services and search for Resource groups.
  3. Click on the resource group your vWAN is attached to. It was created in Step 1.
  4. Click on your vWAN created in Step 1.
  5. On the left side, click Hubs.
  6. In the next blade, click New Hub.
  7. The Create virtual hub blade opens.
    1. Region – Select a region from the drop-down list, e.g., West Europe.
    2. Name – Enter a name for the hub, e.g., doc-vwan-hub.
    3. Hub private address space – Enter the hub's address range in CIDR, e.g., .
  8. Click Next: Site to site >.
  9. The Site to site blade opens.
    1. Do you want to create a Site to site (VPN gateway) – Select Yes.
    2. Gateway scale units – Select a scale unit from the drop-down menu according to your requirements.
      site to site vpn_gateway.png
  10. Click Review + create.
  11. Review your settings and click Create to start the creation of the hub. This can take up to 30 minutes.

Step 3. Trigger Virtual WAN connection

  1. Log into the CloudGen Firewall with Firewall Admin.
  2. Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your Box > Advanced Configuration > Cloud Integration and select Azure Virtual WAN in the left menu.
  3. Click Lock.
  4. In the Azure Virtual WAN Connections section, click +.
  5. Enter a name for your virtual WAN and click OK....
  6. The window opens.
    1. Virtual WAN Name – Enter the name of the virtual WAN created in Step 1.
    2. Subscription Id – Enter the ID of the subscription containing the Virtual WAN.
    3. Tenant Id – Enter the tenant ID of the Azure account containing the Virtual WAN.
    4. Client Id – Enter the ID of the application used to authenticate to the Azure API.
    5. Client Password Enter the password for the application used to authenticate to the Azure API.
    6. Resource Group – Enter the name of the resource group containing the virtual WAN.
    7. Virtual Hub Name – Enter the name of the hub created in Step 2.

  7. Click OK
  8. Click Send Changes and Activate.

A VPN site entry is automatically created, and the firewall starts to check for an available configuration every 30 seconds. Wait for the new hub association to complete. The firewall automatically picks up the new configuration and connects to the Virtual WAN.

Step 4. Verify Connectivity and Routing

For redundancy reasons, the CloudGen Firewall automatically creates two IPSec-IKEv2 VPN tunnels and the required BGP routes to the Microsoft Azure Virtual Hub. Both tunnels are in active-active mode. In case one tunnel fails, the routing is changed to automatically use the other tunnel.

  1. Log into the CloudGen Firewall.
  2. Go to VPN > Site-to-Site.
  3. Verify if two IPSec-IKEv2 tunnels are up and running.
  4. Go to CONTROL > Network and open the BGP tab.
  5. Verify that, along with the VPN tunnels, all associated BGP autonomous systems and neighbors are present.

Step 5. Configure the Forwarding Firewall Rule Set

To manage and restrict network traffic from and to the Azure Virtual Hub, the forwarding firewall rule set needs to be adapted to allow traffic as required.

For more information, see How to Create a Pass Access Rule.

Next Steps

Attach an Azure Virtual Network to the Virtual WAN hub to use the VPN connection for branch-to-cloud connectivity.

Last updated on