Barracuda CloudGen Firewall

How to Configure Automatic Connectivity to Azure Virtual WAN with Selective Traffic Backhauling

  • Last updated on

Barracuda CloudGen Firewalls can be connected to a Microsoft Azure Virtual WAN hub automatically. The automatic configuration provides robust and redundant connections by introducing two active-active IPSec IKEv2 VPN tunnels with the corresponding BGP setup and fully automated Azure Virtual WAN site creation on Microsoft Azure for selective traffic backhauling. Selective traffic backhauling means that all network traffic, except connections to Office 365, is routed to the Microsoft Azure public cloud. For compliance and regional experience, however, the Azure Virtual WAN settings enforce that Office 365 traffic is routed to the regional Office 365 datacenters of your on-premises sites.


Before You Begin

Step 1. Configure Microsoft Azure Virtual WAN Service

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click All services and click Virtual WANs located in the OTHER category.
  3. Click Add to create a new Virtual WAN and fill out the required information.
  4. Click Create to finish Virtual WAN creation.
  5. Access your Virtual WAN via the respective Azure Resource group.
  6. In the Configuration section, select one of the available Office 365 local breakout policy options and Branch-to-branch connectivity policy.
  7. On-premises CloudGen Firewalls (sites) can now be added through the CloudGen Firewall configuration.

Step 2. Configure and Connect the CloudGen Firewall

The Azure Virtual WAN is now ready for automatic site creation via the CloudGen Firewall. The configuration needs to be done directly on the firewall that should be connected to the Azure Virtual Hub.

  1. Log into the CloudGen Firewall.
  2. Go to CONTROL > Box.
  3. Click Microsoft Azure Virtual WAN and select Connect to Virtual WAN.
  4. Enter the required Azure Authentication information.
  5. In the Azure Virtual WAN section, enter the name of the Azure Virtual WAN.
  6. Enable Backhaul all traffic and enforce O365 policy to backhaul all internet traffic to Microsoft Azure, but allow local breakout of Microsoft Office 365 traffic to the Office 365 datacenter geography of the site. Enabling traffic backhauling will automatically apply a custom Connection Object to the default access rule LAN-2-Internet that enables the local breakout.


  7. Click Connect to start the automatic site configuration process with Microsoft Azure.
  8. The site will be created and is then available in the Azure Virtual WAN Settings.
  9. To verify the connection status, click Check Connection Status.

Step 3. Associate Sites to the Hub

As soon as the automatically created site is available on the Azure Virtual WAN, it needs to be associated to the corresponding Azure Virtual WAN Hub.

  1. Log into the Azure portal: https://portal.azure.com
  2. In your Azure Resource group, open your Azure Virtual WAN.
  3. Select Sites from the SETTINGS section.
  4. The Unassociated sites tab lists all automatically created sites that are not yet associated to the Azure Virtual WAN Hub.
  5. Select the desired site and click Confirm to associate this site to the hub.
  6. After the site has been added to the hub, it will be listed in the Sites associated to hubs tab.
  7. The automatic site configuration is now completed, and the CloudGen Firewall is connected to Azure Virtual WAN.

Step 4. Verify Connectivity and Routing

For redundancy, the CloudGen Firewall automatically creates two IPSec-IKEv2 VPN tunnels and the required BGP routes to the Azure Virtual Hub. Both tunnels are in active-active mode, but only one tunnel carries data to the Azure Virtual WAN. The firewall automatically switches between the tunnels to ensure robust connectivity to Azure.

  1. Log into the CloudGen Firewall.
  2. Go to VPN > Site-to-Site.
  3. Verify that two IPSec-IKEv2 tunnels are up and running.
  4. Go to CONTROL > Network and open the BGP tab.
  5. Verify that, along with the VPN tunnels, all associated BGP autonomous systems and neighbors are present.
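An added example, not part of the Barracuda documentation: one way to check exported flow records against the selective backhauling policy, flagging internet traffic that left through the local breakout and Office 365 traffic that was backhauled. The prefixes, record fields and path labels are constructed assumptions; substitute the real Office 365 ranges and the fields of your own flow export.

```python
"""Audit egress paths against a selective-backhaul policy (added example).

All prefixes, flow records and field names below are constructed for
illustration; they are not Barracuda log formats or real Office 365 ranges.
"""
import ipaddress

# Constructed stand-ins for Office 365 prefixes (documentation address ranges).
O365_PREFIXES = [ipaddress.ip_network(p) for p in
                 ("198.51.100.0/24", "203.0.113.0/25", "2001:db8:365::/48")]


def expected_path(dst: str) -> str:
    """Return the egress path the policy requires for a destination IP."""
    ip = ipaddress.ip_address(dst)  # raises ValueError on malformed input
    if any(ip in net for net in O365_PREFIXES):
        return "local-breakout"     # Office 365 goes to the regional datacenter
    return "azure-vwan"             # everything else is backhauled to Azure


def audit(flows):
    """Return (flow, required_path) for each flow that violates the policy."""
    violations = []
    for flow in flows:
        try:
            want = expected_path(flow["dst"])
        except ValueError:
            violations.append((flow, "unparseable-destination"))
            continue
        if flow["path"] != want:
            violations.append((flow, want))
    return violations


# Constructed sample flow records; "path" is the observed egress path.
SAMPLE_FLOWS = [
    {"src": "10.1.0.15", "dst": "198.51.100.20", "path": "local-breakout"},
    {"src": "10.1.0.15", "dst": "192.0.2.80", "path": "azure-vwan"},
    # Internet traffic leaving locally bypasses the backhaul.
    {"src": "10.1.0.22", "dst": "192.0.2.81", "path": "local-breakout"},
    # Just outside the /25: a breakout match that is too broad.
    {"src": "10.1.0.30", "dst": "203.0.113.200", "path": "local-breakout"},
    # Office 365 over IPv6 that was backhauled instead of broken out.
    {"src": "10.1.0.31", "dst": "2001:db8:365::10", "path": "azure-vwan"},
]

if __name__ == "__main__":
    for flow, want in audit(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']}: saw {flow['path']}, policy requires {want}")
```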

Step 5. Configure the Forwarding Firewall Rule Set

To manage and restrict network traffic from and to the Azure Virtual Hub, the forwarding firewall rule set needs to be adapted to allow traffic as required.

For more information, see: Access Rules.

Next Steps

Attach an Azure Virtual Network to the Virtual WAN Hub to use the VPN connection for branch-to-cloud connectivity.
