It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Automatic Connectivity to Azure Virtual WAN with Selective Traffic Backhauling

  • Last updated on

Connecting Barracuda CloudGen Firewalls to a Microsoft Azure Virtual WAN hub can be done automatically. The automatic configuration provides robust and redundant connections by introducing two active-active IPSec IKEv2 VPN tunnels with the corresponding BGP setup and fully automated Azure Virtual WAN site creation on Microsoft Azure for selective traffic backhauling. Selective traffic backhauling means that all network traffic, except connections to Office 365, will be routed to the Microsoft Azure public cloud. However, for compliance and regional experience, Office 365 traffic routing will be enforced by the Azure Virtual WAN settings to be routed to the regional Office 365 datacenters of your on-premises sites.

vpn_hub_a_o365.png 

Before You Begin

  • This configuration requires CloudGen Firewall 7.2.3, hotfix-896, and Barracuda Firewall Admin 7.2.3 - 207.

  • Create an Azure service principal to allow the firewall to authenticate to the Azure Virtual WAN APIs. For more information, see How to Create a Service Principal for Azure Virtual WAN.

Step 1. Create Virtual WAN Service in Microsoft Azure 

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click  Create a resource  and search for Virtual WAN.
  3. Click Virtual WAN
    marketplace_vwan1.png
  4. In the next blade, click Create.
  5. In the Create WAN blade, specify values for the following:
    • Resource Group – Select an existing resource group from the drop-down menu, or create a new one.

      The resource group must be the same one as used by the service principal. Otherwise, the firewall will not have sufficient permissions to authenticate to Azure Virtual WAN APIs that enable automated connectivity. For more information, see How to Create a Service Principal for Azure Virtual WAN.

    • Resource group location – Select the region of the Virtual WAN, e.g., West Europe.
    • Name – Enter a name for your Virtual WAN.
    • Type – Select Standard if you want to use hub-to-hub/routing mesh for peered VNETs, or if you want to connect the hubs in Azure. Otherwise, select Basic.
    create_vwan_blade.png
  6. Click Review + Create.
  7. Click Create to finish Virtual WAN creation.

 

Step 2. Create a Hub in Your Azure Virtual WAN

Creating a hub takes up to 30 minutes.

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click  All services and search for Resource groups.
  3. Click on the resource group your vWAN is attached to. It was created in Step 1.
  4. Click on your vWAN created in Step 1.
  5. On the left side, click Hubs.
  6. In the next blade, click + New Hub.
    create_hubs_1.png
  7. The Create virtual hub blade opens. Specify values for the following:
    • Region  – Select a region from the drop-down list, e.g., West Europe.
    • Name  – Enter a name for the hub, e.g., doc-vwan-hub.
    • Hub private address space  – Enter the hub's address range in CIDR, e.g., 10.0.0.0/24 . 
      create_hub2.png
  8. Click Next: Site to site >.
  9. The Site to site blade opens. Specify the values for the following:  
    • Do you want to create a Site to site (VPN gateway) – Select Yes.
    • Gateway scale units – Select a scale unit from the drop-down menu according to your requirements. 
    create_hub3.png
  10. Click Review + create.
  11. Review your settings and click Create to start the creation of the hub. This can take up to 30 minutes.

Step 3. Trigger Virtual WAN connection

  1. Log into the CloudGen Firewall with Firewall Admin.
  2. Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your Box > Advanced Configuration > Cloud Integration.
  3. Select Azure Virtual WAN in the left menu.
  4. Click Lock.
  5. In the Azure Virtual WAN Connections section, click +.
  6. Enter a name for your Virtual WAN and click OK.
  7. The Azure Virtual WAN Connections window opens. Specify values for the following:
    • Virtual WAN Name – Enter the name of the Virtual WAN created in Step 2.
    • Subscription Id  – Enter the ID of the subscription containing the Virtual WAN.
    • Tenant Id  – Enter the tenant ID of the Azure account containing the Virtual WAN.
    • Client Id  – Enter the ID of the application used to authenticate to the Azure API.
    • Client Password  – Enter  the password for the application used to authenticate to the Azure API.
    • Resource Group  – Enter the name of the resource group containing the Virtual WAN.
    vwan_cgf.png
  8. Click OK.
  9. Click Send Changes and Activate. 

Step 4. Associate Site to the Hub 

The Virtual WAN VPN site must be associated to the geographically nearest Virtual WAN hub by the admin.  

  1. Log into the Azure portal: https://portal.azure.com
  2. In your Azure Resource group, open your Azure Virtual WAN created in Step 1.
  3. In the left menu of the Virtual WAN blade, click VPN Sites
  4. Select the check box of the Virtual WAN VPN site created by the firewall in Step 3 and click New hub connection
    connect_hub.png
  5. The Connect sites with one hub blade opens. 
    1. Select the Hub created in Step 2 from the drop-down menu.
    2. Select the check box of the Virtual WAN VPN site created by the firewall in Step 3. 
      connecthub2.png
  6. Click Confirm.

Wait for the new hub association to complete. The firewall automatically picks up the new configuration and connects to the Virtual WAN.

Step 5. Configure Routes to Be Advertised via BGP 

Only routes with the parameter Advertise set to yes will be propagated via BGP.     

  1. Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your Box > Network.
  2. Click Configuration Mode.
  3. Click Switch to Advanced.
  4. Click Lock.
  5. (optional) Click IP Configuration. In the Management IP and Networks section, set Advertise Route to yes in order to propagate the management network.
  6. In the left menu, click Routing.
  7. Double-click on the Routes you want to propagate, and set Advertise Route to yes.
  8. Click OK
  9. Click Send Changes and Activate.

Step 6. Configure Local Breakout in Microsoft Azure Cloud Shell 

  1. Log into the Azure portal: https://portal.azure.com.
  2. To open the Cloud Shell, click on the shell icon in the upper-right corner.
    cloud_shell.png
  3. Select Bash in the Cloud Shell menu.
  4. Select Power Shell from the cloud shell drop-down menu.
    ps.png
  5. (Optional) If you have not installed the virtual WAN extension for Azure Power Shell, type az extension add --name virtual-wan and press enter to install the extension.
    vwan_ext.png
  6. Enter az network vwan update --name <your_virtual_WAN_name> --resource-group <name_of_resource_group_containing_your virtual WAN> --office365-category <value> to select the breakout category that meets your requirements.
    updated.png
  7. After the update was succsessful, the new configuration is displayed on the command-line interface.

The following values are available:

ValueName
0optimize
1optimize and allow
2all
3none

For more information on the categories, see Microsoft article https://docs.microsoft.com/en-us/cli/azure/ext/virtual-wan/network/vwan?view=azure-cli-latest .

Step 7. Verify Connectivity and Routing

For redundancy reasons, the CloudGen Firewall automatically creates two IPSec-IKEv2 VPN tunnels and the required BGP routes to the Azure Virtual Hub. Both tunnels are in active-active mode while only one tunnel is tunneling data to the Azure Virtual WAN. The firewall automatically switches between the tunnels to ensure robust connectivity to Azure.

  1. Log into the CloudGen Firewall.
  2. Go to VPN > Site-to-Site.
  3. Verify that two IPSec-IKEv2 tunnels are up and running.
    conn_routing.png
  4. Go to CONTROL > Network and open the BGP tab.
  5. Verify that, along with the VPN tunnels, all associated BGP autonomous systems and neighbors are present.
    conn_routing01.png

Step 8. Configure the Forwarding Firewall Rule Set

To manage and restrict network traffic from and to the Azure Virtual Hub, the forwarding firewall rule set needs to be adapted to allow traffic as required.

For more information, see: Access Rules.

Next Steps

Attach an Azure Virtual Network to the Virtual WAN Hub to use the VPN connection for branch-to-cloud connectivity.