Barracuda Web Application Firewall

Adding an Additional Public IP Address on Microsoft Azure

  • Last updated on

This article will show you how to set up public access to multiple services of the same kind (e.g., HTTP, HTTPS) that are configured on the Barracuda CloudGen WAF without altering the public port on the public IP/DNS for the service(s). To do so, you must associate an additional public IP address to the Barracuda CloudGen WAF VM and map the public port with the internal IP address and port of the service configured on the Barracuda CloudGen WAF.

[Figure: Multiple Public IP Addresses]

Understanding the Problem

Let’s imagine you have two web servers, Server1 and Server2, with the internal IP addresses 2.2.2.11 and 2.2.2.12 respectively. You want to protect both with the Barracuda CloudGen WAF (internal IP address: 1.1.1.1, public IP address: 50.50.50.50) and reach both through the public IP/DNS.

Under current Microsoft Azure limitations, you can have only one internal IP address per VM. Thus, your Barracuda CloudGen WAF VM will also have only one internal IP address, which can be used to create the services. The servers you want to protect here are HTTP, so HTTP services on the Barracuda CloudGen WAF will look as follows:

  • Service1 with the internal IP address 1.1.1.1 and Port 80 on the Barracuda CloudGen WAF, which is protecting Server1 (internal IP: 2.2.2.11)
  • Service2 with the internal IP address 1.1.1.1 and Port 82 on the Barracuda CloudGen WAF, which is protecting Server2 (internal IP: 2.2.2.12)

The web servers are currently accessible over the Internet via the Barracuda CloudGen WAF on the following URLs:

  • http://50.50.50.50 for Service1
  • http://50.50.50.50:82 for Service2

Service1 is on port 80, so it can be accessed without appending the port in the URL. However, Service2 is on port 82, so you must enter the port number in the URL (i.e. http://50.50.50.50:82 ) to access the service over the Internet. To access the service without entering the port, you must assign an additional public IP address (for example, 99.99.99.99 is the additional Public IP address) to your Barracuda CloudGen WAF VM and map that to port 82 on the internal IP of Barracuda CloudGen WAF (i.e. 99.99.99.99, Port: 80 mapped to internal IP: 1.1.1.1 Port: 82, which is Service2).

You can now directly access Service2 using the new public IP address without appending the port in the URL, i.e., http://99.99.99.99.

  • You can add multiple public IP addresses only through Azure PowerShell.
  • Barracuda recommends using reserved IP addresses for public IP addresses. For more information, refer to Reserved IP addresses for Cloud Services.
  • Any operation performed using the PowerShell can be reverted or deleted only through PowerShell. For more information, refer to Multiple VIPs per cloud service.

Before You Begin

Verify you have the following before beginning: 

  • Cloud service name to which you want to allocate additional public IP addresses.
  • VM name(s) deployed in the cloud service mentioned above.
  • Latest Azure PowerShell installed on your machine. Refer to How to Install and Configure Azure PowerShell.
  • Azure subscription.

How to Add an Additional Public IP Address to a Stand-alone Barracuda CloudGen WAF

The steps below will show you how to add an additional public IP address to a stand-alone Barracuda CloudGen WAF.

  1. Run the Azure PowerShell as Administrator
  2. Connect to your subscription through Azure PowerShell using the Add-AzureAccount command. For more information on how to connect to your subscription, refer to How to Install and Configure Azure PowerShell.
  3. Add a random name for the public IP address that will be allocated to the Cloud Service. This is called the Virtual IP Name in Microsoft Azure. Run the command below to do this:

    Add-AzureVirtualIP -VirtualIPName <NAME_FOR_VIRTUAL_IP> -ServiceName <CLOUD_SERVICE_NAME>

    Where:

    Name                   Description
    NAME_FOR_VIRTUAL_IP    Enter a random name for the Virtual IP.
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.

    Example: In the example below, we are adding “Vip2” as Virtual IP Name for the cloud service “barracuda-waf”.

    Add-AzureVirtualIP -VirtualIPName 'Vip2' -ServiceName 'barracuda-waf'

     

  4. To ensure the Virtual IP Name is added successfully, execute the following two commands one after the other:

    $deployment = Get-AzureDeployment -ServiceName <CLOUD_SERVICE_NAME>
    $deployment.VirtualIPs

    Where:

    Name                   Description
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.

    Example: In the example below, we are verifying that the Virtual IP Name “Vip2” is added to the cloud service “barracuda-waf”.

    $deployment = Get-AzureDeployment -ServiceName 'barracuda-waf'
    $deployment.VirtualIPs

    Output:

    Address         : 23.100.80.88
    IsDnsProgrammed : True
    Name            : barracuda-waf
    ReservedIPName  :
    ExtensionData   :

    Address         :
    IsDnsProgrammed :
    Name            : Vip2
    ReservedIPName  :
    ExtensionData   :

  5. Associate the new public IP address to the cloud service and add the relevant endpoints using the command below:

    Get-AzureVM -ServiceName <CLOUD_SERVICE_NAME> -Name <VM_NAME> `
    | Add-AzureEndpoint -Name <NAME_FOR_ENDPOINT> -Protocol tcp -LocalPort <LOCAL_PORT> -PublicPort <PUBLIC_PORT> -VirtualIPName <NAME_FOR_VIRTUAL_IP> `
    | Update-AzureVM

    Where:

    Name                   Description
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.
    VM_NAME                Enter the name of the VM associated to the cloud service.
    NAME_FOR_ENDPOINT      Enter a random name for the endpoint.
    LOCAL_PORT             Enter the port of the service configured on the Barracuda CloudGen WAF that needs direct public access.
    PUBLIC_PORT            Enter the public NATed port for the service created on the Barracuda CloudGen WAF.
    NAME_FOR_VIRTUAL_IP    Enter a name for the Virtual IP created in step 3.

    Example: In the example below, we are getting a new public IP address whose public TCP port/endpoint 80 is NATed to local port 82 to the Barracuda CloudGen WAF VM “wafVM1” under Cloud Service “barracuda-waf”.

    Get-AzureVM -ServiceName 'barracuda-waf' -Name 'wafVM1' `
    | Add-AzureEndpoint -Name 'Endpoint1' -Protocol tcp -LocalPort 82 -PublicPort 80 -VirtualIPName 'Vip2' `
    | Update-AzureVM

     

  6. To ensure the public IP address is added successfully, execute the following command and note down the allocated public IP address:

    $deployment = Get-AzureDeployment -ServiceName <CLOUD_SERVICE_NAME>
    $deployment.VirtualIPs

    Where:

    Name                   Description
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.

    Example: In the example below, we are verifying that the Virtual IP Name “Vip2” is added to the cloud service “barracuda-waf”.

    $deployment = Get-AzureDeployment -ServiceName 'barracuda-waf'
    $deployment.VirtualIPs

    Output:

    Address         : 23.100.80.88
    IsDnsProgrammed : True
    Name            : barracuda-waf
    ReservedIPName  :
    ExtensionData   :

    Address         : 104.43.131.78
    IsDnsProgrammed :
    Name            : Vip2
    ReservedIPName  :
    ExtensionData   :


After executing the above commands, the service on the Barracuda CloudGen WAF with port 82 will be mapped/NATed to the new public IP address on port 80 and can be accessed at http://PublicIP2 (as per the example above, Service2 will be accessible on http://104.43.131.78).

How to Add an Additional Public IP Address to the Clustered Barracuda CloudGen WAFs and Load Balance the Traffic Between Them

The following steps will show you how to add an additional public IP address to clustered Barracuda CloudGen WAFs (i.e., wafVM1 and wafVM2) and to load balance the traffic between them.

  1. Run the Azure PowerShell as Administrator
  2. Connect to your subscription through Azure PowerShell using the Add-AzureAccount command. For more information on how to connect to your subscription, refer to How to Install and Configure Azure PowerShell.
  3. Add a random name for the Public IP address that will be allocated to the Cloud Service. This is called the Virtual IP Name in Microsoft Azure. Run the command below to do this:

    Add-AzureVirtualIP -VirtualIPName <NAME_FOR_VIRTUAL_IP> -ServiceName <CLOUD_SERVICE_NAME>

    Where:

    Name                   Description
    NAME_FOR_VIRTUAL_IP    Enter a random name for the Virtual IP.
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.

    Example: Here we are adding “Vip2” as Virtual IP Name for the cloud service “barracuda-waf”.

    Add-AzureVirtualIP -VirtualIPName 'Vip2' -ServiceName 'barracuda-waf'

  4. To ensure the Virtual IP Name is added successfully, execute the following two commands one after the other:

    $deployment = Get-AzureDeployment -ServiceName <CLOUD_SERVICE_NAME>
    $deployment.VirtualIPs

    Where:

    Name                   Description
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.

    Example: Here we are verifying that the Virtual IP Name “Vip2” is added to the cloud service “barracuda-waf”.

    $deployment = Get-AzureDeployment -ServiceName 'barracuda-waf'
    $deployment.VirtualIPs

    Output:

    Address         : 23.100.80.88
    IsDnsProgrammed : True
    Name            : barracuda-waf
    ReservedIPName  :
    ExtensionData   :

    Address         :
    IsDnsProgrammed :
    Name            : Vip2
    ReservedIPName  :
    ExtensionData   :

  5. Associate the new public IP address to the cloud service and add the load balancing endpoint to load balance the traffic between Barracuda CloudGen WAFs (i.e. “wafVM1” and “wafVM2”). Execute the following two commands one after the other:

    Get-AzureVM -ServiceName <CLOUD_SERVICE_NAME> -Name <VM1_NAME> `
    | Add-AzureEndpoint -Name <ENDPOINT_NAME> -LoadBalancedEndpointSetName <LB_NAME> `
      -Protocol tcp -LocalPort <LOCAL_PORT> -PublicPort <PUBLIC_PORT> -VirtualIPName <NAME_FOR_VIRTUAL_IP> -DefaultProbe `
    | Update-AzureVM

    Get-AzureVM -ServiceName <CLOUD_SERVICE_NAME> -Name <VM2_NAME> `
    | Add-AzureEndpoint -Name <ENDPOINT_NAME> -LoadBalancedEndpointSetName <LB_NAME> `
      -Protocol tcp -LocalPort <LOCAL_PORT> -PublicPort <PUBLIC_PORT> -VirtualIPName <NAME_FOR_VIRTUAL_IP> -DefaultProbe `
    | Update-AzureVM

    Where:

    Name                   Description
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.
    VM1_NAME               Enter the name of the VM1 associated to the cloud service.
    VM2_NAME               Enter the name of the VM2 associated to the cloud service.
    ENDPOINT_NAME          Enter a random name for the endpoint.
    LB_NAME                Enter a random name for load balancer endpoint set.
    LOCAL_PORT             Enter the port of the service configured on the Barracuda CloudGen WAF that needs direct public access.
    PUBLIC_PORT            Enter the public NATed port for the service created on the Barracuda CloudGen WAF.
    NAME_FOR_VIRTUAL_IP    Enter a name for the Virtual IP created in step 3.

    Example: Here we are getting a new public IP address whose public TCP port/endpoint 80 is:

    • NATed to local port 82 on the Barracuda CloudGen WAF VMs “wafVM1” and “wafVM2” under the cloud service 'barracuda-waf'
    • Load balancing the traffic between the Barracuda CloudGen WAF VMs “wafVM1” and “wafVM2”.

    Get-AzureVM -ServiceName 'barracuda-waf' -Name 'wafVM1' `
    | Add-AzureEndpoint -Name 'Endpoint1' -LoadBalancedEndpointSetName 'LbSet' `
      -Protocol tcp -LocalPort 82 -PublicPort 80 -VirtualIPName 'Vip2' -DefaultProbe `
    | Update-AzureVM

    Get-AzureVM -ServiceName 'barracuda-waf' -Name 'wafVM2' `
    | Add-AzureEndpoint -Name 'Endpoint1' -LoadBalancedEndpointSetName 'LbSet' `
      -Protocol tcp -LocalPort 82 -PublicPort 80 -VirtualIPName 'Vip2' -DefaultProbe `
    | Update-AzureVM

     

  6. To ensure the public IP address is added successfully, execute the following command and note down the allocated public IP address:

    $deployment = Get-AzureDeployment -ServiceName <CLOUD_SERVICE_NAME>
    $deployment.VirtualIPs

    Where:

    Name                   Description
    CLOUD_SERVICE_NAME     Enter the cloud service name to which you want to add an additional public IP address.

    Example: Here we are verifying that the Virtual IP Name “Vip2” is added to the cloud service “barracuda-waf”.

    $deployment = Get-AzureDeployment -ServiceName 'barracuda-waf'
    $deployment.VirtualIPs

    Output:

    Address         : 23.100.80.88
    IsDnsProgrammed : True
    Name            : barracuda-waf
    ReservedIPName  :
    ExtensionData   :

    Address         : 104.43.131.78
    IsDnsProgrammed :
    Name            : Vip2
    ReservedIPName  :
    ExtensionData   :

After executing the commands above, the service on the Barracuda CloudGen WAF with port 82 will be mapped/NATed to the new public IP address on port 80 and can be accessed at http://PublicIP2 where traffic is load balanced between the Barracuda CloudGen WAF VMs, i.e., “wafVM1” and “wafVM2”. (As per the example above, Service2 will be accessible on http://104.43.131.78 where the traffic is load balanced between the Barracuda CloudGen WAFs.)
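Each endpoint added by the procedures above is a new Internet-facing entry point, so it is worth comparing the resulting endpoint list against the exposure you intended. The following is an added example, not Barracuda's or Microsoft's code: the function name Test-WafEndpoint, the endpoint names 'Http' and 'Test', the set name 'LbSet0' and the sample records are constructed, and the property names are assumed to match Get-AzureEndpoint output.

```powershell
# Added example: records are constructed. In a live classic deployment they would come from
#   Get-AzureVM -ServiceName 'barracuda-waf' | Get-AzureEndpoint
# Property names (Port = public port, LocalPort, LBSetName, Vip) are assumed to match
# that cmdlet's output; the VM column is added by hand for this sample.
$endpoints = @(
    [pscustomobject]@{ VM='wafVM1'; Name='Http';      LBSetName='LbSet0'; Port=80;   LocalPort=80; Vip='23.100.80.88' }
    [pscustomobject]@{ VM='wafVM2'; Name='Http';      LBSetName='LbSet0'; Port=80;   LocalPort=80; Vip='23.100.80.88' }
    [pscustomobject]@{ VM='wafVM1'; Name='Endpoint1'; LBSetName='LbSet';  Port=80;   LocalPort=82; Vip='104.43.131.78' }
    [pscustomobject]@{ VM='wafVM1'; Name='Test';      LBSetName='';       Port=8080; LocalPort=82; Vip='23.100.80.88' }
)

# Intended exposure: "publicIP:publicPort" -> local port of the WAF service behind it.
$expected = @{ '23.100.80.88:80' = 80; '104.43.131.78:80' = 82 }

function Test-WafEndpoint {
    param([object[]]$Endpoints, [hashtable]$Expected, [string[]]$ClusterVMs)
    $findings = @()

    # Every endpoint must be a planned public IP/port pair that maps to the right service.
    foreach ($e in $Endpoints) {
        $key = "$($e.Vip):$($e.Port)"
        if (-not $Expected.ContainsKey($key)) {
            $findings += "UNPLANNED-EXPOSURE $key -> $($e.VM):$($e.LocalPort) ($($e.Name))"
        } elseif ($Expected[$key] -ne $e.LocalPort) {
            $findings += "WRONG-SERVICE $key -> $($e.VM):$($e.LocalPort), expected $($Expected[$key])"
        }
    }

    # Every load-balanced set must have an endpoint on each clustered WAF VM.
    foreach ($set in ($Endpoints | Where-Object { $_.LBSetName } | Group-Object LBSetName)) {
        foreach ($vm in $ClusterVMs) {
            if ($set.Group.VM -notcontains $vm) {
                $findings += "LB-MEMBER-MISSING $($set.Name) has no endpoint on $vm"
            }
        }
    }
    $findings
}

Test-WafEndpoint -Endpoints $endpoints -Expected $expected -ClusterVMs 'wafVM1','wafVM2'
```

With the constructed records, the function reports the port 8080 endpoint as unplanned exposure and the 'LbSet' set as missing its wafVM2 member, which is the state left behind when only the first of the two step 5 commands succeeds.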
