Configuring Azure Site to Site VPN for Enterprise Networks

To set up an Azure Site to Site VPN, you'll need to create a virtual network gateway in the Azure portal. This gateway will serve as the connection point between your on-premises network and Azure.

The virtual network gateway will be created in a resource group, which is a logical container for related resources. You can create a new resource group or use an existing one.

Azure VPN Gateway supports multiple VPN protocols, including IKEv2 and OpenVPN. IKEv2 is the recommended protocol for Azure Site to Site VPNs because of its performance and security features.

Prerequisites

To set up an Azure Site to Site VPN, you'll need a few things in place first.

You'll need a FortiGate with an Internet-facing IP address.

A valid Microsoft Azure account is also required, which you can create for free if you don't already have one.

To ensure a smooth setup, you should coordinate with someone who can provide you with the IP address range prefixes from your on-premises network configuration.

None of the subnets of your on-premises network can overlap with the virtual network subnets you want to connect to.

Here's a quick rundown of the prerequisites:

  • A FortiGate with an Internet-facing IP address
  • A valid Microsoft Azure account
  • IP address range prefixes from your on-premises network configuration

Configuring Azure VPN

Configuring Azure VPN involves several steps, starting with creating a virtual network in the Azure portal. You'll need to set the public IP address, create a virtual network gateway, and configure the local network gateway, which requires your FortiGate's external IP address.

To configure your VPN device, you'll need the shared key, public IP addresses of your virtual network gateway instances, and the virtual network settings. You can obtain the public IP address of your virtual network gateway by navigating to Virtual network gateways in the Azure portal.

If your on-premises device is a Meraki MX, you'll also need to specify the VNet subnets under the private subnet field on the site-to-site VPN page of the Meraki dashboard. For VPN connectivity between MacStadium and Azure, you have two options: Active/Active Disabled or Active/Active Enabled.

Here are the configuration steps for each option:

It's recommended to use a configuration template for Site-to-Site VPN, especially if you're new to Azure and ASA/ASAv configurations. You can find the configuration template in the VPN configuration script downloaded from Azure.

To confirm that the VPN has been established on an ASA, use the commands show vpn-sessiondb l2l and show crypto ipsec sa. Make sure to save the configuration with the ASA CLI command write memory.

Azure VPN Setup

Azure VPN Setup is a crucial step in establishing a secure and reliable connection between your MacStadium environment and Azure. There are two options for VPN connectivity: Active/Active Disabled and Active/Active Enabled.

To create a virtual network gateway, you'll need to specify the following values: Name, Gateway type, SKU, Generation, Virtual network, Gateway subnet address range, Public IP address, and Public IP address name.

The process of creating a virtual network gateway typically takes 45 minutes or more, depending on the selected gateway SKU. You can track the deployment status on the Overview page for your gateway.

To enable active-active mode, you'll need to select the option and specify a second public IP address name, which will be used for the second instance of the VPN gateway.

BGP routing is supported between MacStadium and Azure, and you can configure it by selecting the option and specifying an Autonomous system number (ASN) and a custom Azure APIPA BGP IP address.

Here's a summary of the required settings for creating a virtual network gateway:

  • Name: VNet1GW
  • Gateway type: VPN
  • SKU: VpnGw2AZ
  • Generation: Generation 2
  • Virtual network: VNet1
  • Gateway subnet address range: 10.1.255.0/27
  • Public IP address: Create new
  • Public IP address name: VNet1GWpip1
  • Public IP address SKU: Standard
  • Assignment: Static
  • Second Public IP address name: VNet1GWpip2
  • Enable active-active mode: Enabled
  • Configure BGP: Disabled

Device Configuration

Device Configuration is a crucial step in setting up an Azure Site-to-Site VPN. To configure your VPN device, you'll need to obtain the shared key and public IP addresses of your virtual network gateway instances. You can find the shared key when creating your site-to-site VPN connection, and the public IP addresses can be viewed in the Azure portal.

The VPN device you're using may have specific configuration requirements, so be sure to check the device manufacturer's documentation for the latest information. You'll also need to specify the vnet subnets under the private subnet field in the Meraki dashboard. If you're using a configuration template, make sure to add the MacStadium private network and mask to the BGP configuration section.

Here are some key configuration parameters to consider:

By following these configuration steps and considering the specific requirements of your VPN device, you'll be well on your way to establishing a secure and reliable Azure Site-to-Site VPN connection.

Configure Your Device

To configure your device, you'll need a shared key, which is the same one you specify when creating your site-to-site VPN connection. This key is crucial for establishing a secure connection.

You'll also need to obtain the public IP addresses of your virtual network gateway instances. If your gateway is in active-active mode, you'll have an IP address for each gateway VM instance. Be sure to configure your device with both IP addresses, one for each active gateway VM.

For S2S connections with an active-active mode VPN gateway, ensure tunnels are established to each gateway VM instance. If you establish a tunnel to only one gateway VM instance, the connection will go down during maintenance.
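A pre-deployment check for the two rules that most often break a site-to-site setup: the non-overlap requirement from the Prerequisites section (on-premises prefixes versus VNet subnets, and between the address spaces of connections sharing one gateway) and the two-tunnel requirement for active-active gateways described above. This is an added example, not code from the original article or from Azure; the plan structure, function names and all addresses are constructed.

```python
# Added example (constructed sample addresses), not code from the original article.
from ipaddress import ip_network
from itertools import combinations


def overlapping_pairs(address_spaces):
    """Pairs of overlapping prefixes drawn from different named address spaces.

    Azure rejects on-premises prefixes that overlap the VNet subnets, and
    the address spaces of all connections on one gateway must be disjoint.
    """
    clashes = []
    for (name_a, pfx_a), (name_b, pfx_b) in combinations(address_spaces.items(), 2):
        for a in pfx_a:
            for b in pfx_b:
                if ip_network(a, strict=False).overlaps(ip_network(b, strict=False)):
                    clashes.append((name_a, a, name_b, b))
    return clashes


def missing_tunnels(gateway_instance_ips, device_peer_ips):
    """Gateway instances the on-premises device has no tunnel to; with an
    active-active gateway, peering with only one instance means the
    connection drops whenever that instance is rebooted for maintenance."""
    return sorted(set(gateway_instance_ips) - set(device_peer_ips))


def check_plan(plan):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for name_a, a, name_b, b in overlapping_pairs(plan["address_spaces"]):
        findings.append(f"{name_a} {a} overlaps {name_b} {b}")
    for ip in missing_tunnels(plan["gateway_instance_ips"], plan["device_peer_ips"]):
        findings.append(f"device has no tunnel to gateway instance {ip}")
    return findings


SAMPLE_PLAN = {  # constructed; 203.0.113.0/24 is a documentation range
    "address_spaces": {
        "VNet1": ["10.1.0.0/24", "10.1.255.0/27"],        # workload + gateway subnet
        "site-a": ["192.168.10.0/24", "10.1.0.0/16"],     # 10.1.0.0/16 clashes with VNet1
        "site-b": ["192.168.0.0/16"],                     # clashes with site-a
    },
    "gateway_instance_ips": ["203.0.113.10", "203.0.113.11"],  # active-active pair
    "device_peer_ips": ["203.0.113.10"],                       # only one tunnel built
}

if __name__ == "__main__":
    print(*check_plan(SAMPLE_PLAN), sep="\n")
```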

Depending on the VPN device you have, you might be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

Here are some compatible VPN devices you can use:

  • FortiGate
  • MX Security Appliance
  • ASA/ASAv
  • Meraki Dashboard

Each device has its own configuration requirements, so be sure to check the documentation for your specific device.

In some cases, you may need to configure your device using a configuration template. This can save you time and ensure that your configuration is correct.

To configure your device, you'll need to:

1. Obtain the shared key and public IP addresses of your virtual network gateway instances.

2. Download the VPN device configuration script (if available).

3. Configure your device using the script or configuration template.

4. Test your connection to ensure it's working correctly.

Remember to check the documentation for your specific device and follow the instructions carefully to ensure a successful configuration.

Change a SKU

Changing a SKU can be a bit tricky, but don't worry, I've got the scoop. You can change a gateway SKU, and there are specific rules depending on the SKU your gateway is currently using.

If you're currently using a specific SKU, you might be able to change it, but you need to check the rules first. For more information, see Resize or change gateway SKUs.

Changing a SKU is how you upgrade or downgrade your gateway, but make sure you follow the rules to avoid any issues.

Deploy a Virtual Network Gateway If Not Available

If you haven't already, you'll need to deploy an Azure Virtual Network Gateway. In the Azure portal, search for 'Virtual Network Gateway' and create a new one.

To get started, select Create on the Virtual Network Gateway page. This will open the Create virtual network gateway page, where you'll need to fill in the basics.

You'll need to choose between the route-based and policy-based VPN types, but keep in mind that Azure VPN type: Route-based only supports IKEv2, while Azure VPN type: Policy-based only supports IKEv1.

Here are the key differences to consider:

Connections and Management

Creating VPN connections in Azure is a straightforward process. You can create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device.

To properly configure highly available connectivity, you must establish a tunnel between each VM instance and your VPN device. Both tunnels are part of the same connection.

To create a connection, you'll need to configure the following values: Local network gateway name, Connection name, and Shared key. The shared key must match on both sides of the connection.

You can add multiple connections to a gateway, but address spaces can't overlap between any of the connections.

A connection can be VNet-to-VNet or site-to-site. You'll need to specify the shared key and connection type when creating a new connection.

To create a VPN connection, you'll need to provide a name, set the connection type to Site-to-Site (IPsec), and select the correct region.

You'll also need to select the virtual network gateway and local network gateway that were previously created, and provide an IPSec pre-shared key. Keep a record of the pre-shared key, as it will be used later.

When creating a VPN connection, you'll need to confirm IKEv2 is selected and enable BGP. You'll also need to select custom BGP addresses and set IKE Phase 1 and IKE Phase 2.

Here are the steps to create a VPN connection:

  1. Provide a Name.
  2. Set the Connection type to Site-to-Site (IPsec).
  3. Select the correct Region and click Next : Settings.
  4. Select the Virtual network gateway and Local network gateway that were previously created.
  5. For Shared key (PSK), provide an IPSec pre-shared key.
  6. For IKE Protocol, confirm IKEv2 is selected.
  7. Enable BGP and select Enable Custom BGP Addresses.
  8. In the Primary Custom BGP Address field, select the APIPA address that was created earlier.
  9. Set IKE Phase 1 and IKE Phase 2 as follows:

After creating the VPN connection, you may need to enable inbound traffic from the other site to Azure. This can be done by configuring the Cisco firewall to recognize the connection and let traffic into the private cloud.

Verification and Troubleshooting

To verify the Azure Site to Site VPN connection, you can check the connection status in the Azure portal. Navigate to the connection, and you'll see the status of each connection. The Status will be 'Succeeded' and 'Connected' when you have made a successful connection.

If your on-premises device is a Meraki MX, you can also access the VPN Status page in the Meraki dashboard to view more information. From the Organization > Monitor > VPN Status tab, or the Security & SD-WAN > Monitor > VPN Status tab, you can see the status of your connection, along with other details.

To troubleshoot any issues, check the non-Meraki peers tab, where you'll find the following information:

Reset

Resetting a gateway can be a helpful troubleshooting step, especially when you're experiencing cross-premises VPN connectivity issues. This can happen when your on-premises VPN devices are working correctly, but can't establish IPsec tunnels with the Azure VPN gateways.

To reset an Azure VPN gateway, you can use the portal, PowerShell, or CLI. If you need to reset an active-active gateway, you can reset both instances using the portal.

You can also use PowerShell or CLI to reset each gateway instance separately using instance VIPs. For more information, see Reset a connection or a gateway.

To reset a gateway using the portal, follow these steps:

  1. In the portal, go to the virtual network gateway that you want to reset.
  2. On the Virtual network gateway page, in the left pane, scroll and locate Help -> Reset.
  3. On the Reset page, select Reset. After the command is issued, the current active instance of Azure VPN gateway is rebooted immediately.

Resetting the gateway causes a gap in VPN connectivity and might limit future root cause analysis of the issue.

Verify the Connection

Verifying the connection is a crucial step in ensuring your VPN is working smoothly. To do this, navigate to the Azure portal and select All resources or search for All resources from any page.

You can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. To do this, select your virtual network gateway, then click Connections on the blade. This will show you the status of each connection.

The Essentials page provides more information about your connection, including the Status, which should be 'Succeeded' and 'Connected' when you have made a successful connection.

Alternatively, on a Meraki MX you can access the VPN Status page in the Meraki dashboard by navigating to the Organization > Monitor > VPN Status tab, or to the Security & SD-WAN > Monitor > VPN Status tab. On this page, you can view your non-Meraki peers, including their status, name, public IP, and subnets.

Here are the details you can view on the VPN Status page:

By checking the connection status and details on the VPN Status page, you can ensure your VPN is working correctly and troubleshoot any issues that may arise.

Frequently Asked Questions

What is site-to-site VPN in Azure?

A site-to-site VPN in Azure is a secure connection over an IPsec/IKE VPN tunnel between two or more locations. It requires a VPN device with a public IP address, allowing secure communication between on-premises and Azure environments.

Oscar Hettinger

Writer

Oscar Hettinger is a skilled writer with a passion for crafting informative and engaging content. With a keen eye for detail, he has established himself as a go-to expert in the tech industry, covering topics such as cloud storage and productivity tools. His work has been featured in various online publications, where he has shared his insights on Google Drive subtitle management and other related topics.