Configure a Site-to-Site VPN with Microsoft Azure
This document explains how to deploy a site-to-site (S2S) tunnel from Azure Virtual Network to Cisco Secure Access.
Microsoft Azure supports several methods of connecting to its VPN Gateway. The S2S VPN topology consists of two IPsec tunnels supported by two Azure S2S VPN Gateways that connect as clients to the primary and secondary cloud native headend (CNHE) service supported by Secure Access.
An Azure S2S VPN in Secure Access will support the following:
- Connection over IPsec (Internet Protocol Security) with authentication negotiated and traffic encrypted by IKEv2 (Internet Key Exchange, version 2).
- Static or dynamic (BGP) routing.
- Tunnel redundancy with high availability when the Azure VPN Gateway is deployed in active-active mode and two Azure local network gateways are deployed with availability zones (AZs).
For more information, see Microsoft documentation:
- What is Azure VPN Gateway?
- Azure VPN Gateway topology and design: Site-to-site VPN
- Design highly available gateway connectivity for cross-premises and VNet-to-VNet connections: Active-active VPN gateways
- Tutorial: Create a site-to-site VPN connection in the Azure portal
- Azure: Create, change, or delete a route table
Prerequisites
- An Azure account with an active subscription.
Procedure
Follow these four steps to create an S2S tunnel connection on IPsec/IKEv2 between Microsoft Azure and Secure Access.
- Step 1: Create a VPN Gateway in Microsoft Azure
- Step 2: Create a network tunnel group in Secure Access
- Step 3: Create two local network gateways in Azure
- Step 4: For static routing only, create a route table in Azure
For more detailed instructions, refer to Microsoft's documentation, Tutorial: Create a site-to-site VPN connection in the Azure portal. Please note that Microsoft may update their documentation without notice.
Step 1: Create a VPN Gateway in Microsoft Azure
The Azure S2S IPsec tunnel is sourced from the VPN Gateway. If you have already deployed a VPN Gateway in your Azure environment, you can skip this section.
- From the Azure admin portal, navigate to All resources > Add.
- Search for Virtual Network Gateway.
- Click Create.

- The following settings are required for the Azure S2S VPN to work with Secure Access:
- Type: Generation2/VpnGw2AZ
- Active-Active mode
- Create two Public IPs in two different availability zones (AZs)
- If you will use dynamic routing, enable Configure BGP and enter an Autonomous system number (ASN).

Step 2: Create a network tunnel group in Secure Access
Create a network tunnel group in Secure Access with the following configuration. For a more detailed procedure, see Add a Network Tunnel Group.
- Step 1 - General Settings: Set Type to AZURE.
- Step 2 - Tunnel ID and Passphrase: Enter the primary and secondary public IPs that you created for the Azure AZs.
- Step 3 - Routing
- Option 1, Enable NAT / Outbound only: Enable NAT / Outbound only if you determine that the IP address space behind the tunnel group overlaps with other IP address spaces in your network. Note: Enabling NAT for outbound traffic disables the routing options described below. Private applications hosted behind these tunnels will not be accessible.
- Option 2, Static routing: Add all public and private address ranges (IPv4 or IPv6) used internally for your Azure virtual network.
- Option 3, Dynamic routing:
- Enter the ASN configured for the Azure BGP.
- Enter two IP addresses to use as BGP peer addresses.
Note about custom BGP peer addresses
Secure Access CNHE listens for connection requests from BGP peers at the APIPA address 169.254.0.0/24. Azure S2S VPN does not initiate BGP connections in the APIPA range. Therefore, the Azure network tunnel group in Secure Access requires configuration of two custom IP addresses as BGP peer addresses that Azure can use to request connection from CNHE. They should be RFC 1918 private IPs and should not overlap IP prefixes assigned to branches that also connect to Secure Access.
- Step 4 - Data for Tunnel Setup: Copy or download the primary and secondary tunnel IDs, data center (DC) IP addresses, and passphrase (preshared key). Note: This is the only time your passphrase will be displayed.

Step 3: Create two local network gateways in Azure
Create, configure, and connect two local network gateways in Azure.
A local network gateway is the remote site—the other side of the IPsec connection. In this case, one of the Secure Access IPsec data centers.
Configuration: Routing option
- If you configured the Secure Access network tunnel group for NAT or static routing:
- In each local network gateway, configure one of the two DC IPs from Secure Access Step 4 - Data for Tunnel Setup.
- Add one or more Address space(s) for branches that will connect to the Secure Access network tunnel group. Address spaces are IP ranges that should not overlap with ranges of other networks that you want to connect to. Azure will route these IP ranges to the Secure Access CNHE.
- If you configured the Secure Access network tunnel group for dynamic routing:
- IP address: In each local network gateway, configure one of the two DC IPs from Secure Access Step 4 - Data for Tunnel Setup.
- BGP peer IP address: In each local network gateway, configure one of the two BGP peer addresses that you configured in Secure Access Step 3 - Routing.
- Leave Address space(s) blank.
Note: Address space(s) are mandatory when the network tunnel group uses static or NAT routing and must be left empty when it uses BGP routing. The values are the internet prefixes and the prefixes of other branches connected to Secure Access.
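The following Python is an added sanity check for the routing choices made in Step 2 and Step 3; it is example code, not part of the Secure Access or Azure documentation. It encodes the constraints stated above: custom BGP peer addresses must be RFC 1918 addresses outside the 169.254.0.0/24 range that CNHE listens on and must not overlap branch prefixes; static or NAT routing needs Address space(s) on the local network gateways while BGP routing leaves them empty; and a VNet range that overlaps a branch range calls for NAT. The function names and the 'nat', 'static' and 'dynamic' mode labels are this example's own.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_CNHE = ipaddress.ip_network("169.254.0.0/24")  # BGP range CNHE listens on (from the doc)


def overlapping(a_prefixes, b_prefixes):
    """Return (a, b) pairs of prefixes from the two lists that overlap."""
    a_nets = [ipaddress.ip_network(p, strict=False) for p in a_prefixes]
    b_nets = [ipaddress.ip_network(p, strict=False) for p in b_prefixes]
    return [(str(a), str(b)) for a in a_nets for b in b_nets if a.overlaps(b)]


def check_bgp_peers(peers, branch_prefixes):
    """Problems with the two custom BGP peer addresses from Step 2 (empty list = OK)."""
    problems = []
    if len(set(peers)) != 2:
        problems.append("exactly two distinct BGP peer addresses are required")
    for p in peers:
        ip = ipaddress.ip_address(p)
        if ip in APIPA_CNHE:
            problems.append(f"{p}: inside 169.254.0.0/24, which CNHE itself uses")
        elif not any(ip in n for n in RFC1918):
            problems.append(f"{p}: not an RFC 1918 private address")
        if overlapping([f"{p}/32"], branch_prefixes):
            problems.append(f"{p}: overlaps a branch prefix")
    return problems


def check_routing(mode, vnet_prefixes, branch_prefixes, address_spaces, peers=()):
    """Problems for routing mode 'nat', 'static' or 'dynamic' (empty list = OK).

    vnet_prefixes:   Azure VNet ranges (Step 2, static routing entries)
    branch_prefixes: ranges of other branches that also reach Secure Access
    address_spaces:  Address space(s) on the Azure local network gateways (Step 3)
    """
    problems = []
    clashes = overlapping(vnet_prefixes, branch_prefixes)
    if mode == "dynamic":
        problems += check_bgp_peers(peers, branch_prefixes)
        if address_spaces:
            problems.append("Address space(s) must be empty for BGP routing")
    elif not address_spaces:
        problems.append(f"{mode} routing needs internet/branch Address space(s) on the LNG")
    if mode != "nat" and clashes:
        problems.append(f"VNet overlaps branches {clashes}; enable NAT or renumber")
    if mode == "static":
        for a, b in overlapping(address_spaces, vnet_prefixes):
            problems.append(f"LNG address space {a} overlaps VNet range {b}")
    return problems
```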
Connections
- Create a connection of type Site-to-Site to each local network gateway.
- Select the Cipher parameters.
- For Cipher parameters supported by Azure, see Microsoft documentation on Default IPsec/IKE parameters.
- For Cipher parameters supported by Secure Access, see Supported IPsec Parameters. The image below shows an Azure local network gateway configured according to Secure Access supported IPsec parameters.

- PSK: Enter the passphrase you used when you created the network tunnel group in Secure Access.
Step 4: For static routing only, create a route table in Azure
- Add a table of branch routes and internet routes to the primary VPN gateway.
- Associate the route table with any required subnets.
- Run this command in Azure CloudShell to identify the next hop IP addresses for the route table:
az network vnet-gateway show --resource-group <Resource Group Name> -n <VNET Gateway Name> | jq .bgpSettings.bgpPeeringAddress
For more information, see Azure: Create, change, or delete a route table.