In this article we will outline the steps required to create an active-active VPN tunnel with BGP dynamic routing between Microsoft Azure and the Total Uptime Cloud Platform.
By default, Total Uptime requires your devices (servers) to have internet-routable IPv4 or IPv6 addresses so we can direct traffic to them. By creating VPN tunnels between the Total Uptime platform and Microsoft Azure, you can avoid the requirement for public IP space and securely route traffic to your cloud devices with a very high degree of availability.
Regardless of whether you use a VPN or not, Total Uptime already has direct network connectivity to Microsoft Azure with private peering to ensure high performance connectivity. Adding a VPN simply encrypts that traffic and allows you to use RFC1918 space.
To begin you will require a few things.
The Virtual network is the private, non-routable subnet that will be used in Azure. IP addresses will be assigned from this range to your devices which will become accessible via the Total Uptime cloud.
If you already have infrastructure at Azure, you most likely already have this network. In this case, please confirm with Total Uptime that the subnet you are already using is available for linking to the Total Uptime cloud. If you are new to Azure, please request an unused subnet from Total Uptime for use in Azure. This will make things much simpler and cleaner.
To add the virtual network:
Once deployed you will receive an on-screen notification. In that notification click the ‘Go to resource’ button to open the new virtual network that was just created. We now need to create a Gateway Subnet. This subnet is a smaller portion of the larger subnet. We recommend nothing smaller than a /28. From this range IP addresses will be assigned automatically by Azure for the local BGP peers.
The name will be ‘GatewaySubnet’ and cannot be changed. Specify the address range and click the ‘OK’ button.
We now need to create virtual network gateways. These are essentially small VPN VMs that will receive a public IP address for Total Uptime to build a tunnel to. They will also map/allow the virtual network from step 1 for announcement via BGP.
You will create two local network gateways in this step. These will represent the public IP addresses of the Total Uptime routers that the VPN tunnels will be built to.
Now we build the two tunnel configurations between Azure and Total Uptime. We will be creating an IPsec/IKE policy and the two connections using the Azure cloud shell.
Open the Azure cloud shell by clicking on the ‘>_’ button in the top toolbar as depicted below:
Declare your variables for use in the subsequent commands. Edit to match your setup.
$RG1 = "<YourResourceGroupName>"
$Location1 = "<YourLocation>"
$GWName1 = "<YourVirtualNetworkGatewayName>"
$LNGName1 = "<YourFirstLocalNetworkGatewayName>"
$LNGName2 = "<YourSecondLocalNetworkGatewayName>"
$Connection1 = "<YourFirstConnectionName>"
$Connection2 = "<YourSecondConnectionName>"
Now run the following to create the IPsec/IKE policy.
$ipsecpolicy1 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
Next you will create the site-to-site VPN connections. Edit to match your setup.
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng1 = Get-AzureRmLocalNetworkGateway -Name $LNGName1 -ResourceGroupName $RG1
$lng2 = Get-AzureRmLocalNetworkGateway -Name $LNGName2 -ResourceGroupName $RG1
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection1 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng1 -Location $Location1 -
ConnectionType IPsec -IpsecPolicies $ipsecpolicy1 -SharedKey ‘<YourSharedKey>’ -EnableBgp $True
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection2 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng2 -Location $Location1 -
ConnectionType IPsec -IpsecPolicies $ipsecpolicy1 -SharedKey ‘<YourSharedKey>’ -EnableBgp $True
Click ‘All Services’ in the navigation pane, search for ‘Connections,’ and click on the service. You should see the two new connections you just created.
If you click on a connection, the blade that opens provides an option to download the configuration script for several devices.
We require the “Generic Samples” configuration script in order to complete the Total Uptime side. Please note you may get an error when trying to download the script when BGP is enabled on the connection. In that case you will need to disable BGP in the connection’s configuration first, and then enable it after downloading the script.
Please provide the following items to your contact at Total Uptime:
Information about whether or not you currently have any virtual machines in this environment that are behind Total Uptime already (most likely via a public IP).
If you have existing virtual machines behind the WAF or Load Balancer, we will need to turn up BGP during a mutually agreeable maintenance window since the IP space that the load balancers use will shift to the tunnels. If you do not, then we can turn up BGP immediately and provide test parameters.