Site-2-Site IPSEC VPN Tunnel from Microsoft Azure to On-Premises with Citrix NetScaler

NetScaler provides the ability to extend your enterprise network to the Cloud. The NetScaler CloudBridge Connector enables you to move your applications to the cloud to reduce cost and increase reliability. In addition to using CloudBridge Connector between a datacenter and a cloud, you can use it to connect two datacenters for a high-capacity secure and accelerated link.

In this post I will share some guidelines on how to extend Microsoft Azure Cloud to your network by leveraging site-to-site IPSec VPN – basically ensuring connectivity between Azure and On-Premises in a hybrid solution.

Several alternatives do indeed exist for creating site-2-site VPN tunnels to Microsoft Azure, but this post will only focus on how to use NetScaler ADC (Application Delivery Controller) for our objective.


Key takeaways and benefits:

  • Establish connection between two separate private networks over the public internet (low cost).
  • Networks connected, works like a single network transparent to the end-user, enabling delivery of infrastructure services in a Hybrid model.
  • Alternative to dedicated MPLS, Express Routes etc. utilizing Internet connection as opposed to dedicated expensive lines.

Connecting Public Cloud with on-premises with NetScaler:




Requirements / Assumptions

  • NetScaler Platinum (CloudBridge Connector needed).
    • Enabled Cloud Bridge Advanced Feature.
  • Public IP – On-Premises Firewall allows Inbound UDP traffic on 4500 / 500.
    • NAT traffic to NetScaler Subnet IP (SNIP Address).
  • No overlapping IPs between Azure vNets and On-premises vLANs.
  • If On-Premises services/resources should have connectivity to Azure, proper routing rules has to be implemented.
    • Local network should route traffic towards Azure vNets/Subnets through NetScaler SNIP as default gateway.

NetScaler Guidelines

Following sections will list steps required to setup NetScaler as IPSec endpoint for Microsoft Azure.

Obs. All configuration was done and tested on NetScaler 12.0 Build 57.19.

Creating the Tunnel on NetScaler

This configuration will create the IPSEC Tunnel on NetScaler.


Create IPSec Profile under System>CloudBridge Connector> IPSec Profile.

Following security parameters are currently supported and needed when running NetScaler CloudBridge Connector together with Azure Virtual Network Gateway in Policy-based mode.



Create IPSec Tunnel under System>CloudBridge Connector> IP Tunnels.

In above config, you point to the Public IP of the Azure Virtual Network Gateway, use your Subnet IP for IPSec and bind the previous created IPSec Profile.

Create PBR (Policy Based Routing) :


Above rule enables routing between internal network and Azure network thorugh the IPSec tunnel.


Here are the NetScaler commands used.

Create IPSec Profile and IPTunnel.

Create Policy Based Routing (PBR Rule)

If you need to delete and start over – you will need to do the following:

1. Delete PBR rule and Apply PBRS
2. Delete IPSec Tunnel
3. Delete IPSec Profile


Microsoft Azure Guidelines

All steps done via

Add a new Address Space for Gateway Subnet

In Virtual Networks add a new address space for the Gateway Subnet:



Create a new Gateway Subnet

Create a new Gateway Subnet:




Define Gateway Subnet:





Create the Azure Virtual Network Gateway

Remember to create VPN Type of “Policy-based” for support with NS.

Add Virtual Network Gateway:




Create the Azure Local Network Gateway

Add Local Network Gateway:


Connections (Add Pre-Shared Key)

Add Connection and insert Shared Key (PSK):




Verify Tunnel connection




Issue “sh ipTunnel” from CLI:




Verify that you can ping on-premises hosts from Azure VMs and vice versa.

If any failures, check ns.log and Firewall/routing rules.

Reference Links

About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections

Citrix Docs: Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud (not updated)

Leave a Reply

Your email address will not be published. Required fields are marked *