NetScaler provides the ability to extend your enterprise network to the Cloud. The NetScaler CloudBridge Connector enables you to move your applications to the cloud to reduce cost and increase reliability. In addition to using CloudBridge Connector between a datacenter and a cloud, you can use it to connect two datacenters for a high-capacity secure and accelerated link.
In this post I will share some guidelines on how to extend Microsoft Azure Cloud to your network by leveraging site-to-site IPSec VPN – basically ensuring connectivity between Azure and On-Premises in a hybrid solution.
Several alternatives do indeed exist for creating site-2-site VPN tunnels to Microsoft Azure, but this post will only focus on how to use NetScaler ADC (Application Delivery Controller) for our objective.
Key takeaways and benefits:
- Establish connection between two separate private networks over the public internet (low cost).
- Networks connected, works like a single network transparent to the end-user, enabling delivery of infrastructure services in a Hybrid model.
- Alternative to dedicated MPLS, Express Routes etc. utilizing Internet connection as opposed to dedicated expensive lines.
Connecting Public Cloud with on-premises with NetScaler:
Requirements / Assumptions
- NetScaler Platinum (CloudBridge Connector needed).
- Enabled Cloud Bridge Advanced Feature.
- Public IP – On-Premises Firewall allows Inbound UDP traffic on 4500 / 500.
- NAT traffic to NetScaler Subnet IP (SNIP Address).
- No overlapping IPs between Azure vNets and On-premises vLANs.
- If On-Premises services/resources should have connectivity to Azure, proper routing rules has to be implemented.
- Local network should route traffic towards Azure vNets/Subnets through NetScaler SNIP as default gateway.
Following sections will list steps required to setup NetScaler as IPSec endpoint for Microsoft Azure.
Obs. All configuration was done and tested on NetScaler 12.0 Build 57.19.
Creating the Tunnel on NetScaler
This configuration will create the IPSEC Tunnel on NetScaler.
Create IPSec Profile under System>CloudBridge Connector> IPSec Profile.
Following security parameters are currently supported and needed when running NetScaler CloudBridge Connector together with Azure Virtual Network Gateway in Policy-based mode.
Create IPSec Tunnel under System>CloudBridge Connector> IP Tunnels.
In above config, you point to the Public IP of the Azure Virtual Network Gateway, use your Subnet IP for IPSec and bind the previous created IPSec Profile.
Create PBR (Policy Based Routing) :
Above rule enables routing between internal network and Azure network thorugh the IPSec tunnel.
Here are the NetScaler commands used.
Create IPSec Profile and IPTunnel.
add ipsec profile cb-Azure-IPSec-profile -ikeVersion V1 -encAlgo AES -hashAlgo HMAC_SHA1 -lifetime 3600 -psk XXXXXXXX -livenessCheckInterval 10 -replayWindowSize 9216 -ikeRetryInterval 60 -retransmissiontime 1
add ipTunnel cb-azure-tunnel 52.138.xxx.xxx 255.255.255.255 10.50.0.xxx -protocol IPSEC -ipsecProfileName cb-Azure-IPSec-Profile
Create Policy Based Routing (PBR Rule)
add ns pbr pbr-local2azure-pol ALLOW -srcIP = 10.40.0.0-10.40.0.255 -destIP = 10.1.0.0-10.1.0.255 -ipTunnel cb-azure-tunnel -priority 10
If you need to delete and start over – you will need to do the following:
1. Delete PBR rule and Apply PBRS
2. Delete IPSec Tunnel
3. Delete IPSec Profile
rm pbr pbr-local2azure-pol
rm iptunnel cb-Azure-Tunnel
rm ipsec profile cb-Azure-IPSec-Profile
Microsoft Azure Guidelines
All steps done via https://portal.azure.com
Add a new Address Space for Gateway Subnet
In Virtual Networks add a new address space for the Gateway Subnet:
Create a new Gateway Subnet
Create a new Gateway Subnet:
Define Gateway Subnet:
Create the Azure Virtual Network Gateway
Remember to create VPN Type of “Policy-based” for support with NS.
Add Virtual Network Gateway:
Create the Azure Local Network Gateway
Add Local Network Gateway:
Add Connection and insert Shared Key (PSK):
Verify Tunnel connection
Issue “sh ipTunnel” from CLI:
Verify that you can ping on-premises hosts from Azure VMs and vice versa.
If any failures, check ns.log and Firewall/routing rules.
About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections
Citrix Docs: Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud (not updated)https://docs.citrix.com/en-us/netscaler/12/system/cloudbridge-connector-introduction/cloudbridge-connector-azure.html