NetScaler provides the ability to extend your enterprise network to the Cloud. The NetScaler CloudBridge Connector enables you to move your applications to the cloud to reduce cost and increase reliability. In addition to using CloudBridge Connector between a datacenter and a cloud, you can use it to connect two datacenters for a high-capacity secure and accelerated link.
In this post I will share some guidelines on how to extend Microsoft Azure Cloud to your network by leveraging site-to-site IPSec VPN – basically ensuring connectivity between Azure and On-Premises in a hybrid solution.
Several alternatives do indeed exist for creating site-2-site VPN tunnels to Microsoft Azure, but this post will only focus on how to use NetScaler ADC (Application Delivery Controller) for our objective.
Key takeaways and benefits:
- Establish connection between two separate private networks over the public internet (low cost).
- Networks connected, works like a single network transparent to the end-user, enabling delivery of infrastructure services in a Hybrid model.
- Alternative to dedicated MPLS, Express Routes etc. utilizing Internet connection as opposed to dedicated expensive lines.
Connecting Public Cloud with on-premises with NetScaler:
Table of Contents
Requirements / Assumptions
- NetScaler Platinum (CloudBridge Connector needed).
- Enabled Cloud Bridge Advanced Feature.
- Public IP – On-Premises Firewall allows Inbound UDP traffic on 4500 / 500.
- NAT traffic to NetScaler Subnet IP (SNIP Address).
- No overlapping IPs between Azure vNets and On-premises vLANs.
- If On-Premises services/resources should have connectivity to Azure, proper routing rules has to be implemented.
- Local network should route traffic towards Azure vNets/Subnets through NetScaler SNIP as default gateway.
NetScaler Guidelines
Following sections will list steps required to setup NetScaler as IPSec endpoint for Microsoft Azure.
Obs. All configuration was done and tested on NetScaler 12.0 Build 57.19.
Creating the Tunnel on NetScaler
This configuration will create the IPSEC Tunnel on NetScaler.
GUI
Create IPSec Profile under System>CloudBridge Connector> IPSec Profile.
Following security parameters are currently supported and needed when running NetScaler CloudBridge Connector together with Azure Virtual Network Gateway in Policy-based mode.
Create IPSec Tunnel under System>CloudBridge Connector> IP Tunnels.
In above config, you point to the Public IP of the Azure Virtual Network Gateway, use your Subnet IP for IPSec and bind the previous created IPSec Profile.
Create PBR (Policy Based Routing) :
Above rule enables routing between internal network and Azure network thorugh the IPSec tunnel.
CLI
Here are the NetScaler commands used.
Create IPSec Profile and IPTunnel.
1 2 |
add ipsec profile cb-Azure-IPSec-profile -ikeVersion V1 -encAlgo AES -hashAlgo HMAC_SHA1 -lifetime 3600 -psk XXXXXXXX -livenessCheckInterval 10 -replayWindowSize 9216 -ikeRetryInterval 60 -retransmissiontime 1 add ipTunnel cb-azure-tunnel 52.138.xxx.xxx 255.255.255.255 10.50.0.xxx -protocol IPSEC -ipsecProfileName cb-Azure-IPSec-Profile |
Create Policy Based Routing (PBR Rule)
1 2 |
add ns pbr pbr-local2azure-pol ALLOW -srcIP = 10.40.0.0-10.40.0.255 -destIP = 10.1.0.0-10.1.0.255 -ipTunnel cb-azure-tunnel -priority 10 apply pbrs |
If you need to delete and start over – you will need to do the following:
1. Delete PBR rule and Apply PBRS
2. Delete IPSec Tunnel
3. Delete IPSec Profile
1 2 3 4 |
rm pbr pbr-local2azure-pol apply pbrs rm iptunnel cb-Azure-Tunnel rm ipsec profile cb-Azure-IPSec-Profile |
Microsoft Azure Guidelines
All steps done via https://portal.azure.com
Add a new Address Space for Gateway Subnet
In Virtual Networks add a new address space for the Gateway Subnet:
Create a new Gateway Subnet
Create a new Gateway Subnet:
Define Gateway Subnet:
Create the Azure Virtual Network Gateway
Remember to create VPN Type of “Policy-based” for support with NS.
Add Virtual Network Gateway:
Create the Azure Local Network Gateway
Add Local Network Gateway:
Connections (Add Pre-Shared Key)
Add Connection and insert Shared Key (PSK):
Verify Tunnel connection
NetScaler:
Issue “sh ipTunnel” from CLI:
Azure:
Verify that you can ping on-premises hosts from Azure VMs and vice versa.
If any failures, check ns.log and Firewall/routing rules.
Reference Links
About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Citrix Docs: Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud (not updated)https://docs.citrix.com/en-us/netscaler/12/system/cloudbridge-connector-introduction/cloudbridge-connector-azure.html