As I got unlimited access to Windows Azure, I wanted to check out how I could extend my lab into it and use it to store VM workloads (at first). Here is what you need:
- Citrix NetScaler VPX (tested with NS10.1: Build 122.17.nc & NS10.1: Build 123.9.nc)
- Windows Azure Access
- Homelab (running on vSphere 5.5)
- Of course, you need licence for everything…
Before configuring a CloudBridge tunnel between a CloudBridge appliance in datacenter and Microsoft Azure, consider the following points:
- The CloudBridge appliance must have a public-facing IPv4 address (type SNIP) to use as the tunnel end-point address for the CloudBridge tunnel. Also, the CloudBridge appliance should not be behind a NAT device (or you'll have to set up a route for your LAN computers; I explain how at the end of this post).
- Azure supports the following IPsec settings for a CloudBridge tunnel. Therefore, you must specify the same IPsec settings while configuring the CloudBridge appliance for the CloudBridge tunnel:
  - IKE version = v1
  - Encryption algorithm = AES
  - Hash algorithm = HMAC SHA1
- You must configure the firewall at the datacenter edge to allow the following:
  - Any UDP packets for port 500
  - Any UDP packets for port 4500
  - Any ESP (IP protocol number 50) packets
- IKE re-keying, which is renegotiation of new cryptographic keys between the CloudBridge tunnel end points to establish new SAs, is not supported. When the Security Associations (SAs) expire, the tunnel goes into the DOWN state. Therefore, you must set a very large value for the lifetimes of SAs.
- You must configure Microsoft Azure before specifying the tunnel configuration on the CloudBridge appliance, because the public IP address of the Azure end (gateway) of the tunnel and the PSK are generated automatically when you set up the tunnel configuration in Azure. You need this information to specify the tunnel configuration on the CloudBridge appliance.
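The checklist above is easy to get wrong on one item, so here is a small pre-flight check, added as an example (it is not code from the original post, nor from Citrix or Microsoft). It encodes the prerequisites as listed: an IPv4 SNIP that is not an RFC 1918 / CGNAT address (i.e. not behind NAT), IKEv1 with AES and HMAC-SHA1, UDP 500, UDP 4500 and ESP allowed at the edge, and a long SA lifetime because re-keying is not supported. The 24-hour lifetime threshold and the firewall-rule dict format are my assumptions; the page only says "a very large value".

```python
import ipaddress

# IPsec settings Azure supports for a CloudBridge tunnel (from the checklist above).
AZURE_IPSEC = {"ike_version": "v1", "encryption": "AES", "hash": "HMAC_SHA1"}

# Assumption: the page only says "very large"; one day is used here as a floor.
MIN_SA_LIFETIME_SEC = 24 * 3600

# Address ranges that mean the SNIP is almost certainly behind a NAT device.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Inbound rules the edge firewall must allow towards the SNIP: (proto, port).
REQUIRED_RULES = [("udp", 500), ("udp", 4500), ("esp", None)]


def check_tunnel_prereqs(snip, ipsec, firewall_rules, sa_lifetime_sec):
    """Return a list of findings; an empty list means the tunnel config looks OK.

    firewall_rules: iterable of dicts {"proto": "udp"|"esp", "port": int|None, "dst": str}
    (a constructed format for this example, not a NetScaler or Azure one).
    """
    findings = []
    ip = ipaddress.ip_address(snip)
    if ip.version != 4:
        findings.append("SNIP must be an IPv4 address")
    elif any(ip in net for net in NON_PUBLIC_NETS):
        findings.append(f"SNIP {snip} is not a public address (appliance behind NAT?)")

    for key, expected in AZURE_IPSEC.items():
        if ipsec.get(key) != expected:
            findings.append(f"{key} must be {expected}, got {ipsec.get(key)!r}")

    allowed = {(r["proto"].lower(), r.get("port"))
               for r in firewall_rules if r.get("dst") in (snip, "any")}
    for proto, port in REQUIRED_RULES:
        if (proto, port) not in allowed:
            label = f"UDP {port}" if port else "ESP (IP protocol 50)"
            findings.append(f"edge firewall does not allow {label} to {snip}")

    if sa_lifetime_sec < MIN_SA_LIFETIME_SEC:
        findings.append(f"SA lifetime {sa_lifetime_sec}s is short; with no re-keying "
                        "the tunnel goes DOWN when the SAs expire")
    return findings
```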
First things first: log in to your Windows Azure account and follow these steps to begin configuring the IPsec tunnel by creating a local network:
- In the left pane, click NETWORKS.
- In the lower left-hand corner of the screen, click + NEW.
- In the NEW navigation pane, click NETWORK, then click VIRTUAL NETWORK, and then click ADD LOCAL NETWORK.
- In the ADD A LOCAL NETWORK wizard, in the specify your local network details screen, set the following parameters:
- In the lower right corner of the screen, click -> (forward arrow mark).
- On the Specify the address space screen, set the following parameter:
- In the lower right corner of the screen, click the check mark.
- The local network entity is created in Windows Azure. You can verify it on the portal’s LOCAL NETWORK tab.
Next, create a virtual network in Azure by using the Microsoft Windows Azure Management Portal:
- In the left pane, click NETWORKS.
- In the lower left-hand corner of the screen, click + New.
- In the NEW navigation pane, click NETWORK, then click VIRTUAL NETWORK, and then click CUSTOM CREATE.
- In the CREATE A VIRTUAL NETWORK wizard, in the Virtual Network Details screen, set the following parameters:
- Click -> (forward arrow mark) in the lower right-hand corner of the screen.
- In the DNS Servers and VPN Connectivity screen, in SITE-TO-SITE CONNECTIVITY, select Configure Site-To-Site VPN and set the following parameter:
- In the Address Space and Subnets screen, set the following parameters:
- Click the check mark in the lower right-hand corner of the screen.
- The virtual network is created in Windows Azure and is listed on the VIRTUAL NETWORK tab.
To create a gateway by using the Microsoft Windows Azure Management Portal:
- In the left pane, click NETWORKS.
- On the Virtual Network tab, in the Name column, click the virtual network entity for which you want to create a gateway.
- On the DASHBOARD page of the virtual network, at the bottom of the page, click + Create Gateway.
- When prompted to confirm that you want the gateway created, choose STATIC and then click YES. Creating the gateway can take up to 15 minutes.
- When the gateway is created, the DASHBOARD page displays the gateway IP address, which is a public IP address.
To gather the public IP address of the gateway and the pre-shared key by using the Microsoft Windows Azure Management Portal:
1. In the left pane, click NETWORKS.
2. On the Virtual Network tab, in the Name column, click the virtual network entity.
4. For the Pre Shared Key (PSK), at the bottom of the page, click MANAGE KEY.
5. In the MANAGE SHARED KEY dialog box, copy the SHARED KEY.
Configuring the CloudBridge appliance (NetScaler) – Homelab side:
- Access the configuration utility by using a web browser to connect to the IP address of the CloudBridge appliance (NetScaler) in the datacenter.
- On the Configuration tab, in the navigation pane, click CloudBridge.
- In the right pane, under Getting Started, click Create/Monitor CloudBridge.
- Click Get Started.
Note: If you already have any network bridge configured on the CloudBridge appliance, this screen does not appear, and you are taken to the CloudBridge Setup pane.
- In the CloudBridge Setup pane, click Microsoft Windows Azure.
- In the Azure Settings pane, in the Gateway IP Address* field, type the IP address of the Azure gateway; the CloudBridge tunnel is then set up between the CloudBridge appliance and that gateway. In the Subnet (IP Range)* text boxes, specify the subnet range (in the Azure cloud) whose traffic is to traverse the CloudBridge tunnel. Click Continue.
- In the NetScaler Settings pane, from the Local Subnet IP* drop-down list, select a publicly accessible SNIP address configured on the CloudBridge appliance. In the Subnet (IP Range)* text boxes, specify the local subnet range whose traffic is to traverse the CloudBridge tunnel. Click Continue.
- In the CloudBridge Setting pane, in the CloudBridge Name text box, type a name for the CloudBridge that you want to create.
- From the Encryption Algorithm and Hash Algorithm drop-down lists, select the AES and HMAC_SHA1 algorithms, respectively. In the Pre Shared Security Key text box, type the security key.
- Click Done.
Now it's done on both sides, and the tunnel came up a few seconds after I finished the setup. You can still use the connect button on your Windows Azure Management Portal.
I had some issues at first and had to redo everything several times; no worries, you can erase everything on the Azure side as well as on the NetScaler. If everything is set up correctly and the tunnel doesn't come up, check the file /tmp/iked.debug on the NetScaler.
Once everything has been set up and the CloudBridge tunnel is established, I had to add a route (quick and dirty) to allow machines on my network (home lab) to communicate with machines hosted in Windows Azure. For Windows-based machines, simply add a route with the following command:
route add 10.20.20.0 mask 255.255.255.0 192.168.0.250
(10.20.20.0 = Azure subnet, 255.255.255.0 = Azure subnet mask, 192.168.0.250 = NetScaler subnet IP)
To add a route on my Mac I had to run this command :
route -n add 10.20.20.0/24 192.168.0.250
(10.20.20.0/24 = Azure subnet, 192.168.0.250 = NetScaler subnet IP)
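Those two routes only work because the NetScaler SNIP sits on the same LAN segment as the hosts, so the host can ARP for it as the next hop. The helper below, added here as an example (not code from the original post), builds the Windows or Mac command from the post's addresses (10.20.20.0/24 for Azure, 192.168.0.250 for the SNIP) and refuses to produce a route whose next hop is off-link or whose LAN overlaps the Azure subnet. The host address 192.168.0.42/24 and the function name are my own assumptions.

```python
import ipaddress


def azure_route(host_iface_cidr, azure_subnet, netscaler_snip, platform, persistent=False):
    """Return the static-route command a LAN host needs to reach the Azure subnet.

    host_iface_cidr: the host's own address and prefix, e.g. "192.168.0.42/24" (constructed)
    azure_subnet:    the Azure address space, e.g. "10.20.20.0/24" (from the post)
    netscaler_snip:  the NetScaler subnet IP used as next hop, e.g. "192.168.0.250"
    platform:        "windows" or "mac"
    persistent:      Windows only; "route -p add" survives a reboot, plain "route add" does not
    Raises ValueError when the route could never work.
    """
    iface = ipaddress.ip_interface(host_iface_cidr)
    azure = ipaddress.ip_network(azure_subnet, strict=True)
    snip = ipaddress.ip_address(netscaler_snip)

    # The next hop must be on-link: a host cannot ARP for a gateway outside its own subnet,
    # and Windows/macOS will reject or silently break a route through such a gateway.
    if snip not in iface.network:
        raise ValueError(f"next hop {snip} is not on-link for {iface}; "
                         "the route would never forward traffic")

    # Tunnelled ranges must not overlap the LAN, otherwise the host keeps local delivery.
    if iface.network.overlaps(azure):
        raise ValueError(f"LAN {iface.network} overlaps Azure subnet {azure}; "
                         "choose non-overlapping address spaces")

    if platform == "windows":
        flag = "-p " if persistent else ""
        return f"route {flag}add {azure.network_address} mask {azure.netmask} {snip}"
    if platform == "mac":
        return f"route -n add {azure.with_prefixlen} {snip}"
    raise ValueError(f"unknown platform {platform!r}")


if __name__ == "__main__":
    for p in ("windows", "mac"):
        print(azure_route("192.168.0.42/24", "10.20.20.0/24", "192.168.0.250", p))
```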
Finally, here are a few links I gathered during my installation and the problems I had:
Windows Azure website: [here]
Citrix – CloudBridge for Microsoft Azure: [here] (myCitrix account required)
Microsoft – About VPN Devices for Virtual Network: [here]
Microsoft – Configure a Site-to-Site VPN in the Management Portal: [here]