Microsoft Azure and Cloud-Managed Firebox with Policy-Based BOVPN Integration Guide

This integration guide describes how to configure a policy-based BOVPN tunnel between a WatchGuard cloud-managed Firebox and Microsoft Azure.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.7.1 or higher
  • Microsoft Azure

Topology

This diagram illustrates a policy-based BOVPN connection between a cloud-managed Firebox and Microsoft Azure.

Topology diagram of a BOVPN connection with static routing between a cloud-managed Firebox and Microsoft Azure

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Microsoft Azure administrator account.
  • You have a WatchGuard Cloud account.
  • You have added a Firebox to WatchGuard Cloud as a cloud-managed device.

Configure Microsoft Azure

To configure Microsoft Azure:

  1. Create a Virtual Network
  2. Create a Gateway Subnet
  3. Create a VPN Gateway
  4. Create a Local Network Gateway
  5. Create a VPN Connection

Additional charges might apply for the use of Azure.

Create a Virtual Network

To create a virtual network, from the Microsoft Azure portal:

  1. Log in to the Microsoft Azure portal.
  2. From the navigation menu, in the Search Resources, Services, and Docs (G+/) text box, type Virtual Network.
  3. From the Marketplace section of the search results, select Virtual Network.
  4. Click Create.
    The Create Virtual Network page opens.
    Screenshot of Azure portal, Create Virtual Network page with Basics tab selected
  5. Select the Basics tab.
  6. On the Basics page:
    1. From the Subscription drop-down list, select your subscription.
    2. From the Resource Group drop-down list, select a group or, to create a new group, select Create New. In our example, we create a new group named TestGroup.
    3. In the Virtual Network Name text box, type a name for your virtual network. In our example, we type VNet.
    4. From the Region drop-down list, select a region.
  7. Click Next until the IP Addresses page opens.
    Screenshot of Azure portal, Create Virtual Network page with IP Addresses tab selected
  8. On the IP Addresses page, to define the address space of your virtual network, type one or more IPv4 or IPv6 address ranges. In our example, we enter 10.1.0.0 as the starting address and /16 as the address space size.
  9. Keep the default values for all other settings.
  10. Click Review + Create.
  11. Click Create.
    Azure creates the virtual network.

Create a Gateway Subnet

To create a gateway subnet, from the Microsoft Azure portal:

  1. On the home page, click Resource Groups, and select the resource group you selected or created in the Create a Virtual Network section.
  2. Click the virtual network you created in the Create a Virtual Network section.
  3. From the navigation menu, select Settings > Subnets.
  4. Click + Subnet.
    The Add a Subnet page opens.
    Screenshot of Azure portal, Add a Subnet page
  5. From the Subnet Purpose drop-down list, select Virtual Network Gateway.
  6. In the Starting Address text box, type an IP address or keep the default value. In our example, we type 10.1.255.0.
  7. From the Size drop-down list, select a netmask. In our example, we select /27 (32 addresses).
  8. Keep the default values for all other settings.
  9. Click Add.
    Azure creates the gateway subnet.
    Screenshot of Azure portal, Subnets page for the virtual network

Create a VPN Gateway

To create a VPN gateway, from the Microsoft Azure portal:

  1. On the home page, in the Search Resources, Services, and Docs (G+/) text box, type Virtual Network Gateway.
  2. From the Marketplace search results, select Virtual Network Gateway.
    The Create Virtual Network Gateway page opens.
    Screenshot of Azure portal, Create Virtual Network Gateway page with Basics tab selected
  3. Select the Basics tab.
  4. In the Project Details section, from the Subscription drop-down list, select your subscription.
  5. In the Instance Details section:
    1. In the Name text box, type a name for your VPN gateway.
    2. From the Region drop-down list, select the same region as your virtual network.
    3. For Gateway Type, select VPN.
    4. From the SKU drop-down list, select a gateway SKU. In our example, we select VpnGw1AZ. For more information, go to About Gateway SKUs.
    5. From the Generation drop-down list, select the generation. In our example, we select Generation1.
    6. From the Virtual Network drop-down list, select the virtual network you created in the Create a Virtual Network section.
  6. In the Public IP Address section:
    1. For Public IP Address, select Create New.
    2. In the Public IP Address Name text box, type a name for the public IP address.
    3. For Enable Active-Active Mode, select Disabled.
  7. Keep the default values for all other settings.
  8. Click Review + Create.
  9. Click Create.
    Azure creates the VPN gateway. It might take more than 45 minutes to create and deploy the VPN gateway.

Get the VPN Gateway Public IP Address

To get the public IP address of the VPN gateway, from the Microsoft Azure portal:

  1. On the home page, click Resource Groups, and select the resource group you selected or created in the Create a Virtual Network section.
  2. Click the public IP address name you created for the virtual network gateway in the Create a VPN Gateway section.
  3. From the navigation menu, select Overview.
  4. Copy the IP Address of the virtual network gateway. You type this address when you configure the BOVPN on the Firebox.
    Screenshot of the virtual network gateway public IP address

Create a Local Network Gateway

To create a local network gateway, from the Microsoft Azure portal:

  1. In the Search Resources, Services, and Docs (G+/) text box, type Local Network Gateway.
  2. From the Marketplace search results, select Local Network Gateway.
    The Create Local Network Gateway page opens.
    Screenshot of Azure portal, Create Local Network Gateway page with Basics tab selected
  3. Select the Basics tab.
  4. On the Basics page:
    1. From the Subscription drop-down list, select your subscription.
    2. From the Resource Group drop-down list, select a group or, to create a new group, select Create New.
    3. From the Region drop-down list, select the region.
    4. In the Name text box, type a name.
    5. For Endpoint, select IP Address or FQDN. In our example, we select IP Address.
    6. In the IP Address text box, type the IP address of the cloud-managed Firebox external network.
    7. In the Address Spaces text box, type the addresses of the internal network protected by the cloud-managed Firebox.
  5. Select the Advanced tab.
  6. For Configure BGP Settings, select No.
  7. Click Review + Create.
  8. Click Create.
    Azure creates the local network gateway.

Create a VPN Connection

To create a VPN connection, from the Microsoft Azure portal:

  1. On the home page, click Resource Groups, and select the resource group you selected or created in the Create a Virtual Network section.
  2. Click the virtual network gateway you created in the Create a VPN Gateway section.
  3. From the navigation menu, select Settings > Connections.
    The Connections page opens.
  4. Click + Add.
    The Create Connection page opens.
    Screenshot of Azure portal, Create Connection page with Basics tab selected
  5. Select the Basics tab.
  6. On the Basics page:
    1. From the Subscription drop-down list, select your subscription.
    2. From the Resource Group drop-down list, select the group.
    3. From the Connection Type drop-down list, select Site-to-Site (IPsec).
    4. In the Name text box, type a connection name.
    5. From the Region drop-down list, select the region for this connection.
  7. Select the Settings tab.
    Screenshot of Azure portal, Create Connection page with Settings tab selected
  8. From the Virtual Network Gateway drop-down list, select the virtual network gateway you created in the Create a VPN Gateway section.
  9. From the Local Network Gateway drop-down list, select the local network gateway you created in the Create a Local Network Gateway section.
  10. For Authentication Method, select Shared Key (PSK).
  11. In the Shared Key (PSK) text box, type a shared key. Keep a record of this key; you must type the same key when you configure the BOVPN on the Firebox.
  12. For IKE Protocol, select IKEv2.
  13. For IPsec / IKE Policy, select Custom.
  14. In the IKE Phase 1 section:
    1. From the Encryption drop-down list, select AES256.
    2. From the Integrity/PRF drop-down list, select SHA256.
    3. From the DH Group drop-down list, select DHGroup14.
  15. In the IKE Phase 2 (IPsec) section:
    1. From the IPsec Encryption drop-down list, select AES256.
    2. From the IPsec Integrity drop-down list, select SHA256.
    3. From the PFS Group drop-down list, select PFS2048.
  16. In the IPsec SA Lifetime in Seconds text box, type 28800.
  17. In the DPD Timeout in Seconds text box, type 20.
  18. Keep the default values for all other settings.
  19. Click Review + Create.
  20. Click Create.
    Azure creates the VPN connection.

Configure a Policy-Based BOVPN for a Cloud-Managed Firebox

To configure a policy-based BOVPN for the cloud-managed Firebox, from WatchGuard Cloud:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.
  4. In the Name text box, type a descriptive name.
  5. From the VPN Connection Type drop-down list, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type Microsoft Azure.
    Screenshot of WatchGuard Cloud, defined VPN endpoints
  9. Click Next.
  10. On the cloud-managed Firebox side, select External network.
  11. On the Azure side, in the IP or Domain Name or User on Domain text box, type the public IP address of the Azure VPN gateway that you copied in the Get the VPN Gateway Public IP Address section.
  12. In the Pre-Shared Key text box, type a pre-shared key. This pre-shared key must match the shared key you typed when you created the VPN connection in Azure.
    Screenshot of WatchGuard Cloud, VPN gateway settings
  13. Click Next.
  14. On the cloud-managed Firebox side, select the Internal network that you want to be accessible through the VPN tunnel.
  15. On the Azure side, click Add Network Resource.
  16. In the Network Resource text box, type the private network that Azure protects. In our example, we type 10.1.0.0/24.
  17. Click Add.
    Screenshot of WatchGuard Cloud, private network traffic settings
  18. For all other settings, keep the default values.
  19. Click Next.
    The Tunnel Routes page opens.
    Screenshot of WatchGuard Cloud, Tunnel Routes page
  20. Click Next.
  21. In the Phase 1 Settings section, from the Authentication drop-down list, select SHA2-256.
  22. From the Encryption drop-down list, select AES-CBC (256-bit).
  23. In the SA Life text box, type 8.
  24. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  25. In the Phase 2 Settings section, from the Authentication drop-down list, select SHA2-256.
  26. From the Encryption drop-down list, select AES-CBC (256-bit).
  27. Select the Use Perfect Forward Secrecy (PFS) check box.
  28. From the PFS Group drop-down list, select Diffie-Hellman Group14.
    Screenshot of WatchGuard Cloud, Phase 1 and Phase 2 settings
  29. Keep the default values for all other settings.
  30. Click Add.
  31. (Optional) Click View Guide to open the VPN Configuration Summary page for the Firebox. To establish the VPN connection, use the guide to configure the required settings in Azure.
  32. Click Finish.

When you add a BOVPN for a cloud-managed Firebox, WatchGuard Cloud immediately creates and deploys a configuration update to the cloud-managed Firebox.

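Before bringing the tunnel up, it is worth confirming that the traffic selectors and the Phase 1 and Phase 2 proposals on the Azure side and the Firebox side actually agree, because a mismatch in either is the usual reason a policy-based tunnel fails to establish. The following Python script is an added example, not part of this guide or of either vendor's tooling; it encodes the Azure and Firebox values used above as constructed sample input and checks them against each other. The Firebox internal network 192.168.1.0/24 is an assumed value, since the guide does not name one.

```python
import ipaddress

# Values this guide uses, as constructed sample input. The Firebox internal
# network (192.168.1.0/24) is an assumption; the guide does not name it.
AZURE = {
    "vnet": "10.1.0.0/16",
    "gateway_subnet": "10.1.255.0/27",
    "local_gateway_address_spaces": ["192.168.1.0/24"],
    "ike": {"enc": "AES256", "auth": "SHA256", "dh": "DHGroup14"},
    "ipsec": {"enc": "AES256", "auth": "SHA256", "dh": "PFS2048"},
}
FIREBOX = {
    "local_networks": ["192.168.1.0/24"],
    "remote_networks": ["10.1.0.0/24"],
    "phase1": {"enc": "AES-CBC (256-bit)", "auth": "SHA2-256", "dh": "Diffie-Hellman Group14"},
    "phase2": {"enc": "AES-CBC (256-bit)", "auth": "SHA2-256", "dh": "Diffie-Hellman Group14"},
}

# Azure portal names mapped to the Firebox names used in this guide.
# PFS2048 is the 2048-bit MODP group, which is Diffie-Hellman group 14.
EQUIV = {
    "AES256": "AES-CBC (256-bit)",
    "SHA256": "SHA2-256",
    "DHGroup14": "Diffie-Hellman Group14",
    "PFS2048": "Diffie-Hellman Group14",
}

def check_bovpn(azure, firebox):
    """Return a list of mismatches; an empty list means both sides agree."""
    problems = []
    vnet = ipaddress.ip_network(azure["vnet"])
    if not ipaddress.ip_network(azure["gateway_subnet"]).subnet_of(vnet):
        problems.append("gateway subnet is outside the VNet address space")
    # A policy-based tunnel negotiates traffic selectors, so the networks must line
    # up: remote networks inside the VNet, local networks equal to the local network
    # gateway address spaces, and no overlap between the two sides.
    for net in firebox["remote_networks"]:
        if not ipaddress.ip_network(net).subnet_of(vnet):
            problems.append(f"remote network {net} is not inside VNet {vnet}")
    if sorted(firebox["local_networks"]) != sorted(azure["local_gateway_address_spaces"]):
        problems.append("Firebox local networks differ from the local network gateway address spaces")
    for net in firebox["local_networks"]:
        if ipaddress.ip_network(net).overlaps(vnet):
            problems.append(f"local network {net} overlaps VNet {vnet}")
    # Phase 1 and Phase 2 proposals must match algorithm for algorithm.
    for phase, az, fb in (("Phase 1", azure["ike"], firebox["phase1"]),
                          ("Phase 2", azure["ipsec"], firebox["phase2"])):
        for key in ("enc", "auth", "dh"):
            if EQUIV.get(az[key]) != fb[key]:
                problems.append(f"{phase} {key}: Azure {az[key]} vs Firebox {fb[key]}")
    return problems
```

Calling `check_bovpn(AZURE, FIREBOX)` returns an empty list for the values in this guide; each string it returns otherwise names one setting to correct before you retest the tunnel.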
Test the Integration

To test the integration of the policy-based BOVPN tunnel between your cloud-managed Firebox and Microsoft Azure:

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Monitor > Devices.
  3. Select your cloud-managed Firebox, then select Live Status > VPN > Branch Office VPN.
  4. Click the name of your BOVPN, and verify that the VPN is established.
    Screenshot of WatchGuard Cloud, VPN page
  5. Verify that a host behind the cloud-managed Firebox and a host in the Azure virtual network can ping each other successfully.