Microsoft Azure Configuration - Image Delivery (VNS3 3.5 Azure Setup 2015 Image Delivery.key, created 4/27/2015 6:10:18 PM)

copyright 2015

    Microsoft Azure Configuration - Image Delivery
    Azure Setup for VNS3:vpn, VNS3:net and VNS3:turret
    2015

    Table of Contents

    Introduction (slide 3)
    Create Azure Private VLAN (slide 10)
    Get VNS3 Image Delivered to your Account (slide 15)
    Launch VNS3 VM from Delivered Image (slide 23)
    VNS3 Configuration Document Links (slide 30)

    Introduction (slide 3)

    Requirements (slide 4)

    You have an Azure account. (For free Azure trials visit http://azure.microsoft.com/en-us/pricing/free-trial/)

    You agree to the VNS3 Terms and Conditions (http://cohesive.net/Cohesive-Networks_VNS3-Production-Terms-2015.pdf).

    You are able to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

    You have a compliant IPsec firewall/router networking device that can use NAT-Traversal encapsulation (Azure does not allow Protocol 50 ESP endpoint configuration).

    Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

    Best Effort: Any IPsec device that supports IKEv1 or IKEv2; AES256, AES128 or 3DES; SHA1 or MD5.

    *Known Exclusions: Checkpoint R65+ requires native IPsec connections, as Checkpoint does not conform to NAT-Traversal standards, and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable connection from being maintained.

    Getting Help with VNS3 (slide 5)

    This guide covers a very generic VNS3 setup in the Azure cloud. If you are interested in more custom use cases and would like Cohesive to advise and help set up the topology, contact [email protected] for services pricing. Please review the VNS3 Support Plans and Contacts before sending support inquiries.

    http://www.cohesive.net/support/support-plans/
    http://www.cohesive.net/support/support-contacts/

    Firewall Considerations (slide 6)

    VNS3 Controller instances use the following TCP and UDP ports.

    UDP port 1194: For client VPN connections; the network ACL or hypervisor access rule for the VNS3 Controller must allow UDP port 1194 from all servers that will join the VNS3 topology as clients.

    UDP ports 1195-1197: For peering between VNS3 Controller peers; must be accessible from all peers in a given topology. Free Edition and Lite Edition do not require UDP ports 1195-1197 access, as they are not licensed for Controller Peering (Single Controller Topologies).

    TCP port 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure your VNS3 topology. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

    UDP port 500 and UDP port 4500: IPsec connections to Azure support only NAT-Traversal encapsulation (UDP 500 and UDP 4500). Azure does not support native IPsec connections into their cloud.

    NOTE: If you need to negotiate a native IPsec tunnel to serve an Azure deployment, contact [email protected] for bridging solutions.
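    The port list above is easy to get partly wrong (a missing UDP 4500, or an "allow everything" rule added to make peering work), so it is worth checking the inbound rule set before a Controller is exposed. The following Python is an added example written for this guide, not code from Cohesive Networks or from Azure. It encodes the required ports and the Free/Lite Edition peering exception from the text above; the rule records it reads (fields "name", "proto", "ports", "src" and optional "action") and the sample rule set are constructed assumptions, not an Azure network security group format. It also flags TCP 22 left open to the Internet, which the Remote Support slide says is not required for normal operation.

```python
"""Check inbound firewall / NSG rules against the ports a VNS3 Controller needs.
Added example for this guide, not Cohesive Networks' code.  Port numbers and
the Free/Lite Edition exception come from the "Firewall Considerations" slide;
the rule record fields and the sample rules are constructed assumptions."""

# Required inbound ports from the guide, with the reason each is needed.
REQUIRED_PORTS = {
    ("udp", 1194): "client VPN connections",
    ("udp", 1195): "Controller peering",
    ("udp", 1196): "Controller peering",
    ("udp", 1197): "Controller peering",
    ("tcp", 8000): "HTTPS admin interface",
    ("udp", 500): "IPsec IKE (NAT-Traversal)",
    ("udp", 4500): "IPsec NAT-Traversal",
}
# Free Edition and Lite Edition run single-Controller topologies and do not peer.
PEERING_PORTS = {("udp", 1195), ("udp", 1196), ("udp", 1197)}
# Per the Remote Support slide, TCP 22 is not required for normal operations.
NOT_NEEDED_PUBLICLY = {("tcp", 22): "SSH, only during a Remote Support session"}
# Source values that mean "from anywhere" (assumed spellings for this example).
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


def parse_ports(spec):
    """'1195-1197' -> {1195, 1196, 1197}; '8000' -> {8000}; '*' -> None (all ports)."""
    if spec == "*":
        return None
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def rule_allows(rule, proto, port):
    """True if an allow rule covers this protocol/port (source is not considered)."""
    if rule.get("action", "allow") != "allow":
        return False
    if rule["proto"] not in (proto, "*"):
        return False
    ports = parse_ports(rule["ports"])
    return ports is None or port in ports


def check_rules(rules, single_controller=False):
    """Report required ports no rule allows, rules that allow everything from
    anywhere, and ports that are not needed but are open to the world."""
    required = dict(REQUIRED_PORTS)
    if single_controller:
        for key in PEERING_PORTS:
            del required[key]
    missing = [f"{proto}/{port} ({why})"
               for (proto, port), why in required.items()
               if not any(rule_allows(r, proto, port) for r in rules)]
    wide_open = [r["name"] for r in rules
                 if r.get("action", "allow") == "allow"
                 and r["proto"] == "*" and r["ports"] == "*"
                 and r["src"] in ANY_SOURCE]
    unneeded_public = [f"{proto}/{port} ({why})"
                       for (proto, port), why in NOT_NEEDED_PUBLICLY.items()
                       if any(rule_allows(r, proto, port) and r["src"] in ANY_SOURCE
                              for r in rules)]
    return {"missing": missing, "wide_open": wide_open,
            "unneeded_public": unneeded_public}


# Constructed sample rule set (not from the guide): peering and admin access are
# scoped to private/admin ranges, UDP 4500 was forgotten, and SSH is open to all.
SAMPLE_RULES = [
    {"name": "clients-openvpn", "proto": "udp", "ports": "1194", "src": "10.10.0.0/16"},
    {"name": "controller-peers", "proto": "udp", "ports": "1195-1197", "src": "10.10.1.0/24"},
    {"name": "admin-https", "proto": "tcp", "ports": "8000", "src": "203.0.113.0/24"},
    {"name": "ipsec-ike", "proto": "udp", "ports": "500", "src": "198.51.100.7/32"},
    {"name": "ssh-anywhere", "proto": "tcp", "ports": "22", "src": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for key, items in check_rules(SAMPLE_RULES).items():
        print(f"{key}: {items}")
```

    Run against the constructed sample, the report lists udp/4500 as missing and tcp/22 as open to the world; passing single_controller=True drops the 1195-1197 requirement for a Free or Lite Edition deployment.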

    Address Considerations (slide 7)

    Restrictions: The Azure CIDR and subnets cannot overlap with the VNS3 Overlay Network subnet.

    The Azure public cloud does not currently allow virtual machine instances to act as network gateways for unencrypted VLAN traffic. As a result, when using Azure you must use the Overlay Network when configuring your cloud servers.

    Sizing Considerations (slide 8)

    Image Size and Architecture: VNS3 Edition Controller Images (Free Edition and BYOL-UL) are available as 64-bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least an A1 machine size. Smaller sizes are supported but the performance will depend on the use-case.

    Clientpack Key Size: VNS3 Controllers currently generate 1024-bit keys for connecting the clients to the overlay network via the clientpacks. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.

    Remote Support (slide 9)

    Note that TCP 22 (ssh) is not required for normal operations.

    Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key exchange generation.

    In the event Cohesive needs to observe runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and Enable Remote Support via the Web UI.

    Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the support ticket has been closed you can disable remote support access and invalidate the access key.

    Create Azure Private VLAN (slide 10)

    Create VLAN (slide 11)

    Cohesive Networks recommends using a custom Azure Virtual Network or VLAN for all Azure cloud deployments. VLANs provide isolation and additional network configuration settings that may be needed for your use-case.

    The following VLAN setup is the recommended best practice that uses separate subnets for VNS3 Controller instances and cloud server instances.

    NOTE: The Azure VLAN CIDR you configure CANNOT overlap with the VNS3 Overlay Network you create during configuration of your VNS3 Controller instance.

    Create VLAN - Virtual Network Details (slide 12)

    On the Azure Portal left menu, choose NEW at the bottom, then select NETWORK SERVICES > VIRTUAL NETWORK > CUSTOM CREATE.

    This will pop up a window allowing you to name your private VLAN.

    Give the VLAN a name and pick the Azure compute center for it to be created in.

    NOTE: While Azure VLANs cannot span compute centers, spanning them is one of the key capabilities of VNS3: create an encrypted VNS3 Overlay Network that spans regions as well as clouds. VNS3 can also safely peer Azure VLANs between regions, as well as VLANs between clouds.

    Click the arrow on the lower right to proceed.

    Create VLAN - DNS Servers (slide 13)

    Unless you are setting up specific DNS servers, no configuration changes are needed on this page.

    Click the arrow to proceed.

    Create VLAN - Virtual Network Address Spaces (slide 14)

    On the next page you can specify any Address Space in the private IP address ranges set by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 (http://tools.ietf.org/html/rfc1918).

    NOTE: You cannot create VLANs with public IPv4 addresses. VNS3 allows this with its encrypted virtual VLANs.

    You then create one or more subnets within that address space. In this example two were created. VLAN organization is outside the scope of this document, but there are often advantages to putting the VNS3 instance in a separate subnet from the rest of your deployment.

    Click the checkbox to finish creating your VLAN.
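    The address rules scattered across this guide (RFC 1918 space only, subnets inside the address space, and no overlap between the Azure VLAN or any of its subnets and the VNS3 Overlay Network) can be checked before anything is created in the portal. The following Python is an added example written for this guide, not Cohesive Networks' tooling; it uses the standard library ipaddress module, and every address in it is constructed for illustration. It goes slightly beyond the text by also reporting subnets that overlap each other and CIDR strings with host bits set, which the strict parser would otherwise reject with a bare exception.

```python
"""Validate a planned Azure Virtual Network (VLAN) layout against the address
rules in this guide: RFC 1918 address space, subnets inside that space, no
overlap between subnets, and no overlap with the VNS3 Overlay Network.
Added example for this guide, not Cohesive Networks' code; all addresses are
constructed for illustration."""
from ipaddress import ip_network
from itertools import combinations

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def parse_cidr(label, cidr, problems):
    """Parse a CIDR strictly; a string with host bits set (e.g. 10.1.0.5/16)
    is reported as a problem instead of being silently rounded down."""
    try:
        return ip_network(cidr, strict=True)
    except ValueError:
        problems.append(f"{label} {cidr!r} is not a valid network prefix")
        return None


def validate_layout(vlan_cidr, subnets, overlay_cidr):
    """Return a list of problems; an empty list means the layout is acceptable.
    `subnets` maps a subnet name to its CIDR string."""
    problems = []
    vlan = parse_cidr("VLAN", vlan_cidr, problems)
    overlay = parse_cidr("overlay", overlay_cidr, problems)
    if vlan is None or overlay is None:
        return problems
    # Azure only allows private (RFC 1918) address space for a VLAN.
    if not any(vlan.subnet_of(block) for block in RFC1918):
        problems.append(f"VLAN {vlan} is not within an RFC 1918 range")
    # The Azure CIDR must not overlap the VNS3 Overlay Network.
    if vlan.overlaps(overlay):
        problems.append(f"VLAN {vlan} overlaps the VNS3 overlay {overlay}")
    parsed = {}
    for name, cidr in subnets.items():
        sub = parse_cidr(f"subnet {name}", cidr, problems)
        if sub is None:
            continue
        parsed[name] = sub
        if not sub.subnet_of(vlan):
            problems.append(f"subnet {name} {sub} is outside VLAN {vlan}")
        if sub.overlaps(overlay):
            problems.append(f"subnet {name} {sub} overlaps the VNS3 overlay {overlay}")
    # Subnets within one address space must not overlap each other either.
    for (a, na), (b, nb) in combinations(parsed.items(), 2):
        if na.overlaps(nb):
            problems.append(f"subnets {a} {na} and {b} {nb} overlap each other")
    return problems


if __name__ == "__main__":
    # Constructed layout following the guide's recommendation of a separate
    # subnet for the VNS3 Controller and one for the cloud servers.
    print(validate_layout("10.1.0.0/16",
                          {"vns3": "10.1.0.0/24", "servers": "10.1.1.0/24"},
                          "172.31.0.0/22"))
```

    The returned list is empty for the constructed two-subnet layout; choosing an overlay such as 10.1.0.0/22 for the same VLAN produces one problem for the VLAN and one for the Controller subnet, which is the overlap the NOTE on the Create VLAN slide warns about.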

    Get VNS3 Image Delivered to your Azure Account (slide 15)

    Azure Configuration: Create Storage for Template Delivery (slide 16)

    Step 1: Create a Microsoft Azure storage account to serve as the destination used by Cohesive Networks to deliver the VNS3 template disk.

    One can have many storage accounts in Azure. This is where containers (roughly, folders) and the disks for images and instances are stored. You will be creating a dedicated storage account for Cohesive Networks to use to deliver the VNS3 template.

    To create a storage account:
    - Log in to the Azure portal.
    - At the bottom of the All Items left side menu, click New.
    - Select Data Services > Storage > Quick Create.

    URL: Type a unique storage name. This name must be globally unique across all Azure customers, so do not be surprised if some simple names like mystorage are not accepted.

    Location/Affinity Group: Select an Azure location.

    Replication: Select the level of redundancy for the storage account; locally redundant (copy kept in that cloud center) or geo-redundant (a copy moved to another cloud center).

    Click Create Storage Account.

    Azure Configuration: Get Storage Access Keys (slide 17)

    Once you see the onscreen notification that the storage account was successfully created, you then need to retrieve the storage access keys.

    At the bottom of the screen you will see a menu item for Manage Access Keys. When you click on it a pop up window is created as shown here to the right.

    Copy the Secondary Access Key and keep it available for sharing with Cohesive Networks so the appropriate VNS3 template can be delivered to your account.

    (Ideally you paste it into a plain text editor to avoid any changes to characters which might occur in Word, Pages, or OpenOffice.)

    Azure Configuration: Create Container for Template (slide 18)

    The next step is to create a Container in the Storage account for storing the VNS3 Image Template.

    Return to the left menu All Items and choose Storage.

    You will see at list the storage account created in the previ