My previous blog post was about setting up an IPSec VPN tunnel between an AWS VPC and a vCloud Director Org VDC. This time I will describe how to achieve the same with Microsoft Azure.
vCloud Director is not on Azure's list of supported IPSec VPN endpoints; it is nevertheless possible to set up such a VPN, although it is not straightforward.
I will describe the setup of both the Azure and the VCD endpoint only briefly, as it is very similar to the one described in my previous article. On the Azure side the following objects are needed:
- Resource Group (logical container object) – in my example RG UK
- Virtual network (a large address space, the counterpart of the AWS VPC CIDR) – 172.30.0.0/16
- Subnets – at least one for VMs (172.30.0.0/24) and one for the gateway (172.30.255.0/29); Azure requires the gateway subnet to be named GatewaySubnet
- Virtual Network Gateway – the Azure VPN endpoint, with a public IP address, deployed into the gateway subnet above. Gateway type is VPN, VPN type is Policy-based (Route-based gateways use IKEv2, which the NSX platform used by vCloud Director does not support; Policy-based is only offered on the Basic gateway SKU)
- Local Network Gateway – the definition of the vCloud VPN endpoint: its public IP address (81.x.x.x) and the subnets reachable behind it (192.168.100.0/24)
- Connection – definition of the tunnel:
- Connection type: Site-to-site (IPSec)
- Virtual network gateway and local network gateway are straightforward (those created previously)
- Connection name: whatever
- Shared Key (PSK): create your own 32+ character key using upper and lower case characters and numbers
- Test VM connected to the VM subnet (IP 172.30.0.4)
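The same Azure-side objects created with the Azure CLI instead of the portal, as an added example that is not part of the original post. The resource names, the region uksouth, and 81.0.0.1 standing in for the redacted 81.x.x.x are my assumptions; the gateway type, VPN type, local network gateway and connection parameters are the ones listed above, and the PSK check implements the rule given for the shared key.

```sh
#!/bin/sh
# Added example, not from the original post: the Azure-side objects above, created
# with the Azure CLI. Assumed (mine, not the post's): the resource names, region
# "uksouth", that `az login` was already done, and 81.0.0.1 in place of the
# redacted 81.x.x.x.
set -eu

RG="RG-UK"                          # the post's "RG UK"; RG names cannot contain spaces
LOCATION="uksouth"
VNET="vnet-uk";          VNET_CIDR="172.30.0.0/16"
VM_SUBNET="vm-subnet";   VM_SUBNET_CIDR="172.30.0.0/24"
GW_SUBNET_CIDR="172.30.255.0/29"    # Azure insists the gateway subnet is named GatewaySubnet
VGW="vgw-uk"
LGW="lgw-vcd"
VCD_PUBLIC_IP="${VCD_PUBLIC_IP:-81.0.0.1}"
VCD_SUBNETS="192.168.100.0/24"      # Org VDC network(s) reachable behind the Edge, space separated
CONN="azure-to-vcd"

# The post's PSK rule: 32+ characters with upper case, lower case and digits.
# Returns 0 when the key passes.
psk_ok() {
  k="$1"
  [ "${#k}" -ge 32 ] || return 1
  case "$k" in *[A-Z]*) ;; *) return 1 ;; esac
  case "$k" in *[a-z]*) ;; *) return 1 ;; esac
  case "$k" in *[0-9]*) ;; *) return 1 ;; esac
  return 0
}

# 40 alphanumeric characters from the kernel CSPRNG, redrawn in the rare case a
# draw misses one of the character classes.
gen_psk() {
  until k=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 40) && psk_ok "$k"; do :; done
  printf '%s\n' "$k"
}

azure_vpn_deploy() {
  psk="$1"
  psk_ok "$psk" || { echo "PSK rejected: need 32+ chars, upper, lower, digits" >&2; return 1; }

  az group create --name "$RG" --location "$LOCATION"
  az network vnet create --resource-group "$RG" --name "$VNET" --address-prefix "$VNET_CIDR" \
    --subnet-name "$VM_SUBNET" --subnet-prefix "$VM_SUBNET_CIDR"
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name GatewaySubnet --address-prefix "$GW_SUBNET_CIDR"
  az network public-ip create --resource-group "$RG" --name "$VGW-pip" --allocation-method Dynamic

  # PolicyBased = IKEv1, DH group 2, no PFS; only the Basic SKU offers it, and
  # provisioning the gateway takes tens of minutes.
  az network vnet-gateway create --resource-group "$RG" --name "$VGW" --vnet "$VNET" \
    --public-ip-address "$VGW-pip" --gateway-type Vpn --vpn-type PolicyBased --sku Basic

  # Local Network Gateway = the vCloud end: its public IP and the Org VDC network(s).
  az network local-gateway create --resource-group "$RG" --name "$LGW" \
    --gateway-ip-address "$VCD_PUBLIC_IP" --local-address-prefixes $VCD_SUBNETS

  # The Connection is where the PSK lives; it comes from a variable, never the script.
  az network vpn-connection create --resource-group "$RG" --name "$CONN" \
    --vnet-gateway1 "$VGW" --local-gateway2 "$LGW" --shared-key "$psk"

  # This address is the Peer ID / Peer IP the tenant enters on the Edge Gateway.
  az network public-ip show --resource-group "$RG" --name "$VGW-pip" --query ipAddress -o tsv
}

# Nothing is created unless APPLY=1; the PSK is generated if not supplied and echoed
# once to stderr so it can be typed into the vCloud side.
if [ "${APPLY:-0}" = "1" ]; then
  PSK="${PSK:-$(gen_psk)}"
  echo "shared key: $PSK" >&2
  azure_vpn_deploy "$PSK"
fi
```

Run it as `APPLY=1 ./azure-vpn.sh` (optionally with `PSK=...` already exported); without `APPLY=1` it only defines the functions, so `psk_ok` can be used on its own to vet a key before pasting it into the portal. The gateway's public IP printed at the end is what goes into Peer ID and Peer IP on the Org VDC Edge Gateway.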
As explained above, we created a Policy-based VPN endpoint in Azure. A Policy-based VPN uses IKE version 1, AES256/SHA1, Diffie-Hellman group 2 and no Perfect Forward Secrecy, and none of this is negotiable: the tunnel will not come up until the vCloud side proposes exactly the same.
However, on the legacy Org VDC Edge Gateway the tenant cannot select the DH group or the PFS setting in vCloud Director. Therefore the following workaround is proposed:
The tenant configures the VPN on his Org VDC Edge Gateway with the following settings:
- Name: Azure
- Enable this VPN configuration
- Establish VPN to: a remote network
- Local Networks: 192.168.100.0/24 (Org VDC network(s))
- Peer Networks: 172.30.0.0/24
- Local Endpoint: Internet (interface facing internet)
- Local ID: 10.0.2.121 (Org VDC Edge GW internet interface)
- Peer ID: 51.x.x.x (public IP of the Azure Virtual network gateway)
- Peer IP: 51.x.x.x (same as previous)
- Encryption protocol: AES256
- Shared Key: the same as in Azure Connection definition
Now we ask the service provider to go directly into the Edge's IPsec configuration in NSX (which the tenant UI does not expose), disable PFS and change the DH group to DH2 for this site.
Note that this workaround is not necessary on an Org VDC Edge Gateway that has been enabled with Advanced Networking services, because the tenant can then set the DH group and PFS himself. This feature is at the moment only in vCloud Air, but it will soon be available to all vCloud Air Network service providers.
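The provider-side change as it would be done against the NSX Manager REST API rather than by clicking through the NSX UI, added here as an example; it is not part of the original post or of VMware's own tooling. It assumes the NSX-v Edge IPsec resource at /api/4.0/edges/<edgeId>/ipsec/config with an <enablePfs> and a <dhGroup> element per <site>, which should be checked against the NSX version in use; the manager address, credentials, CA file and Edge ID are placeholders, and the sample configuration is constructed to look like a GET response with the post's Azure tunnel plus a second tunnel that must not be touched.

```sh
#!/bin/sh
# Added example, not from the original post: the provider-side step done through the
# NSX Manager REST API rather than the UI. Assumed, from the NSX-v API as I know it
# (verify against your NSX version): the Edge IPsec config lives at
# /api/4.0/edges/<edgeId>/ipsec/config and each <site> carries <enablePfs> and
# <dhGroup>. NSX_MGR, NSX_USER, NSX_PASS, NSX_CA and EDGE_ID are mine, not the post's.
set -eu

# NSX returns the config as one long line; put one tag per line so the sed ranges
# below can be site-scoped, and drop indentation if the input was pretty-printed.
one_tag_per_line() {
  sed -e 's/^[[:space:]]*//' -e 's/>[[:space:]]*</>\
</g'
}

# site_field SITE ELEMENT  - print the text of <ELEMENT> inside the <site> named SITE.
site_field() {
  one_tag_per_line | sed -n "/<name>$1<\/name>/,/<\/site>/ s/<$2>\([^<]*\)<.*/\1/p"
}

# Rewrite the config on stdin so the site named $1 uses DH group 2 without PFS
# (what Azure's policy-based gateway requires); every other site is left alone.
force_dh2_nopfs() {
  site="$1"
  one_tag_per_line \
  | sed -e "/<name>$site<\/name>/,/<\/site>/ s/<enablePfs>true</<enablePfs>false</" \
        -e "/<name>$site<\/name>/,/<\/site>/ s/<dhGroup>[^<]*</<dhGroup>dh2</" \
  | tr -d '\n'
}

# Constructed sample in the shape of a GET response: the post's Azure tunnel plus a
# second tunnel that must not be touched. Real responses carry the PSK in clear.
sample_config() {
  cat <<'EOF'
<ipsec>
  <enabled>true</enabled>
  <sites>
    <site>
      <enabled>true</enabled>
      <name>Azure</name>
      <localId>10.0.2.121</localId>
      <localIp>10.0.2.121</localIp>
      <peerId>51.0.0.1</peerId>
      <peerIp>51.0.0.1</peerIp>
      <encryptionAlgorithm>aes256</encryptionAlgorithm>
      <enablePfs>true</enablePfs>
      <dhGroup>dh14</dhGroup>
      <localSubnets><subnet>192.168.100.0/24</subnet></localSubnets>
      <peerSubnets><subnet>172.30.0.0/24</subnet></peerSubnets>
      <psk>REDACTED</psk>
    </site>
    <site>
      <enabled>true</enabled>
      <name>Branch</name>
      <localId>10.0.2.121</localId>
      <localIp>10.0.2.121</localIp>
      <peerId>198.51.100.7</peerId>
      <peerIp>198.51.100.7</peerIp>
      <encryptionAlgorithm>aes256</encryptionAlgorithm>
      <enablePfs>true</enablePfs>
      <dhGroup>dh5</dhGroup>
      <localSubnets><subnet>192.168.100.0/24</subnet></localSubnets>
      <peerSubnets><subnet>10.50.0.0/24</subnet></peerSubnets>
      <psk>REDACTED</psk>
    </site>
  </sites>
</ipsec>
EOF
}

# GET, rewrite, PUT. --cacert instead of -k: the body carries the tunnel PSK, so the
# manager's certificate must be verified (and --netrc-file keeps the password out of
# ps, if you prefer it over -u). NSX answers a successful PUT with 204.
nsx_apply_dh2_nopfs() {
  edge="$1"; site="$2"
  url="https://$NSX_MGR/api/4.0/edges/$edge/ipsec/config"
  tmp=$(mktemp)   # mode 0600; it holds the PSK until removed below
  curl -sS --cacert "$NSX_CA" -u "$NSX_USER:$NSX_PASS" "$url" | force_dh2_nopfs "$site" >"$tmp"
  echo "$site now: dh=$(site_field "$site" dhGroup <"$tmp") pfs=$(site_field "$site" enablePfs <"$tmp")"
  curl -sS --cacert "$NSX_CA" -u "$NSX_USER:$NSX_PASS" -X PUT -H 'Content-Type: application/xml' \
       --data-binary "@$tmp" -o /dev/null -w 'PUT returned HTTP %{http_code}\n' "$url"
  rm -f "$tmp"
}

if [ "${APPLY:-0}" = "1" ]; then
  nsx_apply_dh2_nopfs "${EDGE_ID:?edge id, e.g. edge-12}" "${SITE:-Azure}"
fi
```

The rewrite is scoped to the one <site> whose <name> matches, so other tenants' or other tunnels' DH group and PFS on the same Edge stay as they were; `sample_config | force_dh2_nopfs Azure | site_field Azure dhGroup` shows the effect offline. Before using it on a real Edge, confirm on your NSX version that the PSK round-trips unchanged through GET and PUT; if the GET masks it, put the real key back into the XML before the PUT.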
If all firewall rules are set up properly on both ends (the Edge Gateway firewall and any Azure network security group), we should be able to ping between the Azure and vCloud VMs.