Azure Virtual WAN IPsec Tunnel Automation

VeloCloud Orchestrator supports integration and automation of Azure Virtual WAN from VeloCloud Gateway and VeloCloud Edge to enable Branch-to-Azure VPN Connectivity.

Azure Virtual WAN IPsec Tunnel Automation Overview

Azure Virtual WAN is a network service that facilitates optimized and automated Virtual Private Network (VPN) connectivity from enterprise branch locations to or through Microsoft Azure. Azure subscribers provision Virtual Hubs corresponding to Azure regions and connect branches (which may or may not be SD-WAN enabled) through IP Security (IPsec) VPN connections.

To establish branch-to-Azure VPN connectivity, VeloCloud Orchestrator supports Azure Virtual WAN and VeloCloud SD-WAN integration and automation by leveraging the Azure backbone. Currently, the following Azure deployment options are supported from the VeloCloud SD-WAN perspective:
  • IPsec from SD-WAN Gateway to Azure virtual WAN hub with automation.
  • Direct IPsec from SD-WAN Edge to Azure virtual WAN hub with automation.

Azure Virtual WAN SD-WAN Gateway Automation

The following diagram illustrates the IPsec tunnel from SD-WAN Gateway to Azure virtual WAN hub.

Figure 1. Azure Virtual WAN SD-WAN Gateway Automation Topology

Azure Virtual WAN SD-WAN Edge Automation

The following diagram illustrates the IPsec tunnel directly from SD-WAN Edge to Azure virtual WAN hub.

Figure 2. Azure Virtual WAN SD-WAN Edge Automation Topology
The following topics provide instructions for configuring the VeloCloud Orchestrator and Azure to enable branch-to-Azure VPN connectivity through the SD-WAN Gateway and SD-WAN Edge:

Prerequisite Azure Configuration

Enterprise network administrators must complete the following prerequisite configuration tasks at the Azure portal to ensure that the SASE Orchestrator application can function as the Service Principal (identity for the application) for the purposes of Azure Virtual WAN and SD-WAN Gateway integration.

Register VeloCloud Orchestrator Application

  • Ensure you have an Azure subscription. If not, create a free account.

Discusses how to register a new application in Azure Active Directory (AD).

To register a new application in Azure AD:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Select All Services and search for Azure Active Directory.
  3. Select Azure Active Directory and go to App registrations > New registration . The Register an application screen appears.
    Figure 3. Register an Application
  4. In the Name field, enter the name for your VeloCloud Orchestrator application.
  5. Select a supported account type, which determines who can use the application.
  6. Select Register.

    Your VeloCloud Orchestrator application is registered and displayed in the All applications and Owned applications tabs.

    Make sure to note down the Directory (tenant) ID and Application (client) ID to be used during the VeloCloud Orchestrator configuration for Cloud Subscription.

Assign the VeloCloud Orchestrator Application to Contributor Role

  • Ensure you have an Azure subscription. If not, create a free account.

To access resources in your Azure subscription, you must assign the application to a role. You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope.

To assign a Contributor role at the subscription scope:

  1. Select All Services and search for Subscriptions.
  2. From the list of subscriptions, select the subscription to which you want to assign your application. If you do not see the subscription that you are looking for, select global subscriptions filter. Make sure the subscription you want is selected for the portal.
  3. Select Access control (IAM).
  4. Select +Add > Add role assignment . The Add role assignment dialog box appears.
    Figure 4. Add Role Assignment
  5. From the Role drop-down menu, select the Contributor role to assign to the application.

    To allow the application to execute actions like reboot, start, and stop, it is recommended that users assign the Contributor role to the App Registration.

  6. From the Assign access to drop-down menu, select Azure AD user, group, or service principal.

    By default, Azure AD applications are not displayed in the available options. To find your application, search for the name and select it.

  7. Select Save.

    The application is assigned to the Contributor role and it appears in the list of users assigned to a role for that scope.

Register a Resource Provider

To download Virtual WAN Virtual Private Network (VPN) configurations, the SASE Orchestrator requires a Blob Storage Account that acts as an intermediary data store from where the configurations can be downloaded. The SASE Orchestrator aims to create seamless user experience by provisioning a transient storage account for each of the download task. To download VPN site configurations, you must manually register the Microsoft.Storage resource provider on your Azure Subscription. By default, the Microsoft.Storage resource provider is not registered on Azure Subscriptions.
  • Ensure you have an Azure subscription. If not, create a free account.
  • Ensure you have the Contributor or Owner roles permission.

To register a resource provider for your subscription:

  1. Log in to your Microsoft Azure account.
  2. Select All Services and search for Subscriptions.
  3. From the list of subscriptions, select your subscription.
  4. Under the Settings tab, select Resource providers.
    Figure 5. Register a Resource Provider
  5. From the list of available resource providers, select Microsoft.Storage. and click Register.

    The resource provider is registered and configures your subscription to work with the resource provider.

    You can create the resources in Azure, for steps, see Configure Azure Virtual WAN for Branch-to-Azure VPN Connectivity.

Create a Client Secret

  • Ensure you have an Azure subscription. If not, create a free account.

Describes how to create a new client secret in Azure AD for the purpose of authentication.

To create a new client secret in Azure AD:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Select Azure Active Directory > App registrations .
  3. On the Owned applications tab, select on your registered VeloCloud Orchestrator application.
  4. Go to Certificates & secrets > New client secret . The Add a client secret screen appears.
    Figure 6. Create a Client Secret
  5. Provide details such as description and expiry value for the secret and select Add.

    The client secret is created for the registered application.

    Note: Copy and save the new client secret value to be used during the Cloud Subscription in SASE Orchestrator.

Configure Azure Virtual WAN for Branch-to-Azure VPN Connectivity

This section discusses the procedures to configure Azure for integrating Azure Virtual WAN and SD-WAN Gateway to enable the branch-to-Azure VPN connectivity.

Before you begin to configure the Azure Virtual WAN and the other Azure resources:
  • Verify that none of the subnets of your on-premises network overlap with the existing virtual networks that you want to connect to. Your virtual network does not require a gateway subnet and cannot have any virtual network gateways. For steps to create a virtual network, see Create a Virtual Network.
  • Obtain an IP address range for your Hub region and ensure that the address range that you specify for the Hub region does not overlap with any of your existing virtual networks that you connect to.
  • Ensure you have an Azure subscription. If not, create a free account.
For step-by-step instructions about the various procedures that need to be completed in the Azure portal side for integrating Azure Virtual WAN and SD-WAN Gateway, see:

Create a Resource Group

  • Ensure you have an Azure subscription. If not, create a free account.

Discusses how to create a resource group in Azure.

To create a resource group in Azure:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Select All Services and search for Resource groups.
  3. Select Resource groups, then select +Add. The Create a resource group screen appears.
    Figure 7. Create a Resource Group
  4. From the Subscription drop-down menu, select your Microsoft Azure subscription.
  5. In the Resource group text box, enter a unique name for your new resource group.

    A resource group name can include alphanumeric characters, periods (.), underscores (_), hyphens (-), and parenthesis (), but the name cannot end with a period.

  6. From the Region drop-down menu, select the location for your resource group, where the majority of your resources will reside.
  7. Select Review+create and then select Create.

    A resource group is created and appears on the Azure portal dashboard.

Create an Azure Virtual WAN. For steps, see Create a Virtual WAN.

Create a Virtual WAN

  • Ensure you have an Azure subscription. If not, create a free account.
  • Ensure you have a resource group created to add the Virtual WAN.

Discusses how to create a Virtual WAN in Azure.

To create a Virtual WAN in Azure:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Select All Services and search for Virtual WANs.
  3. Select Virtual WANs, then select +Add. The Create WAN screen appears.
    Figure 8. Create a Virtual WAN
  4. From the Subscription drop-down menu, select your Microsoft Azure subscription.
  5. From the Resource group drop-down menu, select your resource group to add the Virtual WAN.
  6. From the Resource group location drop-down menu, select the location where the metadata associated with the Virtual WAN will reside.
  7. In the Name text box, enter a unique name for your Virtual WAN.
  8. From the Type drop-down menu, select Standard as the Virtual WAN type.
  9. Select Create.

    A Virtual WAN is created and appears on the Azure portal dashboard.

Create Virtual Hubs. For steps, see Create a Virtual Hub.

Create a Virtual Hub

  • Ensure you have an Azure subscription. If not, create a free account.
  • Ensure that you have a resource group created to add the Azure resources.

Describes how to create a Virtual Hub in Azure.

To create a Virtual Hub in Azure:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Go to All resources and from the list of available resources, select the Virtual WAN that you have created.
  3. Under the Virtual WAN architecturearea, select Hubs.
  4. Select +New Hub. The Create virtual hub screen appears.
    Figure 9. Create a Virtual Hub Basics Tab
  5. In the Basics tab, enter the following Virtual Hub details.
    1. From the Region drop-down menu, select the location where the Virtual Hub resides.
    2. In the Name text box, enter the unique name for your Hub.
    3. In the Hub private address space text box, enter the address range for the Hub in Classless inter-domain routing (CIDR) notation.
  6. Select Next: Site to site > and enable Site to site (VPN gateway) before connecting to VPN sites by selecting Yes.
    Note: A VPN Gateway is required for tunnel automation to work, otherwise it is not possible to create VPN connections.
    Figure 10. Create a Virtual Hub Site to Site Tab

    From the Gateway scale units drop-down menu, select a scaling value.

  7. Select Review + Create.

    A Virtual Hub is created and appears on the Azure portal dashboard.

Create a Virtual Network

  • Ensure you have an Azure subscription. If not, create a free account.

Discusses how to create a Virtual Network in Azure.

To create a Virtual Network in Azure:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Select All Services and search for Virtual networks.
  3. Select Virtual networks, then select +Add. The Create virtual network screen appears.
    Figure 11. Create a Virtual Network
  4. In the Name text box, enter the unique name for your virtual network.
  5. In the Address space text box, enter the address range for the virtual network in Classless inter-domain routing (CIDR) notation.
  6. From the Subscription drop-down menu, select your Microsoft Azure subscription.
  7. From the Resource groupdrop-down menu, select your resource group to add the virtual network.
  8. From the Location drop-down menu, select the location where the virtual network resides.
  9. Under the Subnet area, enter the name and address range for the subnet.

    Do not make any changes to the other default settings of DDoS protection, Service endpoints, and Firewall.

  10. Select Create.

    A Virtual network is created and appears on the Azure portal dashboard.

Create Virtual Connection between Hubs and Virtual Networks (VNets). For steps, see Create a Virtual Connection between VNet and Hub.

Create a Virtual Connection between VNet and Hub

  • Ensure you have an Azure subscription. If not, create a free account.
  • Ensure you have Virtual Hubs and Virtual Networks created.

Discusses how to create a virtual connection between Virtual Networks (VNets) and the Virtual Hub in a particular Azure region.

To create a virtual network connection between a VNet and a Virtual Hub in a particular Azure region:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Go to All resources and from the list of available resources, select the Virtual WAN that you have created.
  3. Under the Virtual WAN architecture area, select Virtual network connections.
  4. Select +Add connection. The Add connection screen appears.
    Figure 12. Add connection
  5. In the Connection name text box, enter the unique name for the virtual connection.
  6. From the Hubs drop-down menu, select the Hub you want to associate with this connection.
  7. From the Subscription drop-down menu, select your Microsoft Azure subscription.
  8. From the Virtual network drop-down menu, select the virtual network you want to connect to this Hub.
  9. Select OK.

    A peering connection is established between the selected VNet and the Hub.

Configure VeloCloud Orchestrator for Azure Virtual WAN IPsec Automation from SD-WAN Gateway

You can configure VeloCloud Orchestrator for integrating Azure Virtual WAN and SD-WAN Gateway to enable the branch-to-Azure VPN connectivity.

Note: By default, the Azure Virtual WAN feature is deactivated. To enable the feature, an Operator Super user must set the session.options.enableAzureVirtualWAN system property to true.
Note: When using the Azure Virtual WAN Automation from SD-WAN Gateway feature, the Non SD-WAN Destination (NSD) tunnel only supports static routes. As a result, this feature is not currently compatible with BGP over IPsec.

Before you begin the VeloCloud Orchestrator configuration for Azure Virtual WAN- SD-WAN Gateway automation, ensure you have completed all the steps explained in the Prerequisite Azure Configuration and Configure Azure Virtual WAN for Branch-to-Azure VPN Connectivity sections.

For step-by-step instructions about the various procedures that need to be completed in the VeloCloud Orchestrator for integrating Azure Virtual WAN and SD-WAN Gateway, see:

To view the details of Non SD-WAN Destinations network services configured for an enterprise, see Monitor Non SD-WAN Destinations.

Associate a Microsoft Azure Non SD-WAN Destination to an SD-WAN Profile

After configuring a Non SD-WAN Destination of type Microsoft Azure Virtual Hub in VeloCloud Orchestrator, you must associate the Non SD-WAN Destination to the desired Profile to establish the tunnels between SD-WAN Gateways and Microsoft Azure Virtual Hub.

To associate a Non SD-WAN Destination to a Profile, perform the following steps:

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Profiles . The Profiles page appears.
  2. Select a profile you want to associate your Microsoft Azure Non SD-WAN Destination with, and then select the View link in the Device column.
  3. In the Device settings page, under VPN services, activate Cloud VPN by turning on the toggle button.
    Figure 13. Associate a Microsoft Azure Non SD-WAN Destination to an SD-WAN Profile
  4. Under Edge to Non SD-WAN Sites, select the Enable Edge to Non SD-WAN via Gateway check box.
  5. From the drop-down menu, select your Non SD-WAN Destination of type Microsoft Azure Virtual Hub to establish VPN connection between the branch and the Microsoft Azure Non SD-WAN Destination.
  6. Select Save Changes.

    A tunnel is established between the branch and the Microsoft Azure Non SD-WAN Destination.

Edit a VPN Site

Discusses how to add SD-WAN routes into the Azure network manually.

Ensure you have completed provisioning the Azure VPN sites at the VeloCloud Orchestrator side.

To add SD-WAN routes manually into the Azure network:

  1. Log in to your Microsoft Azure account. The Microsoft Azure home screen appears.
  2. Go to All resources and from the list of available resources, select the Virtual WAN that you have created.
  3. Under the Virtual WAN architecture area, select VPN sites.
  4. From the available list of VPN sites, select your VPN site (for example, Non SD-WAN Destination name.primary), that is added as a result of Non SD-WAN Destination provisioning step done using the VeloCloud Orchestrator.
  5. Select the name of the selected VPN site and from the top of the next screen, select Edit site.
    Figure 14. Edit a VPN Site
  6. In the Private address space text box, enter the address range for the SD-WAN routes.
  7. Select Confirm.

    Similarly, you can edit your Redundant VPN site by following the above steps.

    Note: Currently, Azure vWAN supports only Active/Active tunnel mode, and it does not have the provision to specify priority or primary tunnel to the VPN site (Primary and Redundant sites), and therefore load balancing will be done by Azure on equal cost multi-path routing. This may cause asymmetric traffic flow and might increase the latency for those flows. The workaround to avoid the asymmetric flow is to remove the SD-WAN Gateway redundancy on the Azure vWAN Hub NVS tunnel; however removing of redundant Gateway tunnel may not be acceptable for all deployments and needs to handle with caution.

Synchronize VPN Configuration

After successful Non SD-WAN Destination provisioning, whenever there are changes in the endpoint IP address of the Azure Hub or static routes, you need to resynchronize Azure Virtual Hub and Non SD-WAN Destination configurations. Selecting the Resync configuration button in the Non-VeloCloud Sites area will automatically fetch the VPN configuration details from the Azure portal and will update the VeloCloud Orchestrator local configuration.

Configure VeloCloud Orchestrator for Azure Virtual WAN IPsec Automation from SD-WAN Edge

You can configure VeloCloud Orchestrator for integrating Azure Virtual WAN and SD-WAN Edge to enable the branch-to-Azure VPN connectivity directly from SD-WAN Edge.

Note: When using the Azure Virtual WAN Automation from SD-WAN Edge feature, the Non SD-WAN Destination (NSD) tunnel only supports static routes. As a result, this feature is not currently compatible with BGP over IPsec.

Before you begin the VeloCloud Orchestrator configuration for Azure Virtual WAN- SD-WAN Edge automation, ensure you have completed all the steps explained in the Prerequisite Azure Configuration and Configure Azure Virtual WAN for Branch-to-Azure VPN Connectivity sections.

For step-by-step instructions about the various procedures that need to be completed in the SASE Orchestrator side for integrating Azure Virtual WAN and SD-WAN Edge, see:

Associate a Microsoft Azure Non SD-WAN Destination to an SD-WAN Edge

After configuring a Non SD-WAN Destination of type Microsoft Azure Virtual Hub from SD-WAN Edge, you must associate the Non SD-WAN Destination to an Edge and configure tunnels to establish IPsec tunnels between the Edge and Microsoft Azure Virtual Hub.

At the Edge level, to associate a Non SD-WAN Destination to an SD-WAN Edge, perform the following steps:

  1. In the SD-WAN service of the Enterprise portal, go to Configure > Edges .
  2. Select an Edge you want to associate your Microsoft Azure Non SD-WAN Destination with, and then select the View link in the Device column.
  3. In the Device settings page, under VPN services, expand Non SD-WAN Destinations via Edge, and then select the Override check box.
  4. Select the Enable Non SD-WAN via Edge check box.
    Figure 15. Associate a Microsoft Azure Non SD-WAN Destination to an SD-WAN Edge
  5. From the Name drop-down menu, select your Microsoft Azure Virtual Hub network service to establish VPN connection between the branch and the Microsoft Azure Non SD-WAN Destination.
  6. To configure tunnels for the Edge, under Action, select the + link. The Add Tunnel dialog box appears.
    Figure 16. Add Tunnel
    1. From the Public WAN Link drop-down menu, select a WAN link to establish IPsec tunnel and select Save.

      For the WAN links to appear in the drop-down menu, the customer needs to first configure the WAN links for the Edges from the

      Configure > Edges > Device > WAN Settings page, and wait for the Edge’s WAN links to come up with the valid public IPs. The link’s public IP is used as the Local Identification value of the tunnel. You can select only the WAN link with Public IP address. A tunnel is automatically established between the Edge and the Microsoft Azure Non SD-WAN Destination via Azure APIs. After that the Orchestrator sends the tunnel configuration to the Edge to establish tunnel to the Azure service. Note that the automation for each tunnel takes about 1 to 5 minutes to complete. Once the tunnel automation is complete, you are able to view the details of configured tunnel and Public WAN link.
    2. Once tunnels are created, you can perform the following actions at the Edge level:
      • Update a tunnel- When the Edge Public WAN link IP address of the tunnel changes, the Orchestrator automatically enqueues automation job to update the Azure VPN site link and the VPN tunnel configurations. Under Action, select the + link to view the tunnel settings such as PSK.
      • Delete a network service- Select a network service and select Delete.
      • Deactivate a network service- Under Enable Service column, deselect the check box to deactivate a specific network service.
  7. Select Save Changes.

    You can monitor the automated deployment status of the Microsoft Azure Non SD-WAN Destinations configured for an Enterprise from the Monitor > Network Services > Non SD-WAN Destinations via Edge page in the SD-WAN service of the Enterprise portal. See Monitor Non SD-WAN Destinations.

Monitor Non SD-WAN Destinations

You can view the details of Non SD-WAN Destinations configured for the Enterprise from the Monitor > Network Services page in the SD-WAN service of the Enterprise portal.

In the Network Services page, you can view:
  • Non SD-WAN Destinations via Gateway- Displays the configured Non SD-WAN Destinations along with the other configuration details such as Name of the Non SD-WAN Destination, Public IP Address, Status of the Non SD-WAN Destination, Status of the tunnel, Number of profiles and Edges that use the Non SD-WAN Destination, Last contacted date and time, and Number of related state change Events.
  • Non SD-WAN Destinations via Edge- Displays the configured Non SD-WAN Destinations along with the other configuration details such as Name of the Non SD-WAN Destination, Public IP Address, Status of the tunnel, Number of profiles and Edges that use the Non SD-WAN Destination, Last contacted date and time, and Deployment status.
    Note: Tunnel deployment status monitoring is only supported for Non SD-WAN Destinations via Edge network service.

To monitor the automation deployment status of Microsoft Azure Non SD-WAN Destinations via Edge:

  1. In the SD-WAN service of the Enterprise portal, select Monitor > Network Services .

    The Network Services page appears.

  2. Under Non SD-WAN Destinations via Edge, select the link in the Deployment Status column to view the deployment status of the Non SD-WAN Destinations.
    Figure 17. View Deployment Status of Non SD-WAN Destinations
    The following are the seven different states for an Edge action:
    • Enqueued- The Edge action is enqueued.
    • Pending- The Edge action is in this state as it waits for a backend worker process to pick it up and start working on it.
    • Notified- The Edge action is in this state after a backend worker process picks up the Edge action and starts working on it.
    • Completed- The Edge action is in this state if the Edge action task is successfully completed.
    • Errored- The Edge action is in this state if an error has occurred.
    • Timed Out- The Edge action is in this state if it takes more than the expected amount of time to complete the Edge action task.
    • Pending Delete- The Edge action is in this state if it is pending deletion.