Microsoft Azure – Deploying Site to Site VPN Connection with Citrix NetScaler CloudBridge


After mucking around on the internal network for over 2 months, it is a great pleasure to work with Steven Garcia from my organization, who assisted in setting up a GRE tunnel between Wellington and Auckland and configuring firewall rules to allow UDP 500 and UDP 4500 traffic, so that Site to Site connectivity could be established between the LAB environment and Microsoft Azure as a Proof of Concept (POC).

Finally, we have Citrix NetScaler 10.5 (Saha) Build 60.7 forming a Cloudbridge Site to Site tunnel to Microsoft Azure, and there is a TechNet Wiki article on how to accomplish this.
You can either view the article on the Microsoft TechNet Wiki, which may include improvements contributed by the TechNet community, at the link below;

Or carry on reading this page, the original article as I noted it in my engineering journal, with some explanations of the process.

The Original TechNet Wiki Article on Microsoft Azure – Deploying Site to Site VPN Connection with Citrix NetScaler CloudBridge

Introduction

Since the emergence of public cloud there has been a constant demand for enterprise on-premise private cloud infrastructure to connect with public cloud. This article is an introduction to using an existing Citrix NetScaler VPX to establish secure site to site connectivity between a private cloud and a public cloud.

Basic Requirements

You will need the following to set up a Site to Site VPN Connection between Microsoft Azure and your On-Premise Infrastructure;

  • Microsoft Azure Account (Create an Azure Account here.)
  • Microsoft Azure Resource Manager Virtual Network environment
  • Your On-Premise Network environment
  • Microsoft Azure PowerShell 1.0 (Download it here.)
  • Citrix NetScaler VPX 10.5 (SaHa) Build 56.22
  • Citrix NetScaler Platinum Edition License*
  • Allow UDP 500 and UDP 4500 traffic on Firewall

*Refer to Citrix NetScaler Data Sheet

Proof of Concept Network Diagram

In this article, we will simulate the network diagram below so that we can better understand how the configuration achieves Site to Site connectivity between On-Premise and Microsoft Azure.

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 0

Getting Started with Azure Resource Manager Virtual Network

After installing Microsoft Azure PowerShell 1.0, launch the Microsoft Azure PowerShell console with Elevated Privileges to begin.

Connecting to Microsoft Azure using Microsoft Azure PowerShell

First, we need to log in to Microsoft Azure using Microsoft Azure PowerShell with the command below.

# Login to Azure using Azure PowerShell Cmdlet 
Login-AzureRmAccount ;  

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 1

Login using your Microsoft Azure credential and select Sign in.

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 2

Choosing a Microsoft Azure Subscription

If you have multiple Microsoft Azure Subscriptions, such as MSDN, ClientA, ClientB and ClientC, it is best to find out which Azure subscription you will use to create the Virtual Network and select it with the example commands below.

# Get a list of Azure Subscriptions 
Get-AzureRmSubscription ;  
# Select a Azure Subscription to use 
Select-AzureRmSubscription ` 
    -Subscriptionid "GUID of subscription" ;  

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 3

Creating a Microsoft Azure Resource Manager Group

With the Azure subscription selected, we will create an Azure Resource Manager Resource Group and define the desired Azure datacenter geographical location with the example commands below.

# Create a new Azure Resource Manager Resource Group 
New-AzureRmResourceGroup `
    -Name "ARM-MyLAB-DEV" `
    -Location "Australia Southeast" ; 

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 4

Creating a Microsoft Azure Resource Manager Virtual Network

With the Azure Resource Manager Group defined, we will create the Virtual Network, with one subnet per environment, in that Resource Group using the example commands below. Take note that GatewaySubnet is a reserved subnet name within Microsoft Azure: it is the subnet the Virtual Network Gateway is deployed into.

# Create your Azure Virtual Network 
New-AzureRmVirtualNetwork `
    -Name "AVN-MyLAB-DEV" `
    -ResourceGroupName "ARM-MyLAB-DEV" `
    -Location "Australia Southeast" `
    -AddressPrefix "10.0.2.0/24" `
    -Subnet (New-AzureRmVirtualNetworkSubnetConfig `
            -Name "GatewaySubnet" `
            -AddressPrefix "10.0.2.248/29"), `
        (New-AzureRmVirtualNetworkSubnetConfig `
            -Name "Subnet-PRD" `
            -AddressPrefix "10.0.2.0/25"), `
        (New-AzureRmVirtualNetworkSubnetConfig `
            -Name "Subnet-STG" `
            -AddressPrefix "10.0.2.128/27"), `
        (New-AzureRmVirtualNetworkSubnetConfig `
            -Name "Subnet-UAT" `
            -AddressPrefix "10.0.2.160/27"), `
        (New-AzureRmVirtualNetworkSubnetConfig `
            -Name "Subnet-TST" `
            -AddressPrefix "10.0.2.192/27"), `
        (New-AzureRmVirtualNetworkSubnetConfig `
            -Name "Subnet-DEV" `
            -AddressPrefix "10.0.2.224/28"), `
        (New-AzureRmVirtualNetworkSubnetConfig `
            -Name "Subnet-DMZ" `
            -AddressPrefix "10.0.2.240/29") ; 

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 5

Add or define your On-Premise Local Network for Azure

With the Virtual Network created in Azure, we need to define the On-Premise Public IP Address and Local Network Subnets with the example commands below. This ensures that the Virtual Network in Azure knows the routes to your On-Premise local network; for a PolicyBased gateway these prefixes also define the traffic selectors the IPsec tunnel will accept.

# Add your On-Premise Local Site for Site-to-Site VPN Connections 
New-AzureRmLocalNetworkGateway `
    -Name "LNG-MyLAB-OnPremise" `
    -ResourceGroupName "ARM-MyLAB-DEV" `
    -Location "Australia Southeast" `
    -GatewayIpAddress "125.236.XXX.XXX" `
    -AddressPrefix @("192.168.100.0/24","192.168.150.0/24","172.16.0.0/16") ;

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 6

Create the Azure Virtual Network Gateway for VPN

Once the On-Premise Local Network is defined, we will create the Virtual Network Gateway and its IP Configuration, and request a Public IP Address from Azure, to create a PolicyBased VPN Gateway using the example commands below. Let the command run and take a 5-15 minute coffee break while Azure does its magic. The wait is caused by the request for a Public IP Address: Microsoft Azure has to determine which Public IP Address can be allocated to you and set up its backend infrastructure.

# Create a VPN Gateway for Site-to-Site VPN Connection
New-AzureRmVirtualNetworkGateway `
    -Name "AGW-MyLAB-DEV" `
    -ResourceGroupName "ARM-MyLAB-DEV" `
    -Location "Australia Southeast" `
    -IpConfigurations (New-AzureRmVirtualNetworkGatewayIpConfig `
        -Name "AGW-MyLAB-DEV-Conf" `
        -SubnetId (Get-AzureRmVirtualNetworkSubnetConfig `
            -Name "GatewaySubnet" `
            -VirtualNetwork (Get-AzureRmVirtualNetwork `
                -Name "AVN-MyLAB-DEV" `
                -ResourceGroupName "ARM-MyLAB-DEV")).Id `
        -PublicIpAddressId (New-AzureRmPublicIpAddress `
            -Name "PIP-MyLAB-DEV" `
            -ResourceGroupName "ARM-MyLAB-DEV" `
            -Location "Australia Southeast" `
            -AllocationMethod "Dynamic").Id) `
    -GatewayType "Vpn" `
    -VpnType "PolicyBased" ; 

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 7

Create the Site to Site VPN Connection with Custom Pre-Shared Key

After the Azure Virtual Network Gateway has been created, we will create the Virtual Network Gateway Connection by specifying the Virtual Network Gateway, the Local Network Gateway, the connection type and a Pre-Shared Key for authentication. The same key must later be entered in the NetScaler IPSEC profile.

# Create the Site-to-Site VPN Connection with Custom PSK
New-AzureRmVirtualNetworkGatewayConnection `
    -Name "AVNGWC-MyLAB-DEV" `
    -ResourceGroupName "ARM-MyLAB-DEV" `
    -Location "Australia Southeast" `
    -VirtualNetworkGateway1 (Get-AzureRMVirtualNetworkGateway `
        -Name "AGW-MyLAB-DEV" `
        -ResourceGroupName "ARM-MyLAB-DEV") `
    -LocalNetworkGateway2 (Get-AzureRmLocalNetworkGateway `
        -Name "LNG-MyLAB-OnPremise" `
        -ResourceGroupName "ARM-MyLAB-DEV") `
    -ConnectionType IPsec `
    -RoutingWeight 10 `
    -SharedKey "MyLABPreSharedK3y" ; 

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 8

Obtain your Public IP Address for On-Premise NetScaler configuration

Hooray! We are halfway to establishing Site to Site connectivity. Use the example commands below to obtain the Public IP Address that Microsoft Azure allocated to the gateway; you will need it for the On-Premise NetScaler configuration.

# Get Gateway Public IP Address for Site-to-Site configuration
# on NetScaler CloudBridge IPSEC IP Tunnel
Get-AzureRmPublicIpAddress `
    -Name "PIP-MyLAB-DEV" `
    -ResourceGroupName "ARM-MyLAB-DEV" | `
    Select IPAddress ;

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 9

Getting Started with your On-Premise Citrix NetScaler Cloudbridge

Enable Cloudbridge feature on Citrix NetScaler

Before we begin any configuration, we need to ensure that the Cloudbridge feature is enabled. If you are unable to enable the Cloudbridge feature on your NetScaler, verify with Citrix that you have the appropriate license for your appliance.

# Enable Cloudbridge feature
enable ns feature Cloudbridge 
# Verify Cloudbridge feature is Enabled / ON
show ns feature 

Create IPSEC Profile with Pre-Shared Key for Microsoft Azure Virtual Network Gateway

For the tunnel to be established, we need to create an IPSEC Profile with the Pre-Shared Key (PSK) to authenticate with Microsoft Azure and ensure that the specified encryption parameters comply with Microsoft Azure's requirements for a PolicyBased gateway: IKEv1, AES encryption, SHA1 hashing and Perfect Forward Secrecy disabled.

# Add an IPSEC profile with the PSK for authentication with Microsoft Azure
add ipsec profile IPSec-Profile-Azure-MyLab -psk MyLABPreSharedK3y -ikeVersion v1 -encAlgo AES -hashAlgo HMAC_SHA1 -ikeRetryInterval 60 -lifetime 3600 -perfectForwardSecrecy DISABLE

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 10

Create a tunnel to Microsoft Azure Virtual Network Gateway

Let's create a tunnel to Microsoft Azure. We have to specify the Azure Public IP Address obtained earlier and the next hop within your on-premise network, together with the IPSEC profile defined above for authentication with Microsoft Azure. The next hop is typically the default gateway to your firewall, through which traffic exits your network.

# Add an IPTunnel that connects to Microsoft Azure Public IP Address with the IPSEC profile for authentication
add iptunnel IPSec_Azure-to-MyLab 40.127.XXX.XXX 255.255.255.255 192.168.150.3 -protocol IPSEC -ipsecProfileName IPSec-Profile-Azure-MyLab

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 11

Add Policy Based Route for the Tunnel

Now we just need to shape the route with a policy based route (PBR) that specifies which on-premise subnet should reach which subnet on Microsoft Azure. Both ranges must fall within the prefixes declared earlier, the source within the Local Network Gateway address prefixes and the destination within the Virtual Network address space, or the PolicyBased gateway will not match the traffic.

# Add a policy based route (PBR) for the On-Premise subnet range to the Microsoft Azure subnet range;
# the -iptunnel value must match the tunnel name created above exactly
add pbr PBR_Azure-to-MyLab allow -srcIP 192.168.100.0-192.168.100.255 -destIP 10.0.2.0-10.0.2.255 -iptunnel IPSec_Azure-to-MyLab
# Commit the PBR so it takes effect
apply pbrs
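A sanity check, added here and not part of the original article, for the address plan used in the Virtual Network, Local Network Gateway and PBR commands above: it confirms that the VNet subnets sit inside the address space and do not overlap, and that the PBR source and destination ranges fall inside the prefixes a PolicyBased gateway will accept as traffic selectors. The function names and problem-message wording are my own.

```python
import ipaddress

# Address plan as used in the commands on this page (public IPs not needed).
VNET_PREFIX = "10.0.2.0/24"
VNET_SUBNETS = {
    "GatewaySubnet": "10.0.2.248/29", "Subnet-PRD": "10.0.2.0/25",
    "Subnet-STG": "10.0.2.128/27", "Subnet-UAT": "10.0.2.160/27",
    "Subnet-TST": "10.0.2.192/27", "Subnet-DEV": "10.0.2.224/28",
    "Subnet-DMZ": "10.0.2.240/29",
}
LNG_PREFIXES = ["192.168.100.0/24", "192.168.150.0/24", "172.16.0.0/16"]
PBR_SRC = "192.168.100.0-192.168.100.255"   # -srcIP of the add pbr command
PBR_DST = "10.0.2.0-10.0.2.255"             # -destIP of the add pbr command


def range_to_networks(ns_range):
    """Turn a NetScaler 'first-last' IP range into a list of CIDR networks."""
    first, last = (ipaddress.ip_address(p) for p in ns_range.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def check_vnet(prefix, subnets):
    """Subnets must include GatewaySubnet, sit inside the VNet and not overlap."""
    space = ipaddress.ip_network(prefix)
    nets = [(n, ipaddress.ip_network(p)) for n, p in subnets.items()]
    problems = []
    if "GatewaySubnet" not in subnets:
        problems.append("missing reserved GatewaySubnet")
    for name, net in nets:
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside {space}")
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


def check_pbr(src_range, dst_range, lng_prefixes, vnet_prefix):
    """A PolicyBased gateway only accepts traffic whose selectors fall inside
    the Local Network Gateway prefixes (source) and the VNet space (dest)."""
    lng = [ipaddress.ip_network(p) for p in lng_prefixes]
    vnet = ipaddress.ip_network(vnet_prefix)
    problems = []
    for net in range_to_networks(src_range):
        if not any(net.subnet_of(p) for p in lng):
            problems.append(f"PBR source {net} is not in the LNG prefixes")
    for net in range_to_networks(dst_range):
        if not net.subnet_of(vnet):
            problems.append(f"PBR destination {net} is not in VNet {vnet}")
    return problems
```

Run `check_vnet(VNET_PREFIX, VNET_SUBNETS)` and `check_pbr(PBR_SRC, PBR_DST, LNG_PREFIXES, VNET_PREFIX)`; an empty list from both means the plan on this page is consistent.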

Microsoft Azure - Deploying Site to Site VPN using Citrix NetScaler Cloudbridge - 12

Conclusion

In this example, after the NetScaler configuration has synchronised between the primary and secondary NetScaler VPX, we check that the Tunnel Status is UP and demonstrate a NetScaler High Availability failover of the Cloudbridge Site to Site IPSEC VPN IPTunnel from primary to secondary. During the failover, the tunnel terminates on the primary, setting the Tunnel Status to DOWN, and is re-established on the secondary after the retry interval. There you go: you now have Site to Site connectivity between On-Premise and Microsoft Azure.
