Microsoft Azure Configuration

Academic year: 2021

Azure Setup for VNS3

2015

copyright 2015

Table of Contents

Introduction

Create Azure Private VLAN


Requirements


• You have an Azure account (for free Azure trials visit http://azure.microsoft.com/en-us/pricing/free-trial/).

• You agree to the VNS3 Terms and Conditions.

• You are able to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

• You have a compliant IPsec firewall/router networking device that can use NAT-Traversal encapsulation (Azure does not allow Protocol 50 ESP endpoint configuration).

Preferred: Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.

Best Effort: Any IPsec device that supports IKEv1 or IKEv2; AES256, AES128 or 3DES; and SHA1 or MD5.


Getting Help with VNS3

This guide covers a very generic VNS3 setup in the Azure cloud. If you are interested in more custom use cases and would like Cohesive to advise and help set up the topology, contact [email protected] for services pricing.


Firewall Considerations

VNS3 Controller instances use the following TCP and UDP ports.

• UDP port 1194: For client VPN connections; the network ACL or hypervisor access rule for the VNS3 Controller must allow UDP port 1194 from all servers that will join the VNS3 topology as clients.

• UDP 1195-1197: For peering between VNS3 Controller peers; must be accessible from all peers in a given topology. Free Edition and Lite Edition do not require UDP ports 1195-1197 access, as they are not licensed for Controller Peering (single Controller topologies).

• TCP port 8000: HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure your VNS3 topology. It also needs to be open to and from the Controllers, at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.

• UDP port 500 and UDP port 4500: IPsec connections to Azure support only NAT-Traversal encapsulation (UDP 500 and UDP 4500). Azure does not support native IPsec connections into its cloud.
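The port list above is easy to get subtly wrong when translating it into Azure endpoint rules. The following script is an added example (not Cohesive's tooling) that audits a constructed set of endpoint rules against the guide's required ports, treating the peering ports as required only when Controller peering is licensed, and flags rules that nothing in the guide needs (such as TCP 22, which the Remote Support section says is not required for normal operation). The `Rule` type and sample rule set are assumptions made for the example.

```python
"""Audit Azure endpoint (port) rules against the ports a VNS3 Controller needs.

Added example, not Cohesive's own code. Port requirements are taken from the
Firewall Considerations section; the rule set below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp" or "udp"
    first: int          # first port of the range
    last: int           # last port of the range (inclusive)
    source: str = "*"   # source restriction, e.g. a CIDR, or "*" for any


# Ports from the guide. Peering (UDP 1195-1197) is only needed when Controller
# peering is licensed, i.e. not for Free or Lite Edition.
REQUIRED = {
    "client VPN (OpenVPN)":     Rule("udp", 1194, 1194),
    "Controller peering":       Rule("udp", 1195, 1197),
    "HTTPS admin/API":          Rule("tcp", 8000, 8000),
    "IPsec NAT-T (IKE)":        Rule("udp", 500, 500),
    "IPsec NAT-T (ESP in UDP)": Rule("udp", 4500, 4500),
}
PEERING = "Controller peering"


def covered(required: Rule, rules: list[Rule]) -> bool:
    """True if some configured rule fully contains the required port range."""
    return any(r.proto == required.proto and r.first <= required.first
               and r.last >= required.last for r in rules)


def audit(rules: list[Rule], peering_licensed: bool) -> dict:
    """Return required services that are missing, and rules the guide does not need."""
    needed = {k: v for k, v in REQUIRED.items() if peering_licensed or k != PEERING}
    missing = [name for name, req in needed.items() if not covered(req, rules)]
    # A rule is "extra" when none of its ports overlap any required service range.
    extra = [r for r in rules if not any(r.proto == q.proto and r.first <= q.last
                                         and r.last >= q.first for q in needed.values())]
    return {"missing": missing, "extra": extra}


# Constructed sample: a Free Edition endpoint set that forgot UDP 4500 and left SSH open.
SAMPLE_RULES = [
    Rule("udp", 1194, 1194), Rule("tcp", 8000, 8000, "203.0.113.0/24"),
    Rule("udp", 500, 500), Rule("tcp", 22, 22),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, peering_licensed=False))
```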


Address Considerations

Restrictions

The Azure CIDR and subnets cannot overlap with the VNS3 Overlay Network subnet.

The Azure public cloud does not currently allow virtual machine instances to act as network gateways for unencrypted VLAN traffic. As a result, when using Azure you must use the Overlay Network when configuring your cloud servers.


Sizing Considerations

Image Size and Architecture

VNS3 Controller Images are available as 64-bit images to allow the greatest flexibility for your use-case. We recommend Controller instances be launched with at least 512 MB of RAM. Smaller sizes are supported but the performance will depend on the use-case.

Clientpack Key Size

VNS3 Controllers currently generate 1024-bit keys for connecting the clients to the overlay network via the “clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit).


Remote Support

Note that TCP 22 (ssh) is not required for normal operations.

Each VNS3 Controller runs a restricted SSH daemon, with access limited to Cohesive for debugging purposes and controlled by the user via the Remote Support toggle and key exchange generation.

In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to SSH from our support IP range and enable Remote Support via the Web UI.

Cohesive will send you an encrypted passphrase to generate a private key used by Cohesive Support staff to access your Controller. Access to the restricted SSH daemon is completely controlled by the user. Once the


Create Azure Private VLAN


Create VLAN

Cohesive Networks recommends using a custom Azure Virtual Network or VLAN for all Azure cloud deployments. VLANs provide isolation and additional network configuration settings that may be needed for your use-case.

The following VLAN setup is the recommended best practice: it uses separate subnets for VNS3 Controller instances and cloud server instances.


Create VLAN - Virtual Network Details

On the Azure Portal left menu, choose “NEW” at the bottom, then select NETWORK SERVICES —> VIRTUAL NETWORK —> CUSTOM CREATE.

This will pop up a window allowing you to name your private VLAN. Give the VLAN a name and pick the Azure compute center for it to be created in.

NOTE: While Azure VLANs cannot span compute centers, spanning them is one of the key capabilities of VNS3: create an encrypted VNS3 Overlay Network that spans regions as well as clouds. VNS3 can also safely peer Azure VLANs between regions, as well as VLANs between clouds.


Unless you are setting up specific DNS servers, there are no needed configuration changes on this page.

Click the arrow to proceed.


On the next page you can specify any Address Space in the private IP address ranges set by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.

NOTE: You cannot create VLANs with public IPv4 addresses. VNS3 allows this with its encrypted virtual VLANs.

You then create one or more subnets within that address space. In this example two were created. VLAN organization is outside the scope of this document, but there are often advantages to putting the VNS3 instance in a separate subnet from the rest of your deployment. Click the checkbox to finish creating your VLAN.
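An address plan that violates the Address Considerations restriction (Azure CIDR and subnets must not overlap the VNS3 Overlay Network subnet) only shows up later, when overlay clients cannot reach each other. The script below is an added example (not Cohesive's code) that checks a plan before the VLAN is created: the address space must be RFC 1918, every subnet must lie inside it, subnets must not overlap each other, and nothing may overlap the overlay subnet. The address values are constructed and follow the two-subnet layout this section recommends.

```python
"""Validate an Azure VLAN address plan against the guide's address restrictions.

Added example, not Cohesive's code. The CIDRs below are constructed for illustration.
"""
import ipaddress

# The three private ranges the guide allows for the VLAN address space.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(address_space: str, subnets: list[str], overlay: str) -> list[str]:
    """Return a list of problems; an empty list means the plan is acceptable."""
    problems = []
    space = ipaddress.ip_network(address_space, strict=True)
    ovl = ipaddress.ip_network(overlay, strict=True)
    if not any(space.subnet_of(p) for p in RFC1918):
        problems.append(f"address space {space} is not an RFC 1918 private range")
    if space.overlaps(ovl):
        problems.append(f"address space {space} overlaps overlay network {ovl}")
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for n in nets:
        if not n.subnet_of(space):
            problems.append(f"subnet {n} is outside address space {space}")
        if n.overlaps(ovl):
            problems.append(f"subnet {n} overlaps overlay network {ovl}")
    # Subnets inside one VLAN must not overlap each other either.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


# Constructed plan following the guide: one subnet for the VNS3 Controller,
# one for the cloud servers, and an overlay subnet outside the Azure CIDR.
GOOD = dict(address_space="10.10.0.0/16",
            subnets=["10.10.1.0/24", "10.10.2.0/24"], overlay="172.31.1.0/24")
# Same VLAN, but the overlay subnet was chosen inside the Azure address space.
BAD = dict(GOOD, overlay="10.10.5.0/24")

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_plan(**plan) or "ok")
```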


Launch VNS3 Image from Azure Marketplace


Launch VNS3 - Select VNS3 Image

VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace:

VNS3:vpn Free Edition - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure-cohesive-vns3-free/

VNS3:net Lite Edition - https://azure.microsoft.com/en-us/marketplace/partners/cohesive/cohesiveft-vns3-for-azure-cohesive-vns3-lite/

To launch an instance of either, on the Azure Portal left menu, choose “NEW” at the bottom, then select COMPUTE —> VIRTUAL


The “FROM GALLERY” option pops up a “Choose an Image” window offering default Microsoft and operating-system vendor images. Scroll to the bottom of the Featured Image list and select the VNS3:vpn Free Edition or VNS3:net Lite Edition image.


Launch VNS3 - Virtual Machine Configuration

Give the instance a name; spaces are not allowed, so use hyphens to separate the words of an instance name.

Choose your tier of service and instance size. VNS3 should have at least one core and 1.5 GB of memory, so the “A1” instance type is a good place to start. Depending on need, VNS3 can be run as a very large instance to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions.

The Azure portal requires a username and an SSH key or password. Whatever you enter, these credentials will not provide shell access to VNS3 instances, which run as appliances.

The most straightforward approach is to leave the default “azureuser” and enter a meaningless password.


The next page of configuration for the VNS3 instance sets up the network port access rules and lets you choose a VLAN for the instance to be launched in. Azure calls the element that holds this information a “Cloud Service”; it allows you to launch other (subsequent) instances with the same configuration parameters.

You can create a new cloud service and name it, or choose an existing one created previously. The cloud service name must be globally unique, as it serves as a DNS name.

The next drop-down box lets you choose from a number of groups: either one of the Azure Cloud Computing Centers, an element called an “Affinity Group”, or a pre-defined VLAN. Most customers will want to have defined a virtual network VLAN for placing their instances in.

The topic of Availability Sets is beyond the scope of this document. Endpoints are how Azure describes a set of TCP and UDP port rules. Only TCP and UDP are allowed; other protocols cannot be controlled and, as a rule, are blocked by Azure.

At minimum VNS3 needs port 8000 open for the API and the Administrative UI.


The final page before instance launch should not need modification. Ensure that the “VM Agent” box is checked.

Do NOT check the “Chef” button.


VNS3 Virtual Machine Details

After clicking on the “check box” you will be returned to the “virtual machines” page, which shows the instance running in your account. In this example there is only one instance, “vns3-free”.

Click in the “Name” column on the “vns3-free” row to be taken to its detail page.

If it is the first instance you have launched you will be taken to the summary “Quick Start” page with useful links to Azure APIs, SDKs and Documentation.


VNS3 Configuration Document Links


VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Instructions

Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document

Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker Instructions

Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting

