Part 1 – Site-to-Site IPSec – NSX-t & Azure

Many organizations have already realized that a public-cloud-only or private-cloud-only strategy is not always the right one. To benefit from both worlds, a hybrid cloud strategy is the better option for many organizations.

Many organizations are using VMware for their private cloud, and in the MSP world, vCloud Director and NSX-t are the best options on the market.

In part one of this two-part blog post, I will take you through the steps to connect your NSX-t segment with an Azure infrastructure using the NSX-t VPN capabilities. Sadly, when I wanted to implement the scenario described below, I could not find a detailed all-in-one document to assist me in setting up an NSX-t and Azure site-to-site VPN solution. So, after much reading and trial and error, I think I have the solution. I have written it up in two blog posts to help you build a hybrid cloud infrastructure based on NSX-t and Azure.

Scenario

A customer is hosting his workload locally on a private cloud based on VMware and NSX-t; he wants to connect one of the segments of his workload to an Azure tenancy so that his team can securely connect to the Azure VMs using private IPs. The diagram below shows the end result of the deployment with all the components the customer has on his infrastructure. Throughout this two-part blog, we are going to discuss each component to break down the configuration needed to implement the solution.

To implement the solution illustrated above, let’s start from the on-premises side; there are fewer steps to perform on the NSX-t side than on the Azure side. Let’s get started on this first part of the blog post with the NSX-t configuration:

On-Premises Side – NSX-t v3.1.3:

Tier0: Loopback Interface:

  • Our work will start on Tier0. We will add an additional “Loopback” interface to ensure that our two routers can reach this IP. For example, I added the IP address 192.168.55.1/24 as a Loopback interface and made it routable on my local network:

Tier1: Route Advertisement:

  • Next, we ensure that IPSec is enabled under Route Advertisement on the Tier1 router:
  • After the steps above have been implemented, we are ready to browse to NSX-t > Networking > VPN and create three profiles:

IKE Profiles:

  • Name: Azure_IKE
  • IKE Version: IKE_v2
  • Encryption Algorithm: AES256
  • Digest Algorithm: SHA1
  • Diffie-Hellman: Group2
  • SA Lifetime (seconds): 28800

IPSec Profile:

  • Name: Azure_IPSec
  • Encryption Algorithm: AES128
  • Digest Algorithm: SHA2 256

DPD Profile:

  • Name: Azure_DPD
  • DPD Probe Mode: Periodic
  • DPD Profile Interval: 60
  • Retry Count: 10

Our VPN profiles are now created and we are ready to start the creation of the Site-to-Site VPN connection.

Note: These steps set up the NSX-t side only. We still have work to do on the Azure side, and the connection will fail until we finalize the configuration there.

VPN Services:

Browse to “VPN Services” and create a new service with the following details:

  • Name: AzureServices
  • Service Type: IPSec
  • Tier-0/Tier-1 Gateway: “Choose the T1”

Create Local Endpoints:

Let’s browse to “Local Endpoints” and create a new “Endpoint” with the following details:

  • Name: AzureEP
  • VPN Service: AzureServices
  • IP Address: 192.168.55.2 (same subnet as the loopback interface address)
  • Local ID: 192.168.55.2

IPSec Sessions:

Browse to “IPSec Sessions” and create a new “Policy Based” session with the following details:

  • Name: AzureSecSession
  • Type: Policy Based
  • VPN Service: AzureServices
  • Local Endpoint: AzureEP
  • Remote IP: Azure Gateway IP Address
  • Local Networks: Subnet of the segment IP address
  • Remote Network: Subnet of the Azure vNet
  • IKE Profiles: Azure_IKE
  • IPSec Profiles: Azure_IPSec
  • DPD Profiles: Azure_DPD
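The profiles, service, local endpoint and session created through the UI above can also be driven through the NSX-T Policy API. The script below is an added example, not part of this post, that builds the same objects with the same names and values; the Tier-1 id, the peer address and the subnets are placeholders you replace, and the pre-shared key is taken from the environment so it never sits in source or logs.

```python
"""NSX-T Policy API payloads for the NSX-t side of the Azure site-to-site VPN.
Paths are relative to /policy/api/v1 and follow the Policy API object model;
values are the ones used in this post. Tier-1 id and addresses are assumed."""
import json
import os

T1_ID = "T1"  # assumed Tier-1 gateway id; replace with your gateway's id
SVC_PATH = f"/infra/tier-1s/{T1_ID}/ipsec-vpn-services/AzureServices"
IKE = "/infra/ipsec-vpn-ike-profiles/Azure_IKE"
TUN = "/infra/ipsec-vpn-tunnel-profiles/Azure_IPSec"
DPD = "/infra/ipsec-vpn-dpd-profiles/Azure_DPD"
EP = f"{SVC_PATH}/local-endpoints/AzureEP"


def vpn_objects(peer_ip, local_subnet, remote_subnet, psk):
    """Return (api_path, body) pairs in the order they must be created."""
    return [
        (IKE, {"resource_type": "IPSecVpnIkeProfile", "ike_version": "IKE_V2",
               "encryption_algorithms": ["AES_256"], "digest_algorithms": ["SHA1"],
               "dh_groups": ["GROUP2"], "sa_life_time": 28800}),
        (TUN, {"resource_type": "IPSecVpnTunnelProfile",
               "encryption_algorithms": ["AES_128"],
               "digest_algorithms": ["SHA2_256"]}),
        (DPD, {"resource_type": "IPSecVpnDpdProfile", "dpd_probe_mode": "PERIODIC",
               "dpd_probe_interval": 60, "retry_count": 10, "enabled": True}),
        (SVC_PATH, {"resource_type": "IPSecVpnService", "enabled": True}),
        (EP, {"resource_type": "IPSecVpnLocalEndpoint",
              "local_address": "192.168.55.2", "local_id": "192.168.55.2"}),
        (f"{SVC_PATH}/sessions/AzureSecSession", {
            "resource_type": "PolicyBasedIPSecVpnSession",
            "peer_address": peer_ip, "peer_id": peer_ip,
            "authentication_mode": "PSK", "psk": psk,
            "local_endpoint_path": EP, "ike_profile_path": IKE,
            "tunnel_profile_path": TUN, "dpd_profile_path": DPD,
            # one protect rule: segment subnet <-> Azure vNet subnet
            "rules": [{"resource_type": "IPSecVpnRule", "action": "PROTECT",
                       "sources": [{"subnet": local_subnet}],
                       "destinations": [{"subnet": remote_subnet}]}]}),
    ]


def redacted(body):
    """Copy of a payload that is safe to log: the PSK is masked."""
    return {k: ("<redacted>" if k == "psk" else v) for k, v in body.items()}


if __name__ == "__main__":
    # Constructed sample values; the real PSK comes from NSX_VPN_PSK.
    for path, body in vpn_objects("203.0.113.10", "10.10.0.0/24", "10.20.0.0/16",
                                  os.environ.get("NSX_VPN_PSK", "CHANGE-ME")):
        print("PATCH /policy/api/v1" + path, json.dumps(redacted(body)))
```

Send each pair with an authenticated PATCH to the NSX Manager, in the listed order, and verify the manager certificate against your CA bundle rather than disabling TLS verification.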

Summary

After completing the steps I have described above, your on-premises side of the site-to-site Azure VPN connection is ready to connect. In the next blog post, I will take you through the steps on the Azure side to finish the site-to-site VPN configuration. Please remember that, at this stage, your VPN connection status is “fail”. This is expected; we have more to do to finish the configuration. Until the next blog is posted, please let me know if you have any questions.
