Azure Redundant Tunnels - Virtual WAN

Introduction

This guide will assist you in setting up redundant tunnels between your Harmony SASE network and Azure Virtual WAN. By leveraging redundant tunnels, you ensure network continuity even if one of the tunnels experiences disruptions.

Breakdown of topics

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

Pre-requisites

To successfully follow this guide, you should have:

1. An active Harmony SASE account and network.
2. The Harmony SASE app is installed on your devices.
3. An active Azure account with admin permissions.

Configuration Steps

Create Harmony SASE  Gateways

1. Your Harmony SASE Network will need to have at least two different gateways in the same network, as listed below.
   
2. Write down the Public IPs for both GWs. Those IPs will be used for the local network gateways on Azure.

Create a Virtual WAN on Azure

1. In your Azure Portal under Virtual WANs, click on +Create
   
   • Provide the Virtual WAN with a meaningful name.
   • Select the relevant Subscription, Resource group, and Region.
     
   • Type - Standard
   • Click on Review+create
   • Click on Create

Create virtual hub

Next, you will need to create a virtual hub:

1. In your Azure Portal under the created Virtual WAN, select Hubs from the left pane and click on +New Hub.

   
   

   
   
2. Fill in the following information on the Basics tab.
   • Select the relevant Region.
   • Provide the Hub with a meaningful name.
   • Endpoint - IP Address.
   • Hub private address space - select a CIDR range that isn't overlapping with any existing CIDR (/24 range is the minimal one).
   • Address Space - Fill in your Permieter81 Address space.
   • Virtual hub capacity - select the relevant option according to the maximum number of VMs to be connected through this hub.
     
     
3. Fill in the following information in the Site to site tab:
   • Create a Site to site - Yes
   • Gateway scale units - select the appropriate option from the list
     
   • Routing preference - Microsoft network
     
4. Click on Review+create.
5. Click on Create.

Create a site

1. In your Azure Portal under the created Virtual WAN, select VPN sites from the left pane and click on +Create site.
   
2. Fill in the following information:
   • Name: Enter a meaningful name
   • Region: Select the appropriate region
   • Device vendor: Enter "Harmony SASE" to mark this site as providing connectivity to Harmony SASE
   • Private address space: Leave empty
     
3. Click on Next:Links to proceed to the link page and add the following information:
   • Link name: Enter a meaningful name, pointing to the first Harmony SASE gateway to be connected
   • Link speed: 1024
   • Link provider name: Enter "Harmony SASE" to mark this site as providing connectivity to Harmony SASE
   • Link IP address: The IP address of the first Harmony SASE gateway to be connected
   • Link BGP address: Type any address from the permitted range
   • Link ASN: Type the ASN for your Harmony SASE network
4. Repeat the above step to add the details for the second connection (the second gateway):
   
5. Click on Review+create and on the next screen click on Create.
   

Connect the site to your virtual hub

1. In your Azure Portal under the created Virtual WAN, select Hubs from the left pane and select your hub.
2. On the hub page click on VPN (Site to site) from the left pane under Connectivity.
   
3. On the VPN (Site to site) page clear the filter to view your site in the list.
   
4. Select the checkbox next to the created site and click on Connect VPN Sites.
   
5. On the Connect sites screen add the following information:
   • Pre-shared key: Enter a PSK to be used for this connection
   • Protocol: IKEv2
   • IPsec: Custom
   • SA Lifetime in seconds: 28800
   • IKE Phase 1:
     Encryption - AES256
     Integrity/PRF - SHA256
     DH Group - DHGroup14
   • IKE Phase 2(ipsec):
     IPsecEncryption - AES256
     IPsec Integrity - SHA256
     PFS Group - PFS14
   • Propogate Default Route: Disable
   • Use policy based traffic selector: Disable
   • Configure traffic selector: No
   • Connection Mode: Default
     
6. Click on Connect.
7. On the VPN (Site to site) screen Configure the gateway by clicking on View/Configure
   
8. On theEdit VPN Gateway screen add the following information:
   • Under VPN Gateway Instance 0, set the Custom BGP IP Address to be from the same network range as the BGP address for the first link
   • Under VPN Gateway Instance 1, set the Custom BGP IP Address to be from the same network range as the BGP address for the second link
     
9. Click on Edit and then on Confirm.
10. From the VPN (site to site) screen download the configuration by clicking on Download VPN Config
    

Creating the High Availability Harmony SASE Tunnel

1. On Your Harmony SASE Admin console, Navigate to your network.
2. Click "..." next to one of the gateways and select Add Tunnel.
3. Select Redundant Tunnels.
   
4. Select a logical name for your tunnel, 
   • For example, if your V-Net is located in the EU-West region of Azure, you could name the tunnel "EUWest". 
5. Copy the values for the first tunnel from the downloaded configuration file:
   • Shared Secret: PSK
     Harmony SASE gateway Internal IP: Inside IP Addresses of Customer Gateway
   • Remote Public IP & Remote ID: Public IP Addresses of Instance0
     Remote Gateway internal IP: BGPPeeringAddress of Instance0
   • Remote Gateway ASN: Azure ASN
     In Harmony SASE, your Tunnel page should look like this:
     
6. Repeat step 5 for the second Tunnel.
7. Under Shared Settings, you'll want to make sure to select Any(0.0.0.0/0) for both sides. ASN number should remain the same for the Harmony SASE side.
   
8. Under Advanced Settings match the following (unless you have configured customer settings on the Azure side):
   
9.  Click Add Tunnel.

Creating Static Routes

1. Navigate to your Harmony SASE network and add the route to the corresponding subnet in Azure.
2. You'll want to select "..." next to your network and then Routes Table.
   
3. Once that has been completed be sure to select "Apply Configuration" and let the route changes propagate on the Harmony SASE side.
   

Verifying the Setup

Once set up, your redundant tunnels should be active. To confirm, go to your Harmony SASE dashboard, find the tunnels you started, and ensure their status shows "Up". Connect to your network with the Harmony SASE agent and try accessing resources in your Azure environment.

Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.