Azure Virtual network gateway

Introduction

This guide will walk you through the process of establishing a Site-to-Site VPN tunnel between your Harmony SASE network and your Azure environment.

Breakdown of topics

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

Pre-requisites

To successfully follow this guide, you should have:

1. An active Harmony SASE account and network.
2. The Harmony SASE app installed on your devices.
3. An active Azure account with admin permissions.

Creating a Gateway Subnet

1. In your Azure Management Portal, navigate to the Virtual networks.
   
   
2. Select the Virtual Network to which you'd like to create a gateway, and click Subnets.
   
3. Select + Gateway subnet (the name of the subnet is filled in with the value "Gateway subnet" by default).
4. If needed, adjust the auto-filled Address range values. This subnet is going to be used for the Virtual Gateway only.
5. In case this range is not automatically filled in:
   • Go to address space-> +Add
   • Select a random /27 bit mask subnet space (for example 10.1.255.0/27)

Creating a Virtual Network Gateway

1. Click Home to go back to the Azure Portal.
   
2. On the left side of the portal page, select +Create a resource.
   
3. Type Virtual Network Gateway in the Search line.
   

3. Select Create.
   Fill in the fields with the following information:
   • Name: Your gateway name.
   • Region/Location: Select the Virtual Network location\region where your resources are.
   • Gateway type: Select VPN.
   • VPN type: Select Route-based.
   • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN you select.
     
   • Virtual network: Select the Virtual network that contains the resources you want to reach via the tunnel.
     • Select a Virtual network to open the Choose a virtual network page.
       If you don't see your VNet, make sure the Location/Region field is pointing to the region in which your virtual network is located.
     • Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network. If you previously created a valid gateway subnet, this field will not appear.
     • Public IP address: Click Create New, or choose an existing IP used by your organization.
     • Enable active-active mode: Disabled.
     • Configure BGP ASN: Disabled.
     • Select Review+create to begin creating the VPN gateway.
       

Creating a Local Network Gateway

1. Click Home to go back to the Azure Portal.
   
2. On the left side of the portal page, select +Create a resource.
   
3. In the search box, type "Local network gateway," Select Local network gateway, then select Create to open the Create local network gateway page.
   Fill in the fields with the following information:
   • Name Your gateway name.
   • IP address: Specify your Harmony SASE gateway IP.
     
   • Address Space: Insert your Harmony SASE subnet (make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to).
   • Subscription: Verify that the correct subscription is showing.
   • Resource Group: Select the resource group that you want to use. You can either create a new resource group or select one that you have already created.
   • Location: Select a location that this object will be created in.You may want to select the location in which your Virtual Network resides, however it is not a requirement.
   • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN you select.

4. Select Create at the bottom of the page to create the local network gateway.
   

Creating the IPSEC tunnel connection

1. Open your Virtual Network Gateway page.
2. Once it opens, go to Settings, and select Connections.
3. Click +Add.
   
4. Fill in the fields with the following information:
   • Name Your connection name.
   • Connection type: Select Site-to-site (IPSec).
5. Click the "Next: Settings >" button.
   
   • Virtual network gateway: Since you are connecting from this gateway this value (the IP you received from Azure) is fixed.
   • Local network gateway: The local network gateway (your Harmony SASE network address) which you have just created is the fixed value.
   • Shared Key (PSK): Create a unique value that will later match the value that you are using for your Harmony SASE tunnel.
   • IKE Protocol: Select IKev2.
   • DPD timeout in seconds: 30
   • Select Review + Create to create your connection.
     
6. Select the connection you just created and select configuration.
   
   Under IPsec / IKE policy, choose Custom and use the following values to align with the values set in Harmony SASE's tunnel settings

   Encryption: AES256
   Integrity/PRF: SHA1
   DH Group: DHGroup2
   
   

   IPsec Encryption: AES256
   IPsec Integrity: SHA1
   PFS Group: PFS2

   IPsec SA lifetime in KiloBytes: 102400000
   IPsec SA lifetime in seconds: 27000
   

7. After you are done, a configuration file can be downloaded by navigating to Overview -> Download configuration
8. Select "Generic Samples", then "Device Parameters". For the Firmware version, select 1.0.
9. Click "Download Configuration"
   

Harmony SASE Settings

1. Open your Harmony SASE Management Platform and go to the Network tab.
   
2. Go to the gateway in your network from which you want to create the tunnel to Azure, select the three-dotted menu (...) beside it, and select Add Tunnel.
   
3. Select IPSec Site-2-Site Tunnel and select Continue.
4. Fill in the fields with the following information:
   • Name: Enter a name of your choice.
   • Shared Secret: Enter the same Shared secret you set in the Azure Portal.
   • Public IP: Enter the Azure Virtual network gateway public IP.
   • Remote ID: Enter the Azure Virtual network gateway remote ID.
   • Harmony SASE Gateway Proposal Subnets: Any (0.0.0.0/0).
   • Remote Gateway Proposal Subnets: Any (0.0.0.0/).
     
   • Advanced Settings
     • Open the configuration file that you downloaded earlier, and scroll to [2] IPsec/IKE parameters. 
     • Fill in your Harmony SASE tunnel configuration per the values in the file.
     • For example, if your file looks like this:
       
     • You would want to configure matching values in your Harmony SASE tunnel, like so:
       
5. When the tunnel values match, select Add Tunnel.
6. Once the tunnel is done, to add the routes - Click the "..." button at the top right corner of the network -> then select Routes Table.
   
7. Click on Add Route.
8. Input all of the Subnets on the Azure Side, then click "Add Route"
   
9. After you are done, click Apply Configuration.
   

Verifying the VPN connection

1. Open your Virtual Network Gateway page.
2. Once it opens, go to Settings, and select Connections.
3. Select the connection you created. Under the Overview tab, make sure that the Status is Connected and that there is data going out and coming in.
   
   

Verifying the Setup

Once set up, your redundant tunnels should be active. To confirm, go to your Harmony SASE dashboard, find the tunnels you started, and ensure their status shows "Up". Connect to your network with the Harmony SASE agent and try accessing resources in your Azure environment.

Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at support@perimeter81.com. We're here to assist you and ensure your VPN tunnel setup is a success.