Since the emergence of public cloud there has been steady demand to connect enterprise on-premise private cloud infrastructure with public cloud. This article is an introduction to using an existing Citrix NetScaler VPX to establish secure site-to-site connectivity between a private cloud and Microsoft Azure.
You will need the following to set up a Site to Site VPN connection between Microsoft Azure and your on-premise infrastructure:
*Refer to Citrix NetScaler Data Sheet
In this article we will follow the network diagram below so that we can better understand how the configuration achieves site-to-site connectivity between on-premise and Microsoft Azure.
After installing Microsoft Azure PowerShell 1.0 (the AzureRm module; the cmdlet names below are from that generation), launch the Microsoft Azure PowerShell console with elevated privileges to begin.
First, we log in to Microsoft Azure from Azure PowerShell with the following command.
# Login to Azure using Azure PowerShell Cmdlet
Login-AzureRmAccount ;
Login using your Microsoft Azure credential and select Sign in.
If you have multiple Microsoft Azure subscriptions, such as MSDN, ClientA, ClientB and ClientC, first find out which subscription you will use to create the Virtual Network and select it with the commands below.
# Get a list of Azure Subscriptions
Get-AzureRmSubscription ;
# Select a Azure Subscription to use
Select-AzureRmSubscription `
-Subscriptionid "GUID of subscription" ;
With the subscription selected, we create an Azure Resource Manager resource group and choose the Azure datacenter region with the commands below.
# Create a new Azure Resource Manager Resource Group
New-AzureRmResourceGroup `
-Name "ARM-MyLAB-DEV" `
-Location "Australia Southeast" ;
With the resource group defined, we create the Virtual Network with one subnet per environment inside that resource group. Take note that GatewaySubnet is a reserved name in Azure: the virtual network gateway is always placed in the subnet with exactly this name. A /29 is the smallest gateway subnet Azure accepts; Microsoft recommends /27 or larger to leave room for future gateway configurations.
# Create your Azure Virtual Network
# Build the subnet configurations first. GatewaySubnet is the reserved name
# Azure requires for the subnet that hosts the virtual network gateway.
$subnets = @(
    (New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.0.2.248/29"),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet-PRD" -AddressPrefix "10.0.2.0/25"),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet-STG" -AddressPrefix "10.0.2.128/27"),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet-UAT" -AddressPrefix "10.0.2.160/27"),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet-TST" -AddressPrefix "10.0.2.192/27"),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet-DEV" -AddressPrefix "10.0.2.224/28"),
    (New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet-DMZ" -AddressPrefix "10.0.2.240/29")
) ;
New-AzureRmVirtualNetwork `
-Name "AVN-MyLAB-DEV" `
-ResourceGroupName "ARM-MyLAB-DEV" `
-Location "Australia Southeast" `
-AddressPrefix "10.0.2.0/24" `
-Subnet $subnets ;
With the Virtual Network created in Azure, we define the on-premise side as a local network gateway: GatewayIpAddress is the public IP address your on-premise firewall presents to the Internet, and AddressPrefix lists the on-premise subnets that should be reachable through the tunnel. This tells the Azure gateway the routes to your on-premise network; for a PolicyBased gateway these prefixes also become the IPsec traffic selectors.
# Add your On-Premise Local Site for Site-to-Site VPN Connections
New-AzureRmLocalNetworkGateway `
-Name "LNG-MyLAB-OnPremise" `
-ResourceGroupName "ARM-MyLAB-DEV" `
-Location "Australia Southeast" `
-GatewayIpAddress "125.236.XXX.XXX" `
-AddressPrefix @("192.168.100.0/24","192.168.150.0/24","172.16.0.0/16") ;
Once the on-premise local network is defined, we create the Virtual Network Gateway with its IP configuration and request a public IP address from Azure, using a PolicyBased VPN gateway. Let the command run and take a 5-15 minute coffee break while Azure provisions the gateway instances in the GatewaySubnet; the dynamic public IP address is allocated as part of that provisioning. PolicyBased is the gateway type that negotiates IKEv1, which is what the NetScaler CloudBridge profile later in this article uses; be aware that a PolicyBased gateway supports only a single site-to-site connection and does not support Perfect Forward Secrecy.
# Create a VPN Gateway for Site-to-Site VPN Connection
$vnet = Get-AzureRmVirtualNetwork -Name "AVN-MyLAB-DEV" -ResourceGroupName "ARM-MyLAB-DEV" ;
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet ;
# Request a dynamic Public IP Address for the gateway; the address is only
# populated once the gateway has been created, so read it back afterwards
$pip = New-AzureRmPublicIpAddress `
-Name "PIP-MyLAB-DEV" `
-ResourceGroupName "ARM-MyLAB-DEV" `
-Location "Australia Southeast" `
-AllocationMethod "Dynamic" ;
$gwIpConfig = New-AzureRmVirtualNetworkGatewayIpConfig `
-Name "AGW-MyLAB-DEV-Conf" `
-SubnetId $gwSubnet.Id `
-PublicIpAddressId $pip.Id ;
New-AzureRmVirtualNetworkGateway `
-Name "AGW-MyLAB-DEV" `
-ResourceGroupName "ARM-MyLAB-DEV" `
-Location "Australia Southeast" `
-IpConfigurations $gwIpConfig `
-GatewayType "Vpn" `
-VpnType "PolicyBased" ;
After the Azure Virtual Network Gateway has been created, we create the Virtual Network Gateway Connection by referencing the virtual network gateway, the local network gateway, the connection type and a pre-shared key (PSK) for authentication. The PSK is the only thing authenticating the two endpoints, so use a long random value (Azure accepts up to 128 printable ASCII characters) rather than a memorable phrase; the short key shown here is for the lab only.
# Create the Site-to-Site VPN Connection with Custom PSK
$vpnGateway = Get-AzureRmVirtualNetworkGateway -Name "AGW-MyLAB-DEV" -ResourceGroupName "ARM-MyLAB-DEV" ;
$localGateway = Get-AzureRmLocalNetworkGateway -Name "LNG-MyLAB-OnPremise" -ResourceGroupName "ARM-MyLAB-DEV" ;
New-AzureRmVirtualNetworkGatewayConnection `
-Name "AVNGWC-MyLAB-DEV" `
-ResourceGroupName "ARM-MyLAB-DEV" `
-Location "Australia Southeast" `
-VirtualNetworkGateway1 $vpnGateway `
-LocalNetworkGateway2 $localGateway `
-ConnectionType IPsec `
-RoutingWeight 10 `
-SharedKey "MyLABPreSharedK3y" ;
# The same key must be configured in the NetScaler IPSEC profile on the on-premise side
Hooray! We are halfway to establishing site-to-site connectivity. Use the commands below to obtain the public IP address Azure allocated to the gateway; it is the remote endpoint in the NetScaler configuration. Because the address was requested as Dynamic, it is only populated after the gateway has finished provisioning. Once the NetScaler side is configured, the connection's ConnectionStatus in Azure changes to Connected.
# Get Gateway Public IP Address for Site-to-Site configuration
# on NetScaler CloudBridge IPSEC IP Tunnel
Get-AzureRmPublicIpAddress `
-Name "PIP-MyLAB-DEV" `
-ResourceGroupName "ARM-MyLAB-DEV" | `
Select IPAddress ;
Before any NetScaler configuration, we need to ensure that the CloudBridge feature is enabled. If you are unable to enable CloudBridge on your NetScaler, verify with Citrix that your appliance is licensed for it.
# Enable Cloudbridge feature
enable ns feature Cloudbridge
# Verify Cloudbridge feature is Enabled / ON
show ns feature
For the tunnel to be established, we need an IPSEC profile carrying the pre-shared key (PSK) used to authenticate with Microsoft Azure, with encryption parameters matching what a PolicyBased Azure gateway negotiates: IKEv1, SHA1 integrity and no Perfect Forward Secrecy. The PSK must match the SharedKey given to New-AzureRmVirtualNetworkGatewayConnection character for character.
# Add an IPSEC profile with the PSK for authentication with Microsoft Azure
# -ikeVersion v1 and -perfectForwardSecrecy DISABLE are required by an Azure PolicyBased gateway;
# -psk must be identical to the -SharedKey set on the Azure connection
add ipsec profile IPSec-Profile-Azure-MyLab -psk MyLABPreSharedK3y -ikeVersion v1 -encAlgo AES -hashAlgo HMAC_SHA1 -ikeRetryInterval 60 -lifetime 3600 -perfectForwardSecrecy DISABLE
Next, create the IP tunnel to Microsoft Azure. The first address is the public IP allocated to the Azure gateway (the remote endpoint, with a /32 mask) and the second is a NetScaler-owned IP on your on-premise network (normally a SNIP) that terminates the tunnel locally; the IPSEC profile supplies the authentication parameters. If the appliance sits behind a firewall, the firewall must translate that local address to the public IP declared on the Azure local network gateway and pass IKE (UDP 500 and 4500) and ESP (IP protocol 50) to it.
# Add an IPTunnel to the Microsoft Azure gateway Public IP Address, terminated on the local SNIP,
# using the IPSEC profile for authentication
add iptunnel IPSec_Azure-to-MyLab 40.127.XXX.XXX 255.255.255.255 192.168.150.3 -protocol IPSEC -ipsecProfileName IPSec-Profile-Azure-MyLab
Now we shape the traffic with a policy based route (PBR) that specifies which on-premise subnet should reach which Azure subnet through the tunnel. The -ipTunnel name must match the tunnel created above exactly. Only traffic matched by a PBR enters the tunnel, so each prefix declared on the Azure local network gateway (here also 192.168.150.0/24 and 172.16.0.0/16) needs its own PBR if it is to reach Azure.
# Add a policy based route (PBR) for On-Premise subnet range to Microsoft Azure subnet range
add pbr PBR_Azure-to-MyLab allow -srcIP 192.168.100.0-192.168.100.255 -destIP 10.0.2.0-10.0.2.255 -iptunnel IPSec_Azure-to-MyLab
apply pbrs
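Most tunnels that stay DOWN at this point do so because the two halves disagree on something small. The following is an added example, not code from the article, Citrix or Microsoft: a Python checker that parses the three NetScaler commands and compares them with the Azure-side values (PSK present and strong on both sides, IKEv1/SHA1/no-PFS for a PolicyBased gateway, the PBR naming the tunnel exactly, PBR ranges inside the declared prefixes, and every local network gateway prefix having a PBR). The gateway IP 40.127.1.2 is a constructed placeholder for the masked 40.127.XXX.XXX, and the sample config deliberately capitalises the tunnel name differently in the PBR so the check has something to find.

```python
"""Cross-check the NetScaler CloudBridge side of the tunnel against the Azure
side.  Added example, not from the article, Citrix or Microsoft: it parses
'add ipsec profile', 'add iptunnel' and 'add pbr' lines and reports the
mismatches that usually keep a policy-based Azure tunnel down.
"""
import ipaddress
import secrets

# Azure-side values.  The gateway IP is a constructed placeholder standing in
# for the masked 40.127.XXX.XXX in the article; the rest match the article.
AZURE = {
    "vpn_type": "PolicyBased",
    "gateway_ip": "40.127.1.2",
    "vnet_prefix": "10.0.2.0/24",
    "lng_prefixes": ["192.168.100.0/24", "192.168.150.0/24", "172.16.0.0/16"],
    "psk": "MyLABPreSharedK3y",
}

# Constructed NetScaler config: the article's three commands, with the tunnel
# name deliberately capitalised differently in the PBR so the check catches it.
NS_CONFIG = """
add ipsec profile IPSec-Profile-Azure-MyLab -psk MyLABPreSharedK3y -ikeVersion v1 -encAlgo AES -hashAlgo HMAC_SHA1 -ikeRetryInterval 60 -lifetime 3600 -perfectForwardSecrecy DISABLE
add iptunnel IPSec_Azure-to-MyLab 40.127.1.2 255.255.255.255 192.168.150.3 -protocol IPSEC -ipsecProfileName IPSec-Profile-Azure-MyLab
add pbr PBR_Azure-to-MyLab allow -srcIP 192.168.100.0-192.168.100.255 -destIP 10.0.2.0-10.0.2.255 -iptunnel IPSec_Azure-To-MyLab
"""


def _opts(tokens):
    """Turn '-key value ...' into a dict; NetScaler keywords are case-insensitive."""
    return {tokens[i].lstrip("-").lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def parse_ns(config):
    """Return (ipsec profiles, ip tunnels, pbrs); entity names keep their case."""
    profiles, tunnels, pbrs = {}, {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if [w.lower() for w in t[:3]] == ["add", "ipsec", "profile"]:
            profiles[t[3]] = _opts(t[4:])
        elif [w.lower() for w in t[:2]] == ["add", "iptunnel"]:
            tunnels[t[2]] = {"remote": t[3], "mask": t[4], "local": t[5], **_opts(t[6:])}
        elif [w.lower() for w in t[:2]] == ["add", "pbr"]:
            pbrs.append({"name": t[2], "action": t[3].upper(), **_opts(t[4:])})
    return profiles, tunnels, pbrs


def _inside(ip_range, prefixes):
    """True if a NetScaler 'a.b.c.d-e.f.g.h' (or single IP) range lies within one prefix."""
    lo, _, hi = ip_range.partition("-")
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
    return any(lo in ipaddress.ip_network(p) and hi in ipaddress.ip_network(p) for p in prefixes)


def check(azure, config):
    """Return a list of human-readable findings; an empty list means both sides agree."""
    findings = []
    profiles, tunnels, pbrs = parse_ns(config)
    psk = azure["psk"]
    if len(psk) < 32 or not (psk.isascii() and psk.isprintable()):
        findings.append("pre-shared key is shorter than 32 printable ASCII characters; generate one with new_psk()")
    for name, tun in tunnels.items():
        prof = profiles.get(tun.get("ipsecprofilename", ""))
        if prof is None:
            findings.append(f"tunnel {name}: IPsec profile {tun.get('ipsecprofilename')} is not defined")
            continue
        if tun["remote"] != azure["gateway_ip"]:
            findings.append(f"tunnel {name}: remote {tun['remote']} is not the Azure gateway public IP {azure['gateway_ip']}")
        if prof.get("psk") != psk:
            findings.append(f"tunnel {name}: NetScaler PSK differs from the Azure connection shared key")
        if azure["vpn_type"] == "PolicyBased":
            # An Azure policy-based gateway negotiates IKEv1 with SHA1 and no PFS.
            if prof.get("ikeversion", "").lower() != "v1":
                findings.append(f"tunnel {name}: PolicyBased gateway requires -ikeVersion v1")
            if prof.get("perfectforwardsecrecy", "").upper() != "DISABLE":
                findings.append(f"tunnel {name}: PolicyBased gateway requires -perfectForwardSecrecy DISABLE")
            if prof.get("hashalgo", "").upper() != "HMAC_SHA1":
                findings.append(f"tunnel {name}: PolicyBased gateway requires -hashAlgo HMAC_SHA1")
    for pbr in pbrs:
        if pbr.get("iptunnel") not in tunnels:
            findings.append(f"pbr {pbr['name']}: -ipTunnel {pbr.get('iptunnel')} does not match any tunnel name exactly")
        if not _inside(pbr.get("srcip", "0.0.0.0"), azure["lng_prefixes"]):
            findings.append(f"pbr {pbr['name']}: -srcIP {pbr.get('srcip')} is outside the local network gateway prefixes")
        if not _inside(pbr.get("destip", "0.0.0.0"), [azure["vnet_prefix"]]):
            findings.append(f"pbr {pbr['name']}: -destIP {pbr.get('destip')} is outside the VNet address space")
    # Every prefix advertised to Azure needs a PBR, or its traffic never enters the tunnel.
    for prefix in azure["lng_prefixes"]:
        if not any(_inside(p.get("srcip", "0.0.0.0"), [prefix]) for p in pbrs):
            findings.append(f"local prefix {prefix} is declared on the Azure local network gateway but no PBR routes it into the tunnel")
    return findings


def new_psk():
    """64 hex characters from the OS CSPRNG: safe in both CLIs and within Azure's 128-character limit."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    for finding in check(AZURE, NS_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports four findings: the weak PSK, the PBR that does not name the tunnel exactly, and the two local network gateway prefixes with no PBR. new_psk() produces a 64-character hex key that can be pasted unchanged into both -SharedKey on the Azure connection and -psk in the NetScaler profile.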
In this example, after the configuration has synchronised between the primary and secondary NetScaler VPX, we check that the tunnel status is UP and then demonstrate a NetScaler high availability failover of the CloudBridge site-to-site IPSEC IP tunnel from primary to secondary. During the failover the tunnel terminates on the primary (tunnel status DOWN) and is re-established from the secondary after the configured IKE retry interval. There you go: you now have site-to-site connectivity between on-premise and Microsoft Azure.