Deploying Aruba Virtual Gateway in Microsoft Azure (Managed Mode)
Aruba Central supports deploying Virtual Gateways in Microsoft Azure using the orchestrated mode. For orchestrated-mode deployments, Aruba Central provides an orchestration service that automates Virtual Gateway deployments. The orchestrator application in Aruba Central enables IT administrators to bring up, configure, and monitor Virtual Gateways from the Aruba Central management interface.
Setting up a Virtual Gateway Instance using the Orchestration Service
To instantiate Virtual Gateways using the orchestrator application, complete the following steps:
Before deploying an Aruba Virtual Gateway in an Azure VNET, ensure that you have the following resources and account privileges:
A valid subscription and administrator credentials to access your Azure account.
A valid subscription and Aruba Central account credentials to deploy Virtual Gateways.
Aruba Virtual Gateway VHD image.
You can configure an Aruba Virtual Gateway in Microsoft Azure using either the Azure Cloud Shell or the Azure graphical user interface (UI). The configuration steps described in this document are based on the UI workflows.
Currently, only the VGW-500MB SKU (Stock Keeping Unit) is supported in Microsoft Azure.
Enterprise software-as-a-service (SaaS) providers develop commercial cloud service applications that can be integrated with the Microsoft identity platform to provide secure sign-in and authorization for their services. Follow these steps to register a new application in Azure:
1. Sign in to the Azure portal. On the Home screen, select from the Azure services listed.
2. In the App registrations page, click to initiate the registration process.
3. In the page, enter these details:
—Enter an account name for easy identification. This is a mandatory field.
—Select the profile or entity that can access this application. By default is selected.
—After successfully authenticating the user, a response is sent to this URI (Uniform Resource Identifier). This is an optional field and can be updated later.
Figure 1 Registering an app
4. Click to complete the registration. The new application page loads in a few seconds.
Creating a Client Secret
To ensure that the application communication is secure, follow these steps to create a client secret:
When the Client secret key expires, the orchestration page displays an access denied message. Follow these steps to create a new client secret key.
1. To set the client secret, on the left side navigation pane click .
2. Click the , to open the Add a client secret pane.
3. In the Add a client secret pane, enter a description of the secret and the duration of the secret validity and click .
4. In the Certificate & secrets page, the new secret will be displayed along with the .
Copy the secret value immediately, as it is hashed out after approximately ten minutes.
Figure 2 Setting up a Client secret
Adding the Application Permissions
Follow the steps listed here to set the permissions for access and control of the application:
1. To set the application permissions, on the left side navigation pane click .
2. In the pane, click to open the pane.
4. is selected by default, place a check mark in the box next to and click .
5. The API with the selected permission is now added to the list of permitted APIs.
Figure 3 Adding the Application permissions
Setting up Access control and Role Assignments
Once the application is set up, a role needs to be assigned to the application. Follow these steps to assign a role to the application:
1. In the search box on the home screen search for , and select subscriptions from the displayed service options.
2. In the page, select the subscription that you are working with.
3. Select from the left side navigation to open the access control pane.
4. In the access control pane, select the tab, and click the and choose .
5. In the Add role assignment set the following details:
—Select the role to be assigned to the app. In this configuration, set the role as . Role changes and assignments can only be made by an administrator.
—Assign the access level for the role.
—Set the application, user, or device that inherits the above properties. Search using the name or email address that are registered.
Choose the user or application from the displayed options.
6. Click to save and exit.
Figure 4 Role assignments
Viewing the Application IDs
The application IDs are needed to start the onboarding process in Aruba Central. Follow these steps to view the application IDs:
1. In the search box on the home screen search for App registrations, and select from the displayed service options.
2. In the page, select the application that you registered; the application details pane opens. Note down the following IDs to be used during the onboarding in Aruba Central:
Figure 5 Viewing the application IDs
A resource group in Azure is a logical container that consists of the resources required for deploying a virtual machine (VM). Resource groups allow you to logically group related resources such as storage accounts, virtual networks, and VMs, and to deploy and manage all these resources as a single entity.
Note the following important points about resource groups in Azure:
A resource group can contain resources from different regions or locations.
Access control for administrative actions can be scoped with a resource group.
Resources can be added or removed from a group at any time.
Resources can be moved from one group to another group.
Each resource can only exist in one resource group.
Resources can interact with resources in other resource groups.
To verify if your subscription has a resource group, click > .
If you do not have a resource group created in your Azure subscription, complete the following steps to create a resource group:
1. Log in to Azure portal using your Azure account credentials.
2. Click to access Dashboard and then search for Resource Groups in the search box to access the configuration page.
3. Click .
4. In the tab, enter the following information:
—Select your Microsoft Azure subscription.
—Enter a name for the resource group.
—Select the geographic location for the resource group.
5. Click and then click .
Azure VNETs enable you to securely connect your Azure resources with each other. You can use VNETs to provision and manage VPNs in Azure and, optionally, link the VNETs with other VNETs in Azure, or with your on-premises IT infrastructure to create hybrid or cross-premises solutions.
Deploying an Aruba Virtual Gateway in a customer VNET brings the SD-WAN (Software-Defined Wide Area Network) fabric into the VNET and thus enables connectivity to physical sites, such as branches and data centers.
Azure deletes your VNETs when a subscription is disabled. If the subscription is re-enabled, you must recreate the resources.
The orchestration app creates eight /27 subnets; ensure that the VNET has a /24 block reserved for the interconnect subnets.
If you do not have a VNET created in your Azure subscription, complete the following steps to bring up the VNET in Azure:
1. On the Azure portal, go to > > . You can also search for virtual network on the Home page to access the configuration page.
2. On the page, ensure that the selected deployment model is set as , and click . The page opens.
3. Configure the following parameters:
—Enter a name for the virtual network.
—Enter the allocated address space details.
—Select a subscription.
—Select the resource group to which you want to attach the VNET.
—Select a valid location.
—Enter the following information:
(Optional)—Select either or based on your subscription plan.
(Optional)—Select either or based on your requirement. This is set to by default.
(Optional)—Select either or based on your requirement. This is set to by default.
4. Click to complete the creation of the virtual network.
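The sizing rule above (eight /27 interconnect subnets, so one /24 must be free inside the VNET) is easy to get wrong when a VNET already has subnets in use. The following Python is an added example, not part of the original document or of the orchestrator: it derives the /24 reservation from the page's numbers, searches the VNET address space for a /24 that does not overlap any existing subnet, and splits that block into the eight /27 subnets. The sample VNET and its in-use subnets are constructed for the example.

```python
import ipaddress

# Sizing facts from the page: the orchestrator creates eight /27 interconnect
# subnets, which must fit in one reserved /24 inside the VNET address space.
INTERCONNECT_SUBNET_COUNT = 8
INTERCONNECT_PREFIX = 27


def reserved_block_prefix(count=INTERCONNECT_SUBNET_COUNT, prefix=INTERCONNECT_PREFIX):
    """Prefix length of the smallest block that holds `count` subnets of /`prefix`."""
    bits = 0
    while (1 << bits) < count:      # ceil(log2(count)) without floating point
        bits += 1
    return prefix - bits            # 8 x /27 -> /24


def find_free_block(vnet_address_spaces, existing_subnets, block_prefix=None):
    """First /block_prefix in the VNET that overlaps no existing subnet, or None."""
    if block_prefix is None:
        block_prefix = reserved_block_prefix()
    used = [ipaddress.ip_network(s, strict=False) for s in existing_subnets]
    for space in vnet_address_spaces:
        net = ipaddress.ip_network(space, strict=False)
        if net.prefixlen > block_prefix:   # address space is smaller than the block we need
            continue
        for candidate in net.subnets(new_prefix=block_prefix):
            if not any(candidate.overlaps(u) for u in used):
                return candidate
    return None


def plan_interconnect_subnets(block):
    """Split the reserved block into the eight /27 interconnect subnets."""
    block = ipaddress.ip_network(block, strict=False)
    subnets = list(block.subnets(new_prefix=INTERCONNECT_PREFIX))
    if len(subnets) < INTERCONNECT_SUBNET_COUNT:
        raise ValueError(f"{block} holds only {len(subnets)} /{INTERCONNECT_PREFIX} subnets")
    return subnets[:INTERCONNECT_SUBNET_COUNT]


if __name__ == "__main__":
    # Constructed sample: a /16 VNET with two subnets already in use (not from the page).
    vnet = ["10.20.0.0/16"]
    in_use = ["10.20.0.0/24", "10.20.1.0/25"]
    block = find_free_block(vnet, in_use)
    print("reserve for interconnect:", block)
    for subnet in plan_interconnect_subnets(block):
        print("  ", subnet)
```

Run the check before creating the VNET (or before onboarding an existing one): a `None` result means the address space cannot host the interconnect block and the VNET needs a larger or additional address range.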
A storage account in Azure provides a unique namespace to store and access your Azure storage objects. Every storage account must belong to an Azure resource group.
For Aruba Virtual Gateway deployments, you will need a storage account to store the software image and also a separate storage account for Boot Diagnostics. The Boot Diagnostics option allows you to view logs pertaining to VM boot issues. You can enable the Boot Diagnostics option when configuring a VM.
If you do not have a storage account created and mapped to the resource group that you want to use for Aruba Virtual Gateway deployment, complete the following steps:
1. Log in to your Azure account.
2. Select > .
3. In the window, click .
4. Enter a unique name for your storage account.
The name must be between 3 and 24 characters in length, and can include numbers and lowercase letters.
5. Choose a and that this account is linked to.
6. Enter the , and
7. Click , ensure that the account validation passes, and
8. Click to complete the storage account creation procedure.
Figure 6 Configuring a Storage account
Virtual machines create a partition for each operating system deployment; each partition simulates a machine using software. Containers offer near-instant deployment and are a great way of moving code: the deployment time is shorter and they are easier to maintain.
1. In the window, select the account that was created, and click .
2. Click on to add a container.
3. In the new container window, enter a for the container and the , and click OK to proceed.
4. Click the new container. In the container window, select the required .vhd file and click .
Figure 7 Selecting the container
Figure 8 Creating a new container
Figure 9 Creating a new container
To use the Aruba Gateway software image as the source for an Azure managed virtual disk, you must ensure that the Aruba Virtual Gateway software image is uploaded to a blob container in your storage account.
Aruba supports Azure VNET deployments on Virtual Gateway appliances running ArubaOS SD-WAN 18.104.22.168-22.214.171.124 or later software versions. To obtain access to a valid VHD image for Virtual Gateways, contact your Aruba Sales Specialist.
To upload the .vhd file:
1. Download and install the app. For more information, see Azure Storage Explorer.
1. From the Azure portal, go to the Azure BASH Shell.
2. Create an SSH key pair with the command ssh-keygen -t rsa -b 2048
3. Save the private key to your local machine to SSH into the VGW.
4. Save the public key and use it during the setup of the Virtual Gateway.
For more information, see Create and use an SSH public-private key pair for Linux VMs in Azure.
Figure 10 Creating SSH Keys
Creating a Security group
A network security group (NSG) in Azure is the way to activate a rule or access control list (ACL), which allows or denies network traffic to your virtual machine instances in a virtual network. NSGs can be associated with subnets or with individual virtual machine instances within a subnet.
1. On the Azure portal, go to > , and click to start creating the NSG.
2. In the tab, enter the and that this NSG is linked to, and provide a unique and the for the NSG. Click to proceed.
Figure 11 Creating Security group
3. On the Azure portal, go to > , click the NSG that was created.
4. Select and click . In the tab, add UDP port 4500 in the to allow incoming IKE (Internet Key Exchange) connections from Branch Gateways.
5. Select and click . In the tab, add SSH port 110 as a to allow incoming SSH connections.
Figure 12 Security group summary
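The two inbound rules above are the whole exposure of the Virtual Gateway from the internet side, so their source ranges deserve a second look before the NSG is attached. The following Python is an added example, not part of the original document or of any Aruba or Azure tool: it models the rules as dictionaries using the field names of the Azure securityRules schema (an assumption about naming only; nothing is sent to Azure) and audits them for findings a reviewer would raise: SSH reachable from any source, an any-protocol/any-port allow, duplicate priorities, and the IKE/NAT-T rule not being UDP. The SSH port constant is 22 (the standard port); the procedure above lists port 110, so confirm which port your deployment actually uses. The branch and admin source ranges in the usage are constructed TEST-NET addresses.

```python
# Inbound NSG rules modelled on the Azure securityRules field names
# (protocol, sourceAddressPrefix, destinationPortRange, access, priority, direction).
ANY = "*"
SSH_PORT = 22          # standard SSH port; the procedure above lists 110, verify your deployment
IKE_NATT_PORT = 4500   # IKE / IPsec NAT-T over UDP, used by the Branch Gateways


def make_rule(name, priority, protocol, dest_port, source, access="Allow", direction="Inbound"):
    """Build one rule dictionary; `source` is a CIDR, a service tag such as Internet, or '*'."""
    return {
        "name": name,
        "priority": priority,
        "direction": direction,
        "access": access,
        "protocol": protocol,
        "sourceAddressPrefix": source,
        "destinationPortRange": str(dest_port),
    }


def audit_inbound_rules(rules):
    """Return findings for allow rules that expose more than the procedure calls for."""
    findings = []
    seen = {}
    for r in rules:
        key = (r["direction"], r["priority"])
        if key in seen:
            findings.append(f'{r["name"]}: priority {r["priority"]} already used by {seen[key]}')
        seen.setdefault(key, r["name"])
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        port = r["destinationPortRange"]
        source = r["sourceAddressPrefix"]
        if r["protocol"] == ANY and port == ANY:
            findings.append(f'{r["name"]}: allows any protocol/port from {source}')
        if port == str(SSH_PORT) and source in (ANY, "Internet"):
            findings.append(f'{r["name"]}: SSH reachable from any source; restrict to admin IP ranges')
        if port == str(IKE_NATT_PORT) and r["protocol"].upper() != "UDP":
            findings.append(f'{r["name"]}: port {IKE_NATT_PORT} for IKE/NAT-T should be UDP, not {r["protocol"]}')
    return findings


def page_rules(admin_source=ANY, branch_source=ANY):
    """The two inbound rules from the procedure above, with configurable source ranges."""
    return [
        make_rule("allow-ike-natt", 100, "Udp", IKE_NATT_PORT, branch_source),
        make_rule("allow-ssh", 110, "Tcp", SSH_PORT, admin_source),
    ]


if __name__ == "__main__":
    # Constructed sample ranges (TEST-NET-2/3), not from the page.
    print("open SSH:", audit_inbound_rules(page_rules()))
    print("restricted:", audit_inbound_rules(
        page_rules(admin_source="198.51.100.0/24", branch_source="203.0.113.0/24")))
```

Keep the IKE rule scoped to the public addresses of your Branch Gateways where they are static, and the SSH rule to the administrator ranges; an empty findings list is the state to aim for before the NSG is associated with the Virtual Gateway subnet.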
To deploy Virtual Gateway instances in a customer's VNET, you must create a cloud provider account in Aruba Central and map it to the customer's Azure account where the VNET is deployed.
1. Log in to Aruba Central.
2. In the app, use the filter to select .
3. Under , click > to display the Summary page.
4. To add an account, click the icon to open the page in the tab.
5. To add an account, select from the drop-down options and click .
6. In the window, enter these details:
—Enter an account name for easy identification.
—Enter the Tenant ID for your Azure account.
—Enter the subscription ID for your Azure account.
—Enter the Azure Application ID. In the future, to edit this Azure account the Application ID will be needed. The Application ID can remain the same.
—Enter the secret key for the Azure application. In the future, to edit this Azure account the Secret Key will be needed. This Secret Key will be different from the one that is used currently.
The , , and were saved during the app registration process.
Figure 13 Adding an Azure account
7. Click . The account is added to the list of accounts on the page.
8. Verify the status of the account. If the status column for the account is shown , proceed to deploy the Virtual Gateway instance.
To edit or delete an account, select the account and click the settings icon in the column to open the window.
Figure 14 Reviewing the cloud provider accounts
If the Azure account in Aruba Central displays an error message, check the following details:
Ensure that the VNET is configured and present in your Azure account.
Ensure that the subnet configured for the VNET is larger than /24.
Ensure that the , , , and are correct.
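Most of the checks in this troubleshooting list, together with the client-secret expiry that causes the access denied message in the orchestration page, can be run against the values before they are entered in Aruba Central. The following Python is an added example, not part of the original document or of Aruba Central: it validates that the tenant, subscription and application IDs have GUID form, that the secret is present and not expired (warning ahead of expiry so it can be rotated in time), and that the VNET address space is larger than /24. The field names and the sample account record, including its placeholder GUIDs and secret, are constructed for the example; the secret value itself is never printed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Azure tenant, subscription and application IDs are GUIDs in 8-4-4-4-12 form.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SECRET_WARN_DAYS = 30   # warn this long before the client secret expires


def check_guid(label, value):
    return [] if GUID_RE.match(value or "") else [f"{label} is not a valid GUID"]


def check_secret_expiry(expires_on, now, warn_days=SECRET_WARN_DAYS):
    """An expired client secret makes the orchestration page report access denied."""
    exp = datetime.fromisoformat(expires_on)
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    remaining = (exp - now).days     # negative once the expiry time has passed
    if remaining < 0:
        return ["client secret has expired; create a new secret and update the account"]
    if remaining < warn_days:
        return [f"client secret expires in {remaining} days; rotate it soon"]
    return []


def check_vnet_size(address_space):
    """The page requires the VNET address space to be larger than /24."""
    net = ipaddress.ip_network(address_space, strict=False)
    if net.prefixlen >= 24:
        return [f"VNET address space {net} is not larger than /24"]
    return []


def preflight(account, now=None):
    """Return a list of problems with a cloud provider account record; empty means ready."""
    now = now or datetime.now(timezone.utc)
    problems = []
    problems += check_guid("tenant_id", account.get("tenant_id"))
    problems += check_guid("subscription_id", account.get("subscription_id"))
    problems += check_guid("application_id", account.get("application_id"))
    if not account.get("client_secret"):
        problems.append("client secret is empty")
    problems += check_secret_expiry(account["secret_expires_on"], now)
    problems += check_vnet_size(account["vnet_address_space"])
    return problems


# Constructed sample record with placeholder values (not a real tenant or secret).
SAMPLE_ACCOUNT = {
    "tenant_id": "11111111-1111-1111-1111-111111111111",
    "subscription_id": "22222222-2222-2222-2222-222222222222",
    "application_id": "33333333-3333-3333-3333-333333333333",
    "client_secret": "PLACEHOLDER-not-a-real-secret",
    "secret_expires_on": "2025-12-31T00:00:00+00:00",
    "vnet_address_space": "10.20.0.0/16",
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_ACCOUNT) or ["no problems found"]:
        print(problem)
```

Because the secret expiry date is not visible from Aruba Central once the account is added, recording it alongside the account (as the sample does) is what makes the advance warning possible.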
Deploying the Virtual Gateway
1. On the page, select the tab, choose from the drop-down menu, and click to ensure that the information is refreshed and up to date.
2. Select the region to host the virtual gateway, and click .
3. In the page update the fields listed here:
—Enter the virtual gateway SKU (Stock Keeping Unit), currently limited to VGW-500MB.
The Virtual Gateway Size also displays the total number of licenses and the number of available licenses.
—Enter the Azure instance type (currently limited to Standard_DS3_v2)
—Choose the ArubaOS image to be installed
—Enter the SSH key. For more information on creating the SSH key, see Create and use SSH keys in Azure.
—Enter the Security Group details
—Choose if this virtual gateway supports
—Select if the virtual gateway will be available across multiple regions
4. Click to initiate the virtual gateway deployment.
Figure 15 Creating a virtual gateway
The Virtual Gateway deployment takes approximately 15 minutes to complete.
Figure 16 Deploying the virtual gateway
After the deployment is completed, a message is displayed. A summary of the deployment is also displayed on the tab of the page.
In the tab, hovering the cursor over the columns displays additional information about the field.
The Deployment can take up to 15 minutes to complete.
Ensure that the license is valid, for more information, see Assigning Subscriptions to Aruba Gateways.
Verifying the Deployment Status
Perform the following checks to verify the Virtual Gateway deployment status:
Check if the Virtual Gateway is on-boarded to the device inventory in Aruba Central.
Ensure that the Virtual Gateway is assigned to a device configuration group in Aruba Central.
Verify if the Virtual Gateway is connected to Aruba Central.
Configure a VPN (Virtual Private Network) tunnel between a Branch Gateway and the Virtual Gateway.
Go to and check the Virtual Gateway operational status and the VPN tunnel status. For more information, see the Gateway monitoring help topic in the Aruba Central Help Center.
The page displays the devices that are in the inventory. Click the to access > .
After a successful deployment, the Virtual Gateway instances launch and connect to Aruba Central with the latest image.