
Deploying Aruba Virtual Gateway in Microsoft Azure (Managed Mode)

Aruba Central supports deploying Virtual Gateways in Microsoft Azure using the orchestrated mode. For orchestrated-mode deployments, Aruba Central provides an orchestration service that automates Virtual Gateway deployments. The orchestrator application in Aruba Central enables IT administrators to bring up, configure, and monitor Virtual Gateways from the Aruba Central management interface.

Setting up a Virtual Gateway Instance using the Orchestration Service

To instantiate Virtual Gateways using the orchestrator application, complete the following steps:

1. Registering a New Application in Azure

2. Creating a Resource Group

3. Creating a VNET

4. Creating a Storage Account

5. Uploading the Aruba Virtual Gateway Software Image

6. Creating SSH keys

7. Adding a Cloud Provider Account in Aruba Central

8. Licensing Confirmation

Deployment Procedure

Before deploying an Aruba Virtual Gateway in an Azure VNET, ensure that you have the following resources and account privileges:

A valid subscription and administrator credentials to access your Azure account.

A valid subscription and Aruba Central account credentials to deploy Virtual Gateways.

Aruba Virtual Gateway VHD image.

You can configure an Aruba Virtual Gateway in Microsoft Azure using either the Azure Cloud Shell or the Azure graphical user interface (UI). The configuration steps described in this document are based on the UI workflows.

Currently, only the VGW-500MB SKU is supported by Microsoft Azure.

Registering a New Application in Azure

Enterprise software-as-a-service (SaaS) providers develop commercial cloud services applications that can be integrated with the Microsoft identity platform to provide secure sign-in and authorization for their services. Follow these steps to register a new application in Azure:

1. Sign in to the Azure portal. On the Home screen, select App registration from the Azure services listed.

2. In the App registrations page, click +New registration to initiate the registration process.

3. In the Register an application page, enter these details:

Name—Enter an account name for easy identification. This is a mandatory field.

Supported account types—Select the profile or entity that can access this application. By default, Accounts in this organizational directory only (Hewlett Packard Enterprise only - Single tenant) is selected.

Redirect URI (optional)—After the user is successfully authenticated, a response is sent to this URI. This is an optional field and can be updated later.

Figure 1  Registering an app

4. Click Register to complete the registration. The new application page loads in a few seconds.

Creating a Client Secret

To ensure that the application communication is secure, follow these steps to create a client secret for the application:

When the client secret expires, the orchestration page displays an access denied message. Follow these steps to create a new client secret.

1. To set the client secret, on the left side navigation pane click Certificates & secrets.

2. Click + New client secret to open the Add a client secret pane.

3. In the Add a client secret pane, enter a description of the secret and the duration of the secret validity and click Add.

4. In the Certificates & secrets page, the new secret is displayed along with its Value.

Copy the client secret Value immediately, because the value is masked after approximately ten minutes; once masked it cannot be viewed again and you must create a new secret.

Figure 2  Setting up a Client secret

Adding the Application Permissions

Follow the steps listed here to set the permissions for access and control of the application:

1. To set the application permissions, on the left side navigation pane click API permissions.

2. In the API permissions pane, click +Add a permission to open the Request API permission pane.

3. In the Request API permissions pane, select Azure Service Management from the Microsoft APIs tab.

4. Delegated permissions is selected by default. Select the check box next to user_impersonation and click Add permissions.

5. The Azure Service Management API with the user_impersonation permission is now added to the list of permitted APIs.

Figure 3  Adding the Application permissions

Setting up Access control and Role Assignments

Once the application is set up, a role needs to be assigned to the application. Follow these steps to assign a role to the application:

1. In the search box on the home screen, search for Subscriptions, and select Subscriptions from the displayed service options.

2. In the Subscriptions page, select the subscription that you are working with.

3. Select Access control (IAM) from the left side navigation to open the access control pane.

4. In the access control pane, select the Role assignments tab, click +Add, and choose Add role assignment.

5. In the Add role assignment pane, set the following details:

Role—Select the role to be assigned to the app. In this configuration, set the role to Contributor. Contributor lets the application create and manage all resources in the subscription but not assign roles; role changes and assignments can only be made by an administrator.

Assign access to—Assign the access level for the role.

Select—Set the application, user, or device that inherits the above properties. Search using the registered name or email address.

Choose the user or application from the displayed options.

6. Click Save to save and exit.

Figure 4  Role assignments

Viewing the Application IDs

The application IDs are needed to start the onboarding process in Aruba Central. Follow these steps to view the application IDs:

1. In the search box on the home screen search for App registrations, and select App registrations from the displayed service options.

2. In the App registrations page, select the application that you registered; the application details pane opens. Note down the following IDs, which are used during onboarding in Aruba Central:

Application (client) ID

Directory (tenant) ID

Figure 5  Viewing the application ids

Creating a Resource Group

A resource group in Azure is a logical container that consists of resources required for deploying a virtual machine (VM). Resource groups allow you to logically group related resources such as storage accounts, virtual networks, and VMs. Resource groups also allow you to deploy and manage all these resources as a single entity.

Note the following important points about resource groups in Azure:

A resource group can contain resources from different regions or locations.

Access control for administrative actions can be scoped with a resource group.

Resources can be added or removed from a group at any time.

Resources can be moved from one group to another group.

Each resource can only exist in one resource group.

Resources can interact with resources in other resource groups.

To verify if your subscription has a resource group, click Home > Resource Groups.

If you do not have a resource group created in your Azure subscription, complete the following steps to create a resource group:

1. Log in to Azure portal using your Azure account credentials.

2. Click + Create a Resource to access Dashboard and then search for Resource Groups in the search box to access the Resource Groups configuration page.

3. Click Create.

4. In the Basics tab, enter the following information:

Subscription—Select your Microsoft Azure subscription.

Resource group name—Enter a name for the resource group.

Region—Select the geographic location for the resource group.

5. Click Review+Create and then click Create.

Creating a VNET

The Azure VNETs enable you to securely connect your Azure resources with each other. You can use VNETs to provision and manage VPNs in Azure and, optionally, link the VNets with other VNETs in Azure, or with your on-premises IT infrastructure to create hybrid or cross-premises solutions.

Deploying an Aruba Virtual Gateway in a customer VNET brings the SD-WAN fabric into the VNET and thus enables connectivity to physical sites, such as branches and data centers.

Azure deletes your VNETs when a subscription is disabled. If the subscription is re-enabled, you must recreate the resources.

The orchestration app creates eight /27 subnets; ensure that the VNET has a /24 block reserved for the interconnect subnets.

If you do not have a VNET created in your Azure subscription, complete the following steps to bring up the VNET in Azure:

1. On the Azure portal, go to Home > Networking > Virtual Networks. You can also search for virtual network on the Home page to access the Virtual Network configuration page.

2. On the Virtual Network page, ensure that the selected deployment model is set as Resource Manager, and click Create. The Create virtual network page opens.

3. Configure the following parameters:

Name—Enter a name for the virtual network.

Address space—Enter the allocated address space details.

Subscription—Select a subscription.

Resource group—Select the resource group to which you want to attach the VNET.

Location—Select a valid location.

Subnet—Enter the following information:

Name—Name of the subnet.

Address range—Enter the address range for the subnet.

DDoS Protection (Optional)—Select either Basic or Standard based on your subscription plan.

Service endpoints (Optional)—Select either Disabled or Enabled based on your requirement. This is set to Disabled by default.

Firewall (Optional)—Select either Disabled or Enabled based on your requirement. This is set to Disabled by default.

4. Click Create to complete the creation of the virtual network.
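As an added illustration (not part of the Aruba documentation), the following Python script checks whether a VNET address space can hold the reserved /24 interconnect block beside the gateway subnet entered at deployment time, and carves that block into the eight /27 subnets the orchestrator creates. The assumption that the eight /27s come from a single /24 and that the gateway subnet is a separate prefix in the same VNET is mine.

```python
import ipaddress

# Assumed layout (not from the Aruba page): the orchestrator's eight /27
# interconnect subnets are carved from one reserved /24 block, and the gateway
# subnet you enter at deployment time is a separate prefix in the same VNET.
INTERCONNECT_BLOCK_PREFIX = 24
INTERCONNECT_SUBNET_PREFIX = 27
INTERCONNECT_SUBNET_COUNT = 8


def plan_interconnect(vnet_space, gateway_subnet):
    """Validate a VNET address space for an orchestrated Virtual Gateway.

    Returns (reserved /24 block, list of eight /27 subnets) or raises
    ValueError explaining why the address space cannot host the deployment.
    """
    vnet = ipaddress.ip_network(vnet_space, strict=True)
    gw = ipaddress.ip_network(gateway_subnet, strict=True)
    if vnet.version != 4 or gw.version != 4:
        raise ValueError("only IPv4 address spaces are handled here")
    if not gw.subnet_of(vnet):
        raise ValueError(f"gateway subnet {gw} is outside VNET {vnet}")
    if vnet.prefixlen >= INTERCONNECT_BLOCK_PREFIX:
        # A /24 (or smaller) VNET cannot hold a /24 block plus a gateway subnet;
        # this is the "larger than /24" check in the Access Denied checklist.
        raise ValueError(f"VNET {vnet} must be larger than /24 to reserve a /24 block")
    # Reserve the first /24 that does not collide with the gateway subnet.
    for block in vnet.subnets(new_prefix=INTERCONNECT_BLOCK_PREFIX):
        if not block.overlaps(gw):
            subnets = list(block.subnets(new_prefix=INTERCONNECT_SUBNET_PREFIX))
            if len(subnets) != INTERCONNECT_SUBNET_COUNT:
                raise RuntimeError("prefix arithmetic error")  # impossible for /24 -> /27
            return block, subnets
    raise ValueError(f"no free /24 block left in {vnet} beside {gw}")


def fits(vnet_space, gateway_subnet):
    """True if the VNET can host the deployment, False otherwise."""
    try:
        plan_interconnect(vnet_space, gateway_subnet)
        return True
    except ValueError:
        return False


def colliding_subnets(existing_subnets, reserved_block):
    """Return existing subnets that overlap the reserved block (must be empty)."""
    block = ipaddress.ip_network(reserved_block, strict=True)
    return [s for s in existing_subnets
            if ipaddress.ip_network(s, strict=True).overlaps(block)]
```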

Creating a Storage Account

Storage account in Azure provides a unique namespace to store and access your Azure storage objects. Every storage account must belong to an Azure resource group.

For Aruba Virtual Gateway deployments, you will need a storage account to store the software image and also a separate storage account for Boot Diagnostics. The Boot Diagnostics option allows you to view logs pertaining to VM boot issues. You can enable the Boot Diagnostics option when configuring a VM.

If you do not have a storage account created and mapped to the resource group that you want to use for Aruba Virtual Gateway deployment, complete the following steps:

1. Log in to your Azure account.

2. Select Home > Storage Accounts.

3. In the Storage Accounts window, click + Add.

4. Enter a unique name for your storage account.

The name must be between 3 and 24 characters in length, and can contain only numbers and lowercase letters.

5. Choose a Subscription and Resource group that this account is linked to.

6. Enter the Storage Account Name, Location, Account kind, and Replication.

7. Click Review + create and ensure that the account validation passes before proceeding.

8. Click Create to complete the storage account creation procedure.

Figure 6  Configuring a Storage account

Configuring containers

Virtual machines create a partition for each operating system deployment, and each partition simulates a machine using software. Containers offer near-instant deployment and are a convenient way of moving code: deployment time is shorter and they are easier to maintain.

1. In the Storage accounts window, select the account that was created, and click Containers.

2. Click + Container to add a container.

3. In the New container window, enter a Name for the container and set the Public access level (keep it Private unless anonymous read access is explicitly required), then click OK to proceed.

4. Click on the new container, in the container window, select the required .vhd file and click upload.

Figure 7  Selecting the container

Figure 8  Creating a new container

Figure 9  Creating a new container

Uploading the Aruba Virtual Gateway Software Image

To use the Aruba Gateway software image as the source for an Azure managed virtual disk, you must ensure that the Aruba Virtual Gateway software image is uploaded to a blob container in your storage account.

Aruba supports Azure VNET deployments on Virtual Gateway appliances running ArubaOS SD-WAN 8.5.0.0-2.0.0.0 or later software versions. To obtain access to a valid VHD image for Virtual Gateways, contact your Aruba Sales Specialist.

To upload the .vhd file:

1. Download and install the Azure Storage Explorer app. For more information, see Azure Storage Explorer.

Creating SSH keys

1. From the Azure portal, open the Azure Cloud Shell (Bash).

2. Create an SSH key pair with the command ssh-keygen -t rsa -b 2048.

3. Save the private key to your local machine, readable only by your own user account; it is used to SSH into the VGW.

4. Save the public key and use it during the setup of the Virtual Gateway.

For more information see, Create and use an SSH public-private key pair for Linux VMs in Azure.

Figure 10  Creating SSH keys

Creating a Security group

A network security group (NSG) in Azure is the way to activate a rule or access control list (ACL), which will allow or deny network traffic to your virtual machine instances in a virtual network. NSGs can be associated with subnets or individual virtual machine instances within that subnet.

1. On the Azure portal, go to Home > Network security groups, and click + to start creating the NSG.

2. In the Basics tab, enter the Subscription and Resource group that this NSG is linked to, also provide a unique Name and the Region for the NSG. Click Review + Create to proceed.

Figure 11  Creating Security group

3. On the Azure portal, go to Home > Network security groups, and click the NSG that was created.

4. Select Inbound security rules and click +Add. In the Basic tab, add UDP port 4500 in the Destination port ranges to allow incoming IKE connections from Branch Gateways.

5. Select Inbound security rules and click +Add. In the Advanced tab, add an SSH rule with Priority 110 to allow incoming SSH connections. Restrict the Source of this rule to the address ranges your administrators connect from rather than leaving it open to any source.

Figure 12  Security group summary

Adding a Cloud Provider Account in Aruba Central

To deploy Virtual Gateway instances in a customer's VNET, you must create a cloud provider account in Aruba Central and map it to the customer's Azure account where the VNET is deployed.

1. Log in to Aruba Central.

2. In the Network Operations app, use the filter to select All Devices.

3. Under Manage, click Network Services > Virtual Gateways to display the Summary page.

4. To add an account, click the Settings icon to open the Add Cloud Provider Accounts page in the Accounts tab.

5. Select Microsoft Azure from the drop-down options and click Add Account.

6. In the Add Azure Account window, enter these details:

Account Name—Enter an account name for easy identification.

Tenant ID—Enter the Tenant ID for your Azure account.

Subscription ID—Enter the subscription ID for your Azure account.

Application ID—Enter the Azure Application ID. The Application ID is required again whenever you edit this Azure account later; it can remain the same.

Secret Key—Enter the secret key for the Azure application. A Secret Key is required again whenever you edit this Azure account later; that Secret Key will be different from the one in use now.

The Tenant ID, Subscription ID, Application ID, and Secret Key are the values that were saved during the app creation process.

Figure 13  Adding an Azure account

7. Click Submit. The account is added to list of accounts on the Accounts page.

8. Verify the status of the account. If the Status column for the account shows Access Verified, proceed to deploy the Virtual Gateway instance.

To edit or delete an account, select the account, and click the setting icon in the Status column, to open the Account Options window.

Figure 14  Reviewing the cloud provider accounts

If the Azure account in Aruba Central displays an Access Denied error message, check the following details:

Ensure that the VNET is configured and present in your Azure account.

Ensure that the subnet configured for the VNET is larger than /24.

Ensure that the Subscription ID, Tenant ID, App ID, and Client Secret are correct.
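As an added example, not taken from Aruba Central or this page, the following Python script sanity-checks the four onboarding values and performs the same client-credentials token request that Aruba Central makes to report Access Verified, so a failing account can be diagnosed before it is added. The AADSTS error codes are Azure AD's; the mapping from each code to the checklist item above is my assumption.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Microsoft's public OAuth 2.0 token endpoint and the Azure Resource Manager
# scope that the Contributor assignment is exercised through.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Assumed mapping (this example's own) from Azure AD error codes to the
# checklist item on this page that fixes them.
ERROR_HINTS = {
    "AADSTS7000222": "client secret expired: create a new client secret and update the account",
    "AADSTS7000215": "client secret wrong: re-copy the secret Value, not its ID",
    "AADSTS700016": "application not found: check the Application (client) ID",
    "AADSTS90002": "tenant not found: check the Directory (tenant) ID",
}


def validate_inputs(tenant_id, subscription_id, application_id, secret):
    """Return a list of problems with the onboarding values (empty means well formed)."""
    problems = []
    for label, value in (("Tenant ID", tenant_id),
                         ("Subscription ID", subscription_id),
                         ("Application ID", application_id)):
        if not GUID.match(value.strip()):
            problems.append(f"{label} is not a GUID: {value!r}")
    if not secret or secret != secret.strip():
        problems.append("Secret Key is empty or has surrounding whitespace")
    elif GUID.match(secret):
        # Common slip: pasting the secret's ID column instead of its Value column.
        problems.append("Secret Key looks like a GUID; use the secret Value, not its ID")
    return problems


def classify_token_error(body):
    """Translate an Azure AD error response body into the check to perform."""
    try:
        err = json.loads(body)
    except ValueError:
        return "unreadable response"
    desc = err.get("error_description", "")
    for code, hint in ERROR_HINTS.items():
        if code in desc:
            return hint
    return f"unhandled error {err.get('error', '?')}: {desc[:80]}"


def request_token(tenant_id, application_id, secret, timeout=10):
    """Do the client-credentials exchange; returns (True, detail) or (False, hint)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": secret,
        "scope": ARM_SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=form)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            tok = json.load(resp)
        return True, f"token obtained, expires in {tok.get('expires_in')} s"
    except urllib.error.HTTPError as e:
        return False, classify_token_error(e.read().decode("utf-8", "replace"))
```

A token only proves the Tenant ID, Application ID and Secret Key; the Subscription ID and the Contributor assignment are exercised separately once the account is added.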

Deploying the Virtual Gateway

1. On the Virtual Gateways page, select the Deployment tab and choose Microsoft Azure from the drop down menu and click on Import VNETs to ensure that the information is refreshed and up to date.

2. Select the region to host the virtual gateway, and click Deploy Virtual Gateway.

3. In the Create Virtual Gateway page update the fields listed here:

Virtual Gateway Subnet—Enter the gateway subnet.

Virtual Gateway Size—Enter the virtual gateway SKU (currently limited to VGW-500MB).

The Virtual Gateway Size also displays the total number of licenses and the number of available licenses.

Azure Instance Type—Enter the Azure instance type (currently limited to Standard_DS3_v2).

Select Image—Choose the ArubaOS image to be installed.

SSH Public Key—Enter the SSH public key. For more information on creating the SSH key, see Create and use SSH keys in Azure.

Security Group—Enter the Security Group details

Virtual Gateway High Availability—Choose if this virtual gateway supports High Availability

Deploy Multi-Availability Zone—Select Yes if the virtual gateway will be available across multiple regions

4. Click Deploy Virtual Gateway to initiate the virtual gateway deployment.

Figure 15  Creating a virtual gateway

The Virtual Gateway deployment takes approximately 15 minutes to complete.

Figure 16  Deploying the virtual gateway

After the deployment is completed, a Virtual Gateway Deployed message is displayed. A summary of the deployment is also displayed on the Summary tab of the Orchestrated Cloud Provider page.

In the Summary tab, hovering the cursor over the columns displays additional information about the field.

The deployment can take up to 15 minutes to complete.

Licensing Confirmation

Ensure that the license is valid. For more information, see Assigning Subscriptions to Aruba Gateways.

Verifying the Deployment Status

Perform the following checks to verify the Virtual Gateway deployment status:

Check if the Virtual Gateway is on-boarded to the device inventory in Aruba Central.

Ensure that the Virtual Gateway is assigned to a device configuration group in Aruba Central.

Verify if the Virtual Gateway is connected to Aruba Central.

Configure a VPN tunnel between a Branch Gateway and the Virtual Gateway.

Go to Monitoring & Reports > Network Overview > Gateways and check the Virtual Gateway operational status and the VPN tunnel status. For more information, see the Gateway monitoring help topic in Aruba Central Help Center.

The Device Inventory page displays the devices that are in the inventory. To open it, go to Account Home > Device Inventory.

After a successful deployment, the Virtual Gateway instances launch and connect to Aruba Central with the latest image.
