Non-Meraki VPN peer with Azure

Background:

Allen is working on a demo environment of NetApp’s Cloud Volumes ONTAP (CVO) in Azure and a Site-to-site VPN is required for features he wants to show off to customers.

Allen wanted to know how easy it would be to establish a VPN between his lab, using a Meraki security appliance, and Azure.

We documented the walkthrough for everyone to see how easy it is!

Azure items in this post:

Resource group: Containers where you deploy Azure resources; virtual machines, storage, databases, etc. You could deploy a three-tier instance in a single resource group to manage all those resources in a single container, or, you could deploy each tier in its own resource group.

  • Use case for this post: Allen is deploying all CVO-related resources into a single resource group, RG-WUS-TEST-AJ-01. No resource from any other group needs to access the CVO resources, and no other resources need to be managed along with the CVO resources. Also, once Allen is done with his demo, he can delete the resource group, which deletes all resources it manages without impacting any of his other resources.

On-prem gateway: This is the security appliance on-premises that will be used for the Site-to-site VPN.

On-prem subnets: These are the private IP address ranges on-premises you want to communicate with Azure VNets.

Virtual Network Gateway: This will establish the Site-to-site VPN with your on-prem gateway.

Local Network Gateway: This represents your on-prem networks to Azure for routing purposes only.

Connection: This is the IPsec configuration your Virtual Network Gateway will use to establish a tunnel with your on-prem gateway.

Topology:
Variables we used throughout this post:
On-prem:
– Public IP address = <on-prem public IP address>
– Subnet 1 = 10.11.12.0/24
Azure:
Resource group:
– Subscription = Microsoft Partner Network
– Name = RG-WUS-TEST-AJ-01
– Region = West US
Virtual Network:
– Name = RG-WUS-TEST-AJ-01-VNet
– IPv4 Address space = 172.16.3.0/24
– Subnet 1 – Name = GatewaySubnet
– Subnet 1 – Range = 172.16.3.0/27
Virtual Network Gateway:
– Name = RG-WUS-TEST-AJ-01-VGW
– Gateway type = VPN
– VPN type = Route-based
– SKU = Basic
– Generation = Generation1
– Public IP address = Create new
– Public IP address name = RG-WUS-TEST-AJ-01-PubIP
Local Network Gateway:
– Name = RG-WUS-TEST-AJ-01-LGW
– Endpoint = IP address
– IP address = <on-prem public IP address>
– Address Space = 10.11.12.0/24
Connection:
– Name = RG-WUS-TEST-AJ-01-VGW-Con
– Connection type = Site-to-site (IPsec)
– Shared key (PSK) = <pre-shared key>
– IKE Protocol = IKEv2
Configuration:
Create a Resource Group:
From a browser, navigate to the Azure portal and sign in with your Azure account.
– Click “Resource groups”
Click “+ Create”.
Enter the options for your Resource Group:
– Subscription hosting your resources = Microsoft Partner Network.
– Name of your resource group = RG-WUS-TEST-AJ-01.
– Region where your resources will be hosted = West US.
Click “Review + create”.
Click “Create”, upon passing validation.
Create a Virtual Network:
Click on your newly created Resource Group.
Click “+ Create”.
Search for, and then click on, “Virtual network” search result.
Click “Virtual network”.
Click “Create”.
Enter the options for your Virtual Network:
– Subscription hosting your resources = Microsoft Partner Network.
– Name of your resource group = RG-WUS-TEST-AJ-01.
– Name of your Virtual Network = RG-WUS-TEST-AJ-01-VNet.
– Region where your resources are hosted = West US.
Click “Next: IP Addresses >”.
Click “…”.
Click “Delete address space”.
Click “Add an IP address space”.
Enter the options for your “IP address space”.
– Starting address = 172.16.3.0.
– Address space size = /24 (256 addresses).
Click “Add”.
Click “Review + create”.
Click “Create”.
Click the resource group “RG-WUS-TEST-AJ-01”.
Create a Virtual Network Gateway:
Click “Create”.
Search for, and click on, “Virtual network gateway” search result.
Click “Virtual network gateway”.
Click “Create”.
Enter the options for your Virtual Network Gateway:
– Subscription hosting your resources = Microsoft Partner Network.
– Name of your resource group = RG-WUS-TEST-AJ-01.
– Name of your Virtual Network Gateway = RG-WUS-TEST-AJ-01-VGW.
– Region where your resources are hosted = West US.
– Gateway type = VPN.
– VPN type = Route-based.
– SKU = Basic.
– Generation = Generation1.
– Name of your Virtual Network = RG-WUS-TEST-AJ-01-VNet.
– Subnet for your Virtual Network Gateway = Required GatewaySubnet.
– Public IP address = Create new.
– Public IP address name = RG-WUS-TEST-AJ-01-PubIP.
Click “Review + create”.
Click “Create”.
Click the resource group “RG-WUS-TEST-AJ-01”.
Create a Local Network Gateway:
Click “+ Create”.
Search for, and click on, “Local network gateway” search result.
Click “Local network gateway”.
Click “Create”.
Enter the options for your Local Network Gateway:
– Subscription hosting your resources = Microsoft Partner Network.
– Name of your resource group = RG-WUS-TEST-AJ-01.
– Region where your resources are hosted = West US.
– Name of your Local Network Gateway = RG-WUS-TEST-AJ-01-LGW.
– Endpoint = IP address.
– IP address = <on-prem public IP address>.
– Address Space = 10.11.12.0/24.
Click “Review + create”.
Click “Create”.
Click the resource group “RG-WUS-TEST-AJ-01”.
Create a Connection:
Click the link for your Virtual Network Gateway.
Click “Connections”, on the left sidebar.
Click “+ Add”.
Enter the options for your Connections:
– Name of your Connection = RG-WUS-TEST-AJ-01-Con.
– Connection type = Site-to-site (IPsec).
– Virtual Network Gateway = RG-WUS-TEST-AJ-01-VGW.
– Local Network Gateway = RG-WUS-TEST-AJ-01-LGW.
– Shared key (PSK) = <pre-shared key>.
Click “OK”.
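The Azure side of this walkthrough as an Azure CLI script, added here as an example rather than taken from the original post: it reuses the variable table above, prints the az commands instead of running them unless DRY_RUN=0, and first checks that the on-prem and VNet ranges do not overlap, that GatewaySubnet sits inside the VNet, and that the PSK placeholder has been replaced. ONPREM_IP and PSK default to the post's placeholders and are assumed to be supplied by the reader.

```shell
#!/bin/sh
# Added example, not from the original post: the portal walkthrough as an
# Azure CLI script built from the post's variable table. Prints commands by
# default (DRY_RUN=1); set DRY_RUN=0 with the Azure CLI logged in to apply.
set -eu
RG=RG-WUS-TEST-AJ-01; LOC=westus
VNET=$RG-VNet;  VNET_CIDR=172.16.3.0/24; GWSUB_CIDR=172.16.3.0/27
VGW=$RG-VGW;    PIP=$RG-PubIP
LGW=$RG-LGW;    ONPREM_CIDR=10.11.12.0/24
CON=$RG-VGW-Con
ONPREM_IP=${ONPREM_IP:-"<on-prem public IP address>"}; PSK=${PSK:-"<pre-shared key>"}
DRY_RUN=${DRY_RUN:-1}

ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
# Prints "<first address> <last address>" of a CIDR block as integers
cidr_range() {
  local ip len mask net
  ip=${1%/*}; len=${1#*/}
  mask=$(( (0xFFFFFFFF << (32-len)) & 0xFFFFFFFF ))
  net=$(( $(ip2int "$ip") & mask ))
  echo "$net $(( net | (~mask & 0xFFFFFFFF) ))"
}
# True (0) if the two CIDR blocks share at least one address
cidr_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}
# True (0) if the first CIDR block lies entirely inside the second
cidr_inside() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}
# Checks the portal will not do for you: overlapping prefixes break routing
# over the tunnel, GatewaySubnet must be in the VNet, PSK must be real.
preflight() {
  cidr_overlap "$VNET_CIDR" "$ONPREM_CIDR" && { echo "VNet overlaps on-prem range"; return 1; }
  cidr_inside "$GWSUB_CIDR" "$VNET_CIDR" || { echo "GatewaySubnet is not inside the VNet"; return 1; }
  case $PSK in "<"*">") echo "set PSK to the real shared key"; return 1;; esac
}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
deploy() {
  run az group create -n "$RG" -l "$LOC"
  run az network vnet create -g "$RG" -n "$VNET" --address-prefix "$VNET_CIDR" \
      --subnet-name GatewaySubnet --subnet-prefix "$GWSUB_CIDR"
  run az network public-ip create -g "$RG" -n "$PIP"
  run az network vnet-gateway create -g "$RG" -n "$VGW" --vnet "$VNET" --public-ip-address "$PIP" \
      --gateway-type Vpn --vpn-type RouteBased --sku Basic --vpn-gateway-generation Generation1
  run az network local-gateway create -g "$RG" -n "$LGW" --gateway-ip-address "$ONPREM_IP" \
      --local-address-prefixes "$ONPREM_CIDR"
  run az network vpn-connection create -g "$RG" -n "$CON" --vnet-gateway1 "$VGW" \
      --local-gateway2 "$LGW" --shared-key "$PSK"
}
```

Run `preflight && deploy` after exporting ONPREM_IP and PSK; the Meraki side still needs the peer entry from the next section.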
Configure Non-Meraki VPN Peer:
Click on your newly created Connection.
Make a note of the public IP address of your Virtual Network Gateway.
Open a new browser tab, navigate to the Meraki Dashboard and sign in with your Meraki account.
– Navigate to the Site-to-site VPN page, for the network you want to connect to Azure.
Click “Add a peer”.
Enter your Azure information.
– Name = RG-WUS-TEST-AJ-01.
– IKE Version = IKEv2.
– IPsec policies = Azure.
– Public IP = <public IP address of the Virtual Network Gateway>.
– Private subnets = 172.16.3.0/24.
– Preshared secret = <pre-shared key>.
– Availability = All networks.
Navigate to the VPN status page, for the network you want to connect to Azure.
Click on the “Non-Meraki peer” tab, to check status.
Return to your Azure portal tab, on the Connection page, to check status.
– This may take longer than the Meraki status page to show connected.
