VT AIR Azure
========================

VT AIR Azure brings all VT AIR features to the Microsoft Azure Cloud. VT AIR Azure can be run in any region where Azure offers service, on various instance sizes.

VT AIR for Azure is available in the `Azure Marketplace `_.

All features are available in the Azure version, and you can use VT AIR as a firewall to protect your Virtual Machines or as a VPN server to connect via IPSec, OpenVPN or WireGuard.

.. image:: img/vtair-azure.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure

|br|

To use VT AIR as a firewall in front of other VMs in your Azure environment, a few configuration steps are required.

#. Virtual Network Configuration

   #. New Virtual Network
   #. Public Subnet
   #. Private Subnet
   #. Private Routing Table
   #. Public Network Security Group
   #. Private Network Security Group
   #. Private Network Interface

      * Enable Traffic Forwarding
      * Associate Private Network Security Group

#. Azure VT AIR Appliance

   #. Public Network Interface (WAN)

      * In the Public Subnet
      * Public Network Security Group

   #. Private Network Interface (LAN)

      * Default route pointing to VT AIR LAN interface

#. VT AIR configuration

   #. Enable and set LAN Interface
   #. Create DNAT Rules and VPN Configuration

#. Azure VMs

   #. Add to the Private Network Subnet
   #. Set Private Network Security Group

Default Login
********************

The default login for the WebGUI is user **admin** with password **vtair**.

Virtual Network Configuration
****************************************

Log in to your Azure account and open the Virtual Networks configuration page.

.. image:: img/vtair-azure-virtualnetworks.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Virtual Network

|br|

We have created videos to show the entire configurations.

.. raw:: html

New Virtual Network
################################

We will create a new Virtual Network for the VT AIR setup. If you already have a Virtual Network with two subnets configured, you can skip these steps.

Click on *Create*.

Choose your *Subscription*, *Resource group* and *Region* and give the Virtual Network a name. In our case we choose *VTAIRVirtualNetwork*.

.. image:: img/vtair-azure-virtualnetwork-create.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Create Virtual Network

|br|

Public Subnet
################

A default subnet is created alongside your Virtual Network. We will use it as the public subnet; it has the IP range *10.0.0.0/24*.

Private Subnet
################

Navigate to the Virtual Network, open *Subnets* in the Settings and click on *Subnet*.

.. image:: img/vtair-azure-private-subnet.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Subnet

Give the subnet a name. We will use *VTAIRPrivateSubnet* and create the IP network *10.0.1.0/24*.

.. image:: img/vtair-azure-private-subnet-create.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Subnet Create

|br|

Private Routing Table
######################

We will create a Private Routing Table that is used with the Private Subnet. It will contain the *VT AIR LAN Interface* that we connect to the default route of the Routing Table. This step needs to be done after the VT AIR Azure VM is up and running.

Navigate to *Route tables* and click on *Create*.

Choose your *Subscription*, *Resource group* and *Region* and give the routing table a name. We will use *VTAIRPrivateRoutingTable*.

.. image:: img/vtair-azure-private-routetable.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Routing Table

We need to connect the routing table to the *Private Subnet*. Open the newly created routing table, navigate to *Subnets* and click on *Associate*.

.. image:: img/vtair-azure-private-subnet-route-assoc.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Routing Table Association

Select the virtual network *VTAIRVirtualNetwork* and choose the *VTAIRPrivateSubnet*.

.. image:: img/vtair-azure-private-subnet-route-assoc2.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Routing Table Association

We need to add the network route to the routing table. Navigate to *Routes* and click on *Add*.

.. image:: img/vtair-azure-private-subnet-route.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Routing Table Subnet

Give the route the name *PrivateNetwork*. The destination type is *IP Addresses*, the destination is the network IP range *10.0.1.0/24* and the next hop type is *Virtual network*.

.. image:: img/vtair-azure-private-subnet-route-create-subnet.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Routing Table Create

|br|

Public Network Security Group
############################################

We need to create a Public Network Security Group that will be associated with the VT AIR Public Network Interface. You can customize the group to your needs. We recommend adding at least the following entries:

- Port 22 (TCP)
- Port 443 (TCP)

and depending on which VPN is used:

- 1194 (UDP) for OpenVPN
- 51280 (UDP) for WireGuard
- 500 and 4500 (UDP) for IPSec
- ESP/AH for IPSec

Navigate to *Network security groups* and click on *Create*.

.. image:: img/vtair-azure-security-group.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Security Group

Choose your *Subscription*, *Resource group* and *Region* and give the network security group a name. We will use *VTAIRPublicSecurityGroup*.

.. image:: img/vtair-azure-security-group-public.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Security Group

For the inbound traffic we created all of the rules above.

.. image:: img/vtair-azure-security-group-public-inbound.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Security Group Inbound Rules

|br|

Private Network Security Group
############################################

We need to create a Private Network Security Group that will be associated with the VT AIR Private Network Interface. We will allow all traffic on the private side as it is protected by the VT AIR Firewall.

Navigate to *Network security groups* and click on *Create*.

Choose your *Subscription*, *Resource group* and *Region* and give the network security group a name. We will use *VTAIRPrivateSecurityGroup*.

.. image:: img/vtair-azure-security-group-private.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Security Group

For the inbound traffic we created the allow all rule.

.. image:: img/vtair-azure-security-group-private-inbound.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Security Group Inbound Rules

|br|

Private Network Interface
############################################

We need to create a Private Network Interface that will be associated with the VT AIR Private Network Interface. We will allow all traffic on the private side as it is protected by the VT AIR Firewall.

Navigate to *Network interfaces* and click on *Create*.

.. image:: img/vtair-azure-private-network-interfaces.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Network Interface

Choose your *Subscription*, *Resource group* and *Region* and give the network interface a name. We will use *VTAIRPrivateNetworkinterface*.

Choose the Virtual Network *VTAIRVirtualNetwork* and the Subnet *VTAIRPrivateSubnet*.

.. image:: img/vtair-azure-private-network-interface-create.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Network Interface

|br|

Enable Traffic Forwarding
-------------------------------

We need to allow traffic forwarding for the newly created interface.

Click on the newly created interface *VTAIRPrivateNetworkinterface*.
Navigate to *IP configurations* and click on *Enable IP forwarding*.

.. image:: img/vtair-azure-private-network-interface-forwarding.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Network Interface Forwarding

|br|

Associate Private Network Security Group
---------------------------------------------

We need to associate the Private Network Security Group to the newly created interface.

Click on the newly created interface *VTAIRPrivateNetworkinterface*. Navigate to *Network security group* and choose *VTAIRPrivateSecurityGroup*.

.. image:: img/vtair-azure-private-network-interface-security-group.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Private Network Interface Security Group

|br|

Azure VT AIR Appliance
***********************

It is time to create and start the VT AIR Appliance.

We have created videos to show the entire configurations.

.. raw:: html

Navigate to Virtual machines, select *Create* and pick *Azure virtual machine*.

.. image:: img/vtair-azure-vm.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure VM

Choose your *Subscription*, *Resource group* and *Region* and give the virtual machine a name. We will name the instance *VTAIR*.

Search for *VT AIR* in the Azure Machine Image.

Choose your preferred *Size*. Select your size and a key pair for the default SSH connection. The instance will also be available via the WebGUI.

.. image:: img/vtair-azure-instance.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance

|br|

Storage
################################

Make sure to select a large enough storage space. We recommend 30GB or more.

Public Network Interface (WAN)
################################

In the network settings choose the created Virtual Network *VTAIRVirtualNetwork*. Also choose the default subnet.

.. image:: img/vtair-azure-instance-network.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance Network

Select *advanced* in the NIC network security group settings.

For the security group select *VTAIRPublicSecurityGroup*.

Click on *Advanced network configuration*.

Make sure the setting *Enable accelerated networking* is enabled.

You can finish the creation of the Virtual Machine at this point.

Private Network Interface (LAN)
################################

The Private Network Interface must be associated with the Virtual Machine after it is created. Wait until the virtual machine is fully created and running.

.. image:: img/vtair-azure-instance-running.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance Running

Stop the virtual machine at this point and go to the settings of the VM.

Switch to *Settings* and *Networking*. In the top menu click on *Attach network interface* and look for the *VTAIRPrivateNetworkinterface*.

Once the interface is associated with the VM, you can start it again.
Also write down the IP address of the new interface; we need it in the next step to create the default route for the LAN Routing Table. In our case it is *10.0.1.4*.

.. image:: img/vtair-azure-instance-network2.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance Network LAN

.. image:: img/vtair-azure-instance-network3.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance Network LAN

.. image:: img/vtair-azure-instance-network4.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance Network LAN

|br|

Default route pointing to VT AIR LAN interface
--------------------------------------------------

The next step needs to be completed in the *Route tables* settings. The Private Network Interface (LAN) needs to be the default gateway for the *VTAIRPrivateRoutingTable*.

Navigate to *Routes* and click on *Add*.

Give the route the name *VTAIRPublicRoutingTableGateway*. The destination type is *IP Addresses*, the destination is the network IP range *0.0.0.0/0* and the next hop type is *Virtual appliance*. The next hop address is the IP address of the LAN interface of the virtual machine. In our case it is *10.0.1.4*.

.. image:: img/vtair-azure-private-gateway.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Public Routing Table Private Gateway Association

|br|

VT AIR configuration
***********************

We will now need to log in to the WebGUI of the VT AIR instance to configure the LAN interface and additional settings.

Enable and set LAN Interface
################################

In the WebGUI navigate to *Interfaces* -> *Assign*. Select the edit button next to the *LAN* interface and assign the new interface to it.

.. image:: img/vtair-azure-instance-lan-assign.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance LAN Assign

Switch to the *LAN* interface settings by going to *Interfaces* -> *LAN*.

Enable the interface and set the IPv4 type to DHCP. Save the settings.

.. image:: img/vtair-azure-instance-lan-interface.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance LAN Interface

This will enable the LAN interface and the IP *192.168.1.10* will be assigned.

.. image:: img/vtair-azure-instance-dashboard.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Instance Dashboard

|br|

Create DNAT Rules and VPN Configuration
########################################

You can now create all the different settings you need for your setup. To make instances behind VT AIR available to the elastic IP, configure a DNAT rule.

You can also configure the different VPN options.

Azure VMs
***********************

Connect Azure VMs to the private subnet so they are in the *LAN* network of the VT AIR.

We have created videos to show the entire configurations.

.. raw:: html

Add to the Private Network Subnet
#####################################

If you already have running instances, you need to create a new Network Interface and change the existing network interface on the VM.

When you create a new VM, you can select the Virtual Network and private subnet in the network settings when you create it.

.. image:: img/vtair-azure-server.png
   :width: 100%
   :align: center
   :alt: VT AIR Azure Server

|br|

Set Private Network Security Group
###################################

Make sure to select an appropriate Network Security Group so the VM can be accessed by the VT AIR.
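
A post-deployment check for the setup described in this guide, as an added example that is not part of the VT AIR documentation: it reports a missing default route through the appliance, a route table that is not attached to the private subnet, disabled IP forwarding on the LAN interface, and SSH or WebGUI ports open to any source. The sample data is constructed, and the JSON field names and the ``rule`` helper are assumptions about what ``az network ... show -o json`` exports.

```python
# Constructed sample data shaped like Azure CLI JSON output (field names are an
# assumption); names and addresses are the ones used in this guide.
ROUTE_TABLE = {
    "subnets": [{"id": "/subscriptions/EXAMPLE/subnets/VTAIRPrivateSubnet"}],
    "routes": [
        {"name": "PrivateNetwork", "addressPrefix": "10.0.1.0/24",
         "nextHopType": "VnetLocal", "nextHopIpAddress": None},
        {"name": "VTAIRPublicRoutingTableGateway", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    ]}
LAN_NIC = {"enableIPForwarding": True,
           "ipConfigurations": [{"privateIPAddress": "10.0.1.4"}]}
def rule(name, port, source):  # hypothetical helper: one inbound allow rule
    return {"name": name, "direction": "Inbound", "access": "Allow",
            "destinationPortRange": port, "sourceAddressPrefix": source}
PUBLIC_NSG = {"securityRules": [rule("SSH", "22", "*"),
    rule("WebGUI", "443", "203.0.113.0/24"), rule("OpenVPN", "1194", "*")]}
MGMT_PORTS = (22, 443)                       # SSH and WebGUI
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # source values meaning "anyone"

def covers(port_range, port):
    """True if an NSG port spec ('*', '22' or '20-30') includes port."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit(route_table, lan_nic, public_nsg, subnet="VTAIRPrivateSubnet"):
    findings = []
    lan_ips = {c["privateIPAddress"] for c in lan_nic["ipConfigurations"]}
    if not any(r["addressPrefix"] == "0.0.0.0/0"
               and r["nextHopType"] == "VirtualAppliance"
               and r["nextHopIpAddress"] in lan_ips for r in route_table["routes"]):
        findings.append("no default route via the VT AIR LAN interface")
    if not any(s["id"].endswith("/subnets/" + subnet)
               for s in route_table.get("subnets") or []):
        findings.append("route table not associated with " + subnet)
    if not lan_nic.get("enableIPForwarding"):
        findings.append("IP forwarding disabled on the LAN interface")
    for r in public_nsg["securityRules"]:
        exposed = ((r["direction"], r["access"]) == ("Inbound", "Allow")
                   and r.get("sourceAddressPrefix") in ANY_SOURCE)
        specs = [r.get("destinationPortRange")] + (r.get("destinationPortRanges") or [])
        for port in MGMT_PORTS:
            if exposed and any(covers(s, port) for s in specs if s):
                findings.append(f"port {port} open to any source (rule {r['name']})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ROUTE_TABLE, LAN_NIC, PUBLIC_NSG)) or "ok")
```

A finding for port 22 or 443 carries more weight while the default WebGUI login from this guide is still in place on the appliance.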