
Microsoft Azure Virtual WAN

Configuration > Cloud Services > Microsoft Azure Virtual WAN

Microsoft Azure optimizes routing, automates large-scale connectivity from various branches to Azure workloads, and provides unified network and policy management within Orchestrator. Use Azure to deploy to a single WAN circuit or for branch-to-branch connectivity by configuring virtual WANs to associated hubs.

Before you begin Microsoft Azure Virtual WAN configuration in Orchestrator, you need to use the Azure Virtual WAN portal to authenticate and authorize Orchestrator in Azure. You need to create a service principal for a single-tenant application, which runs within only one organization. Click here to get started.

Microsoft Azure Prerequisites

  1. Create an application in Azure and note the following Subscription details from the Azure Active Directory:

    • Subscription ID

    • Tenant (Directory) ID

    • Application (Client) ID

    • Client Secret Key

  2. Create a storage account in Azure and get the following:

    • Storage Account Name

    • Storage Access Key

  3. Create a resource group.

  4. Create Azure Virtual WANs with hubs from your resource groups.

Orchestrator Prerequisites

Complete the following tasks in Orchestrator:

  1. Configure a VTI IP Pool.

    • Enter a valid IPv4 Subnet.

      NOTE: This is a unique address across the network. VTI interfaces created for Azure integration will be selected from this pool.

      INFO: Azure VTI interface zone is set to WAN interface zone. Any change in deployment for the WAN interface zone is applied to Azure VTI as well.

      WARNING: Any change in the VTI pool after it is configured is network affecting. Perform this operation during a maintenance window, as it can take several hours for some Cloud services to complete.

  2. Configure BGP ASN Global Pool.

    • Enter the start and end ranges for ASNs.

    • Add any reserved ASNs to exclude from being applied to appliances.

      NOTE: If not previously enabled, Orchestrator enables BGP.
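
Because a later change to the VTI pool is network affecting, it is worth checking both pools before saving them. The following is an added example, not Orchestrator code: the function names, the sample inventory, the reserved ASN list, and the rule of one ASN per appliance are assumptions made for illustration.

```python
import ipaddress

# Assumption: ASNs Microsoft documents as reserved by Azure for BGP peering;
# confirm against current Azure documentation before relying on this list.
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}


def vti_pool_overlaps(pool_cidr, existing_cidrs):
    """Return the subnets already in use that overlap the proposed VTI pool."""
    # strict=True rejects host bits, e.g. 10.255.0.1/24 is not a valid subnet.
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    if pool.version != 4:
        raise ValueError("VTI pool must be an IPv4 subnet")
    clashes = []
    for cidr in existing_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and net.overlaps(pool):
            clashes.append(cidr)
    return clashes


def usable_asn_count(start, end, reserved):
    """Count ASNs in [start, end] that remain after excluding reserved ones."""
    if not 1 <= start <= end <= 4294967294:
        raise ValueError("ASN range must satisfy 1 <= start <= end <= 4294967294")
    excluded = {asn for asn in reserved if start <= asn <= end}
    return (end - start + 1) - len(excluded)


def preflight(pool_cidr, existing_cidrs, asn_start, asn_end, reserved, appliances):
    """Collect findings to resolve before saving the pools in Orchestrator."""
    findings = [f"VTI pool overlaps {c}" for c in vti_pool_overlaps(pool_cidr, existing_cidrs)]
    # Assumption: each appliance consumes one ASN from the global pool.
    free = usable_asn_count(asn_start, asn_end, reserved)
    if free < appliances:
        findings.append(f"only {free} usable ASNs for {appliances} appliances")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real deployment.
    in_use = ["10.0.0.0/16", "10.255.0.64/26", "172.16.0.0/12"]
    for finding in preflight("10.255.0.0/24", in_use, 65510, 65520, AZURE_RESERVED_ASNS, 8):
        print(finding)
```
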

Orchestrator Configuration

When you are finished with the Azure and Orchestrator prerequisites, navigate to the Microsoft Azure Virtual WAN tab in Orchestrator. There are five buttons at the top of the table that are used to complete the Azure and Orchestrator integration: Subscription, Interface Labels, Virtual Wan Association, Tunnel Settings, and Zone.

To begin, click the Subscription icon.

Subscription

  1. Enter the information in the Subscription fields that reflect your Azure portal account.

  2. Click Save after you have finished entering the information in the table below. The Azure field should reflect Connected.

The following table represents the values in the Subscription window from the Azure portal.

| Field | Description |
| --- | --- |
| Azure Reachability | Connection status of your account with Azure. |
| Subscription ID | ID of your subscription. |
| Tenant ID | Name of your Azure AD tenant. |
| Client ID | Client ID of your Azure portal. |
| Client Secret Key | Secret key of your Azure application. |
| Storage Account Name | Name of your storage account. |
| Storage Account Key | Storage account key. |
| Storage URL | Storage account URL.* |
| Configuration Polling Interval | Indicates how often Orchestrator should check for configuration changes in Azure. The default polling interval is ten minutes. |

*Storage URL

The Storage URL is present on the Storage Accounts tab in your Azure portal. Complete the following steps to obtain your storage account URL.

  1. After your storage account is created in Azure, create a blob container.

  2. Get the blob container URL.

  3. Suffix the URL with a slash and add a file name in the Storage URL field.

    NOTE: Append the URL with a slash for the file name. Do not end the URL with a slash.
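
A Storage URL that is malformed or that points at a different account than the Storage Account Name field is easy to miss by eye. The following is an added example, not part of Orchestrator, that checks the shape described in the steps above; the account name, container name, and file name in the usage are constructed, and the blob endpoint suffix assumes the Azure public cloud.

```python
import re
from urllib.parse import urlsplit

# Assumption: Azure public cloud blob endpoint; sovereign clouds use other suffixes.
BLOB_SUFFIX = ".blob.core.windows.net"
ACCOUNT_RE = re.compile(r"[a-z0-9]{3,24}")
CONTAINER_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def storage_url_problems(url, account_name):
    """Return a list of problem codes; an empty list means the URL is well formed."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("not-https")
    if not ACCOUNT_RE.fullmatch(account_name):
        problems.append("bad-account-name")
    if not host.endswith(BLOB_SUFFIX):
        problems.append("not-blob-endpoint")
    elif host[: -len(BLOB_SUFFIX)] != account_name:
        # The URL must belong to the account whose key is entered alongside it.
        problems.append("account-mismatch")
    if parts.query or parts.fragment:
        # The steps describe only container URL + "/" + file name.
        problems.append("unexpected-query-or-fragment")
    # "/container/file" -> ["container", "file"]; a trailing slash leaves "" last.
    segments = parts.path.split("/")[1:]
    container = segments[0] if segments else ""
    if not (3 <= len(container) <= 63 and CONTAINER_RE.fullmatch(container)):
        problems.append("bad-container-name")
    if len(segments) < 2:
        problems.append("missing-file-name")
    elif segments[-1] == "":
        problems.append("trailing-slash")
    return problems


if __name__ == "__main__":
    # Constructed values for illustration only.
    base = "https://orchstore01.blob.core.windows.net/vwan-config"
    for candidate in (base + "/orchestrator.json", base + "/", base):
        print(candidate, storage_url_problems(candidate, "orchstore01"))
```
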

Interface Labels

Select the order in which you want your interface labels to be used.

  1. Click the Interface Labels button. The Build Tunnels Using These Interfaces displays.

  2. Drag the Interface labels you want to use into the Preferred Interface Label Order column.

  3. Click Save.

Virtual WAN Association

Each appliance is associated with one virtual WAN. Use the Virtual Wan Association button to add or remove specific sites to your virtual WANs.

  1. Click the Virtual Wan Association button.

  2. Select an appliance from the tree in the left menu.

  3. Select the check box to Add or Remove the appliance to your virtual WAN in Azure.

Tunnel Settings

The Tunnel Settings button opens the Tunnel Setting dialog box, which enables you to define the tunnels associated with Azure and Orchestrator. It is recommended that you use the default tunnel settings for General, IKE, and IPSec; however, you can modify any field. The tunnel settings are set using the default VPN configuration parameters received from virtual WAN APIs located in your Azure portal account.

In your Azure Portal Account, navigate to the Azure Configuration table. This table displays the VPN site created for Orchestrator appliances associated to Azure virtual WANs. Additionally, manually associate sites to your hubs in Azure.

  1. Navigate to Azure Virtual WAN.

  2. Select Azure VPN site.

  3. Select New Hub Association.

Zone

You can apply configured segments to your VTI interfaces associated with Azure. Click the Zone button and select the zone you want to apply from the drop-down.

Verification

The Tunnel page shows that Orchestrator has an established connection with Azure by displaying a tunnel status of up - active.

For more information about Azure configuration, visit the following link: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal.



© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.