Configuration > Cloud Services > Microsoft Azure Virtual WAN
Microsoft Azure optimizes routing, automates large scale connectivity from various branches to Azure workloads, and provides unified network and policy management within Orchestrator. Use Azure to deploy to a single WAN circuit or for branch to branch connectivity by configuring virtual WANs to associated hubs.
Before you begin Microsoft Azure Virtual WAN configuration in Orchestrator, you need to use the Azure Virtual WAN portal to authenticate and authorize Orchestrator in Azure. You need to create the service principal, which focuses on single-tenant application to run within only one organization. Click here to get started.
Create an application in Azure and note the following Subscription details from the Azure Active Directory:
Tenant (Directory) ID
Application (Client) ID
Client Secret Key
Create a storage account in Azure and get the following:
Storage Account Name
Storage Access Key
Create a resource group.
Create Azure Virtual WANs with hubs from your resource groups.
Complete the following tasks in Orchestrator:
Configure a VTI IP Pool.
Enter a valid IPv4 Subnet.
NOTE: This is a unique address across the network. VTI interfaces created for Azure integration will be selected from this pool.
*INFO* Azure VTI interface zone is set to WAN interface zone. Any change in deployment for the WAN interface zone is applied to Azure VTI as well.
WARNING: Any change in the VTI pool after it is configured is networking affecting. This operation should be performed during a maintenance window as it can take several hours for some Cloud services to complete.
Configure BGP ASN Global Pool.
Enter the start and end ranges for ASNs.
Add any reserved ASNs to exclude from being applied to appliances.
NOTE: If not previously enabled, Orchestrator enables BGP.
When are you finished with the Azure and Orchestrator prerequisites, navigate to the Microsoft Azure Virtual WAN tab in Orchestrator. There are five buttons at the top of the table that are used to complete the Azure and Orchestrator integration: Subscription, Interface Labels, Virtual Wan Association, Tunnel Settings, and Zone.
To begin, click the Subscription icon.
Enter the information in the Subscription fields that reflect your Azure portal account.
Click Save after you have finished entering the information in the table below. The Azure field should reflect Connected.
The following table represents the values in the Subscription window from the Azure portal.
|Connection status of your account with Azure.
|ID of your subscription.
|Name of your Azure AD tenant.
|Client ID of your Azure portal.
|Client Secret Key
|Secret key of your Azure application.
|Storage Account Name
|Name of your storage account.
|Storage Account Key
|Storage account key.
|Storage account URL.*
|Configuration Polling Interval
|Indicates hows often Orchestrator should check for configuration changes in Azure. The default polling interval is ten minutes.
The Storage URL is present on the Storage Accounts tab in your Azure portal. Complete the following steps to obtain your storage account URL.
After your storage account is created in Azure, create a blob container.
Get the blob container URL.
Suffix the URL with a slash and add a file name in the Storage URL field.
NOTE: Append the URL with a slash for the file name. Do not end the URL with a slash.
Select the order in which you want your interface labels to be used.
Click the Interface Labels button. The Build Tunnels Using These Interfaces displays.
Drag the Interface labels you want to use into the Preferred Interface Label Order column.
Virtual WAN Association
Each appliance is associated with one virtual WAN. Use the Virtual Wan Association button to add or remove specific sites to your virtual WANs.
Click the Virtual Wan Association button.
Select an appliance from the tree in the left menu.
Select the check box to Add or Remove the appliance to your virtual WAN in Azure.
The Tunnel Settings button opens the Tunnel Settings dialog box, which enables you to define the tunnels associated with Azure and Orchestrator. It is recommended that you use the default tunnel settings for General, IKE, and IPSec; however, you can modify any field. The tunnel settings are set using the default VPN configuration parameters received from virtual WAN APIs located in your Azure portal account.
In your Azure Portal Account, navigate to the Azure Configuration table. This table displays the VPN site created for Orchestrator appliances associated to Azure virtual WANs. Additionally, manually associate sites to your hubs in Azure.
Navigate to Azure Virtual WAN.
Select Azure VPN site.
Select New Hub Association.
You can apply configured segments to your VTI interfaces associated for Azure. Click the Zone button and select the zone from the drop-down you want to apply.
The Tunnel page displays that Azure and Orchestrator have an established connection with Azure by displaying a tunnel status of up - active.
For more information about Azure configuration, visit the following link: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal.