Bridging the Gap between Azure Classic and ARM

p>Or should I say “Tunneling the gap between….” Ha Ha ha, hmm….never mind.

So you just finished deploying your first BIG-IP from the Azure Marketplace. You can barely contain your excitement!!! That web app that’s been floating up in the cloud with its backside twisting in the proverbial wind will now be snug and safe behind a BIG-IP with ASM. You’ll finally get a good night’s sleep tonight! A single tear drop falls from your eye.

I know…..sigh….yeah, I know.

This is where our little story takes a turn. You start to configure the BIG-IP when all of a sudden it hits you like a ton of server racks; the web app was deployed in Azure Classic. But your BIG-IP is deployed in ARM! Classic and ARM environments don’t play well together! This time it’s not a single tear drop.

Drama aside, the above scenario is becoming quite common. As enterprises as they start to migrate their workloads from Azure’s legacy model, (Classic aka v1) to the new mode, (ARM aka v2), providing inter-connectivity between legacy resources located on Classic VNets and newer resource deployed in ARM VNets will be critical. Fortunately, while not very “elegant” there is a solution and that solution is VPN. Connecting resources located on Classic VNet to resources on an ARM VNet can be achieved by creating an IPsec VPN tunnel between the two infrastructures; essentially the same process as connecting an Azure infrastructure to an on-premises data center. For more detail, check out the guidance provided by Telmo Sampaio.

Warning: while conceptually accurate, the guidance provided in the aforementioned article is out-of-date. Specifically, the PowerShell cmdlets used have been deprecated. But hey, that’s ok. I’m here to help .

Integrating an ARM BIG-IP with a Classic Application

In this post we’ll walk though the process of creating a dynamic IPsec tunnel between a legacy Classic VNet, hosting a multi-tiered web application, and an ARM-based BIG-IP virtual ADC. The end result is illustrated below. This process will enable the BIG-IP to provide services, (revers proxy, WAF, etc.) to the legacy application. The procedure includes the following high-level tasks:

Create Classic dynamic VPN gateway using the legacy management portal, (https://manage.windowsazure.com);
Create ARM dynamic VPN gateway using Azure PowerShell; and
Establishing a VPN tunnel between the two gateway endpoints.

Note: To level set, the following example assumes that both the Classic and ARM infrastructures, (VNets, VMs, etc.) have already been deployed and properly configured. Additionally, the user, (that’s you), is assumed to have a basic knowledge of networking and VPN technologies. Refer to Azure guidance for detailed information related Azure technologies, (VPNs, virtual machines, networking, etc.).

* Graphic borrowed, and modified, from article authored by Telmo Sampaio.

Update the Classic Environment’s VNET

As shown at right, the f5demo Azure Classic environment we have provisioned several virtual machines all of which are connected to the virtual network, ‘F5DEMO_WEST_VN’.

To enable connectivity to the ARM VNET, we will need to:

Create a local network configuration representing the virtual network on the other side of the IPsec tunnel;
Enable Site-to-site connectivity; and
Create a Dynamic VPN Gateway.

The following steps will be completed using the legacy portal, https://manage.windowsazure.com.

1. Create a ‘Local Network’ in the Classic Environment

From the portal, select ‘NEW’ –> ‘NETWORK SERVICES’ –> ‘VIRTUAL NETWORK’ '—> ‘ADD LOCAL NETWORK’;
Enter a name for the local network. This corresponds to the virtual network that will be located on the other side of the VPN tunnel;
Enter an IP address for the ARM VPN gateway endpoint. since we have yet to create the ARM gateway endpoint, any properly formed address will be sufficient, (1.2.3.4 in the example). In a later step we will return to this screen and update;
Click on the arrow to continue;

Enter the address space that corresponds to the ARM VNet address space. Note: The VNets must utilize unique address spaces. In our example, we are using an address space of 192.168.0.0/16 for the ARM VNet;

Click on the check mark to complete.

2. Enable Site-to-site Connectivity

Select ‘NETWORKS’ –> ‘VIRTUAL NETWORKS’ –> ‘’ –> ‘CONFIGURE’;
As illustrated below, ensure ‘Connect to the local network’ checkbox is checked and the newly created local network is selected from the drop-down;

3. Create VPN Gateway

Select ‘DASHBOARD –> ‘CREATE GATEWAY’, (see below).

Be patient. The creation process may take several minutes;

4. Capture Gateway Address and Shared Key

Once the gateway has been created, make note of the gateway IP address. this will be referenced in a future step;

Additionally, make note of the shared key. Select ‘MANAGE KEYS’ from the bottom of the screen and select the ‘copy’ icon;

Create ARM VNet VPN Gateway

As illustrated at right, we have already deployed our BIG-IP into a new ARM environment all nicely consolidated into a single Azure resource group.

To create and configure the ARM VNet gateway, we must use Azure PowerShell. As illustrated in the aforementioned Azure guidance, we could make use of PowerShell and ARM templates to configure the ARM gateway. However, for one-time configurations such as this, I prefer to stick with straight PowerShell cmdlets when available. Mind you, this is just my preference.

Regardless of which method you choose, all the necessary objects can be created relatively easily with a single script. Speaking of scripts, I have one for you.

1. Run PowerShell Script

Modify and execute the following PowerShell script creates and configures the various ARM objects including:

- Gateway public IP address;
- Gateway subnet;
- Local Network – (corresponding to Classic VNet);
- VPN Gateway; and
- Gateway Connection.

Note: You will need to modify the ‘Parameters’ section with the appropriate values. This includes the gateway IP address and shared key previously captured.

## Connect to Azure Subscription
Login-AzureRmAccount
clear

#Parameters
########################################
$RGName = 'BIGIP-ASM'
$Location = 'West US'
$ARMVNET = 'BIGIP-ASM'
$ARMGWPrefix = '192.168.2.0/24'

$ClassicVNET = 'f5demo_west_vn'
$ClassicPrefix = '172.16.101.0/24'
$ClassicGWIP = '40.118.168.206'
$SharedKey = 'BwiNaTNleW5CGMJbXTbCOnoN2uwFINTT'
#########################################

#Create ARM gateway public IP
$ARMGWIP = New-AzureRmPublicIpAddress -Name ($ARMVNET + "-gw-IP") -ResourceGroupName $RGName -Location $Location -AllocationMethod Dynamic

#Create ARM gateway subnet and update virtual network configuration
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $RGName -Name $ARMVNET
Add-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $ARMGWPrefix -VirtualNetwork $vnet
$SubnetConfig = (Get-AzurermVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name GatewaySubnet).Id
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#Create Classic local network gateway
$ClassicGW = New-AzureRmLocalNetworkGateway -Name ($ClassicVNET + "-ln") -ResourceGroupName $RGName -Location $Location -AddressPrefix $ClassicPrefix -GatewayIpAddress $ClassicGWIP
$ARMGWConfig = New-AzurermVirtualNetworkGatewayIpConfig -Name ($ARMVNET + "-2-" + $ClassicVNET + “-gwconfig”) -SubnetId $SubnetConfig -PublicIpAddressId $ARMGWIP.Id

#Create ARM network gateway
$ARMGW = New-AzurermVirtualNetworkGateway -Name ($ARMVNET + "-2-" + $ClassicVNET+ “-gw”) -ResourceGroupName $RGName -Location $Location -IpConfigurations $ARMGWConfig -GatewayType VPN -VpnType RouteBased

#Create gateway connection
New-AzurermVirtualNetworkGatewayConnection -Name ($ARMVNET + "-2-" + $ClassicVNET+ “-connection”) -ResourceGroupName $RGName -Location $Location -VirtualNetworkGateway1 $ARMGW -LocalNetworkGateway2 $ClassicGW -ConnectionType IPsec -SharedKey $SharedKey

Once the script has completed, (may take several minutes) the previously noted objects are created and can be viewed in the ARM portal, (https://portal.azure.com).

Guess what? We’re just about done! Not too bad.

2. Capture Gateway Address

As I mentioned previously, after completing the ARM Gateway creation, make note of the ARM gateway IP address, (see below - 40.118.253.238 in our example);

Update the Classic Local Network Gateway Address

1. Update Local Network Address

To complete the configuration, we need to modify the previously create local network object in the Classic portal and enable the VPN. Using the legacy portal, https://manage.windowsazure.com, connect to the Classic environment.

Select ‘NETWORKS’ –> ‘LOCAL NETWORKS’ ---> ‘’;
Select ‘EDIT’ located at the bottom of the page;

Modify the VPN device address using the ARM gateway IP address previously noted;
Click on the arrow to continue;
Click on the check mark to complete the update.

2. Enable VPN Connection

Select ‘VIRTUAL NETWORKS’
Click on the ‘Connect’ icon located at the bottom of the page to establish the VPN tunnel.

Process Compete!

Once successfully completed, the tunnel status can be viewed in both the Classic portal as well as the ARM portal as shown below respectively. With the tunnel established, cross-communication between Classic and ARM infrastructure resources can be established.

Classic Portal View

ARM Portal View

Published Dec 30, 2015

Version 1.0