So you just finished deploying your first BIG-IP from the Azure Marketplace. You can barely contain your excitement!!! That web app that’s been floating up in the cloud with its backside twisting in the proverbial wind will now be snug and safe behind a BIG-IP with ASM. You’ll finally get a good night’s sleep tonight! A single tear drop falls from your eye.
I know…..sigh….yeah, I know.
This is where our little story takes a turn. You start to configure the BIG-IP when all of a sudden it hits you like a ton of server racks; the web app was deployed in Azure Classic. But your BIG-IP is deployed in ARM! Classic and ARM environments don’t play well together! This time it’s not a single tear drop.
Drama aside, the above scenario is becoming quite common. As enterprises as they start to migrate their workloads from Azure’s legacy model, (Classic aka v1) to the new mode, (ARM aka v2), providing inter-connectivity between legacy resources located on Classic VNets and newer resource deployed in ARM VNets will be critical. Fortunately, while not very “elegant” there is a solution and that solution is VPN. Connecting resources located on Classic VNet to resources on an ARM VNet can be achieved by creating an IPsec VPN tunnel between the two infrastructures; essentially the same process as connecting an Azure infrastructure to an on-premises data center. For more detail, check out the guidance provided by Telmo Sampaio.
Warning: while conceptually accurate, the guidance provided in the aforementioned article is out-of-date. Specifically, the PowerShell cmdlets used have been deprecated. But hey, that’s ok. I’m here to help .
In this post we’ll walk though the process of creating a dynamic IPsec tunnel between a legacy Classic VNet, hosting a multi-tiered web application, and an ARM-based BIG-IP virtual ADC. The end result is illustrated below. This process will enable the BIG-IP to provide services, (revers proxy, WAF, etc.) to the legacy application. The procedure includes the following high-level tasks:
Note: To level set, the following example assumes that both the Classic and ARM infrastructures, (VNets, VMs, etc.) have already been deployed and properly configured. Additionally, the user, (that’s you), is assumed to have a basic knowledge of networking and VPN technologies. Refer to Azure guidance for detailed information related Azure technologies, (VPNs, virtual machines, networking, etc.).
Update the Classic Environment’s VNET
As shown at right, the f5demo Azure Classic environment we have provisioned several virtual machines all of which are connected to the virtual network, ‘F5DEMO_WEST_VN’.
To enable connectivity to the ARM VNET, we will need to:
The following steps will be completed using the legacy portal, https://manage.windowsazure.com.
1. Create a ‘Local Network’ in the Classic Environment
2. Enable Site-to-site Connectivity
3. Create VPN Gateway
Be patient. The creation process may take several minutes;
4. Capture Gateway Address and Shared Key
Create ARM VNet VPN Gateway
As illustrated at right, we have already deployed our BIG-IP into a new ARM environment all nicely consolidated into a single Azure resource group.
To create and configure the ARM VNet gateway, we must use Azure PowerShell. As illustrated in the aforementioned Azure guidance, we could make use of PowerShell and ARM templates to configure the ARM gateway. However, for one-time configurations such as this, I prefer to stick with straight PowerShell cmdlets when available. Mind you, this is just my preference.
Regardless of which method you choose, all the necessary objects can be created relatively easily with a single script. Speaking of scripts, I have one for you.
1. Run PowerShell Script
Modify and execute the following PowerShell script creates and configures the various ARM objects including:
Note: You will need to modify the ‘Parameters’ section with the appropriate values. This includes the gateway IP address and shared key previously captured.
Once the script has completed, (may take several minutes) the previously noted objects are created and can be viewed in the ARM portal, (https://portal.azure.com).
Guess what? We’re just about done! Not too bad.
2. Capture Gateway Address
As I mentioned previously, after completing the ARM Gateway creation, make note of the ARM gateway IP address, (see below - 220.127.116.11 in our example);
1. Update Local Network Address
To complete the configuration, we need to modify the previously create local network object in the Classic portal and enable the VPN. Using the legacy portal, https://manage.windowsazure.com, connect to the Classic environment.
2. Enable VPN Connection
Once successfully completed, the tunnel status can be viewed in both the Classic portal as well as the ARM portal as shown below respectively. With the tunnel established, cross-communication between Classic and ARM infrastructure resources can be established.