Greg_Coward
F5 Employee

“Everybody’s going to the cloud! Everybody’s going to the Cloud!”

Well… alright… not exactly. While organizations of varying sizes are utilizing cloud resources with increasing frequency, the majority have definitely not gone “all-in”. Still, with the increasing popularity of cloud-based services like Office 365 and Windows Azure, the pace of adoption appears to be picking up, and many adopters are starting to move their services up to the cloud. In a few of my previous posts, we talked about how the F5 BIG-IP can enhance the sign-on experience between an organization’s on-premise Active Directory and Office 365. So, it only seems fitting to take a look at how F5 and the BIG-IP can facilitate the Windows Azure experience.

One of the many features of Windows Azure is its “Virtual Network” functionality, which allows organizations to provision and manage cloud-based virtual private networks. These virtual networks can host a variety of resources, such as web servers, databases, etc., that have traditionally been hosted in the on-premise data center. What’s more, by utilizing a ‘site-to-site’ VPN between the on-premise network and the virtual network(s), the on-premise data center can now be scaled out quickly and easily. For example, in the scenario below, rather than investing in additional on-premise infrastructure, the organization (F5Demo) has decided to use Windows Azure to host both its SharePoint and AD FS farms. Along with load balancing and providing pre-authentication for both on-premise and cloud-based applications, the BIG-IP can act as the IPsec gateway device for establishing a secure ‘site-to-site’ VPN with Windows Azure.

[Figure: F5Demo topology – on-premise data center with the BIG-IP as IPsec gateway, site-to-site VPN to the Windows Azure virtual network hosting the SharePoint and AD FS farms]

Rather than providing step-by-step guidance on configuring IPsec on the BIG-IP, I’m just going to provide a brief overview of the steps required. However, don’t fret! There’s an iApp for it! Yep, just click here and download the iApp template. Please Note: Although I have configured and tested the template, it is offered under the community submitted category and is consequently not F5 supported. In addition, there’s great guidance for configuring the BIG-IP available on F5’s support site, and information regarding Windows Azure IPsec requirements can be found here. Configuring the BIG-IP as an IPsec tunnel endpoint is relatively simple and consists of four steps.

Step 1. Create an IKE peer – The Azure IKE peer (Phase I) utilizes ‘SHA-1’ for authentication, ‘AES128’ for encryption, Diffie-Hellman (MODP1024) Perfect Forward Secrecy, and a ‘preshared key’.

[Screenshot: IKE peer configuration]

Step 2. Create an IPsec policy – The IPsec policy (Phase II) utilizes ‘SHA-1’ for authentication, ‘AES128’ for encryption, and Diffie-Hellman (MODP1024) Perfect Forward Secrecy.

[Screenshot: IPsec policy configuration]

Note: The local endpoint (BIG-IP) must use a publicly routable IP address as its tunnel endpoint.

Step 3. Create Traffic Selector(s) – The traffic selectors specify what traffic (based on source and destination addresses) to pass through the IPsec tunnel.

[Screenshot: traffic selector configuration]

Step 4. Create a forwarding virtual server – The simple forwarding virtual server listens for and directs traffic over the IPsec tunnel.

[Screenshot: forwarding virtual server configuration]

There you have it! It’s as easy as 1, 2, 3… ah… 4. Once again, I didn’t want to reinvent the wheel, so check out the F5 support page for detailed guidance on configuring the BIG-IP and IPsec.
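To make the four steps concrete, here is a small generator that emits the tmsh `create` commands for the IKE peer, IPsec policy, traffic selector(s) and forwarding virtual server with the Phase I/II parameters listed above, and that enforces the note in Step 2 by refusing a tunnel endpoint address that is not publicly routable. This is an added example and not the post’s iApp or any F5-supplied code. The object names, the sample addresses and the pre-shared key are constructed; the tmsh attribute names (`phase1-encrypt-algorithm`, `ike-phase2-perfect-forward-secrecy`, `ip-forward`, and so on) are assumptions that you should verify against the tmsh reference for the TMOS version you run before pasting the output. The Phase II PFS value is a parameter because the post configures MODP1024 while the Microsoft documentation cited in the comments says PFS must be disabled; `none` is the default here.

```python
"""Generate the tmsh commands for the four BIG-IP IPsec objects described in the post.

Added example, not F5 code.  Assumptions: the tmsh attribute names, the object
names, and the constructed sample addresses/pre-shared key.
"""
import ipaddress
from dataclasses import dataclass

# Blocks that can never serve as an Internet-facing tunnel endpoint (Step 2 note).
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class AzureTunnel:
    local_ip: str            # BIG-IP self IP used as the tunnel endpoint (must be public)
    azure_gateway_ip: str    # Windows Azure virtual network gateway address
    local_subnets: tuple     # on-premise prefixes behind the BIG-IP
    azure_subnets: tuple     # Azure virtual network prefixes
    psk: str                 # pre-shared key agreed with Azure
    pfs: str = "none"        # Phase II PFS: "modp1024" as in the post, "none" per Microsoft's doc


def require_public(ip_str):
    """Raise ValueError unless ip_str is an IPv4 address outside the non-routable blocks."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4 or any(ip in net for net in _NON_ROUTABLE):
        raise ValueError(f"{ip_str} is not a publicly routable IPv4 address")
    return ip


def endpoint_is_usable(ip_str):
    """Convenience wrapper: True when require_public() accepts the address."""
    try:
        require_public(ip_str)
        return True
    except ValueError:
        return False


def tmsh_commands(t, name="azure"):
    """Return the tmsh 'create' commands for Steps 1-4, in order."""
    require_public(t.local_ip)
    require_public(t.azure_gateway_ip)
    for prefix in t.local_subnets + t.azure_subnets:
        ipaddress.ip_network(prefix)             # raises ValueError on a malformed prefix
    if len(t.psk) < 16:
        raise ValueError("pre-shared key is too short")

    cmds = []
    # Step 1: IKE peer (Phase I) - SHA-1, AES128, DH MODP1024, pre-shared key.
    cmds.append(
        f"create net ipsec ike-peer {name}_peer remote-address {t.azure_gateway_ip} "
        f"phase1-auth-method pre-shared-key preshared-key {t.psk} "
        f"phase1-encrypt-algorithm aes128 phase1-hash-algorithm sha1 "
        f"phase1-perfect-forward-secrecy modp1024 "
        f"my-id-type address my-id-value {t.local_ip} "
        f"peers-id-type address peers-id-value {t.azure_gateway_ip}")
    # Step 2: IPsec policy (Phase II) - ESP tunnel mode between the two public endpoints.
    cmds.append(
        f"create net ipsec ipsec-policy {name}_policy mode tunnel protocol esp "
        f"tunnel-local-address {t.local_ip} tunnel-remote-address {t.azure_gateway_ip} "
        f"ike-phase2-auth-algorithm sha1 ike-phase2-encrypt-algorithm aes128 "
        f"ike-phase2-perfect-forward-secrecy {t.pfs}")
    # Step 3: one traffic selector per (on-premise prefix, Azure prefix) pair.
    pairs = [(s, d) for s in t.local_subnets for d in t.azure_subnets]
    for i, (src, dst) in enumerate(pairs):
        cmds.append(
            f"create net ipsec traffic-selector {name}_ts{i} "
            f"source-address {src} destination-address {dst} "
            f"direction both ipsec-policy {name}_policy")
    # Step 4: forwarding virtual server per Azure prefix, no address or port translation.
    for i, dst in enumerate(t.azure_subnets):
        net = ipaddress.ip_network(dst)
        cmds.append(
            f"create ltm virtual {name}_fwd{i} destination {net.network_address}:any "
            f"mask {net.netmask} ip-forward profiles add {{ fastL4 }} "
            f"translate-address disabled translate-port disabled")
    return cmds


if __name__ == "__main__":
    # Constructed sample values; replace with your own endpoints and prefixes.
    demo = AzureTunnel("203.0.113.10", "198.51.100.20",
                       ("10.1.0.0/16",), ("172.16.0.0/16",),
                       "constructed-sample-psk-change-me")
    print("\n".join(tmsh_commands(demo)))
```

Run it and paste the printed commands into `tmsh` (or use them as a reference when filling in the iApp). The script refuses RFC 1918, loopback, link-local and similar addresses for either endpoint, which is the most common reason a freshly built tunnel never reaches Phase I.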


Additional Links:

Codeshare - IPSec Tunnel Endpoint iApp

Configuring IPsec between a BIG-IP system and a third-party device

Windows Azure Virtual Networks

Comments
Tom_Rogers
F5 Employee
You will need to disable Perfect Forward Secrecy (PFS) on the BIG-IP, per Microsoft's documentation: http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

On the BIG-IP, running 11.2.0 and above, this can be done, but only on a global scale. This is only available via tmsh: tmsh list sys db ipsec.disablepfs
Adel_N_114257
Nimbostratus
Hi. We are currently looking into deploying this along with GTM for IP geolocation and DC failure scenarios. Can this be done? If so, are there any resources that can help? I can't find anything to do with integration of GTM with Azure.
Version history
Last update: 22-Mar-2013 11:22