“Everybody’s going to the cloud! Everybody’s going to the Cloud!”
Well…alright….not exactly. While organizations of varying sizes are utilizing cloud resources with increasing frequency, the majority have definitely not gone “all-in”. Still, with the increasing popularity of cloud-based services like Office 365 and Windows Azure, the pace of adoption appears to be picking up and many adopters are starting to move their services up to the cloud. In a few of my previous posts, we talked about how the F5 BIG-IP can enhance the sign-on experience between an organization’s on-premise Active Directory and Office 365. So, it only seems fitting to take a look at how F5 and the BIG-IP can facilitate the Windows Azure experience.
One of the many features of Windows Azure is its “Virtual Network” functionality which allows organizations to provision and manage cloud-based virtual private networks. These virtual networks can host a variety of resources such as webservers, databases, etc. that have been traditionally hosted in the on-premise data center. What’s more, by utilizing a ‘site-to-site’ VPN between the on-premise network and the virtual network(s), the on-premise data center can now be scaled-out quickly and easily. For example, in the scenario below rather than investing in additional on-premise infrastructure, the organization, (F5Demo) has decided to use Windows Azure to host both its SharePoint and AD FS farms. Along with load balancing and providing pre-authentication for both on-premise and cloud-based applications, the BIG-IP can act as the IPsec gateway device for establishing a secure ‘site-to-site’ VPN with Windows Azure.
Rather than providing step-by-step guidance on configuring IPsec on the BIG-IP, I’m just going to provide a brief overview of the steps required. However, don’t fret! There’s an iApp for it! Yep just click here and download the iApp template. Please Note: Although I have configured and tested the template, it is offered under the community submitted category and subsequently, not F5 supported. In addition, there’s great guidance for configuring the BIG-IP available on F5’s support site. Additionally, information regarding Windows Azure IPsec requirements can be found here. Configuring the BIG-IP as an IPsec tunnel endpoint is relatively simple and consists of four, (4) steps.
Step1. Create an IKE peer – The Azure IKE peer, (Phase I) utilizes ‘SHA-1’ for authentication, ‘AES128’ for encryption, Diffie-Hellman (MODP1024) Perfect Forward Secrecy, and a ‘preshared key’.
Step2. Create an IPsec policy – The IPsec policy, (Phase II) utilizes SHA-1’ for authentication, ‘AES128’ for encryption, and Diffie-Hellman (MODP1024) Perfect Forward Secrecy.
Note: The local endpoint, (BIG-IP) must use a publicly routable IP address as its tunnel endpoint.
Step3. Create Traffic Selector(s) - The traffic selectors specify what traffic, (based on source and destination addresses) to pass through the IPsec tunnel.
Step4. Create a forwarding virtual server – The simple forwarding virtual server listens for and directs traffic over the IPsec tunnel.
There you have it! It’s as easy as 1, 2, 3,…ah....4. Once again, I didn’t want to reinvent the wheel so checkout the F5 support page for detailed guidance on configuring the BIG-IP and IPsec.