From a802fe5406a912f65d0a673a670462d756df5a7a Mon Sep 17 00:00:00 2001 From: mtovino-cloudflare <151655012+mtovino-cloudflare@users.noreply.github.com> Date: Thu, 19 Dec 2024 11:49:31 -0800 Subject: [PATCH] [Magic WAN] update Azure instructions This updates the Azure instructions to: - use the Active/Active configuration on the Azure Virtual Gateway - use bidirectional health checks with a custom target equal to the Customer endpoint These changes are unlocked by the completion of RM-19633. (The work is done, and shipped, even if the RM is not yet closed) --- .../manually/third-party/azure.mdx | 30 +++++++------------ 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx index 6e35f36f0545c6b..d45e0ba1ff4cf3c 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx @@ -35,7 +35,7 @@ This configuration guide applies to Azure Virtual Network Gateway which includes 1. Create a Virtual Network Gateway. 2. Create a new public IP address or use an existing IP. Take note of the public IP address assigned to the Virtual Network Gateway as this will be the **Customer endpoint** for Magic WAN's IPsec tunnels configuration. 3. Select the resource group and VNET you have already created. -4. In **Configuration**, disable **Active-active mode** and **Gateway Private IPs**. +4. In **Configuration**, enable **Active-active mode** and disable **Gateway Private IPs**. 5. Select **Create**. :::note 
@@ -85,9 +85,13 @@ To configure the Address Space for the Local Network Gateway to support Tunnel H 1. Edit the Local Network Gateway configured in the previous section. 2. Select **Connections**. -3. Add the`/31` subnet in CIDR notation (for example, `10.252.3.54/31`) under **Address Space(s)**. +3. Add the Interface Address of the Magic IPsec Tunnel from the Cloudflare Dashboard in CIDR notation (for example, `10.252.3.55/32`) under **Address Space(s)**. 4. Select **Save**. +:::note +The Magic IPsec Tunnel Interface Address should be entered as a `/31` in the Cloudflare Dashboard, but as a `/32` when configuring the Local Network Gateway Address Space(s) in the Azure portal. +::: + ### 5. Create an IPsec VPN Connection Choose the following settings when creating your VPN Connection: 
@@ -165,9 +169,11 @@ ICMP (ping/traceroute) will work to remote Magic WAN sites, but is not forwarded 3. **Cloudflare endpoint**: Use the Cloudflare anycast address you have received from your account team. This will also be the IP address corresponding to the Local Network Gateway in Azure. For example, `162.xxx.xxx.xxx`. 4. **Health check rate**: Leave the default option (Medium) selected. 5. **Health check type**: Leave the default option (Reply) selected. - 6. **Health check direction**: Leave default option. - 7. **Add pre-shared key later**: Select this option to create a PSK that will be used later in Azure. - 8. **Replay protection**: **Enable**. + 6. **Health check direction**: Leave default option (Bidirectional) selected. + 7. **Health check target**: Select **Custom**. + 8. **Target address**: Enter the same address that is used in the **Customer endpoint** field. + 9. **Add pre-shared key later**: Select this option to create a PSK that will be used later in Azure. + 10. **Replay protection**: **Enable**. 3. Create static routes for your Azure Virtual Network subnets, specifying the newly created tunnel as the next hop. ## Validate connectivity and disable Azure Virtual Network Gateway anti-replay protection 
@@ -355,20 +361,6 @@ curl --location --request PUT \ 6. Leave the replay protection setting checked in the Cloudflare dashboard, and wait several minutes before validating connectivity again. -## Tunnel health checks and Azure - -We have identified cases where the IPsec Tunnels configured on the Azure Virtual Network Gateway need to be restarted one time before the tunnel health checks start passing. - -### Restart Azure tunnels - -1. Open the Virtual Network Gateway. -2. Go to **Settings** > **Connections**. -3. Open the properties of the tunnel. -4. Go to **Help** > **Reset**. -5. Select **Reset**. - -It may take several minutes for the tunnels to reset from the Azure side. Monitor the [tunnel health checks section](/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/) in the Cloudflare dashboard to determine the status. - :::note Tunnel Health Check percentages are calculated over a one hour period. :::
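Review bot: In the first hunk (@@ -35), step 2 still tells the reader to note "the public IP address" (singular) as the Customer endpoint, but once step 4 enables Active-active mode the Virtual Network Gateway is provisioned with a second public IP as well; say which of the gateway's two addresses becomes the Customer endpoint, or whether a second Magic IPsec tunnel should be created for the other address, so the later tunnel steps are not ambiguous.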
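Review bot: The new note in the second hunk (@@ -85) states the /31-versus-/32 rule but not why, and "should be entered" reads as optional. A /31 covers both hosts of the tunnel link, so say which of the two hosts is meant (the one shown as Interface Address in the Cloudflare dashboard, `10.252.3.55` in the example) and why the other one must be left out of the Local Network Gateway's Address Space(s); if Azure rejects or misroutes the /31, change "should" to "must".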
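Review bot: Step 8 in the third hunk (@@ -165) points the custom health-check target at "the same address that is used in the Customer endpoint field", which after the first hunk is one of an active-active gateway's public addresses; if one tunnel is created per gateway address, state that each tunnel's target is its own Customer endpoint. It is also worth one sentence tying this step to the Address Space change in the second hunk, since the Local Network Gateway entry is what lets Azure return the bidirectional checks through the tunnel.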
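Review bot: Deleting the "Tunnel health checks and Azure" section in the last hunk (@@ -355) leaves the `:::note Tunnel Health Check percentages are calculated over a one hour period. :::` block orphaned at the end of the "Validate connectivity and disable Azure Virtual Network Gateway anti-replay protection" section, where it no longer relates to the surrounding steps; move it next to the health-check steps in the @@ -165 hunk or remove it with the section. The commit message says the one-time reset is no longer needed after RM-19633, but the page does not say so; a short sentence that tunnels configured with the new health-check target do not need the reset would stop readers of the old page from looking for the removed procedure.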