Check Point CheckMates · Web view


BGP over VPN between Azure/Check Point Gateway

Assumptions:

- A valid Azure Subscription has been established
- A Resource Group has been created within said Subscription

Pre-requisites:

- Azure VPN Gateway SKU must be Standard or High Performance for BGP to work:
  - VpnGw = Basic (BGP Not Supported)
  - VpnGw = Standard
  - VpnGw = High Performance
- BGP on the gateway can only be enabled through the resource manager if it was not done during the initial creation of the VPN gateway
- Windows PowerShell, as some Azure BGP configuration settings can be done through PowerShell

Note: The following ASNs are reserved by Azure for both internal and external peerings:

Public ASNs: 8075, 8076, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520

In an Admin PowerShell window:

1. Install-Module AzureRM
2. Set-ExecutionPolicy RemoteSigned

In a non-Admin PowerShell window:

1. Import-Module AzureRM

Networking Layout:

Address Space = 10.0.0.0/16
GatewaySubnet = 10.1.0.0/29
BackEnd Subnet = 10.2.0.0/24

RESOURCES WE WILL NEED TO CREATE

You will need, at minimum, the following resources to be defined in Azure space:

AzureVnet = Internal Azure virtual network
BackEnd =
GatewaySubnet = Subnet where default gateway for virtual network (vnet)
AzureVPNGW(1) = Azure VPN Gateway Instance
AzureVPNGW(2) = Public IP Address that will be used for Azure VPN Gateway
CP-2-Azure-BGP = VPN Connection settings to include BGP settings
CP-Remote-GW = Representation of Physical Check Point Gateway

Create VNET

In the Azure portal, in the left pane, go to “Virtual Networks”

Click on (+) sign to add vnet

ADD DEFAULT GATEWAY SUBNET

NOTE: This will be the default gateway for all subnets created under this address space

CREATE AZURE VPN GATEWAY

IMAGE 2 – Creating Public IP Address

When completed, click on Create:

NOTE: If you did not enable BGP on the gateway, or had it set to Basic, when the gateway was first created, you can follow the instructions in Appendix A to enable BGP on the gateway.

Get the Azure VPN gateway public IP Address from the Azure Portal

In Azure Portal select “All Resources”

CREATE CHECK POINT GATEWAY IN AZURE

Create VPN Connection

In Azure portal go to “All Resources”

Once created, you must go back into the configuration of the newly created connection and enable BGP:

CHECK POINT CONFIGURATION

SmartConsole Configuration

Create an empty VPN group which will represent the Azure VPN Gateway’s vpn domain:

Next, create the Azure VPN Gateway object:

Create VPN Community

GAIA WebUI Configuration on Check Point

Create VPN Tunnel Interface (VTI)

NOTE: THE PEER NAME MUST MATCH THE SMARTDASHBOARD OBJECT NAME OTHERWISE THE VTI WILL NOT WORK

Add Static Route for Azure VPN Peer BGP IP:

Setup BGP in GAIA WebUI

WARNING: Without “ALL” of these configurations completed BGP will not be successful

Add Azure Gateway BGP Information:

Fill in information based on Azure Gateway BGP Settings:

NOTE: Without Multihop enabled the BGP session will not be established. The Azure BGP peer IP is taken from the GatewaySubnet rather than from the VTI link, so the peer is not directly connected and is reached only via the static route added above.

Set BGP Inbound route filters

Note: For the purpose of this documentation the inbound filter has been set to accept all routes – this will vary in each environment

Set inbound route filter settings
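The document warns that BGP fails unless all of the pieces above are in place. As an added pre-flight check (not part of the original document or of any Check Point or Azure tool), the Python below validates a planned setup against the rules the document states: a BGP-capable SKU, an ASN outside Azure's reserved list, Multihop plus a static route because the Azure peer IP sits in the GatewaySubnet rather than on the VTI, and a VTI peer name that matches the SmartConsole object. The plan dictionary keys, the VTI name `vpnt1`, the VTI network 169.254.10.0/30, the peer IP 10.1.0.4 and the Check Point ASN 65010 are constructed sample values.

```python
import ipaddress

# From the document's notes: ASNs Azure reserves, and the SKUs that support BGP (Basic does not).
AZURE_RESERVED_ASNS = {8075, 8076, 12076, 65515, 65517, 65518, 65519, 65520}
BGP_CAPABLE_SKUS = {"Standard", "HighPerformance"}


def preflight(plan):
    """Check a planned Check Point <-> Azure BGP-over-VPN setup against the
    rules the document calls out. Returns a list of problems; empty means OK."""
    problems = []
    if plan["azure_sku"] not in BGP_CAPABLE_SKUS:
        problems.append(f"SKU {plan['azure_sku']} does not support BGP")
    if plan["checkpoint_asn"] in AZURE_RESERVED_ASNS:
        problems.append(f"ASN {plan['checkpoint_asn']} is reserved by Azure")
    if plan["checkpoint_asn"] == plan["azure_asn"]:
        problems.append("Check Point and Azure ASNs must differ (eBGP)")

    peer_ip = ipaddress.ip_address(plan["azure_bgp_peer_ip"])
    if peer_ip not in ipaddress.ip_network(plan["gateway_subnet"]):
        problems.append(f"peer {peer_ip} is not inside the GatewaySubnet")
    # Azure allocates its BGP peer IP from the GatewaySubnet, not from the VTI
    # link, so the peer is not directly connected: the session needs Multihop
    # and a static route pointing the peer IP at the VTI.
    vti_net = ipaddress.ip_network(plan["vti_network"], strict=False)
    if peer_ip not in vti_net and not plan["multihop"]:
        problems.append(f"peer {peer_ip} is off-link from the VTI; enable Multihop")
    routed = any(peer_ip in ipaddress.ip_network(r["prefix"])
                 and r["interface"] == plan["vti_name"] for r in plan["static_routes"])
    if not routed:
        problems.append(f"no static route to {peer_ip} via {plan['vti_name']}")
    if plan["vti_peer_name"] != plan["smartconsole_object_name"]:
        problems.append("VTI peer name must match the SmartConsole gateway object name")
    return problems


# Constructed sample plan (hypothetical values, following the document's layout).
GOOD_PLAN = {
    "azure_sku": "Standard", "azure_asn": 65515, "checkpoint_asn": 65010,
    "gateway_subnet": "10.1.0.0/29", "azure_bgp_peer_ip": "10.1.0.4",
    "vti_name": "vpnt1", "vti_network": "169.254.10.1/30", "multihop": True,
    "static_routes": [{"prefix": "10.1.0.4/32", "interface": "vpnt1"}],
    "vti_peer_name": "AzureVPNGW", "smartconsole_object_name": "AzureVPNGW",
}
# The same plan with the mistakes the document warns about.
BAD_PLAN = dict(GOOD_PLAN, azure_sku="Basic", checkpoint_asn=65515, multihop=False)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, preflight(plan) or "all checks passed")
```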

APPENDIX A

To enable BGP on the Azure Gateway after it’s been created go to resources.azure.com and login:

1. subscriptions > <your_subscription> > resourceGroups > <your_resource_group> > providers > Microsoft.Network > virtualNetworkGateways

2. Change Mode up top to “Read/Write”

3. Click on “Edit” up top

4. Set "enableBgp": true,

5. Click on “Put”

6. Change back to “Read Only”

7. Give it a few minutes for the change to propagate.

8. Go into Azure Vpn Gateway and under “Configuration” verify BGP is now enabled (should see AS and Local BGP IP)

Once enabled you will need to get the BGP settings for the Azure VPN Gateway. This can be done from within Azure portal:

Or through PowerShell:

# Set your subscription ID if you have more than 1
# Template: $SubscriptionId = "Your_Subscription_ID"
$SubscriptionId = "83ad3470-60c3-4fc7-905e-6d9315588b65"

# Identify the Resource Group you will be working with
# Template: $ResourceGroup = "Your_Azure_Resource_Group_Name"
$ResourceGroup = "Chkp-RSC-GRP"

# Log into Azure
Login-AzureRmAccount

# Set context to your subscription – only relevant if you have more than 1
Set-AzureRmContext -SubscriptionId $SubscriptionId

# Set the gateway you will be working with
# Template: $Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name "Gateway_Name"
$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name "AzureVPNGW"

# Get the Azure Gateway BGP settings
$Gateway.BgpSettingsText

# To modify the default BGP ASN of 65515, run the following command
Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -Asn <number>
