Multi-Path Room - Connect to an Azure VNet
This article explains how to connect an Azure VNet (Virtual Network) to a Tehama Multi-Path Room.
Overview
What is a Tehama Multi-Path Room?
A Multi-Path Room is a short way of referring to a Tehama Room that has network access type "Multi-Path". This network access type connects the Room securely to remote networks over IPsec site-to-site tunnels. Multi-Path Rooms support many such connections.
See the Multi-Path Room Connectivity User Guide for more details about Multi-Path Rooms.
Currently, only Standard Rooms support the "Multi-Path" network access type. Domain Join Rooms do not, as yet, support it.
Find out what your Room's network access type is from the Room's connection page. See section View a Room's network access setting in the Room/Desktop Connectivity - Types, Status and Settings guide for details.
What is an Azure VNet?
An Azure VNet is the foundation of a cloud-based private network hosted in Microsoft's Azure cloud. See the Microsoft article What is Azure Virtual Network? for more information.
Assumptions
- You have a Tehama organization and are an Admin or Org Manager user in that organization.
- You have an Azure VNet that contains company resources, data, etc., that you want to access, securely, from a Tehama Room.
The process to connect an Azure VNet is divided into three parts:
- Create a Tehama Multi-Path Room (optional - you can also make the connection from an existing Multi-Path Room.)
- Add and Configure a New Connection
- Check the Status of the Connection
Create a Tehama Multi-Path Room
If you want to connect your Azure VNet to one of your existing Tehama Multi-Path Rooms, simply note the Room's name and skip to the next step.
Either:
- Create a new Tehama Multi-Path Room by following the steps found in the Getting Started with Tehama Room Creation guide, under section 'Create and connect a Standard Room', selecting 'Multi-Path' as the Room's Network Access type.
or
- Convert one of your existing Rooms with 'Tehama Gateway' or 'Internet-Only' network access to use 'Multi-Path' network access, by following the steps found in the Room/Desktop Connectivity - Types, Status and Settings guide, under section 'Change a Room's Network Access setting'.
Take note of your Multi-Path Room's name, for use in the creation of your connection.
Information gathered in this step:
- The name of your Multi-Path Room.
Add and Configure a New Connection
Add and configure a connection to your Azure VNet from your Tehama Multi-Path Room as follows:
First, gather some information about your Azure VNet:
- A) Azure - Find Your VNet Info
Next, create and configure an Azure Site-to-Site VPN connection between your VNet and your Multi-Path Room. The Azure steps come from Tutorial: Create a site-to-site VPN connection in the Azure portal.
- B) Azure - Create a VPN Gateway
- C) Tehama - Begin Creating a Connection in Your Multi-Path Room
- D) Azure - Create a Local Network Gateway
- E) Azure - Create and Configure a Site-to-Site VPN Connection
- F) Azure - Configure Your Site-to-Site VPN Connection's IPsec/IKE Policy
- G) Tehama - Complete the Connection in Your Multi-Path Room
Finally, update both any Azure network security groups you may have defined in your VNet and your Multi-Path Room's firewall rules (and optionally its DNS Filtering), to allow access to resources in your VNet from your Room's Tehama Desktops:
- H) Azure - Update Network Security Group
- I) Tehama - Update Firewall Rules/DNS Filtering
Let's get started with step A.
A) Find Your VNet Info
This step looks up your VNet in the Azure portal to find the information needed to connect it to your Multi-Path Room. You need to know at least one of your VNet's name or its subnet before you begin. (Ask your IT dept for assistance if you know neither.)
See View virtual networks and settings in Azure's online documentation.
Required information for this step:
- Your Azure account login info.
- Identifying data for your VNet, e.g.: name and/or subnet.
- Open a new browser tab, (we will refer to it as the Azure browser tab).
- Log in to your Azure account, in the Azure portal.
- Enter 'virtual networks' in the search box at the top of the portal.
- Select 'Virtual networks' from the search results. This will bring up a page displaying a list of VNets.
- Select the entry for your VNet in the list (identify by name or subnet - ask your IT dept for assistance if you do not know either of these). The overview page for the VNet will appear.
- Take note of your VNet's name, in the top bar of the page, if you do not already know it.
- Take note of your VNet's subnet (the value in the Address space field; this guide uses "subnet" for the VNet's whole address space). Also note the ranges of any subnets already defined on the VNet's Subnets page; in step B you will need a gateway subnet range that does not overlap them.
- Take note of your VNet's region/location (value in the Location field).
- Take note of your VNet's resource group (value in the Resource group field).
Information gathered/confirmed in this step:
- Your VNet's name.
- Your VNet's subnet.
- Your VNet's region/location.
- Your VNet's resource group.
B) Create a VPN Gateway
The Site-to-Site VPN connection we are going to create, needs a Virtual Private Network (VPN) Gateway to target in your VNet. This step creates one.
See Create a VPN gateway in the Azure tutorial.
Required information for this step:
- Your VNet's name, from step A.
- Your VNet's subnet, from step A.
- Your VNet's region, from step A.
- Your VNet's resource group, from step A.
- The subscription to use for your new VPN Gateway.
- A meaningful name for your new VPN Gateway.
- Continue in the Azure browser tab, where you left off in step A.
- Enter 'virtual network gateway' in the search box at the top of the portal.
- Select 'Virtual network gateway' from the search results. This will bring up the Create virtual network gateway page.
- Click on the Basics tab.
- Fill in the fields on the tab as follows:
- Subscription - select from the dropdown list.
- Resource group - your VNet's resource group. This will be autofilled when you select your VNet in the Virtual network field.
- Name - enter a meaningful name for the gateway.
- Region - enter the region/location where your VNet resides, from step A.
- Gateway type - select VPN.
- VPN type - select Route-based.
- SKU - select VpnGw2.
- Generation - select Generation 2.
- Virtual network - select the name of your VNet, from step A.
- Gateway subnet address range - enter an address range for the dedicated GatewaySubnet that lies inside your VNet's address space (from step A) and does not overlap any of the VNet's existing subnets. Azure recommends /27 or larger. Do not enter the VNet's entire address space here; it would collide with the existing subnets and fail validation.
- Public IP Address Type - select Basic. (Azure is retiring Basic SKU public IP addresses; if Basic is not offered, select Standard, which uses a Static assignment.)
- Public IP Address - select Create new.
- Public IP address name - enter a meaningful name, e.g. "VNet1GWpip" (the name used in the Azure tutorial).
- Public IP address SKU - this autofills to match the type selected above.
- Assignment - this autofills (Dynamic for Basic, Static for Standard).
- Enable active-active mode - select Disabled.
- Configure BGP - select Disabled.
- Click on Review + create. This triggers validation.
- Once validation passes, click Create. This will deploy your VPN gateway.
- Note: Deployment can take up to 45 minutes.
- Go to the Overview page for your new VPN Gateway, to confirm its status.
- Take note of the name you gave your new VPN Gateway.
Information gathered in this step:
- Your new VPN Gateway's name.
C) Begin Creating a Connection in your Multi-Path Room
In this step, we begin the creation of a new connection in your Multi-Path Room, to generate the Pre-shared key for the connection. This key is needed for the next step, in Azure.
Required information for this step:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- Open a new browser tab, (we will refer to it as the Tehama browser tab).
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room that you want to connect to your VNet. You will see the interface page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Click the ADD CONNECTION button. You will see the form for creating a new connection.
- Copy the Pre-shared key value. Treat it as a secret: it authenticates your VNet to the Room, so paste it only into the Shared key field in Azure (step E) and do not record it in tickets, chat or email.
- Copy the Room IP value.
- Copy the Room Subnet value.
Leave this browser tab open. You will return to it in step G to complete the creation of your new connection.
Note: Each time you click the ADD CONNECTION button, a new pre-shared key value is generated. If you accidentally close this new connection form before completing the connection in step G, the key you copied is no longer valid: clicking ADD CONNECTION again gives you a new form with a new key, and if you have already created your site-to-site VPN connection in Azure (step E) you will need to re-create it (or update its Shared key) with the new value.
Information gathered in this step:
- Your Multi-Path Room's new connection's pre-shared key.
- Your Multi-Path Room's Room IP.
- Your Multi-Path Room's Room subnet.
D) Create a Local Network Gateway
This step creates a Local Network Gateway in Azure to represent your Multi-Path Room.
See Create a local network gateway in the Azure tutorial.
Required information for this step:
- The subscription to use for your new Local Network Gateway.
- Your VNet's resource group, from step A.
- Your VNet's region, from step A.
- A meaningful name for your new Local Network Gateway.
- Your Multi-Path Room's Room IP, from step C.
- Your Multi-Path Room's Room subnet, from step C.
- Return to the Azure browser tab, where you left off in step B.
- Enter 'local network gateway' in the search box at the top of the portal.
- Select 'local network gateway' under 'Marketplace' from the search results. This will bring up the Create local network gateway page.
- Click on the Basics tab.
- Fill in the fields on the tab as follows:
- Subscription - select from the dropdown list.
- Resource group - select the same resource group as your VNet, from step A.
- Region - enter the region where your VNet resides, from step A. You could select a different region, if you have reason to do so.
- Name - enter a meaningful name for the gateway.
- Endpoint - select 'IP address'.
- IP address - enter your Multi-Path Room's Room IP, from step C.
- Address space - enter your Multi-Path Room's Room subnet, from step C.
- Click on Review + create. This triggers validation.
- Once validation passes, click Create. This will deploy your local network gateway.
- Note: Deployment may take a while.
- Once your new Local Network Gateway is deployed, go to its Overview page, to confirm its status.
- Remember the name of your new Local Network Gateway.
Leave this browser tab open. You will continue in it in step E.
Information gathered in this step:
- Your new Local Network Gateway's name.
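Before the gateways are created it is worth checking that the address ranges from steps A to D fit together: the GatewaySubnet must lie inside the VNet's address space without overlapping an existing subnet, and the Room subnet must not overlap the VNet, or traffic cannot be routed over the tunnel. The following Python script is an added example written for this guide, not Tehama's or Azure's own code; the CIDR values in it are constructed placeholders to replace with the values you gathered, and it uses only the standard library so it runs offline.

```python
import ipaddress

# Constructed example values (not from the original page): substitute the
# values gathered in steps A to D.
VNET_ADDRESS_SPACE = "10.1.0.0/16"                 # step A: VNet "Address space"
EXISTING_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24"]  # subnets already defined in the VNet
GATEWAY_SUBNET = "10.1.255.0/27"                   # step B: GatewaySubnet range
ROOM_SUBNET = "10.200.0.0/24"                      # step C/D: Room Subnet


def check_address_plan(vnet_space, existing_subnets, gateway_subnet, room_subnet):
    """Return a list of problems with the proposed addressing; [] means it is usable.

    Checks, in order:
      - every value is a valid CIDR network (strict=True rejects host bits, e.g. 10.1.0.5/16);
      - the GatewaySubnet is inside the VNet address space, is /27 or larger
        (Azure's recommendation) and does not overlap an existing subnet;
      - the Room subnet does not overlap the VNet address space, since an
        overlapping Room/VNet range cannot be routed across the tunnel.
    """
    try:
        vnet = ipaddress.ip_network(vnet_space, strict=True)
        existing = [ipaddress.ip_network(s, strict=True) for s in existing_subnets]
        gw = ipaddress.ip_network(gateway_subnet, strict=True)
        room = ipaddress.ip_network(room_subnet, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]

    problems = []
    if gw.version != vnet.version or room.version != vnet.version:
        return ["all ranges must be the same IP version"]
    if not gw.subnet_of(vnet):
        problems.append(f"GatewaySubnet {gw} is not inside VNet address space {vnet}")
    if gw.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw} is smaller than /27")
    for sub in existing:
        if gw.overlaps(sub):
            problems.append(f"GatewaySubnet {gw} overlaps existing subnet {sub}")
    if room.overlaps(vnet):
        problems.append(f"Room subnet {room} overlaps VNet address space {vnet}")
    return problems


if __name__ == "__main__":
    result = check_address_plan(VNET_ADDRESS_SPACE, EXISTING_SUBNETS,
                                GATEWAY_SUBNET, ROOM_SUBNET)
    for line in result or ["address plan OK"]:
        print(line)
```

Entering the VNet's whole address space as the gateway subnet range is reported as an overlap with every existing subnet, which is the mistake the Azure portal validation would also reject in step B.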
E) Create/Configure a Site-to-Site VPN Connection
This step creates and configures a Site-to-Site VPN Connection between your VNet (targeting the new VPN Gateway you created in step B) and your Multi-Path Room (via the Local Network Gateway you created in step D).
See Create VPN connections in the Azure tutorial.
Required information for this step:
- Your VNet's name, from step A.
- A meaningful name for your new Site-to-Site VPN Connection.
- Your VPN Gateway's name, from step B.
- Your Local Network Gateway's name, from step D.
- Your Multi-Path Room's new connection's pre-shared key, from step C.
- Continue in the Azure browser tab, where you left off in step D.
- Navigate to your VNet.
- Enter 'virtual networks' in the search box at the top of the portal.
- Select 'Virtual networks' from the search results. This will bring up a page displaying a list of VNets.
- Select the entry for your VNet in the list (identify by name, from step A). The overview page for the Vnet will appear.
- Click on Connected devices.
- Select the entry with the name of your VPN gateway, from step B. You will see the page for your gateway.
- Select Connections. You will see the Connections page.
- Click +Add. The Add connection page will appear.
- Fill in the fields on the Add connection page as follows:
- Name - enter a meaningful name for your connection.
- Connection type - select Site-to-site (IPSec).
- Virtual network gateway - enter the name of your VPN Gateway, from step B. This should be autofilled if you got to the Add connection page through the above method.
- Local network gateway - select Choose a local network gateway and select the name of your Local Network Gateway, from step D.
- Shared Key - enter the pre-shared key from your Multi-Path Room's new connection, from step C.
- Use Azure Private IP Address - leave this unchecked.
- Enable BGP - leave this unchecked.
- IKE Protocol - select IKEv2.
- Click OK to create the site-to-site connection. Creating Connection will flash on the screen.
- The connection will appear in the list on the Connections page for your VPN Gateway. Wait until the status field for the entry is Succeeded.
- Select the entry for your site-to-site VPN connection (identify by name).
- Select the Overview page.
- Take note of the public IP address for your site-to-site VPN connection, to use as your VNet's public IP address in step F.
- Remember the name you have given your new site-to-site VPN connection.
Information gathered in this step:
- your new Site-to-Site VPN Connection's name.
- your VNet's public IP address (the new site-to-site VPN connection's public IP address).
F) Configure Your Site-to-Site VPN Connection's IPsec/IKE Policy
This step configures your site-to-site connection's IPsec/IKE policy in Azure, using the parameters Tehama requires to form the connection.
See S2S VPN with IPsec/IKE policy in Azure's online documentation.
Required information for this step:
- Your VNet's name, from step A.
- Your VPN Gateway's name, from step B
- Your new Site-to-Site VPN Connection's name, from step E.
^^^ These are only needed if you need to navigate back to the page for your new site-to-site VPN Connection.
- Continue in the Azure browser tab, where you left off in step E.
- You should still be viewing your site-to-site VPN connection, that you created in step E. If you are not, you can navigate to it as follows:
- Enter 'virtual networks' in the search box at the top of the portal.
- Select 'Virtual networks' from the search results. This will bring up a page displaying a list of VNets.
- Select the entry for your VNet in the list (identify by name, from step A). The overview page for the Vnet will appear.
- Click on Connected devices.
- Select the entry with the name of your VPN gateway (identify by name, from step B). You will see the page for your gateway.
- Select Connections. You will see the Connections page.
- Select the entry for your site-to-site VPN connection (identify by name, from step E).
- Select the Configuration page.
- Fill in the fields on the Configuration page as follows:
- IPsec/IKE policy - select Custom. (Azure's Default policy offers several proposals, some using weaker Diffie-Hellman groups and hashes; Custom restricts the gateway to the single suite below, which must match the Tehama side exactly or IKE negotiation will fail.)
- For IKE Phase 1:
- Encryption - select AES256.
- Integrity/PRF - select SHA256.
- DH Group - select DHGroup2048 (2048-bit MODP, IKE group 14).
- For IKE Phase 2 (IPsec):
- Encryption - select AES256.
- Integrity/PRF - select SHA256.
- PFS Group - select PFS2048 (2048-bit MODP, group 14).
- IPsec SA lifetime in KiloBytes - enter 102400000.
- IPsec SA lifetime in seconds - enter 27000.
- Use policy based traffic selector - select Disable.
- DPD timeout in seconds - enter 45.
- Connection Mode - select Default.
- IKE Protocol - select IKEv2 (this may be autofilled).
- Ingress NAT Rules - no rules selected.
- Egress NAT Rules - no rules selected.
- Click Save to save the new configuration.
Information gathered in this step:
- N/A.
G) Complete the Connection in Your Multi-Path Room
This step completes the creation of the new connection in your Multi-Path Room.
Required information for this step:
- Your VNet's subnet, from step A.
- Your new Site-to-Site VPN Connection's public IP address, from step E.
- A meaningful name for your new connection.
- A description for your new connection.
- Return to the Tehama browser tab, where you left off in step C. You should see the new connection form that you opened in that step.
Note: Each time you generate a new connection with the ADD CONNECTION button, you generate a new pre-shared key value. If you accidentally closed the new connection form you created in step C and need to do it again, you will need to re-create your site-to-site VPN connection with the new pre-shared key value.
- Fill in the following fields in the new connection form:
- Name - enter a meaningful name for your new connection.
- Description (optional) - enter a description for your new connection.
- Target Subnet - enter your VNet subnet, from step A. The form allows you to enter more than one target subnet; click on + Add more to bring up additional target subnet fields.
- Public IP Address - enter the public IP address for your Site-to-Site VPN Connection, from step E.
- Click CONNECT.
Information gathered in this step:
- The name of your new connection in your Multi-Path Room.
H) Update Network Security Group
You may have set up Network security groups to limit network traffic to resources in your VNet. If so, you must adjust their rules to allow traffic from your Multi-Path Room into your VNet.
This second-to-last step adds your Tehama Room's subnet (from step C) as a permitted source in these security groups so that your Multi-Path Room's Tehama Desktops can reach the resources. Scope the new inbound rules to the Room subnet and to the specific destination ports the Desktops need, rather than allowing any source or any port.
See Network security groups in Azure's documentation for more information on security groups.
See the Create security rules section from the following Azure tutorial for steps to create security rules:
Tutorial: Filter network traffic with a network security group using the Azure portal.
I) Update Firewall Rules/DNS Filtering
Finally, this last step is to update your Multi-Path Room's firewall rules to allow access to resources within your Azure VNet.
If you wish to open access to everything in your VNet, add custom firewall rules to your Multi-Path Room allowing access to the entire subnet for the VNet. This is the simplest option but gives every Desktop in the Room reach to every host in the VNet; where possible, add more granular rules limited to the hosts and ports your users actually need.
See instructions on how to add firewall rules in section Add Custom Firewall Rule in the Firewall Rules User Guide.
You can optionally add an extra layer of access control on top of firewall rules through the Room's DNS Filtering feature. See the DNS Filtering guide for more details.
Check the Status of the Connection
Check the Status of the Azure VPN Connection you set up between your Azure VNet and your Multi-Path Room.
Check connection status in Tehama
Required information:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- The name of your new connection in your Multi-Path Room, from step G.
- Your VNet's public IP address (the new site-to-site VPN connection's public IP address), from step E.
- Open a new browser tab.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room that you connected to your Azure VNet. You will see the interface page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Find the connection in the connection table (identify by name, from step G, or by your VNet's public IP address value, which is set to the public IP address for the site-to-site VPN, from step E).
- Verify that the connection's status indicator is green, meaning the tunnel is up.
Check connection status in Azure
Required information for this step:
- Your Azure account login info.
- Your VNet's name, from step A.
- Your VPN Gateway's name, from step B
- Your Site-to-Site VPN Connection's name or public IP address, from step E.
- Open a new browser tab.
- Log in to your Azure account, in the Azure portal.
- Navigate to your site-to-site VPN connection.
- Enter 'virtual networks' in the search box at the top of the portal.
- Select 'Virtual networks' from the search results. This will bring up a page displaying a list of VNets.
- Select the entry for your VNet in the list (identify by name, from step A). The overview page for the Vnet will appear.
- Click on Connected devices.
- Select the entry with the name of your VPN gateway, from step B. You will see the page for your gateway.
- Select Connections. You will see the Connections page.
- Select the entry for your site-to-site VPN connection, (identify by name or by public IP address, from step E - the public IP address is also available from the connection in your Multi-Path Room).
- Select the Overview page for your connection. The page will show the Essentials for the connection.
- Verify that the Status field is showing 'Connected'.
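The policy entered in step F and the Connected status checked in this section can also be verified from the command line, and re-run later to catch drift (for example a policy reset to Default during a gateway change). The script below is an added example for this guide, not Tehama's or Azure's own code. It assumes the JSON field names produced by `az network vpn-connection show -g <resource-group> -n <connection> -o json` (an assumption; compare against your own output), and its embedded sample is constructed: a connection that is up but whose DH group has drifted to DHGroup2.

```python
import json

# Values required by Tehama, as entered in step F of the guide. The key names
# are assumed to match `az network vpn-connection show` JSON output.
REQUIRED_IPSEC_POLICY = {
    "ikeEncryption": "AES256",
    "ikeIntegrity": "SHA256",
    "dhGroup": "DHGroup2048",
    "ipsecEncryption": "AES256",
    "ipsecIntegrity": "SHA256",
    "pfsGroup": "PFS2048",
    "saLifeTimeSeconds": 27000,
    "saDataSizeKilobytes": 102400000,
}
REQUIRED_CONNECTION_SETTINGS = {
    "connectionType": "IPsec",
    "connectionProtocol": "IKEv2",
    "dpdTimeoutSeconds": 45,
    "usePolicyBasedTrafficSelectors": False,
    "enableBgp": False,
}

# Constructed sample, not real CLI output: the tunnel is Connected but the
# IKE DH group is DHGroup2 instead of the required DHGroup2048.
SAMPLE_CONNECTION_JSON = """
{
  "name": "vnet1-to-tehama-room",
  "connectionType": "IPsec",
  "connectionProtocol": "IKEv2",
  "connectionStatus": "Connected",
  "dpdTimeoutSeconds": 45,
  "enableBgp": false,
  "usePolicyBasedTrafficSelectors": false,
  "ipsecPolicies": [
    {
      "ikeEncryption": "AES256",
      "ikeIntegrity": "SHA256",
      "dhGroup": "DHGroup2",
      "ipsecEncryption": "AES256",
      "ipsecIntegrity": "SHA256",
      "pfsGroup": "PFS2048",
      "saLifeTimeSeconds": 27000,
      "saDataSizeKilobytes": 102400000
    }
  ]
}
"""


def _same(got, want):
    # Enum-like strings are compared case-insensitively; numbers and booleans exactly.
    if isinstance(want, str) and isinstance(got, str):
        return got.lower() == want.lower()
    return got == want


def audit_connection(conn):
    """Return a list of findings for one connection dict; [] means compliant and Connected."""
    findings = []
    policies = conn.get("ipsecPolicies") or []
    if not policies:
        # An empty list means the connection uses Azure's default proposals.
        findings.append("no custom IPsec/IKE policy: Azure will offer its default proposals")
    for i, pol in enumerate(policies):
        for key, want in REQUIRED_IPSEC_POLICY.items():
            got = pol.get(key)
            if not _same(got, want):
                findings.append(f"ipsecPolicies[{i}].{key} is {got!r}, required {want!r}")
    for key, want in REQUIRED_CONNECTION_SETTINGS.items():
        got = conn.get(key)
        if not _same(got, want):
            findings.append(f"{key} is {got!r}, required {want!r}")
    status = conn.get("connectionStatus")
    if not _same(status, "Connected"):
        findings.append(f"connectionStatus is {status!r}, expected 'Connected'")
    return findings


def audit_json(text):
    """Audit raw JSON text, e.g. the output piped from the az CLI."""
    return audit_connection(json.loads(text))


def load_sample():
    return json.loads(SAMPLE_CONNECTION_JSON)


if __name__ == "__main__":
    for line in audit_json(SAMPLE_CONNECTION_JSON) or ["connection compliant and Connected"]:
        print(line)
```

Pipe the CLI output into audit_json from a scheduled job and treat any non-empty result as an alert. The Tehama side has no equivalent shown here, so its green status is still confirmed in the portal as described above.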