Azure Site to Site VPN with UniFi

In this article we will set up a Site-to-Site VPN (Virtual Private Network) between Microsoft Azure and a UniFi Dream Machine SE. I will assume you already have a working UniFi network connected to the Internet and an Azure subscription ready to create resources in.

There are many different types of VPN that can be set up on both Azure and UniFi. In this article we will be using the Azure native resources listed below:

  • Resource Group
  • VNET
  • Virtual Network Gateway
  • Local Network Gateway
  • Public IP Address
  • Virtual Machine (to test connectivity)

Step 1 – Resource Group

From the Azure portal, use the search box at the top to search for 'Resource Groups' and select Resource Groups under Services. This shows all your existing resource groups (if you have any). Resource Groups are a simple way to group everything together, and they make tidying up easy: deleting the group deletes everything in it once you are done.

Click + Create

Select your subscription and enter a name for the Resource Group (I'm using 'RG-VPN'), then select the region to deploy in. Once happy, click Next to add any tags you like, then Review + create and finally Create. Creating a Resource Group should only take a couple of seconds.

Step 2 – Virtual Network

Within your new Resource Group click the + Create button; the marketplace will open. Search for 'Virtual Network', find the one from Microsoft and click Create.

The first page will give you an overview of the Virtual Network resource, just click create.

Select your subscription and the Resource Group we created earlier, then enter a name for your VNet and its region. You can then click Create to accept the defaults or click Next to look through all the other options. The main thing to check here is the IP Addresses tab: make sure the VNet address space and its subnets don't overlap with your on-prem network, because overlapping ranges cannot be routed over the tunnel.

The default settings create a 10.0.0.0/16 VNet, which is a large range of 65,536 addresses, with one subnet of 10.0.0.0/24 (256 addresses). For help with subnetting I find this website useful. For this example I'm going to use the defaults, as they don't conflict with my network (192.168.100.0/24).
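The overlap check above is worth doing mechanically rather than by eye. The script below is an added example (not from the original article): it confirms that the on-prem range and the VNet don't overlap, and that a candidate GatewaySubnet (needed in Step 3) sits inside the VNet without colliding with the default subnet. The 10.0.255.0/27 gateway subnet is an assumed value chosen for the example; it uses POSIX shell arithmetic only, so it runs on any Linux or macOS box.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the address plan
# before creating anything in Azure. Only POSIX sh arithmetic is used.

# Dotted quad -> 32-bit integer (e.g. 192.168.100.1 -> 3232261121).
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask as an integer for a prefix length 0..32.
mask_of() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# "a.b.c.d/len" -> "network_int len" (host bits cleared).
cidr_parse() {
    ip=${1%/*}; len=${1#*/}
    net=$(( $(ip2int "$ip") & $(mask_of "$len") ))
    echo "$net $len"
}

# Exit 0 if the two CIDRs share any address, 1 otherwise.
# Two blocks overlap iff their network addresses agree under the shorter mask.
cidr_overlap() {
    set -- $(cidr_parse "$1") $(cidr_parse "$2")   # $1=netA $2=lenA $3=netB $4=lenB
    if [ "$2" -le "$4" ]; then short_len=$2; else short_len=$4; fi
    m=$(mask_of "$short_len")
    [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

# gateway_subnet_ok VNET GATEWAYSUBNET [EXISTING_SUBNET ...]
# Exit 0 if the GatewaySubnet lies inside the VNet, is at least /29 (Azure's
# minimum; /27 or larger is recommended) and overlaps none of the existing subnets.
gateway_subnet_ok() {
    vnet=$1; gw=$2; shift 2
    gwlen=${gw#*/}; vnetlen=${vnet#*/}
    if [ "$gwlen" -lt "$vnetlen" ] || ! cidr_overlap "$vnet" "$gw"; then
        echo "GatewaySubnet $gw is not inside VNet $vnet" >&2; return 1
    fi
    if [ "$gwlen" -gt 29 ]; then
        echo "GatewaySubnet $gw is smaller than /29, Azure will reject it" >&2; return 1
    fi
    [ "$gwlen" -gt 27 ] && echo "warning: /27 or larger is recommended for GatewaySubnet" >&2
    for s in "$@"; do
        if cidr_overlap "$gw" "$s"; then
            echo "GatewaySubnet $gw overlaps existing subnet $s" >&2; return 1
        fi
    done
    return 0
}

# Example run with the article's ranges (constructed values):
#   cidr_overlap 10.0.0.0/16 192.168.100.0/24 && echo "CONFLICT: pick another VNet range"
#   gateway_subnet_ok 10.0.0.0/16 10.0.255.0/27 10.0.0.0/24 && echo "address plan OK"
```

Run it with your own on-prem range in place of 192.168.100.0/24; a non-zero exit from `cidr_overlap` is the good outcome there, and a zero exit from `gateway_subnet_ok` means the gateway subnet you are about to type into Step 3 will be accepted.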

Step 3 – Virtual Network Gateway

Now we will create the Virtual Network Gateway. This is the VPN gateway on the Azure side that our firewall will connect to.

Within your Resource Group click the + Create button and in the marketplace search for ‘Virtual Network Gateway’. Select the one from Microsoft and click create.

Enter the details as below (or as required for your environment):

Name: VNG-VPN (or whatever suits in your environment)
Region: whatever region applicable for you
Gateway Type: VPN
SKU: I've used VpnGw1, which is the cheapest available via the portal (Basic is now only available via PowerShell). Look here for details of the differences between SKUs.
Generation: Generation1 (again, check the link above for the options on generation)
Virtual Network: Select the VNet we created earlier
Gateway subnet address range: this is a new subnet within your VNet dedicated to the gateway. It has to be within your VNet address space but must not overlap any existing subnet; /27 or larger is recommended. The portal creates it with the mandatory name 'GatewaySubnet'.

Public IP address settings
Public IP address: Create new (unless you’ve already created one separately)
Public IP address name: enter a name for the IP Resource
Public IP address SKU: Standard
Assignment: Static is only option
Enable active-active mode: Disabled – this is out of scope for this article
Configure BGP: Disabled – not used in this article; the UniFi side is configured with a static route rather than BGP

Click Review + create, then Create. Note that this takes around 20 minutes (sometimes longer) to complete, so be patient. You can move on to the next step while you're waiting.

Step 4 – Local Network Gateway

Next we create a 'Local Network Gateway'. This resource represents the on-prem side of the VPN: its settings tell Azure how to reach your VPN gateway (the UniFi UDM SE in our example) and which networks live behind it.

As before within your Resource Group click the + Create button and in the marketplace search for ‘Local Network Gateway’. Select the one from Microsoft and click create.

As before ensure your subscription and resource group are selected and the region matches as required.

Give the local gateway a name, then enter the public IP address of your firewall (or an FQDN if you use a Dynamic DNS service). If you are not sure of your public IP, googling 'what is my ip' will tell you. Your firewall must either be connected directly to the Internet or, if it sits behind an ISP router, have the IPsec ports forwarded to it: UDP 500 (IKE) and UDP 4500 (NAT traversal; ESP is carried inside UDP 4500 once NAT is detected). The ISP router's 'DMZ mode' also works because it forwards every port to your firewall, but it exposes every service listening on the firewall's WAN interface to the Internet, so forwarding just those two ports is the safer choice.

Under 'Address Space(s)' enter the private IP range(s) of your on-prem network, i.e. the networks you want to reach Azure over this VPN. In my case this is 192.168.100.0/24.

Under the advanced page ensure BGP is disabled, then click create to build the Local Network Gateway resource.

Step 5 – Azure Connection

Next we create the connection. This joins the Virtual Network Gateway (the Azure-side VPN gateway) and the Local Network Gateway (the logical representation of your on-prem side) together.

Now obviously we haven’t setup the UniFi side yet so it won’t connect, but it tells Azure how to connect so that its ready.

Once your Virtual Network Gateway deployment has completed, open the resource.

On the left menu select ‘Connections’ and Click + Add at the top.

Again select your subscription and resource group, then change Connection type to ‘Site-to-site (IPSec)’.

Enter a name for the connection and choose your region as before.

Click 'Next: Settings >'. This is where we enter the IPsec/IKE settings, which must match exactly on both Azure and the UniFi side. Many combinations will work; the ones below are what I've found to work reliably. One caveat: AES256 and SHA256 are solid choices, but DH group 2 is 1024-bit MODP and is the weak link in this policy. Azure also offers DHGroup14 and PFS14 (2048-bit MODP), and recent UniFi releases offer DH group 14 for both IKE and ESP, so if your UniFi version has it, use group 14 on both sides instead of 2.

Virtual network gateway: Select the gateway we created in step 3
Local network gateway: Select the gateway we created in step 4
Shared key (PSK): Enter a long random string (32 or more characters from a password manager or generator; this key is the only thing authenticating the tunnel). Make a note of it, as it must match exactly on the UniFi side.
IKE Protocol: IKEv2
Use Azure Private IP Address: Un-checked
Enable BGP: Un-checked
FastPath: Un-checked

IPsec/IKE policy: Custom
IKE Phase 1:-
Encryption: AES256
Integrity/PRF: SHA256
DH Group: DHGroup2
IKE Phase 2(IPsec):-
IPsec Encryption: AES256
IPsec Integrity: SHA256
PFS Group: PFS2
IPsec SA lifetime in KiloBytes: 0
IPsec SA lifetime in seconds: 27000
Use policy based traffic selector: Disabled
DPD timeout in seconds: 45
Connection Mode: Default

Click Next: Tags, enter any tags as required, then Create. Other than creating a resource to test the connection (a VM, for example), that is everything required on the Azure side for the VPN.

Once built, open the connection; its status shows as Unknown until the tunnel is actually up. You can change any of the settings and the pre-shared key later under Authentication Type and Configuration in the left menu.
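For anyone who would rather script the Azure side than click through it, the following is an added example (not from the original article) that performs steps 1 to 5 with the Azure CLI. The resource names, the region uksouth, the gateway subnet 10.0.255.0/27 and the on-prem public address 203.0.113.10 are placeholders to replace. It defaults to DHGroup14/PFS14 rather than the article's DHGroup2/PFS2; set DH_GROUP and PFS_GROUP to match whichever you configure on the UniFi side. It needs `az login` first, and with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original article): steps 1-5 of the Azure side
# as an Azure CLI script. All names and addresses below are placeholders.

RG=${RG:-RG-VPN}
LOCATION=${LOCATION:-uksouth}
VNET=${VNET:-VNET-VPN}
VNET_CIDR=${VNET_CIDR:-10.0.0.0/16}
SUBNET_CIDR=${SUBNET_CIDR:-10.0.0.0/24}
GW_SUBNET_CIDR=${GW_SUBNET_CIDR:-10.0.255.0/27}    # inside VNET_CIDR, not used by any other subnet
VNG=${VNG:-VNG-VPN}
PIP=${PIP:-PIP-VNG-VPN}
LNG=${LNG:-LNG-ONPREM}
ONPREM_PUBLIC_IP=${ONPREM_PUBLIC_IP:-203.0.113.10} # placeholder: your firewall's public IP
ONPREM_CIDR=${ONPREM_CIDR:-192.168.100.0/24}
CONN=${CONN:-CON-ONPREM}
# The article uses DHGroup2/PFS2 (1024-bit); DHGroup14/PFS14 (2048-bit) is stronger.
# Whatever you choose here must match the IKE/ESP DH groups on the UniFi side.
DH_GROUP=${DH_GROUP:-DHGroup14}
PFS_GROUP=${PFS_GROUP:-PFS14}

# Wrapper: print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "az $*"; else az "$@"; fi
}

# 40 random alphanumeric characters (~238 bits) unless PSK is supplied in the environment.
make_psk() {
    if [ -n "$PSK" ]; then echo "$PSK"; else LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 40; fi
}

azure_s2s_deploy() {
    psk=$(make_psk)
    run group create --name "$RG" --location "$LOCATION" --output none
    run network vnet create --resource-group "$RG" --name "$VNET" \
        --address-prefix "$VNET_CIDR" --subnet-name default --subnet-prefix "$SUBNET_CIDR" --output none
    run network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name GatewaySubnet --address-prefix "$GW_SUBNET_CIDR" --output none
    run network public-ip create --resource-group "$RG" --name "$PIP" \
        --sku Standard --allocation-method Static --output none
    # Gateway creation takes 20+ minutes; --no-wait returns at once and we wait further down.
    run network vnet-gateway create --resource-group "$RG" --name "$VNG" --vnet "$VNET" \
        --public-ip-addresses "$PIP" --gateway-type Vpn --vpn-type RouteBased \
        --sku VpnGw1 --vpn-gateway-generation Generation1 --no-wait
    run network local-gateway create --resource-group "$RG" --name "$LNG" \
        --gateway-ip-address "$ONPREM_PUBLIC_IP" --local-address-prefixes "$ONPREM_CIDR" --output none
    run network vnet-gateway wait --resource-group "$RG" --name "$VNG" --created
    run network vpn-connection create --resource-group "$RG" --name "$CONN" \
        --vnet-gateway1 "$VNG" --local-gateway2 "$LNG" --shared-key "$psk" \
        --connection-protocol IKEv2 --output none
    # Custom IPsec/IKE policy: AES256/SHA256 in both phases, IPsec SA lifetime 27000 s.
    # The CLI wants a KB lifetime too; 102400000 is Azure's default (the portal field was left at 0 above).
    run network vpn-connection ipsec-policy add --resource-group "$RG" --connection-name "$CONN" \
        --ike-encryption AES256 --ike-integrity SHA256 --dh-group "$DH_GROUP" \
        --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group "$PFS_GROUP" \
        --sa-lifetime 27000 --sa-max-size 102400000 --output none
    echo "PSK (enter this on the UniFi side): $psk"
    # The gateway's public IP goes into the UniFi 'Remote IP/Host' field.
    run network public-ip show --resource-group "$RG" --name "$PIP" --query ipAddress --output tsv
}

# Usage: DRY_RUN=1 ./azure-s2s.sh to review, then ./azure-s2s.sh to deploy.
[ "${1:-}" = deploy ] && azure_s2s_deploy
```

The script prints the generated PSK once; treat that output as a secret and clear your terminal scrollback afterwards. DPD is left at Azure's default of 45 seconds, the same value the portal walkthrough uses.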

Step 6 – UniFi Site-to-site Settings

Log in to the UniFi Network application on your console.

Click the Settings cog (bottom left), then VPN and finally ‘Site-to-site VPN’.

Enter a name and the Pre-Shared Key we noted in step 5.

The Local IP should just be your WAN interface. In my case the UDM SE is behind a BT router that is configured to forward all traffic to the UDM (DMZ mode); this is technically double NAT, but it doesn't matter here as it all works fine.

Enter the Azure Public IP address for ‘Remote IP/Host’. You can find this by looking for the ‘Public IP Address’ on the Overview page of the Virtual Network Gateway.

Ensure VPN Type is 'Route Based', matching the route-based Virtual Network Gateway created on the Azure side.

For ‘Remote Network(s)’, enter your VNet address space (10.0.0.0/16 was the default used above).

Now in the Advanced section select ‘Manual’ so that we can ensure all of the VPN settings match those we used earlier.

Key Exchange Version: IKEv2
IKE:-
Encryption: AES-256
Hash: SHA256
DH Group: 2 (must match the IKE Phase 1 DH group on Azure, DHGroup2 above)
Lifetime: 28800 (Azure's IKE SA lifetime is fixed at 28800 seconds, so this is the value to use)
ESP:-
Encryption: AES-256
Hash: SHA256
DH Group: 2 (together with PFS enabled below, this corresponds to PFS2 on Azure)
Lifetime: 27000 (matches the IPsec SA lifetime in seconds set on Azure)
Perfect Forward Secrecy (PFS): Enabled
Local Authentication ID: Auto
Remote Authentication ID: Auto
Maximum Transmission Unit: Auto
Route Distance: 30

Click Add at the bottom to complete.

Step 7 – Traffic Routing

On the UniFi Network console within Settings, on the left select Routing and then ‘Static Routes’ at the top.

Enter a name for this route ‘Azure VPN’ in my case.

Distance can be left at the default.

Enter the VNet address space back from step 2 (10.0.0.0/16 in our case).

Select the Type as ‘Interface’

In the Interface drop down you should be able to find the name of the VPN you created in the last step, ‘Azure VPN’ as I used. Click Add Entry at the bottom to save the route.

Assuming you don't have any firewall rules blocking traffic to private address space on your network, the VPN should now come up.

From UniFi go back to the VPN > Site-to-site VPN page and check that the status shows as online; the connection in Azure should show as Connected at the same time.

Step 8 – Testing

Lastly, to test you will need a VM on the Azure VNet. Follow this article on creating a VM only accessible from the private network/VPN.

Once a VM is built you should be able to RDP (Windows) or SSH (Linux) to it over the tunnel. Below I've tested pinging a Windows VM I built (to allow ping, I had to allow ICMP through the Windows firewall on the Azure VM).
