Les comentare mis avances según implementaciones que esté realizando.
Fuente: http://www.stratum-tech.com/2017/06/23/azure-vpn-updates/
We’ve been building a lot of cloud infrastructure in Azure recently. This includes everything from Azure Virtual Networks and Azure VPN Gateways to ExpressRoute and Network Security Groups. There have been some big updates recently that may not have been the top of many tech blogs. Here’s a quick update on one we at Stratum think is critical.
The Problem: Azure / Policy-Based VPN Interconnectivity
If you’ve been working with Azure Networking as much as we have lately, you know the feeling. That feeling when a customer or network security team comes in to a meeting and declares “we’re going with Cisco ASAs for our Firewall and VPN Hardware”? Yep, we know. If you don’t know that feeling you’re lucky. It’s that feeling that says the connectivity between your on-premise network and Microsoft Azure, specifically using an Azure VPN, is going to be limited. Lost? The picture on the right is a good reference for what happens when multiple sites with Policy-Based VPN Devices have to connect to multiple virtual networks using Azure VPN Gateways. In the case of this scenario, we end up routing traffic between the Azure Networks across the customer’s infrastructure. This can result in some higher latency, more moving parts, and routing issues.
The key problem has always been that Policy-Based VPN Devices and Policy-Based Azure VPN Gateway (aka Virtual Network Gateway or VNG) in Azure have always had a 1:1 relationship. One connection can exist on each Azure VPN Gateway. That’s it. One. There are lot of variations to this drawing: multiple connections from the on-premise device to multiple VNGs (resulting in all traffic through the on-premise location), multiple sites needing access to a single site (resulting in all traffic again routing through the on-premise location), et. al.
It’s difficult to promote cloud flexibility when connectivity to your cloud resources is a 1:1 relationship!
Azure VPN Gateway Updates
First of all, Microsoft has enabled (rather silently, I might add) connectivity between Route-based VNGs and Policy-Based VPN Appliances (See List Here). Without getting into the technical details, the limitation restricted customers’ flexibility to address interconnected infrastructure. It seems that Microsoft has heard enough from customers and partners, they’ve released some new capabilities to the Azure Network provider. In other words, those updates allow connectivity from MORE THAN ONE Policy-Based VPN Device. The details on how to configure this (and more background on what it gets you) are available in the Microsoft Azure Documentation. Their documentation is great at the reason behind it and how to configure it. (Full Disclaimer: PowerShell is the only method to configure this today.)
The only remaining issue we see is that there currently is still no ability to transit beyond the single vNet. In other words, the on-premise device cannot transit through Azure to anywhere else. Therefore, (in our drawing) connectivity is between each site and the Azure vNets. This does restrict access to any isolated vNet that may be required.
Cisco Updates
Second, Cisco ASA Devices are by far the most common Firewall Appliance Stratum encounters. This usually results in our network builds using two or three workarounds to ensure connectivity for organizations with more than one site or Azure vNet. The environments we encounter often have Cisco ASA 55xx Series devices and force our hand when designing environments.
Cisco has released IOS 9.8.1 for ASA devices, which now supports dynamic routing and IKEv2. If you are evaluating devices such as ASAs, we *highly* recommend that they be compatible with this firmware. (This includes FirePOWER devices from what we can tell) With this firmware upgrade, your Azure Network can support full mesh capabilities.
The Outcome
As a result of the updates, Cisco and Microsoft further improved the overall Azure experience. Stratum is seeing more and more organizations that require isolation of resources inside of Azure. These environments include Financial, PCI, and even PHI that must only be accessed through “corporate approved methods”.
Overall, with Cisco‘s release of IOS 9.8.1 for ASA devices, Cisco is facilitating a better-connected infrastructure for the numerous Azure customers that also leverage ASA devices. In conjunction with Microsoft’s extension of the Azure Networking provider, connectivity is easier for the small and mid-sized business.
