Ubiquiti UniFi Dream Machine routing to Azure VPN

For a number of years now Ubiquiti Networks has sold networking products for homelabbers, prosumers, and businesses in its UniFi line. In the midst of many businesses moving to the cloud, needing a direct and encrypted connection directly from their on-premise datacenter or back/home-office to the cloud is a very common use-case.

Microsoft Azure has been the go-to for many small and mid-sized businesses for their cloud presence due to the low cost and feature-rich environment Microsoft has created.

To reach your VMs on Azure, your business or home network and the applications running on it (e.g. https://blog.kguhr.com/sap-bo-4-2-sp8-2-implementation/) need a VPN integration with Azure, which is outlined in the following.

Laid out below is a step-by-step guide on setting up a site-to-site VPN between a UniFi-based network and Azure (https://azure.microsoft.com/en-us/).

Prerequisites

First, there are three prerequisites that need to exist before starting this process.

  1. On the on-premise networking side, you will need a UniFi router such as the UniFi Dream Machine (UDM, https://store.ui.com/collections/unifi-network-routing-switching/products/unifi-dream-machine). The router also needs to be set up, and you need to be connected to it.
  2. On the Azure side, you will need to configure a Virtual Network Gateway and the related resources; we show this later.

Information Gathering

Like the beginning of every great investigation into the unknown, there is some information you will need to gather ahead of time for implementing this. Go ahead and get a text editor open to jot down some values needed for later steps.

The first piece of information is very easy: your static IP address.

  1. The easiest method is to Google “my IP” from a machine on the same network; it will appear right at the top of the search results. If you are not on the same network, consult your administrator or ISP to acquire this IP address.
  2. Put this into your text editor and label it Static IP Address for later.

The second piece of information you will need is the subnet IP address range for your on-premise network(s) that you plan to connect to Azure.

  1. To do this you will need to login to your UniFi controller with an admin account.
  2. From there go to the Settings menu (sprocket on the lower-left corner) and into the VPN Connection page.
  3. Find the networks you will be connecting to and take note of the information in the subnet column. Note that you can choose more than one network here.
  4. Put this into your text editor and label it On-Prem Subnet for later.

Here is an example in this screenshot.


Azure Virtual Network Gateway & Connection

A virtual network in Azure with an address space such as 10.1.0.0/16 is necessary, and the Azure Virtual Network Gateway must be deployed into that VNet. After that, you add a site-to-site connection to the gateway; the connection references a local network gateway that holds the Static IP Address and the On-Prem Subnet noted earlier.

The next step is to configure the VPN connection on the Dream Machine, as in the following example.

Here you configure the following:

  • Name of your VPN connection
  • VPN Type: Manual IPSec
  • Remote Subnets which is the Azure vNet address space (in my case 10.1.0.0/16)
  • Peer IP which is the public IP address of the Azure virtual network gateway
  • Local WAN IP
  • Pre-shared key (shared secret)
  • IPSec Profile: Customized
  • Key Exchange Version: IKEv2
  • Encryption: AES-256
  • Hash: SHA1
  • DH Group: 2

After that, the VPN will connect and the status of your Azure virtual network gateway connection will change to connected.
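As an added example that is not part of the original post, the script below sanity-checks the values gathered above before the Azure side is created (both tunnel endpoints must be public addresses, and the On-Prem Subnet must not overlap the Azure vNet address space), then prints the Azure CLI lines for the local network gateway, the connection and an explicit IPsec/IKE policy matching the UDM profile listed above. The resource group, gateway and resource names, and the PSK environment variable are assumptions; the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values (documentation ranges, not real hosts) for the values noted earlier.
SAMPLE = {
    "static_ip": "203.0.113.10",                               # Static IP Address
    "on_prem_subnets": ["192.168.1.0/24", "192.168.20.0/24"],  # On-Prem Subnet(s)
    "azure_vnet_space": "10.1.0.0/16",                         # Azure vNet address space
    "peer_ip": "198.51.100.25",                                # Peer IP (Azure gateway)
}
# RFC 1918 and CGNAT space: an endpoint address in here was read from the LAN
# side or from behind carrier NAT, and the tunnel will never come up.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def validate(values: Dict) -> List[str]:
    """Return the problems found; an empty list means the values are consistent."""
    problems = []
    for label in ("static_ip", "peer_ip"):
        addr = ipaddress.ip_address(values[label])
        if any(addr in net for net in NOT_ROUTABLE):
            problems.append(f"{label} {addr} is not a public address")
    vnet = ipaddress.ip_network(values["azure_vnet_space"])
    for prefix in values["on_prem_subnets"]:
        # Remote Subnets on the UDM and the local network gateway in Azure must not
        # overlap the vNet, or traffic for the far side never enters the tunnel.
        if ipaddress.ip_network(prefix).overlaps(vnet):
            problems.append(f"on-prem subnet {prefix} overlaps Azure vNet {vnet}")
    return problems

def az_commands(values: Dict, rg: str, vnet_gw: str) -> List[str]:
    """Azure CLI lines for the Azure side. The pre-shared key is read from the
    PSK environment variable so it never lands in shell history, and the
    IPsec/IKE policy pins the proposal to the UDM profile (AES-256, SHA1, DH 2)."""
    prefixes = " ".join(values["on_prem_subnets"])
    return [
        f"az network local-gateway create -g {rg} -n onprem-lgw "
        f"--gateway-ip-address {values['static_ip']} --local-address-prefixes {prefixes}",
        f"az network vpn-connection create -g {rg} -n onprem-to-azure "
        f'--vnet-gateway1 {vnet_gw} --local-gateway2 onprem-lgw --shared-key "$PSK"',
        f"az network vpn-connection ipsec-policy add -g {rg} --connection-name onprem-to-azure "
        "--ike-encryption AES256 --ike-integrity SHA1 --dh-group DHGroup2 "
        "--ipsec-encryption AES256 --ipsec-integrity SHA1 --pfs-group None "
        "--sa-lifetime 27000 --sa-max-size 102400000",
    ]

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE) or ["values look consistent"]))
    print("\n".join(az_commands(SAMPLE, "rg-vpn", "azure-vnet-gw")))
```

Azure also accepts SHA256 and DHGroup14 in the same policy command if the UDM profile is tightened later; the two sides must then be changed together.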
