EMnify provides a secure integration of IoT devices with applications on Azure. Utilizing a fully redundant VPN connection to the Azure Virtual Network Gateway, customers can directly peer with their devices and remotely access them within their private network.
The setup of the VPN requires
The following steps illustrate how to set up the VPN interconnection between the Azure VNet and the EMnify infrastructure.
A summary of these resources is visible on the Resource Groups page.
In the Azure console, navigate to the Subnets section of cc_vnet. Add one additional subnet for each backend CIDR configured in CloudConnect, which is 10.179.172.0/22 in our case. To prevent errors during establishment of the CloudConnect integration, a list of unavailable IP addresses is provided in the following report.
In the CloudConnect panel of the EMnify portal, expand the VPN Configuration panel. The two VPN terminations on the EMnify side, listed under Tunnel 1 and Tunnel 2, provide the two public IP addresses used to configure two Local Network Gateways, cc_vpn_gw_1 and cc_vpn_gw_2.
For the Address space of each of the two Local Network Gateways, configure a range large enough to cover all currently allocated endpoint address spaces as well as future endpoint address space allocations. We use 100.64.0.0/10 in this example.
Navigate to Connections in the Azure console. The Connections must be of type “Site-to-site (IPsec)”, use the IKEv2 protocol and have BGP disabled. The PSKs can be copied from the CloudConnect UI using the copy icon. If the PSK was generated by CloudConnect, Tunnel 1 and Tunnel 2 will have distinct PSKs that need to be copied accordingly into the Azure Connection configuration.
After the connection is established, the breakout status in the EMnify CloudConnect panel changes to active, and Tunnel 1 and Tunnel 2 change from down to up.
It is then visible in the Azure console that the tunnels have a status of 'Connected':
To activate traffic on the VPN, a ticket should be opened towards EMnify support to request activation of the CloudConnect integration.
On the Azure side, traffic must be routed towards the endpoints via the VPN, and traffic from the endpoints into cc_as_subnet must be allowed.
Create a Route Table cc_rt in the cloudconnect Resource Group to route the traffic towards the endpoints via the VNet Gateway.
Azure allows only one VNet Gateway per VNet, so the gateway does not need to be named explicitly; the route table entry only specifies Virtual Network Gateway as the next hop type. We again use the larger 100.64.0.0/10 range so that the route table does not have to be updated each time a new endpoint address space is allocated.
We also need to make sure cc_rt is associated with cc_as_subnet, the subnet where the Application Servers will be configured.
Similar to the Route Table, the Security Group shall be associated with cc_as_subnet.
We can now configure virtual machines in the 10.179.172.0/22 subnet to provide the Application Server functionality. Once EMnify resolves the firewall setup ticket, end-to-end connectivity is possible.
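The steps above only work if the subnet, Local Network Gateway address space and route table agree with what CloudConnect has configured; the following pre-flight check, added here as an example and not part of the EMnify guide or product, validates that plan. The backend CIDR, the 100.64.0.0/10 range and the VirtualNetworkGateway next hop are the guide's values; the VNet address space and the allocated endpoint spaces are constructed samples.

```python
"""Pre-flight check of the CloudConnect/Azure address plan used in this guide.

PLAN mirrors the guide (backend CIDR 10.179.172.0/22, endpoint range
100.64.0.0/10, next hop VirtualNetworkGateway); the cc_vnet address space
and the allocated endpoint spaces are constructed sample values.
"""
from ipaddress import ip_network

PLAN = {
    "vnet": "10.179.0.0/16",                    # assumed cc_vnet address space
    "backend_cidrs": ["10.179.172.0/22"],       # backend CIDRs set in CloudConnect
    "azure_subnets": {"cc_as_subnet": "10.179.172.0/22"},
    "endpoint_spaces": ["100.64.8.0/22", "100.96.0.0/20"],  # constructed samples
    "lng_space": "100.64.0.0/10",               # cc_vpn_gw_1 / cc_vpn_gw_2 range
    "routes": [("100.64.0.0/10", "VirtualNetworkGateway")],  # cc_rt entries
}


def check_plan(vnet, backend_cidrs, azure_subnets, endpoint_spaces, lng_space, routes):
    """Return a list of problems; an empty list means the plan is consistent."""
    vnet, lng = ip_network(vnet), ip_network(lng_space)
    subnets = {ip_network(s) for s in azure_subnets.values()}
    problems = []
    # 1. Each backend CIDR from CloudConnect must exist as a subnet of cc_vnet.
    for cidr in map(ip_network, backend_cidrs):
        if cidr not in subnets:
            problems.append(f"backend CIDR {cidr} has no matching VNet subnet")
        if not cidr.subnet_of(vnet):
            problems.append(f"backend CIDR {cidr} lies outside VNet {vnet}")
    # 2. The Local Network Gateway range must cover every endpoint space, so a
    #    new allocation needs no change to the gateways or to cc_rt.
    for ep in map(ip_network, endpoint_spaces):
        if not ep.subnet_of(lng):
            problems.append(f"endpoint space {ep} not covered by {lng}")
    # 3. The endpoint range must not overlap the VNet, otherwise traffic to the
    #    endpoints stays inside Azure instead of entering the tunnel.
    if lng.overlaps(vnet):
        problems.append(f"endpoint range {lng} overlaps VNet {vnet}")
    # 4. cc_rt must hand the whole endpoint range to the VNet gateway.
    if not any(ip_network(p) == lng and nh == "VirtualNetworkGateway" for p, nh in routes):
        problems.append(f"no route for {lng} with next hop VirtualNetworkGateway")
    return problems


def check_guide_plan():
    """Check the plan from this guide; returns [] when everything lines up."""
    return check_plan(**PLAN)


if __name__ == "__main__":
    print(check_guide_plan() or "address plan OK")
```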
For troubleshooting tips for Azure CloudConnect attachments, see the EMnify Knowledgebase article on CloudConnect via Azure.