# Microsoft Azure

## Prerequisites

You need a **virtual network gateway** in Azure. If you don't have one, [follow this tutorial by Microsoft](https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-create-gateway-portal).

## Step 1 - Creating a new cloud connection

Log in to the [GoodAccess **Control Panel**](https://app.goodaccess.com/branches/), and go to **Network** > **Clouds & Branches**.

Click **+ Add new**, enter a **Name** (e.g., Azure Production), select the required **Gateway**, and define the **Subnets** **of your Azure Virtual Network** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set in your Azure environment in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Cloud at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration:**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of your Azure virtual network gateway
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 14 - modp2048
* **Diffie-Hellman Groups (Phase 2)** - 14 - modp2048 (PFS2048)
{% endhint %}

## Step 2 - Creating a new local network gateway

Log in to the [Azure Portal](https://portal.azure.com/), go to **Local network gateways** (you can use the search bar), and click **+ Create**.

Set the configuration as follows:

* **Endpoint** - IP address
* **IP address** - IP of your GoodAccess Gateway
* **Address spaces** - Subnet of your GoodAccess Gateway

The remaining settings are up to you.

Click **Review + create** and then **Create**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FcYyZvVLaDBo48Cl6VeeK%2FCloud_Connector_Azure_01.png?alt=media&#x26;token=83a7dd63-5f6d-42c1-8b0c-069f1de9bf23" alt="Azure Portal with key steps to creating a new local network gateway."><figcaption><p>Creating a new local network gateway</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Ftk2SH0RSByhws1J8chD3%2FCloud_Connector_Azure_02.png?alt=media&#x26;token=c840efb5-9fb5-40ca-ba67-247ff4a7f3b3" alt="Azure Portal with key steps to configuring a new local network gateway."><figcaption><p>Setting up a new local network gateway</p></figcaption></figure></div>

## Step 3 - Creating a new connection

Go to **Virtual network gateways** (you can use the search bar), and select your virtual network gateway.

Go to **Connections**, click **+ Add**, and set the configuration as follows:

* **Connection type** - Site-to-site (IPsec)

The remaining settings are up to you.

Click **Next : Settings >**, and set the configuration as follows:

* **Virtual network gateway** - Choose from the dropdown
* **Local network gateway** - Choose from the dropdown
* **Shared key (PSK)** - Shared Secret [(Step 1)](#step-1-creating-a-new-cloud-connection)
* **IKE Protocol** - IKEv2
* **IPsec / IKE policy** - Custom
* **IKE Phase 1 & 2** - Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-cloud-connection)
* **IPsec SA lifetime in seconds** - Tunnel Lifetime (Phase 2)
* **DPD timeout in seconds** - Dead Peer Detection Delay

The remaining settings are up to you.

Click **Review + create**, and then **Create**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FZrodPbCtEPTswhoXaqgK%2FCloud_Connector_Azure_03.png?alt=media&#x26;token=555fedce-946a-4e7f-9620-b4b73b0e56ed" alt="Azure Portal with key steps to creating a new connection."><figcaption><p>Creating a new connection</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FeO9yuW3FAg3OxvcMFONV%2FCloud_Connector_Azure_04.png?alt=media&#x26;token=f11717bf-4ac1-4940-84cc-8700ab63bb55" alt="Azure Portal with key steps to creating a new site-to-site connection."><figcaption><p>Creating a new site-to-site connection</p></figcaption></figure></div>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FOGLZLhiD1WH2ib9h8GtS%2FCloud_Connector_Azure_05.png?alt=media&#x26;token=daa421f4-e702-43ae-aba9-7e2000e266d7" alt="Azure Portal with key steps to configuring a new site-to-site connection."><figcaption><p>Setting up a new site-to-site connection</p></figcaption></figure>

You have now successfully connected your Azure resources to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure you allow connections from your **GoodAccess Gateway private subnet** to the resources in your **Virtual Network (VNet)** (e.g., virtual machines, databases, etc.).

Depending on your Azure security setup, you may need to allow this communication in:

* **Network Security Groups (NSGs)**
* **Azure Firewall**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **Azure:** Go to **Virtual network gateway > Connections**.
{% endhint %}
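
A check for the requirement that the Azure IPsec / IKE policy matches Step 1, as an added example (not GoodAccess or Microsoft code): it compares connection JSON, such as `az network vpn-connection show` prints, with the Step 1 example values. The mapping from GoodAccess names to Azure policy values and both sample inputs are assumptions constructed here.

```python
import json

# GoodAccess side: the example values from Step 1 of this guide.
GOODACCESS = {
    "ike_enc": "aes256", "ike_int": "sha256", "ike_dh": "modp2048",
    "esp_enc": "aes256", "esp_int": "sha256", "esp_pfs": "modp2048",
    "tunnel_lifetime_s": 3600, "dpd_delay_s": 30,
}
# Assumption: how GoodAccess spellings correspond to Azure policy values.
AZURE = {"aes256": {"AES256"}, "sha256": {"SHA256"}}
AZURE_DH = {"modp2048": {"DHGroup14", "DHGroup2048"}}
AZURE_PFS = {"modp2048": {"PFS2048"}}

def audit(conn, ga=GOODACCESS):
    """Return the mismatches between an Azure connection and the GoodAccess side."""
    findings = []
    if conn.get("connectionType") != "IPsec":
        findings.append("connectionType is not IPsec (site-to-site)")
    if conn.get("connectionProtocol") != "IKEv2":
        findings.append("connectionProtocol is not IKEv2")
    policies = conn.get("ipsecPolicies") or []
    if not policies:
        # No custom policy: the Step 1 parameters are not pinned on the Azure side.
        return findings + ["no custom IPsec / IKE policy is set"]
    pol = policies[0]
    expected = [
        ("ikeEncryption", AZURE[ga["ike_enc"]]),
        ("ikeIntegrity", AZURE[ga["ike_int"]]),
        ("dhGroup", AZURE_DH[ga["ike_dh"]]),
        ("ipsecEncryption", AZURE[ga["esp_enc"]]),
        ("ipsecIntegrity", AZURE[ga["esp_int"]]),
        ("pfsGroup", AZURE_PFS[ga["esp_pfs"]]),
        ("saLifeTimeSeconds", {ga["tunnel_lifetime_s"]}),
    ]
    for field, allowed in expected:
        if pol.get(field) not in allowed:
            findings.append(f"{field} is {pol.get(field)!r}, expected {sorted(allowed)}")
    if conn.get("dpdTimeoutSeconds") != ga["dpd_delay_s"]:
        findings.append("dpdTimeoutSeconds differs from Dead Peer Detection Delay")
    return findings

# Constructed sample inputs (not captured from a real tenant).
MATCHING = json.loads("""{"connectionType": "IPsec", "connectionProtocol": "IKEv2",
 "dpdTimeoutSeconds": 30, "ipsecPolicies": [{"ikeEncryption": "AES256",
 "ikeIntegrity": "SHA256", "dhGroup": "DHGroup14", "ipsecEncryption": "AES256",
 "ipsecIntegrity": "SHA256", "pfsGroup": "PFS2048", "saLifeTimeSeconds": 3600}]}""")
DRIFTED = dict(MATCHING, dpdTimeoutSeconds=45, ipsecPolicies=[
    dict(MATCHING["ipsecPolicies"][0], ikeIntegrity="SHA1", pfsGroup="None")])
print(audit(MATCHING) or "matches Step 1", audit(DRIFTED))
```

An empty list means the Azure side matches; each string names one field to correct in the connection's **IPsec / IKE policy** before testing the tunnel again.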

