# Microsoft Azure

## Prerequisites

You need a **virtual network gateway** in Azure. If you don't have one, [follow this tutorial by Microsoft](https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-create-gateway-portal).

## Step 1 - Creating a new cloud connection

Log in to the GoodAccess [**Control Panel**](https://app.goodaccess.com/branches/), and go to **Network** > **Clouds & Branches**.

Click **+ Add new**, enter a **Name** (e.g., Azure Production), select the required **Gateway**, and define the **Subnets of your Azure Virtual Network** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set in your Azure environment in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Cloud at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration:**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of your Azure virtual network gateway
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 14 - modp2048
* **Diffie-Hellman Groups (Phase 2)** - 14 - modp2048 (PFS2048)
{% endhint %}

## Step 2 - Creating a new local network gateway

Log in to the [Azure Portal](https://portal.azure.com/), go to **Local network gateways** (you can use the search bar), and click **+ Create**.

Set the configuration as follows:

* **Endpoint** - IP address
* **IP address** - IP of your GoodAccess Gateway
* **Address spaces** - Subnet of your GoodAccess Gateway

The remaining settings are up to you.

Click **Review + create** and then **Create**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FcYyZvVLaDBo48Cl6VeeK%2FCloud_Connector_Azure_01.png?alt=media&#x26;token=83a7dd63-5f6d-42c1-8b0c-069f1de9bf23" alt="Azure Portal with key steps to creating a new local network gateway."><figcaption><p>Creating a new local network gateway</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Ftk2SH0RSByhws1J8chD3%2FCloud_Connector_Azure_02.png?alt=media&#x26;token=c840efb5-9fb5-40ca-ba67-247ff4a7f3b3" alt="Azure Portal with key steps to configuring a new local network gateway."><figcaption><p>Setting up a new local network gateway</p></figcaption></figure></div>

## Step 3 - Creating a new connection

Go to **Virtual network gateways** (you can use the search bar), and select your virtual network gateway.

Go to **Connections**, click **+ Add**, and set the configuration as follows:

* **Connection type** - Site-to-site (IPsec)

The remaining settings are up to you.

Click **Next : Settings >**, and set the configuration as follows:

* **Virtual network gateway** - Choose from the dropdown
* **Local network gateway** - Choose from the dropdown
* **Shared key (PSK)** - Shared Secret [(Step 1)](#step-1-creating-a-new-cloud-connection)
* **IKE Protocol** - IKEv2
* **IPsec / IKE policy** - Custom
* **IKE Phase 1 & 2** - Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-cloud-connection)
* **IPsec SA lifetime in seconds** - Tunnel Lifetime (Phase 2)
* **DPD timeout in seconds** - Dead Peer Detection Delay

The remaining settings are up to you.

Click **Review + create**, and then **Create**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FZrodPbCtEPTswhoXaqgK%2FCloud_Connector_Azure_03.png?alt=media&#x26;token=555fedce-946a-4e7f-9620-b4b73b0e56ed" alt="Azure Portal with key steps to creating a new connection."><figcaption><p>Creating a new connection</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FeO9yuW3FAg3OxvcMFONV%2FCloud_Connector_Azure_04.png?alt=media&#x26;token=f11717bf-4ac1-4940-84cc-8700ab63bb55" alt="Azure Portal with key steps to creating a new site-to-site connection."><figcaption><p>Creating a new site-to-site connection</p></figcaption></figure></div>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FOGLZLhiD1WH2ib9h8GtS%2FCloud_Connector_Azure_05.png?alt=media&#x26;token=daa421f4-e702-43ae-aba9-7e2000e266d7" alt="Azure Portal with key steps to configuring a new site-to-site connection."><figcaption><p>Setting up a new site-to-site connection</p></figcaption></figure>

You have now successfully connected your Azure resources to GoodAccess.
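Steps 2 and 3 can also be deployed as infrastructure-as-code. The Bicep template below is an added example, not part of the GoodAccess documentation or Microsoft's templates; it assumes an existing virtual network gateway passed in as `vnetGatewayId`, and the resource names, API version and placeholder IP values are assumptions. The Phase 1 and Phase 2 values mirror the Step 1 example.

```bicep
// Public IP and private subnet of your GoodAccess Gateway (Step 2); placeholder values.
param goodAccessGatewayIp string = '203.0.113.10'
param goodAccessSubnet string = '10.255.0.0/24'
// Resource ID of the existing virtual network gateway (see Prerequisites).
param vnetGatewayId string
// Shared Secret from Step 1; pass it at deploy time, never hard-code it.
@secure()
param sharedKey string
param location string = resourceGroup().location

// Step 2 - local network gateway describing the GoodAccess side of the tunnel.
resource lng 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'lng-goodaccess'
  location: location
  properties: {
    gatewayIpAddress: goodAccessGatewayIp
    localNetworkAddressSpace: {
      addressPrefixes: [ goodAccessSubnet ]
    }
  }
}

// Step 3 - site-to-site IKEv2 connection with a custom IPsec/IKE policy.
// Azure does not expose the IKE (Phase 1) SA lifetime; its default of 28800 s matches Step 1.
resource conn 'Microsoft.Network/connections@2023-05-01' = {
  name: 'cn-goodaccess'
  location: location
  properties: {
    connectionType: 'IPsec'
    connectionProtocol: 'IKEv2'
    virtualNetworkGateway1: { id: vnetGatewayId, properties: {} }
    localNetworkGateway2: { id: lng.id, properties: {} }
    sharedKey: sharedKey
    dpdTimeoutSeconds: 30              // Dead Peer Detection Delay
    ipsecPolicies: [
      {
        ikeEncryption: 'AES256'        // Encryption (Phase 1)
        ikeIntegrity: 'SHA256'         // Integrity (Phase 1)
        dhGroup: 'DHGroup14'           // Diffie-Hellman Group (Phase 1), modp2048
        ipsecEncryption: 'AES256'      // Encryption (Phase 2)
        ipsecIntegrity: 'SHA256'       // Integrity (Phase 2)
        pfsGroup: 'PFS2048'            // Diffie-Hellman Group (Phase 2), PFS2048
        saLifeTimeSeconds: 3600        // Tunnel Lifetime (Phase 2)
        saDataSizeKilobytes: 102400000 // Azure also requires a data-size lifetime (portal default)
      }
    ]
  }
}
```

Deploy it into the resource group that holds the virtual network gateway and supply `sharedKey` as a secure parameter; the policy values must stay identical on both sides or IKE negotiation fails.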

{% hint style="warning" %}
**Firewall rules**

Make sure you allow connections from your **GoodAccess Gateway private subnet** to the resources in your **Virtual Network (VNet)** (e.g., virtual machines or databases).

Depending on your Azure security setup, you may need to allow this communication in:

* **Network Security Groups (NSGs)**
* **Azure Firewall**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **Azure:** Go to **Virtual network gateway > Connections**.
{% endhint %}
