Use this VNS3 set up guide to get started in Microsoft Azure public cloud environments. About VNS3: VNS3 delivers cloud networking and NFV functionality for virtual and cloud environments. The VNS3 virtual network security appliance includes a router, switch, stateful firewall, VPN support (IPsec and SSL), and protocol redistributor, and extensible NFV optimized for all major cloud providers. VNS3 cloud networks are configured and managed through the VNS3 Manager web-based UI or resetful API. VNS3 is available in: Amazon Web Services EC2, Amazon Web Services VPC, Microsoft Azure, CenturyLink Cloud, Google Compute Engine (GCE), Rackspace, IBM SoftLayer, ElasticHosts, Verizon Terremark vCloud Express, InterRoute, Abiquo, Openstack, Flexiant, Eucalyptus, Abiquo, HPE Helion, VMware (all formats), Citrix, Xen, KVM, and more. VNS3 supports most IPsec data center solutions, including: Preferred Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, Vyatta, and any IPsec device that supports IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or MD5, and most importantly NAT-Traversal standards.

1. © 2016
Microsoft Azure
Configuration
Azure Setup for VNS3
2016

2. © 2016
Table of Contents
2
Requirements 3
Create Azure Private VLAN 10
Launch VNS3 Image from Azure Marketplace 15
Deliver and launch VNS3 from Azure 22
VNS3 Configuration Document Links 36

3. © 2016
Requirements
3

4. © 2016
Requirements
4
•You have an Azure (for a Free Azure trial, visit http://azure.microsoft.com/en-us/pricing/free-
trial).
•You have the ability to configure a client (whether desktop based or cloud based) to use
OpenVPN client software.
•You have a compliant IPsec firewall/router networking device:
Preferred Most models from Cisco Systems*, Juniper, Watchguard, Dell SONICWALL, Netgear,
Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett
Packard, D-Link, WatchGuard, Palo Alto Networks, OpenSwan, pfSense, and Vyatta.
Best Effort Any IPsec device that supports: IKE1 or IKE2, AES256 or AES128 or 3DES, SHA1 or
MD5.
*Known Exclusions Checkpoint R65+ requires native IPSec connections as Checkpoint does
not conform to NAT-Traversal Standards and Cisco ASA 8.4(2)-8.4(4) bugs prevent a stable
connection from being maintained.

5. © 2016
Getting Help with VNS3
5
This guide covers a very generic VNS3 setup in the Azure cloud. If you need specific help
with project planning, POCs, or audits, contact our professional services team via
sales@cohesive.net for details.
Please review the VNS3 Support Plans and Contacts before sending support inquiries.

6. © 2016
Firewall Considerations
6
VNS3 Controller instances use the following TCP and UDP ports.
• UDP port 1194
For client VPN connections; must be accessible from all servers that will join VNS3 topology as clients.
• UDP 1195-1203*
For tunnels between Controller peers; must be accessible from all peers in a given topology.
• TCP port 8000
HTTPS admin interface; must be accessible from hosts where you will want to obtain runtime status or configure peering, also needs to be open to and from
the Controllers at least for the peering process, and needs to be accessible when downloading credentials for installation on overlay network clients.
• UDP port 500
UDP port 500 is used the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.
• ESP Protocol 50 and possibly UDP port 4500
Protocol 50 is used for phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP
port 4500** is used for the phase 2 or ESP (Encapsulated Security Payload) component of an IPsec VPN connection when using NAT-Traversal Encapsulation.
*VNS3:vpn and VNS3:net Lite Edition will not require UDP ports 1195-1197 access as it is not licensed for Controller Peering.
** Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500

7. © 2016
Sizing Considerations
7
Image Size and Architecture
VNS3 Controller Images are available as 64bit images to allow the greatest flexibility for your use-case. We
recommend Controller instances be launched with at least 512MB of RAM. Smaller sizes are supported but the
performance will depend on the use-case.
Clientpack Key Size
VNS3 Controllers currently generate 1024 bit keys for connecting the clients to the overlay network via the
“clientpacks”. Smaller or larger encryption keys can be provided upon request (from 64 bit to 2048 bit). Future
releases of VNS3 will provide the user control over key size and cipher during initialization and configuration.

8. © 2016
Address Considerations
8
Restrictions
Your VLAN CIDR and Subnets cannot not overlap with the VNS3 Overlay Network Subnet.
The Azure public cloud does not currently allow virtual machine instances to act as networks
gateways for unencrypted VLAN traffic. As a result when using Azure, you must use the Overlay
Network when configuring your cloud servers.

9. © 2016
Remote Support
9
Note that TCP 22 (ssh) is not required for normal operations.
Each VNS3 Controller is running a restricted SSH daemon, with
access limited only to Cohesive for debugging purposes controlled
by the user via the Remote Support toggle and key exchange
generation.
In the event Cohesive needs to observe runtime state of a VNS3
Controller in response to a tech support request, we will ask you to
open Security Group access to SSH from our support IP range and
Enable Remote Support via the Web UI.
Cohesive will send you an encrypted passphrase to generate a
private key used by Cohesive Support staff to access your
Controller. Access to the restricted SSH daemon is completely
controlled by the user. Once the support ticket has been closed
you can disable remote support access and invalidate the access
key.

10. © 2016
Create Azure Private VLAN
10

11. © 2016
Create VLAN
11
Cohesive Networks recommends using a custom
Azure Virtual Network or VLAN for all Azure cloud
deployments. VLANs provide isolation and
additional network configuration settings that may
be needed for your use-case.
The following VLAN setup is the recommended
best practice that uses separate subnets for VNS3
Controller instances and cloud server instances.
NOTE: The Azure VLAN CIDR you configure
CANNOT overlap with the VNS3 Overlay Network
you create during configuration of your VNS3
Controller instance.

12. © 2016
Create VLAN - Virtual Network Details
12
On the Azure Portal left menu, choose “NEW” at
the bottom, then select NETWORK SERVICES —>
VIRTUAL NETWORK —> CUSTOM CREATE.
This will pop up a window allowing you to name
your private VLAN.
Give the VLAN a name and pick the Azure compute
center for it to be created in.
NOTE: While Azure VLANs cannot span compute
centers, that is one of the key capabilities of VNS3.
Create an encrypted VNS3 Overlay Network that
spans regions as well as clouds. It can also safely
peer Azure VLANs between regions, as well as
VLANs between clouds.
Click the arrow on the lower right to proceed.

13. © 2016
Create VLAN - DNS Servers
13
Unless you are setting up specific DNS
servers, there are no needed configuration
changes on this page.
Click the arrow to proceed.

14. © 2016
Create VLAN - Virtual Network Address Spaces
14
On the next page you can specify any Address Space in
the private IP Address ranges set by RFC 1918
-10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
NOTE: You cannot create VLANs with Public IPv4
addresses. VNS3 allows this with its encrypted virtual
VLANs.
You then create one or more subnets within that
address space. In this example two were created.
VLAN organization is outside the scope of this
document, but there are often advantages to putting
the VNS3 instance in a separate subnet from the rest of
your deployment.
Click the checkbox to finish creating your VLAN.

15. © 2016
Launch VNS3 Image from Azure Marketplace
15

16. © 2016
Launch VNS3 - Select VNS3 Image
16
VNS3 Free and Lite Edition virtual machine images are
available in the Azure Marketplace:
VNS3:vpn Free Edition - https://azure.microsoft.com/
en-us/marketplace/partners/cohesive/cohesiveft-vns3-
for-azure/#cohesive-vns3-free
VNS3:net Lite Edition - https://azure.microsoft.com/en-
us/marketplace/partners/cohesive/cohesiveft-vns3-for-
azure/#cohesive-vns3-lite
To launch an instance of either, on the Azure Portal left
menu, choose “NEW” at the bottom, then select
COMPUTE —> VIRTUAL MACHINE —> FROM GALLERY.

17. © 2016
Launch VNS3 - Select VNS3 Image
17
The “FROM GALLERY” option pops up a
window offering “Choose an Image”offering
default Microsoft and Operating System
vendor images.
Scroll to the bottom of the Featured Image
list and select the VNS3:vpn Free Edition or
VNS3:net Lite Edition image.
Click the arrow to proceed.

18. © 2016
Launch VNS3 - Virtual Machine Configuration
18
Give the instance a name, “spaces” are not allowed, so use
hyphens to separate the words of an instance name.
Choose your tier of service and instance size. VNS3 should
have at least one core and 1.5 gigs of memory, so the “A1”
instance type is a good place to start. Depending on need,
VNS3 can be run as a very large instance to provide more
throughput for the virtual network, site-to-site
connections, firewall rules, or other network functions.
The Azure portal requires a username and a SSH key or
password. Regardless of their entry - they will not provide
shell access to VNS3 instances which run as appliances.
The most straightforward approach would be to leave the
default “azureuser” and enter a meaningless password.
After these configuration elements are made use the
“proceed” arrow inthe lower right of the web browser
page.

19. © 2016
Launch VNS3 - Virtual Machine Configuration
19
The next page of configuration for the VNS3 instance sets up the network
port access rules, as well as allows you to choose a VLAN for the instance to
be launched in. Azure calls this element that holds this information a “Cloud
Service”, allowing you to launch other (subsequent) instances with the same
configuration parameters.
You can create a new cloud service, naming it, or choose an existing one
created previously. The cloud service name must be globally unique as it
serves as a DNS name.
The next drop town box lets you choose from a number of groups; either
one of the Azure Cloud Computing Centers, or an element called an “Affinity
Group” or a pre-defined VLAN. Most customers will want to have defined a
virtual network VLAN for placing their instances in.
The topic of Availability Sets is beyond the scope of this document.
Endpoints are how Azure describes a set of TCP and UDP port rules. Only
TCP and UDP are allowed, other protocols cannot be controlled, and as a
rule are blocked by Azure.
At minimum VNS3 needs port 8000 open for the API and the Administrative
UI.
When complete select the proceed arrow near the bottom of the web
browser page.

20. © 2016
Launch VNS3 - Virtual Machine Configuration
20
The final page before instance launch should not
need modification.
Ensure that the “VM Agent” box is checked.
Do NOT check the “Chef ” button.
Review the legal terms and summary information,
and finalize the launch of the instance by clicking on
the “check box” at the bottom right of the web
browser page.

21. © 2016
VNS3 Virtual Machine Details
21
After clicking on the “check box” you will be
returned to the “virtual machines” page, which
shows the instance running in your account.
In this example there is only one instance “vns3-
free”.
Click in the “Name” column on the “vns3-free” row
to be taken to its detail page.
If it is the first instance you have launched you will
be taken to the summary “Quick Start” page with
useful links to Azure APIs, SDKs and
Documentation.
Click on the “Skip Quick Start the next time I visit”
to go straight to the instance detail page in future.

22. © 2016
Deliver and launch VNS3 from
your Azure Account
22

23. © 2016
Azure Configuration: Create Storage for Template Delivery
23
Step 1 Create a Microsoft Azure storage account in order to have a
destination used by Cohesive Networks to deliver the VNS3 template
disk.
One can have many storage accounts in Azure. This is the where
containers (folders sort of) and disks for images and instances are
stored. You will be creating a dedicated storage account for
Cohesive Networks to use to deliver the VNS3 template.
To create a storage account:
- Login to the Azure portal.
- At the bottom of the “All Items” left side menu, click “New”.
- Select DataServices > Storage> Quick Create.
URL – Type a unique storage name. This name must be globally
unique across all Azure customers, so do not be surprised if some
simple names like “mystorage” are not accepted.
Location/Affinity Group – Select an Azure location.
Replication – Select the level of redundancy for the storage account;
locally redundant (copy kept in that cloud center), geo-redundant (a
copy moved to another cloud center).
3. Click “Create Storage Account”.

24. © 2016
Azure Configuration: Get Storage Access Keys
24
Once you see the onscreen notification that the
storage account was successfully created, you then
need to retrieve the storage access keys.
At the bottom of the screen you will see a menu item
for “Manage Access Keys”. When you click on it a pop
up window is created as shown here to the right.
Copy the “Secondary Access Key” and keep it available
for sharing with Cohesive Networks so the appropriate
VNS3 template can be delivered to your account.
(Ideally you paste it into a plain text editor to avoid any
changes to characters which might occur in Word,
Pages, or OpenOffice.)

25. © 2016
Azure Configuration: Create Container for Template
25
The next step is to create a Container in the Storage account for
storing the VNS3 Image Template.
Return to the left menu “All Items” and choose “Storage”.
You will see at list the storage account created in the previous
steps. Click on “Containers” to see existing containers, and to
create a new container for storing the template.
The next screen shows a list of existing containers and the option
to “Add a Container”, or if there are no existing containers the
choice says “Create A Container”.

26. © 2016
Azure Configuration: Create Container for Template
26
After clicking “Add A Container” or “Create A Container” a window
pops up prompting you to create the new container.
Provide a descriptive name for the container. This name does
not have to globally unique and the dash “-“ character is allowed.
Choose an Access setting of “Private” (versus Public or Public
Blob).
Your contractual relationship with Cohesive Networks does
not allow sharing the VNS3 template image outside of your
company, so the setting should be “Private”.
In this example the container is named “vns3-templates”.

27. © 2016
Azure Configuration: Provide Storage Credentials to Cohesive Networks
27
Now provide the name of the Storage Account, the Container name, and
the Storage Account Secondary Key to Cohesive Networks to enable
delivery of a VNS3 template to your account.
In our example this would be:
Storage Account Name: myuniquename23487
Container Name: vns3-templates
Secondary Access Key:
CoR7Keonnzt1s+MqSm6wkXw2KMDs5fkdtwt7QTE/
YZVGuCeObnWqYx1rL1wkVZFD7xrxGiyZ9O2PE2JoN7XdBQ==
Cohesive Networks will use these credentials along with the Azure Cross
Platform command line tool to transfer the template from the CFT
account to your shared storage account.
This will be done with the “azure vm upload” command which allows the
asynchronous transfer of objects in Azure storage between accounts.
When the transfer is complete Cohesive Networks will prompt you to
review the delivered VHD in the shared storage container. When the
delivery operation is complete you can “regenerate” the storage account
secondary key to remove Cohesive Networks’s access to that storage
account.

28. © 2016
Azure Configuration: Create VNS3 Image from Storage
28
In the Azure Portal left menu bar select “Virtual Machines”
This display defaults to “Instances” and shows any running
instances in your account.
To make the needed Image, so you can create VNS3
Instances, you will need to click on the word “Images”, next
to “Instances”.
This screen shows images that have already been created.
Below that display, click on the option “CREATE AN IMAGE”.

29. © 2016
Azure Configuration: Create VNS3 Image from Storage
29
Click on “CREATE AN IMAGE” pops up the window shown to
the right.
Fill in an Image name identical to the template delivered to
the storage container.
Select “Linux” as the Operating System Family”, and select the
checkbox for “I have run waagent -deprovision on the virtual
machine”.
Then click on VHD URL to browse to the template disk in the
storage container (in our example “vns3-templates"
Select the VNS3 template from the storage container, then
click on the “Check Mark” on the “Create an image from a
VHD” pop up window.
When that process completes you will be able to create
instances of VNS3 from the image created.

30. © 2016
Launch VNS3 - Select VNS3 Image
30
To launch an VM of of the image shared by
Cohesive Networks, on the Azure Portal left
menu, choose “NEW” at the bottom, then select
COMPUTE —> VIRTUAL MACHINE —> FROM
GALLERY.

31. © 2016
Launch VNS3 - Select VNS3 Image
31
The “FROM GALLERY” option pops up a
window offering “Choose an Image”offering
default Microsoft and Operating System
vendor images.
Select My Images then select the VNS3
image created on page 22.
Click the arrow to proceed.

32. © 2016
Launch VNS3 - Virtual Machine Configuration
32
Give the instance a name, “spaces” are not allowed, so use
hyphens to separate the words of an instance name.
Choose your tier of service and instance size. VNS3 should
have at least one core and 1.5 gigs of memory, so the “A1”
instance type is a good place to start. Depending on need,
VNS3 can be run as a very large instance to provide more
throughput for the virtual network, site-to-site
connections, firewall rules, or other network functions.
The Azure portal requires a username and a SSH key or
password. Regardless of their entry - they will not provide
shell access to VNS3 instances which run as appliances.
The most straightforward approach would be to leave the
default “azureuser” and enter a meaningless password.
After these configuration elements are made use the
“proceed” arrow inthe lower right of the web browser
page.

33. © 2016
Launch VNS3 - Virtual Machine Configuration
33
The next page of configuration for the VNS3 instance sets up the network
port access rules, as well as allows you to choose a VLAN for the instance to
be launched in. Azure calls this element that holds this information a “Cloud
Service”, allowing you to launch other (subsequent) instances with the same
configuration parameters.
You can create a new cloud service, naming it, or choose an existing one
created previously. The cloud service name must be globally unique as it
serves as a DNS name.
The next drop town box lets you choose from a number of groups; either
one of the Azure Cloud Computing Centers, or an element called an “Affinity
Group” or a pre-defined VLAN. Most customers will want to have defined a
virtual network VLAN for placing their instances in.
The topic of Availability Sets is beyond the scope of this document.
Endpoints are how Azure describes a set of TCP and UDP port rules. Only
TCP and UDP are allowed, other protocols cannot be controlled, and as a
rule are blocked by Azure.
At minimum VNS3 needs port 8000 open for the API and the Administrative
UI.
When complete select the proceed arrow near the bottom of the web
browser page.

34. © 2016
Launch VNS3 - Virtual Machine Configuration
34
The final page before instance launch should not
need modification.
Ensure that the “VM Agent” box is checked.
Do NOT check the “Chef ” button.
Review the legal terms and summary information,
and finalize the launch of the instance by clicking on
the “check box” at the bottom right of the web
browser page.

35. © 2016
VNS3 Virtual Machine Details
35
After clicking on the “check box” you will be
returned to the “virtual machines” page, which
shows the instance running in your account.
In this example there is only one instance “vns3-
free”.
Click in the “Name” column on the “vns3-free” row
to be taken to its detail page.
If it is the first instance you have launched you will
be taken to the summary “Quick Start” page with
useful links to Azure APIs, SDKs and
Documentation.
Click on the “Skip Quick Start the next time I visit”
to go straight to the instance detail page in future.

36. © 2016
VNS3 Configuration Document Links
36

37. © 2016
VNS3 Configuration Document Links
37
VNS3 Product Resources - Documentation | Add-ons
VNS3 Configuration Instructions
Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include,
initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to
the Overlay Network.
VNS3 Administration Document
Covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall,
all administration menu items, upgrade licenses, other routes and SNMP traps.
VNS3 Docker Instructions
Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.
VNS3 Troubleshooting
Troubleshooting document that provides explanation issues that are more commonly experienced with VNS3.