Describes how to configure a Non SD-WAN Destination of type Microsoft Azure Virtual Hub via Edge in SD-WAN Orchestrator.

To configure a Non SD-WAN Destination of type Microsoft Azure Virtual Hub via Edge in SD-WAN Orchestrator:

Prerequisites

Procedure

  1. From the navigation panel in the SD-WAN Orchestrator, go to Configure > Network Services.
    The Services screen appears.
  2. In the Non SD-WAN Destinations via Edge area, click the New button.
    The New Non SD-WAN Destinations via Edge dialog box appears.
  3. In the Service Name text box, enter the name for the Non SD-WAN Destination.
  4. From the Service Type drop-down menu, select Microsoft Azure Virtual Hub.
  5. From the Subscription drop-down menu, select a cloud subscription.
    The application fetches all the available Virtual WANs dynamically from Azure.
  6. From the Virtual WAN drop-down menu, select a virtual WAN.
    The application auto-populates the resource group to which the virtual WAN is associated.
  7. From the Virtual Hub drop-down menu, select a Virtual Hub.
    The application auto-populates the Azure region corresponding to the Hub.
  8. Click Next.
    The Microsoft Azure Non SD-WAN Destination is created and a dialog box for your Non SD-WAN Destination appears.
  9. To configure tunnel settings for the Non SD-WAN Destination’s Primary VPN Gateway, click the Advanced button.
  10. In the Primary VPN Gateway area, you can configure the following tunnel settings:
    Encryption: Select either AES 128 or AES 256 as the AES algorithm key size used to encrypt data. If you do not want to encrypt data, select NONE. The default value is AES 128.
    DH Group: The Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Group is 2.
    PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. The default value is Deactivated.
    Hash: The authentication algorithm for the VPN header. Select one of the following supported Secure Hash Algorithm (SHA) functions from the list:
    • SHA 1
    • SHA 256
    The default value is SHA 256.
    IKE SA Lifetime (min): Time after which Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes.
    IPsec SA Lifetime (min): Time after which Internet Protocol Security (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum IPsec lifetime is 480 minutes. The default value is 480 minutes.
    DPD Timeout Timer (sec): Enter the DPD timeout value. The DPD timeout value is added to the internal DPD timer, as described below. It is the time to wait for a response to a DPD message before considering the peer to be dead (Dead Peer Detection).
    Prior to the 5.1.0 release, the default value is 20 seconds. For the 5.1.0 release and later, see the list below for the default value.
    • Library Name: Quicksec
    • Probe Interval: Exponential (0.5 sec, 1 sec, 2 sec, 4 sec, 8 sec, 16 sec)
    • Default Minimum DPD Interval: 47.5 sec (Quicksec waits for 16 seconds after the last retry. Therefore, 0.5+1+2+4+8+16+16 = 47.5).
    • Default Minimum DPD Interval + DPD Timeout (sec): 67.5 sec
    Note: Prior to the 5.1.0 release, you can deactivate DPD by configuring the DPD timeout timer to 0 seconds. However, for the 5.1.0 release and later, you cannot deactivate DPD by configuring the DPD timeout timer to 0 seconds. The DPD timeout value in seconds is added onto the default minimum value of 47.5 seconds.
    Note: Non SD-WAN Destination via Edge of type Microsoft Azure Virtual WAN automation supports only the IKEv2 protocol with Azure default IPsec policies (except GCM mode), when the SD-WAN Edge acts as the Initiator and Azure acts as the Responder during IPsec tunnel setup.

  11. Click Save Changes.
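The option sets, ranges and DPD arithmetic listed in step 10 can be checked before you click Save Changes. The following Python is an added example and is not part of the SD-WAN Orchestrator product or this documentation: the option sets and the Quicksec probe schedule are taken from the table above, while the class and function names (TunnelSettings, validate_settings, effective_dpd_dead_time) are this example's own. It flags values outside the documented ranges as errors and flags weak but permitted choices (NONE encryption, SHA 1, PFS Deactivated, a DPD timeout of 0 on 5.1.0 and later) as warnings.

```python
"""Sanity-check Primary VPN Gateway tunnel settings (constructed example).

Option sets, ranges and the Quicksec DPD schedule are those documented on this
page; TunnelSettings, validate_settings and effective_dpd_dead_time are
hypothetical names for this example, not Orchestrator APIs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ENCRYPTION_OPTIONS = {"AES 128", "AES 256", "NONE"}
SUPPORTED_DH_GROUPS = {2}
PFS_OPTIONS = {"Deactivated", 2, 5, 14, 15, 16}
HASH_OPTIONS = {"SHA 1", "SHA 256"}
IKE_SA_LIFETIME_RANGE = (10, 1440)   # minutes
IPSEC_SA_LIFETIME_RANGE = (3, 480)   # minutes

# Quicksec (5.1.0 and later): exponential probe retries, then a final
# 16-second wait after the last retry: 0.5+1+2+4+8+16+16 = 47.5 seconds.
QUICKSEC_PROBE_INTERVALS = (0.5, 1, 2, 4, 8, 16)
QUICKSEC_FINAL_WAIT = 16
QUICKSEC_MIN_DPD_INTERVAL = sum(QUICKSEC_PROBE_INTERVALS) + QUICKSEC_FINAL_WAIT


@dataclass
class TunnelSettings:
    """Field defaults match the defaults stated in the tunnel settings table."""
    encryption: str = "AES 128"
    dh_group: int = 2
    pfs: Union[str, int] = "Deactivated"
    hash_alg: str = "SHA 256"
    ike_sa_lifetime_min: int = 1440
    ipsec_sa_lifetime_min: int = 480
    dpd_timeout_sec: int = 20


def version_tuple(release: str) -> Tuple[int, ...]:
    """'5.1.0' -> (5, 1, 0) so releases compare numerically."""
    return tuple(int(part) for part in release.split("."))


def effective_dpd_dead_time(dpd_timeout_sec: int, release: str = "5.1.0") -> Optional[float]:
    """Seconds of silence before the peer is declared dead.

    Before 5.1.0 the configured timer is used as-is and 0 deactivates DPD
    (returned as None). From 5.1.0 the configured value is added to the fixed
    Quicksec minimum of 47.5 seconds, so 0 no longer deactivates DPD.
    """
    if version_tuple(release) < (5, 1, 0):
        return None if dpd_timeout_sec == 0 else float(dpd_timeout_sec)
    return QUICKSEC_MIN_DPD_INTERVAL + dpd_timeout_sec


def validate_settings(s: TunnelSettings, release: str = "5.1.0") -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors are values the dialog does not offer,
    warnings are permitted values that weaken the tunnel."""
    errors: List[str] = []
    warnings: List[str] = []

    if s.encryption not in ENCRYPTION_OPTIONS:
        errors.append(f"encryption {s.encryption!r} is not an offered option")
    elif s.encryption == "NONE":
        warnings.append("encryption NONE: tunnel data is not encrypted")

    if s.dh_group not in SUPPORTED_DH_GROUPS:
        errors.append(f"DH group {s.dh_group} is not supported (only group 2)")

    if s.pfs not in PFS_OPTIONS:
        errors.append(f"PFS level {s.pfs!r} is not an offered option")
    elif s.pfs == "Deactivated":
        warnings.append("PFS Deactivated: compromise of IKE keys can expose earlier IPsec session keys")

    if s.hash_alg not in HASH_OPTIONS:
        errors.append(f"hash {s.hash_alg!r} is not an offered option")
    elif s.hash_alg == "SHA 1":
        warnings.append("SHA 1 selected; SHA 256 is the default and the stronger choice")

    lo, hi = IKE_SA_LIFETIME_RANGE
    if not lo <= s.ike_sa_lifetime_min <= hi:
        errors.append(f"IKE SA lifetime {s.ike_sa_lifetime_min} min outside {lo}-{hi}")
    lo, hi = IPSEC_SA_LIFETIME_RANGE
    if not lo <= s.ipsec_sa_lifetime_min <= hi:
        errors.append(f"IPsec SA lifetime {s.ipsec_sa_lifetime_min} min outside {lo}-{hi}")

    if s.dpd_timeout_sec < 0:
        errors.append("DPD timeout must not be negative")
    elif s.dpd_timeout_sec == 0 and version_tuple(release) >= (5, 1, 0):
        warnings.append("DPD timeout 0 does not deactivate DPD on 5.1.0 and later; "
                        f"peer is declared dead after {QUICKSEC_MIN_DPD_INTERVAL} s")
    return errors, warnings


if __name__ == "__main__":
    defaults = TunnelSettings()
    print(validate_settings(defaults))                 # ([], ['PFS Deactivated: ...'])
    print(effective_dpd_dead_time(defaults.dpd_timeout_sec))  # 67.5
```

With the documented defaults the validator reports no errors and one warning (PFS Deactivated), and the default 20-second DPD timeout yields the 67.5-second figure from the table. Passing release="4.5.0" (a constructed pre-5.1.0 version string) shows the older behaviour where a timeout of 0 deactivates DPD.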

What to do next

For information about Azure Virtual WAN Edge Automation, see Configure SD-WAN Orchestrator for Azure Virtual WAN IPsec Automation from SD-WAN Edge.