Traffic Forwarding Azure VNG


(Vincent) #1

Hello,

Has anyone tried using Azure VNG to form an IPsec VPN tunnel towards Zscaler? Considering using the native Azure VPN towards Zscaler [PAC over IPSec]. Has anyone had any experience of this? Is it recommended or discouraged? Anything I should know? Any gotchas?

Thanks,


(Scott Bullock) #2

We have a prototype, technically it works. There’s some extra validation taking place to ensure HA is fully functional and automated.

@mjasyal, any further thoughts on this one?


(Vincent) #3

Thanks for the reply skottieb - Are you able to advise on the extra validation? From the Zscaler side there is limited/no visibility. From the Azure side, again, there is limited visibility. If you have the VNG running Active/Active with two PIPs, I guess the only thing you can do to check HA is check the ZS logs to see if you’re seeing the “External Client IP” coming from both PIPs assigned in Azure. Unless there is something else.

Thanks,
Vincent


(fivaldi) #4

@mjasyal, Micron is working on setting up an IPsec tunnel from Azure too, so any guidance will be appreciated.

FYI, they tried to set up a GRE tunnel first but then found out that Azure by default blocks all GRE traffic.
More info: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq