Introduction to Azure Virtual WAN sites


NetFoundry integrates with Microsoft Azure Virtual WAN to provide instant-on Azure Connectivity without private circuits, VPNs, or networking hardware.

Following this guide will take you through the steps required to setup NetFoundry on a single offsite location enabling Azure Virtual WAN Connectivity to the Azure Cloud. Sample topology:



Before you begin

  1. Must have an Azure Account and the appropriate  permissions to administer resources.
  2. Determine Cloud Resource Geography for HUB, connected Virtual Networks and on-premise connections.
  3. Is this for testing? If so, is the testing environment known?
  4. Determine the location to place Branch Gateway Software. 
  5. What type of Virtualization Hypervisor will be used? Do you have access to the Hypervisor with admin permissions for hardware/software installation?
  6. External facing IP to register with Azure Virtual WAN. Likely a primary NAT address servicing your LAN users. 
  7. LAN IP & subnet for virtual machine instance created on Hypervisor. 

Create an Azure Virtual WAN Site 

Step 1: Configure your AVW subscription in the NetFoundry Console

In the upper left corner of the NetFoundry Console, click on the GREEN  Network Icon...



Select the "Manage Subscription" you will set your Azure subscription information. This information will be gathered from the Azure portal in the next few steps and requires your Microsoft Azure credentials.




Name -- Choose a name that complies to your organizational naming conventions.  





Step 2. Create & document Azure subscription parameters

The remaining fields on the Subscription For Azure page can be found in the Azure portal per the diagrams below. Once you have created the resources in Azure, return to the NetFoundry Console to complete the Subscription for Azure in Step 1.  


Subscription ID - This can be found in the billing account management section.



Application ID - (App Registration or Service Principal) This will need to be created for NetFoundry Virtual WAN integration. First select Active Directory > App Registration. Select + New application registration and provide name, WebApp/API and URL



Tenant ID - Can be found by going to the, selecting 'Azure Active Directory(AAD) in the left panel, then selecting Properties in the middle pane, and copying and pasting the Directory ID. (*note there is a useful copy/paste functionality included with the Paper icon at the  end of the line.

Get the Tenant ID, which is the ID of the AAD directory in which you created the application.



Secret key - Create the Secret Key. The Secret Key is associated to the App Registration account created in the steps above.

First Selection 'Azure Active Directory' > 'App registration' > Name of your App Registration.


Select Setting > New Pane will open...
Select Keys > New Pane will open...

Create a key by inputting Description | Duration and Value then select save. The key will show up ONCE, or until you leave the page. If you forget your Key, you will have to create a new one.

Copy the Authentication Key string to the text editor, and label the string as Client Secret Key. Save in a file if needed for future reference. 








Step 3. Azure Virtual WAN Configuration

Grant Service Principal(App Registration) permissions to desired Azure Resource group containing the Virtual WAN. Select the desired Resource Group and add the Service Principal IAM account to the Contributor role. 

From within desired Resource Group pane > Hit Access Control (IAM) to open the permissions page.



Hit Add to add and select role-contributor to add the Service Principal account to the Resource Group 



Select the Contributor role from the drop down list and select your Service Principal account by name or the Application ID then hit Save.



Virtual WAN Creation - Create a Virtual WAN in a desired Resource Group in the location nearest to your Data Centers and Azure resources. From Home Dashboard in Azure portal use the + Create a Resource plus sign in the upper left outside corner.



From the Azure Marketplace area, type in virtual wan and hit search.



Select the Azure product Virtual WAN from the product description and click Create.



Configure basic Virtual WAN parameters and Hit Review + Create.

  1. Select the desired subscription this resource will be sourced within.
  2. Select the desired Resource Group for the Virtual WAN.
  3. Select the desired Resource Group location.
  4. Select a name corresponding to the desired naming scheme.
  5. Select Standard or Basic.




From within the Virtual WAN context menu. Click on Hubs.



Create the HUB for the desired region and associated resources by clicking New Hub. For Basic configuration for use in Site to Site VPN select the desired region, name and supply a private network for the HUB to use. it is recommended to use a unique 24 bit address or /24 network. Hit Next



Hit Next: Site to Site. Select yes for Site to Site VPN gateway. Note the default AS Number for BGP and select the appropriate Gateway Scale-unit(s). Hit Review + Create.


NOTE: This process can take as much as 30 minutes to complete before moving on to next steps.

NOTE: This documentation is only intended for Basic configuration and does not include steps for Standard options like Express Route and Point to Site configuration.


Add Virtual Network Connections to HUB. From the Virtual WAN context, select Virtual Network Connections.



Hit Add + Connection and select desired name, desired hub, subscription and resource group your network resides and Hit Ok. This process will take a few minutes to complete.

NOTE: connecting Azure Virtual Networks to ExpressRoute AND VirtualWAN is not supported.




Step 4. NetFoundry Branch Gateway Instance Creation

This step requires the physical or virtual assets be implemented to host the the NetFoundry Gateway. You will likely choose to implement vCPE at a Branch Location to connect to Azure HUB. For testing, you may also connect from other Cloud regions in Azure or even AWS to simulate branch connections. Once the assets have been created, we will create the NetFoundry Site and register it with Azure and NetFoundry.

  • From Branch vCPE implementations, various images can be downloaded from the following site: under the NetFoundry Gateways section.
  • Azure and AWS both have NetFoundry Application Gateway images available in their respective Marketplaces.

Note: This Quick start guide only includes specific steps to test the solution from within the Azure Cloud. Follow the other methods below to create a Gateway for your corresponding Branch scenario.

Netfoundry vCPE Cloud Gateway

NeFoundry AWS Cloud Gateway


NetFoundry Azure Cloud Gateway

Follow this guide to install the NetFoundry Cloud Gateway into the Azure Cloud with the purpose of connecting to Azure Virtual WAN. Azure has networking solutions in place for routing within virtual networks so the gateway is best utilized in a network not connected to a Virtual WAN hub.

Note: Unlike other pre-built images with set credentials. During the launch of the NetFoundry Cloud Gateway in Azure you will be prompted for using SSH Public Key or provide password. IMPORTANT: Select SSH Keys. Generate a SSH-2 RSA public key and save the Public & Private Keys to your host. The Public Key can be used for Virtual Machines in the future. The Private Key will be used to authenticate with Azure Instance(s) upon login. You may use any SSH-2 RSA key generator.

Here is an example with Puttygen. Copy the key into the Azure SSH public key field.



Step 5. NetFoundry Console Endpoint Configuration

The Endpoint Software will be installed at the desired location on the server implemented in the previous step...e.g. Public Cloud, Branch, Data Center etc. The next step requires us to create the Virtual WAN site in the NetFoundry Console. Console quick-start guide can be found here for additional reference.


Verify the existence of the Azure Virtual WAN API connection to Azure.





Create Virtual WAN site





Create Azure site endpoint in the NetFoundry Console:





The site name should adhere to Azure naming standards found here. Valid characters are Alphanumeric, hyphen, underscore, and period.

NOTE:  No spaces " " in a name.

Pick a region that is closest to your Branch offices or Azure regions you wish to attach to the Primary Cloud resources.

List is Auto generated from Azure Via API calls to your subscription. You may give API access to multiple Resource Groups by providing Contributor role access to the App Registration account created in earlier steps. When building sites in Azure, you will choose the Resource Group containing the NetFoundry Gateway which in most cases will not be the same Resource Group as your primary Azure Cloud resources. If you are using vCPE, select the Resource Group containing your Virtual WAN and HUB.

List is Auto generated from Azure Via API calls to your subscription. The Azure Virtual WAN is a global resource.

Pick the region where  Azure Cloud Resources reside.

F) PUBLIC IP ADDRESS - external interface of NetFoundry Gateway

G) Local BGP Peering Address.
Select the Internal IP address of the NetFoundry Gateway at the Branch location(non-cloud)

G) Autonomous System Number

Select an appropriate private AS number to be used for Cloud connectivity. Private AS numbers are reserved for 64512 - 65534. Default in Azure is 65515.

NOTE: Hit Create and Copy the registration key and save as Text file for installation on host in Step 6.



3. Next, using the key from the previous step,  it is necessary to activate the NetFoundry Gateway software on your Branch/Remote host. Registering your endpoint binds your new NFN Gateway/Endpoint to your organizations NetFoundry Cloud console. 

Register the NFN Gateway and look for errors in the registration process output or verify "Success when the registration completes. 

> sudo nfnreg [key]

Validate the VM is now active on the NetFoundry Network by checking the status of the NetFoundry service.

> sudo systemctl status dvn

NOTE: Most common causes for registration to fail are: Not having an reachable IP assigned, not having a default gateway defined or not having a valid DNS resolver specified.

Within the NetFoundry console validate your Site Registration has completed. Your Azure site should indicate online with a Green indicator.


Step 6. Finish Azure Virtual WAN Configuration

Deploy Virtual WAN site to Azure. Your site will be in 1 of 2 stages at this point. If you have configured the site without Public IP, Private IP or ASN information - the site will be in Staged. Once this information is populated -- the site will be in Deployable stage. Select the site and hit Depoly to Azure in the upper right corner.

Staged site


 Deployable site



NOTE: It is recommended to allow 10 minutes prior to starting this portion of the setup to allow for all scripts to complete.

Notice the NetFoundry Site is now populated within the Azure Virtual WAN VPN sites page. It will need to be connected to the desired HUB. It should be in a provisioned status at this point.

Connect VPN site to HUB>






Confirm VPN site connection from Branch to Azure. 

NOTE: Allow 15 minutes for connection scripts to recycle and for the connection to complete. Reboot NetFoundry gateway should it take longer than expected.




Verify you have a Virtual Network Gateway Entry in your Effective Routes Table for your NetFoundry Gateway Instance IP Interface as below.




Best Practice: Implement Azure Connection Monitor for each site.




Testing connectivity - Branch NetFoundry Gateway to Azure Server Resources. From the Gateway in your Branch try to access a host in Azure with SSH, RDP, ICMP or HTTP.

Example: Host is a web server sitting in Azure.



Additional testing for end to end connectivity - test connection status from resources behind Branch gateways to resources  on virtual networks connected to the Azure Hub.

Managing Azure Virtual WANs

Adding Sites to your Azure VWAN subscription. 

From the NetFoundry Console - follow the same step performed in the original create documentation but select the appropriate Network information for the new Branch site.




Download and/or launch the desired Gateway appropriate for the Branch Use case.

NOTE: Copy and/or make note of new Gateway Registration key to be used in the selected Gateway initial configuration/registration. See Section NetFoundry Endpoint Configuration step 3. 


The new site will now populate via API to the Azure Virtual WAN. Within Azure Portal, navigate to Home>Resource Groups>Virtual WAN>"Your Virtual WAN". You will now see a new site in the portal with a "provisioned" status requiring HUB connection. The new site will need to be connected to a HUB to become active in the Virtual WAN. Check the new site & select New HUB association and select the HUB in use for the GEO of that Branch.



NOTE: Security or Routing will need to be implemented at the Branch sites.

Removing VPN sites from Azure and NetFoundry.

From the Azure Portal, navigate to your Virtual WAN and select VPN Sites from the pane. On the right side of the main resource screen select the site to be removed by clicking the 3 white dots. Select remove connection.   dots.png



Once the site is disconnected from the Hub, select the 3 dots again and Delete site.




On the NetFoundry Console, remove any AppWAN and/or Services definitions which are associated with the site to be deleted. Proceed to the to the Gateways section and remove the desired site.









Was this article helpful?
1 out of 2 found this helpful



Article is closed for comments.