This article explains how to use the Azure Marketplace to automatically deploy a virtual Cato Socket (vSocket) for a site hosted in Microsoft Azure.
For more about manually deploying a vSocket with the Cato installation script, see Configuring an Azure vSocket Site.
- Make sure the environment meets the requirements listed in Cato Socket Connection Prerequisites.
- In tenants with a Private Azure Marketplace, the Azure Administrator should do the following:
  - Go to the Private plans screen and make sure you have two Cato offers - "Azure Application" and "Virtual Machine".
  - Go to the Private marketplace screen and add the two Cato offers to your desired Collection. Make sure this Collection applies to the relevant tenant in which you would like to install the vSocket.
    Note: For more information, see the Microsoft documentation.
- To use the new Marketplace deployment in your account, send an email to support@catonetworks.com and include the account’s Azure subscription ID and subscription name in text format (How to get my Azure Subscription ID).
- The Azure vSocket must have access to a public DNS server. Make sure that the VNet isn't configured to only use a private DNS server.
- Each vSocket instance requires outbound connectivity to these resources:
  - Virtual Network - DNS and HTTP
  - Azure Resource Manager - HTTPS
  - The management interface requires Internet access for public DNS servers (if configured, UDP/53) and management.azure.com (TCP/443).
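A check for the outbound requirements above, written as an added example (it is not Cato's or Microsoft's code): it evaluates an NSG's outbound rules in priority order against the two management flows the page names. The rule field names follow the JSON printed by `az network nsg rule list`; the function names, the sample rules and the simplified service-tag matching are assumptions.

```python
# Added example: outbound NSG evaluation for the vSocket MGMT subnet.
# Rule dicts use the field names printed by `az network nsg rule list -o json`.

# Flows the page requires from the management interface: (name, protocol, port, tag).
REQUIRED = [("public DNS", "Udp", 53, "Internet"),
            ("management.azure.com", "Tcp", 443, "AzureResourceManager")]

def _rule(name, priority, access, dest):
    return {"name": name, "priority": priority, "direction": "Outbound", "access": access,
            "protocol": "*", "destinationAddressPrefix": dest, "destinationPortRange": "*"}

# Azure's built-in outbound rules, evaluated after every custom rule.
DEFAULT_RULES = [_rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
                 _rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
                 _rule("DenyAllOutBound", 65500, "Deny", "*")]

def port_matches(rule, port):
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or ""]
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or (lo.isdigit() and int(lo) <= port <= int(hi or lo)):
            return True
    return False

def dest_matches(rule, tag):
    # Simplification (assumption): only "*" and service tags are compared. The Internet
    # tag covers public Azure endpoints; CIDR prefixes are not resolved and never match.
    prefixes = (rule.get("destinationAddressPrefixes")
                or [rule.get("destinationAddressPrefix") or ""])
    return any(p in ("*", "Internet", tag) for p in prefixes)

def check_mgmt_egress(custom_rules):
    """Return {flow: (allowed, deciding rule name)}; the lowest priority number wins."""
    ordered = sorted(custom_rules + DEFAULT_RULES, key=lambda r: r["priority"])
    verdict = {}
    for flow, proto, port, tag in REQUIRED:
        for rule in ordered:
            if (rule["direction"] == "Outbound"
                    and rule["protocol"].lower() in ("*", proto.lower())
                    and port_matches(rule, port) and dest_matches(rule, tag)):
                verdict[flow] = (rule["access"] == "Allow", rule["name"])
                break
    return verdict

# Constructed sample: a locked-down NSG that allows Azure Resource Manager but
# blocks the rest of the Internet, which also cuts off public DNS.
SAMPLE_RULES = [
    {"name": "allow-arm", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationAddressPrefix": "AzureResourceManager",
     "destinationPortRange": "443"},
    _rule("deny-internet", 4000, "Deny", "Internet"),
]

if __name__ == "__main__":
    for flow, (allowed, rule) in check_mgmt_egress(SAMPLE_RULES).items():
        print(f"{flow}: {'ALLOW' if allowed else 'DENY'} (rule {rule})")
```

In the sample, the Azure Resource Manager flow is allowed by `allow-arm`, while public DNS falls through to `deny-internet`, the kind of hardening side effect that leaves the vSocket without name resolution.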
- Deploying vSockets from the Azure marketplace is not supported for Azure sites based in China. To deploy a vSocket in China, manually deploy the vSocket with the Cato installation script, see Deploying an Azure vSocket Site with the Cato Script.
- When deploying resources with an Availability Zone set, the Public IP Set will not work. To work around this, deploy the Availability Zone using the marketplace deployment wizard and manually configure the Public IP Set after the deployment wizard is complete.
When you deploy an Azure vSocket from the Marketplace, the following virtual resources are used by the vSocket:
- VM instance that the vSocket firmware is installed on
- WAN virtual network for traffic that is sent to the Cato Cloud
- LAN virtual network for internal LAN traffic
- MGMT virtual network
  - For vSocket HA sites, the management communication between the vSocket and the Azure API used for the failover mechanism between the vSockets
  - Single vSocket sites don't require inbound or outbound traffic for the management interface
- LAN Routing Table for the vSocket
- WAN and LAN Network Security Groups
In the Cato Management Application, create a new vSocket Azure site. All the network segments that you create in the Cato Management Application must be included in the network range of the Azure virtual networks.
The Local IP for the vSocket must be the same as the IP address for the LAN interface on the VM. The first three IP addresses of the subnet are reserved by the VPC.
After you create the site, the Cato Management Application assigns a unique serial number (S/N) to it. We recommend that you copy and paste the serial number in a text file.
To create the site for the Azure vSocket:
- From the Cato Management Application's navigation menu, click Network > Sites.
- Click New. The Add Site panel opens.
- Configure the General settings for the site:
  - Enter the Site Name.
  - Select the Site Type. This option determines which icon is used for the site in the Topology window.
  - Select vSocket Azure for the Connection Type.
  - Configure the Country, State, and Time Zone to set the time frame for the Maintenance Window.
- Configure the WAN Interface Settings, including the Downstream and Upstream bandwidth according to your ISP bandwidth.
- Configure the LAN Interface Settings, including the Native Range for the Azure site. This setting must be the same as the LAN subnet IP range in Azure.
- Click Apply. The site is added to the Sites list.
- Copy and save the vSocket serial number for the vSocket configuration script:
  - From the Sites list, select the new vSocket site.
  - From the navigation menu, click Site Settings > Socket. Copy the serial number (S/N) and save it.
Use the automated Cato wizard in the Azure Marketplace to create the virtual resources for the primary (or single) vSocket and deploy it for the Azure site.
If you are using a high availability (HA) configuration for the site, you need to run the wizard twice, and select the appropriate options for the second vSocket (see below Adding a Secondary vSocket for High Availability).
This section explains the different optional settings that you can choose to define for a vSocket in the Optional Configurations window in the Cato wizard.
You can choose to define a static or dynamic public IP address from Azure for the WAN or MGMT interfaces and Virtual Networks. The MGMT interface must have a public IP address to access the Socket WebUI over the public Internet.
Network Security Groups define which traffic is allowed and help to manage inbound traffic for a virtual network, defined according to the WAN, LAN, or MGMT interface. You can use an existing Security Group or create a new one for the vSocket.
Azure provides these features for cloud resource redundancy:
- Availability Set - secures the Azure services from outages inside individual data centers
- Availability Zone - protects against incidents that impact the entire data center
You can choose to assign the vSockets to a single Availability Set or Availability Zone. Availability Sets are mostly used in a vSocket HA configuration when you want to make sure that both vSockets are assigned to different Fault and Update domains.
You can't assign an Availability Set to VMs that are using different Availability Zones.
Note: Azure doesn't let you assign a VM to an Availability Set after you create it.
Use the Cato vSocket wizard in the Azure Marketplace to define the settings for the virtual resources and deploy the primary vSocket. Then the vSocket automatically connects to the Cato Cloud and is assigned to the Azure site in your account.
Make sure that Cato approved your Azure Subscription ID before deploying the vSocket from the Marketplace.
For more about deploying the secondary vSocket for HA configurations, see below Adding the Secondary vSocket to an Azure Site.
To deploy the primary Azure vSocket from the Marketplace:
- From the Azure Marketplace, search for Cato, and select the Cato Networks Virtual Socket.
- In the Overview screen, select the Plan and Subscription for the Azure resources, and then click Create.
- In the Basics screen, define the following settings for the resources and costs:
  - Subscription - Billing account for the Azure resources
    Note: The vSocket is only successfully deployed for approved Subscription IDs, otherwise after you complete the wizard, the vSocket isn't deployed.
  - Resource group - Azure resource group that the vSocket resources are associated to
  - Region - Azure region for the vSocket resource
  - Resource prefix - optional prefix to add to each of the vSocket resources
- In the vSocket Deployment screen, select Deploy a primary vSocket.
- In the Networking screen, select a new Virtual Network for the site or one that already exists.
  These are the vSocket subnets:
  - MGMT subnet – Management communication between the vSocket and the Azure API
  - WAN subnet - External WAN traffic for the vSocket (Internet and Cato Cloud)
  - LAN subnet - Internal Azure resources and traffic that are connected to the vSocket
    Note: Make sure that the IP range of the LAN subnet is the same as the Native Range for the vSocket site in the Cato Management Application.
- In the Cato vSocket Configuration screen, define the following settings for the vSocket based on the vSocket site that you created in the Cato Management Application (above Creating the Azure vSocket Site).
  - vSocket Serial Number (S/N) - Copy the S/N from the Site Configuration > Socket screen.
  - vSocket LAN IP - Enter the Local IP for the primary vSocket from the Site Configuration > Networks screen in the Cato Management Application.
  - vSocket Name - Enter the name for the VM that hosts the vSocket.
    The vSocket Name can't include spaces or Azure restricted characters.
  - WAN interface IP allocation – Select a Dynamic or Static internal IP address for the WAN interface. For Static IP allocation, you can allocate any IP address.
  - MGMT interface IP allocation – Select a Dynamic or Static internal IP address for the MGMT interface. For Static IP allocation, you can allocate any IP address.
- In the Optional Configuration screen, you can choose to define these settings:
  - Public IP addresses for the WAN and/or MGMT interfaces
  - Network Security Groups for the WAN, MGMT, and/or LAN interfaces
  - Availability Options for the vSocket:
    - Azure Availability Set - Create new or use an existing one
      Note: The Availability Set must be in the same Resource Group as the vSocket
    - Azure Availability Zone - Select an Availability Zone in the range of 1 - 3
  For more information about these settings, see above Optional Configurations with the Marketplace Wizard.
- In the Review + create screen, review the vSocket settings and then click Create.
  Note: You can choose to export the deployment template and use it for future vSocket deployments.
The Deployment is in progress screen shows real-time status of the vSocket deployment. It can take several minutes to complete deploying all the resources.
After the vSocket resources are deployed, the vSocket automatically connects the site to the Cato Cloud and checks if it's necessary to upgrade to the newest vSocket version. The Cato Management Application notification area shows messages regarding the status of connecting the vSocket.
To provide redundancy for vSockets within an Azure site, you can deploy two vSockets in the same Azure Virtual Network (VNet), and set them to work in a high availability (HA) configuration. The vSockets operate in active/passive mode and the LAN links are used to send keepalive messages between the vSockets.
The Azure HA configuration uses a Floating IP address which is bound to the LAN interface for the active vSocket. When there is a failover to the passive secondary vSocket, the Floating IP moves to the secondary vSocket LAN interface. The route tables use this Floating IP as the next hop for traffic that is sent over the Cato Cloud.
Where required, Azure HA supports deploying the vSockets to different Availability Zones. Alternatively, you can use the Availability Sets to make sure that both vSockets are deployed in different Fault and Update domains in Azure.
After deploying the primary vSocket, in the Cato Management Application add the secondary vSocket to the Azure site. Then use the Marketplace wizard to deploy the secondary vSocket.
For more information about Azure HA, see Configuring High Availability (HA) for Azure vSockets.
- You must be the owner of the Azure Resource Group for the virtual resources
- The Azure vSockets must use the same VNet
Use the Add Secondary Socket option in the Network > Sites > Site Settings > Socket screen to prepare the site for the secondary vSocket. There is a pop-up window where you enter the following settings:
- LAN Interface IP - IP address for the LAN interface of the secondary vSocket
- LAN Floating IP - IP address for the Floating IP that is used for the Azure HA configuration
The Cato Management Application uses the LAN Interface IP address as the management IP address for the secondary vSocket. This LAN interface is also used for the HA keepalive packets.
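The addressing rules from Creating the Azure vSocket Site (segments inside the VNet range, Native Range equal to the Azure LAN subnet, Local IP outside the reserved addresses) and the HA settings above can be checked before running the wizard. This is an added example, not code from Cato: the function name and sample addresses are assumptions, the reserved set follows Azure's behaviour of keeping the network address, the next three addresses and the broadcast address, and it assumes IPv4 and that the Floating IP sits in the LAN subnet and is distinct from both LAN IPs.

```python
import ipaddress

def validate_site_addressing(vnet, lan_subnet, native_range, primary_ip,
                             secondary_ip=None, floating_ip=None):
    """Return a list of problems in an IPv4 vSocket addressing plan (empty = consistent)."""
    errors = []
    vnet_net = ipaddress.ip_network(vnet)
    lan = ipaddress.ip_network(lan_subnet)
    native = ipaddress.ip_network(native_range)

    if lan.prefixlen > 29:  # Azure does not accept subnets smaller than /29
        return [f"LAN subnet {lan} is smaller than /29"]
    if not lan.subnet_of(vnet_net):
        errors.append(f"LAN subnet {lan} is outside the VNet range {vnet_net}")
    if native != lan:
        errors.append(f"Native Range {native} differs from the Azure LAN subnet {lan}")
    if (secondary_ip is None) != (floating_ip is None):
        errors.append("HA needs both a secondary LAN IP and a Floating IP")

    # Azure keeps the network address, the next three addresses and the
    # broadcast address of every subnet for itself.
    reserved = {lan[0], lan[1], lan[2], lan[3], lan[-1]}
    seen = {}
    plan = [("primary LAN IP", primary_ip), ("secondary LAN IP", secondary_ip),
            ("Floating IP", floating_ip)]
    for label, value in plan:
        if value is None:
            continue
        ip = ipaddress.ip_address(value)
        if ip not in lan:
            errors.append(f"{label} {ip} is outside the LAN subnet {lan}")
        elif ip in reserved:
            errors.append(f"{label} {ip} is reserved by Azure in {lan}")
        if ip in seen:
            errors.append(f"{label} {ip} duplicates the {seen[ip]}")
        seen.setdefault(ip, label)
    return errors

if __name__ == "__main__":
    # Constructed sample plan for an HA site (all addresses are illustrative).
    problems = validate_site_addressing(
        vnet="10.10.0.0/16", lan_subnet="10.10.3.0/24", native_range="10.10.3.0/24",
        primary_ip="10.10.3.2", secondary_ip="10.10.3.5", floating_ip="10.10.3.5")
    print("\n".join(problems) or "addressing plan is consistent")
```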
After you add the secondary vSocket to the site, the Cato Management Application does the following:
- Generates the vSocket serial number for the new vSocket (this serial number is used when you run the Cato script to install the vSocket on the VM)
- Enables the High Availability Configurations section for that site
- Modifies the Native Range in the Networks section: the Local IP is replaced with the Floating IP
To configure an Azure site for HA:
- From the navigation menu, select Network > Sites, and select the Azure site.
- From the navigation menu, select Site Settings > Socket.
- Click Add Secondary Socket. The Add Secondary vSocket (High Availability) window opens.
- Configure the LAN IP settings:
  - Enter the LAN Interface IP. This value is used as the MGMT IP and for keepalive packets.
  - Enter the LAN Floating IP.
- Click Apply. The Floating IP settings are configured and copied to the Socket > High Availability Configurations section.
- Click Save.
- Copy and save the serial number (S/N) for the Secondary vSocket.
  Use this S/N when you deploy the secondary vSocket from the Azure Marketplace.
Use the automated Cato wizard in the Azure Marketplace to create the virtual resources for the secondary vSocket and deploy it for the Azure site.
When you configure the settings for the secondary vSocket in the Marketplace wizard, the following settings must be the same for the primary and secondary vSockets:
- Networking - You must use the same Virtual Network and MGMT, WAN, and LAN subnets for the primary and secondary vSockets.
- Optional Configuration > Security Groups - If you create a new group for the primary, use it again with the secondary. Otherwise select None for both, or the same existing group.
To deploy the secondary Azure vSocket from the Marketplace:
- From the Azure Marketplace, search for Cato, and select the Cato Networks Virtual Socket.
- In the Overview screen, select the Plan and Subscription for the Azure resources, and then click Create.
- In the Basics screen, define the same settings that you defined for the primary vSocket:
  - Subscription - Billing account for the Azure resources
  - Resource group - Azure resource group that the vSocket resources are associated to
  - Region - Azure region for the vSocket resource
  - Resource prefix - optional prefix to add to each of the vSocket resources
- In the vSocket Deployment screen, select Deploy a secondary vSocket.
- In the Networking screen, select a new Virtual Network for the site or one that already exists.
  - Select the VNet used by the primary vSocket
  - For the WAN, MGMT, and LAN subnets, select the same subnets that you used for the primary vSocket
- In the Cato vSocket Configuration screen, define the following settings for the vSocket based on the vSocket site that you created in the Cato Management Application (above Creating the Azure vSocket Site).
  - Select the Primary vSocket - The primary vSocket that you previously created
  - Select the Primary vSocket LAN NIC – The NIC for the primary vSocket’s LAN subnet that you previously created
  - Secondary vSocket Serial Number (S/N) - Copy the S/N for the secondary vSocket from the Site Configuration > Socket screen in the Cato Management Application.
  - Secondary vSocket LAN IP - Enter the Local IP for the secondary vSocket from the Site Configuration > Socket > High Availability Configurations screen in the Cato Management Application.
  - Floating IP for the Site - The same Floating IP is used by both vSockets. The Floating IP is configured in Site Configuration > Socket > High Availability Configurations screen in the Cato Management Application.
  - Name for the Secondary vSocket - Enter the name for the VM that hosts the secondary vSocket.
  - WAN interface IP allocation – Select a Dynamic or Static internal IP address for the WAN interface. For Static IP allocation, you can allocate any IP address.
  - MGMT interface IP allocation – Select a Dynamic or Static internal IP address for the MGMT interface. For Static IP allocation, you can allocate any IP address.
- In the Optional Configuration screen, define these settings for the secondary vSocket:
  - Make sure to configure the same Security Groups and Availability configurations as the primary vSocket.
  - LAN Route Table Update - Select the same LAN Routing Table as the primary vSocket. The HA Floating IP is automatically used as the next hop.
- In the Review + create screen, review the vSocket settings and then click Create.
The Deployment is in progress screen shows real-time status of the vSocket deployment. It can take several minutes to complete deploying all the resources.
After the vSocket resources are deployed, the vSocket automatically connects the site to the Cato Cloud and checks if it's necessary to upgrade to the newest vSocket version. The Cato Management Application notification area shows messages regarding the status of connecting the vSocket.
In some cases, Azure may fail to complete the deployment of your vSocket.
There are two known deployment failure reasons:
- Incorrect Subscription ID details
- The deployment wizard was not approved by an administrator in a private Azure Marketplace
You may inspect the deployment error summary or the Azure Activity Log for more information about the failed deployment.
During the deployment process, Azure resources are created automatically regardless of the deployment status. If your deployment failed, make sure to delete the resources before attempting another deployment.
To delete Azure deployment resources:
- In Azure, go to Resource Groups and select the resource group you used for this deployment.
- Under Resources, use the filter screen to filter for the prefix of your deployment. All the deployment resources created using this prefix appear.
- Check that all resources match the prefix and bulk-select them using the checkbox.
- Click Delete. You can optionally apply force-delete to Virtual machines, if selected.
When ready, run the deployment wizard again. If you are unable to complete the deployment, please contact Cato Support at support@catonetworks.com.
Cato offers multiple options for deploying, configuring and troubleshooting Azure vSockets.
- Deploying an Azure vSocket Site with the Cato Script - If you prefer a custom deployment (ARM template) or manually creating the resources for the vSocket instead of using the Azure marketplace
- Configuring High Availability (HA) for Azure vSockets - Manually creating the HA configuration for vSockets