Cato Networks Knowledge Base

Configuring an Azure vSocket Site

Overview of the Azure vSocket

For sites that are hosted in Azure, you can deploy a Cato vSocket on an Azure virtual machine (VM) and benefit from many of the same features as a physical Socket.

Cato provides the VM image and an interactive script that automatically configures the settings for the vSocket. You can also create a file that contains the settings for the vSocket and run this script in non-interactive mode.

You can choose to assign a vSocket VM to an Availability Set for resiliency purposes. This may be required for vSocket high availability considerations.

Copying the vSocket Image and Configuration Script

Cato provides a VHD image and a configuration script for the Azure vSocket. Use Azure PowerShell to copy the vSocket image from Cato to your Azure storage container, and download the script file from the Cato public repository.

For more about the Azure vSocket image and a configuration script, see Copying the Azure vSocket VHD Image with SAS.

General Prerequisites

You can run the vSocket configuration script directly from the Azure Cloud Shell or from the macOS and Linux Ubuntu operating systems. The Windows 10 BASH shell isn't supported to run the Azure vSocket script.

Note

Note: The Azure vSocket must have access to a public DNS server. Make sure that the VNET isn't configured to only use a private DNS server.

  • For High Availability (HA) configurations, the vSocket requires a public IP address for the MGMT interface
  • (Optional) If access to the vSocket WebUI is required over the Internet:

    • Assign a public IP to the MGMT interface and create a security rule to allow TCP/443 inbound traffic

    • Cato recommends only temporarily exposing the WebUI to the Internet for as long as needed, and in addition, restrict access by source IP (if possible)

  • Make sure the environment meets the requirements listed in Cato Socket Connection Prerequisites
  • The vSocket configuration script supports the D2s v4 (8 GB RAM, 2 vCPUs) VM instance type:

    • Supported in Azure China
    • Select the Standard_LRS storage option to use this instance type

OS Prerequisites for the Configuration Script

These are the prerequisites to run the script for both Linux and macOS operating systems:

  • BASH shell and typical binutils package

  • Lightweight JSON processor jp (https://stedolan.github.io/jq/), for Ubuntu OS install the processor as apt update && apt install jq

  • Azure CLI utility - for more about installing the Azure CLI, see the documentation for Microsoft Azure

Known Limitations

  • For Socket versions earlier than v14.0, the primary vSocket LAN IP is used for BGP peering. This does not survive failover to the secondary vSocket.

    • Starting with v14.0, in vSocket HA configurations, the Floating IP is used for BGP peering. Make sure to define the Floating IP in the neighboring BGP router.

  • Cato doesn't support accelerated networking on vSocket interfaces (including the MGMT interface). The vSocket may lose Internet connectivity if accelerated networking is enabled for an interface.

High Level Overview of Creating the Azure vSocket

  1. In the Cato Management Application, create a new site for the Azure vSocket.

  2. In Azure, create these virtual resources for the vSocket VM:

    • Virtual network for the vSocket

    • WAN and LAN virtual subnets

    • WAN and LAN interfaces

    • LAN routing table for the vSocket

    • WAN and LAN network security groups

  3. Run the vSocket configuration script.

Creating the Azure vSocket Site

In the Cato Management Application, create a new vSocket VGX for Azure site. All the network segments that you create in the Cato Management Application must be included in the network range of the Azure virtual networks.

The Local IP for the vSocket must be the same as the IP address for the LAN interface on the VM. The first three IP addresses of the subnet are reserved by the VPC.

After you create the site, the Cato Management Application assigns a unique serial number (S/N) to it. We recommend that you copy and paste the serial number in a text file.

You need to enter this serial number when you run the vSocket configuration script (see below Running the Azure Configuration Script).

To create the site for the Azure vSocket:

  1. From the Cato Management Application's navigation menu, click Network > Sites.

  2. Click New. The Add Site panel opens.

    azurenewsite.png
  3. Configure the General settings for the site:

    1. Enter the Site Name.

    2. Select the Site Type. This option determines which icon is used for the site in the Topology window.

    3. Select vSocket Azure for the Connection Type.

    4. Configure the Country, State, and Time Zone to set the time frame for the Maintenance Window.

  4. Configure the WAN Interface Settings, including the Downstream and Upstream bandwidth according to your ISP bandwidth.

  5. Configure the LAN Interface Settings, including the Native Range for the Azure site. This setting must be the same as the LAN subnet IP range in Azure (see below Configuring the LAN Subnet).

  6. Click Apply. The site is added to the Sites list.

  7. Copy and save the vSocket serial number for the vSocket configuration script:

    1. From the Sites list, select the new vSocket site.

    2. From the navigation menu, click Site Settings > Socket. Copy the serial number (S/N) and save it.

Creating the Azure Virtual Resources

This section explains how to create the virtual resources in Azure for the vSocket. Depending on your deployment, you may be able to use some existing Azure virtual resources. Otherwise, you need to create and configure each of these virtual resources:

  • Virtual network for the vSocket

  • WAN and LAN virtual subnets

  • WAN, LAN, and management interfaces

  • Networking security groups

  • LAN Route table for the vSocket

Note

Note: Make sure that you have permissions to create virtual resources in Azure.

Creating the Virtual Network

Create the virtual network resource in Azure for the vSocket. This network contains the subnets for the Azure vSocket. When you create the virtual network, you also create the default subnet which is used for the management link.

To create the virtual network:

  1. From the Microsoft Azure dashboard, create a new virtual network: click Virtual networks > Add.

  2. In the Create virtual network window, configure the settings for the virtual network.

    • The Address space must include the Native Range that you configured for this site in the Cato Management Application.

    • The Address range for the Subnet must be within the Address space for the virtual network.

    • IPv6 address spaces are NOT supported.

    • Make sure that the virtual network is in the same Location as the vSocket image.

      01_createVnetwork.png
  3. Click Create. The virtual network is deployed to the Azure account.

Configuring the LAN Subnet

Configure the subnet resource in Azure for the internal LAN traffic. This subnet belongs to the Virtual Network resource in Azure for the vSocket. If you are using an existing LAN subnet, then you can skip this section.

 

To create the LAN subnet:

  1. Open the virtual network you created in the previous step, and from the Settings section click Subnets.

  2. Click the Subnet button, and the Add subnet pane opens.

    02_AddSubnet.png
  3. Enter the Address range for the LAN subnet.

    IPv6 address spaces are NOT supported.

    Note

    Note: Make sure that the LAN subnet is the same as the Native range for the site in the Cato Management Application.

  4. Make sure that the virtual network is in the same Location as the image.

  5. Click OK. Azure creates the virtual subnet for the LAN.

Configuring the WAN Subnet

Configure the subnet resource in Azure for the external WAN traffic. This subnet belongs to the Virtual Network resource in Azure for the vSocket.

To create the WAN subnet:

  1. Click Subnet, and the Add subnet pane opens.

  2. Enter the Address range for the WAN subnet.

    IPv6 address spaces are NOT supported.

  3. Make sure that the virtual network is in the same Location as the image.

  4. Click OK. Azure creates the virtual subnet for the WAN.

Creating the LAN Interface

Configure the virtual interface in Azure for the LAN traffic that is sent to the internal Azure resources. This interface is configured to use the LAN subnet. After you create the interface, you need to enable it to support IP forwarding.

For Azure HA configurations, during failover there is an API call that adds the Floating IP to the LAN interface of the standby vSocket and deletes settings configured on the LAN interface (including the LAN NSG). Don't manually configure the Floating IP on the LAN interface of a vSocket. The Cato HA script assigns the Flouting IP to the primary vSocket LAN interface and then reboots the vSockets.

To create the LAN interface:

  1. From the left-hand pane, click Create a resource.

  2. In Search the Marketplace, enter network interface and press Enter.

  3. From the Marketplace, click Network interface and click Create.

    The Create network interface pane opens.

    03_networkInterface.png
  4. Configure the settings for the LAN interface:

    1. Enter a Name that indicates this is the LAN interface.

    2. Make sure that the Virtual network is the correct network for the vSocket.

    3. From the Subnet drop-down menu select the LAN subnet.

    4. In Private IP address assignment, select Static.

    5. In Private IP address, enter the IP address for the LAN interface.

      IPv6 address spaces are NOT supported.

    6. Make sure that the virtual network is in the same Location as the image.

    7. If necessary, configure the other settings for the LAN interface.

  5. Click Create. The LAN interface is deployed to the Azure account.

  6. Enable the LAN interface to support IP forwarding:

    1. From the search bar, search for the LAN interface.

      04_SearchInterface.png
    2. Click and open the LAN interface.

    3. From the Settings section, click IP configurations.

      05_IPconfigurations.png
    4. In IP forwarding, click Enabled.

    5. Click Save. The LAN interface is configured for IP forwarding.

Creating the WAN Interface

Configure the virtual interface in Azure for the WAN traffic that is sent to the Cato Cloud. This interface is configured to use the WAN subnet. After you create the interface, you need to enable it to support IP forwarding.

To create the WAN interface:

  1. From the left-hand pane, click Create a resource.

  2. In Search the Marketplace, enter network interface and press Enter.

  3. From the Marketplace, click Network interface and click Create.

    The Create network interface pane opens.

  4. Configure the settings for the WAN interface:

    1. Enter a Name that indicates this is the WAN interface.

    2. Make sure that the Virtual network is the correct network for the vSocket.

    3. From the Subnet drop-down menu select the WAN subnet.

    4. In Private IP address assignment, select Static.

    5. In Private IP address, enter the IP address for the WAN interface.

      IPv6 address spaces are NOT supported.

    6. Make sure that the virtual network is in the same Location as the image.

    7. If necessary, configure the other settings for the WAN interface.

  5. Click Create. The WAN interface is deployed to the Azure account.

  6. Enable the WAN interface to support IP forwarding, and assign it a public IP address:

    1. From the search bar, search for the WAN interface.

    2. Click and open the WAN interface.

    3. From the Settings section, click IP configurations.

    4. In IP forwarding, click Enabled.

    5. Click the IP config for the interface.

      The Public IP address settings pane opens.

      WAN_publicIP.png
    6. In Public IP address, click Enabled and choose the IP address.

    7. Click Save and close the panel. The public IP address is assigned to the WAN interface.

    8. Click Save. The WAN interface is configured for IP forwarding.

  7. (Optional) Configure the WAN interface for a specific security group.

    1. From the Settings section, click Network security group.

    2. Click Edit.

    3. Click the security group (None).

    4. In the Choose network security group pane, click the security group.

    5. Click Save. The security group is assigned to the WAN interface.

Creating the Management Interface

Configure the virtual interface in Azure for the management communication between the vSocket and the Azure API. Inbound access to the management interface is a potential security risk, make sure to configure the Azure network security group to restrict access to this interface only to necessary admins.

The management interface is configured to use the default subnet that you created with the virtual network.

A single vSocket does not require inbound or outbound traffic for the management interface.

  • Outbound Internet traffic is only required for Azure HA configurations

  • Inbound internet connections on TCP/443 must be allowed to access the vSocket​ WebUI using the public management IP (if assigned)

To create the management interface:

  1. From the left-hand pane, click Create a resource.

  2. In Search the Marketplace, enter network interface and press Enter.

  3. From the Marketplace, click Network interface and click Create.

    The Create network interface pane opens.

  4. Configure the settings for the management interface:

    1. Enter a Name that indicates this is the management interface.

    2. Make sure that the Virtual network is the correct network for the vSocket.

    3. From the Subnet drop-down menu select the default subnet.

    4. In Private IP address assignment, select Static.

    5. In Private IP address, enter the IP address for the management interface.

      IPv6 address spaces are NOT supported.

    6. Make sure that the virtual network is in the same Location as the image.

    7. If necessary, configure the other settings for the management interface.

  5. Click Create. The management interface is deployed to the Azure account.

  6. (Optional) Configure the management interface for a specific security group.

    Note

    Important: Only allow access to the management interface for the specific admins that require it.

    1. From the Settings section, click Network security group.

    2. Click Edit.

    3. Click the security group (None).

    4. In the Choose network security group pane, click the security group.

    5. Click Save. The security group is assigned to the management interface.

Creating a Network Security Group

Create a network security group that defines which traffic is allowed. After you create the vSocket VM, you can apply this security group to help manage inbound traffic for the network interfaces.

Note

Note: You can use an existing security group instead of creating a new one for the vSocket. Skip this section if you are using an existing security group.

To create the network security group:

  1. Click Create a resource, and enter Network security group.

  2. From the Network security group page, click Create.

    The Create network security group page opens and shows the Basics tab.

  3. Select the Resource group.

  4. Enter the Name for the network security group.

  5. Select the Region for the security group.

  6. Click the Tags tab.

  7. Create a tag for the vSocket resources, for example:

    • Name - Cato

    • Value - vSocket

  8. Click Review + create.

  9. After the security group passes validation, click Create. The security group is deployed to the Azure account.

Configuring the WAN and LAN Security Rules

Configure the inbound security rules for the network security group to define the traffic that is allowed to connect to the vSocket. We recommend that you configure the WAN network security group to deny all inbound traffic and allow all outbound traffic. Use the Cato firewall to control the inbound LAN traffic, so you can allow all traffic in both directions for the LAN network security group.

To configure the inbound security rules:

  1. From the search bar, search for the WAN network security group.

  2. From the Settings section, click Inbound security rules.

  3. Click Add to open the Add inbound security rule pane and configure the inbound WAN rule.

  4. From the Settings section, click Outbound security rules.

  5. Click Add to open the Add outbound security rule pane and configure the outbound WAN rule.

  6. For each rule, click Add to create the rule for the network security group.

  7. Repeat the previous steps for the LAN network security group.

The following table shows sample inbound security rules.

Name

Source > IP Addresses

Source port

ranges

Destination

Dest port ranges

Protocol

Action

Priority

WAN_inbound

0.0.0.0/0

* (any)

Any

0-65535

* (any)

Deny

100

WAN_outbound

0.0.0.0/0

* (any)

Any

0-65535

* (any)

Allow

100

LAN_inbound

0.0.0.0/0

* (any)

Any

0-65535

* (any)

Allow

100

LAN_outbound

0.0.0.0/0

* (any)

Any

0-65535

* (any)

Allow

100

Creating the Route Table

Create the route table for the Azure site and vSocket. You need the following settings to configure the route table:

  • IP address range for the LAN subnet:

    • If all traffic from your Azure account is routed through the vSocket, then you can use 0.0.0.0/0 for the LAN subnet

    • However, if only some of the traffic is routed through the vSocket, then configure the LAN subnet for the IP range of the relevant traffic

  • Private IP address for the LAN interface

You can find the settings in the Overview window for each resource.

After you configure the LAN routes, then you assign the LAN subnets to the route table.

To create the route table:

  1. From the search bar, search for the route tables.

  2. From the Route tables page, click Add.

  3. From the Create route table pane, enter the Name and configure the other settings.

  4. Click Create. The route table is deployed to the Azure account.

To configure the LAN routes for the vSocket:

  1. From the Route tables page, click the new route table.

  2. In the left-hand pane, from the Settings section, click Routes.

  3. Create a route for the LAN traffic:

    1. Click Add.

    2. From the Add route page, enter the Route name.

    3. In Address prefix, enter the IP address range for the LAN subnet.

    4. In Next hop type, select Virtual appliance.

    5. In Next hop address, enter the private IP address for the vSocket VM.

    6. Click OK. The LAN to Internet route is added to the route table.

To associate the LAN subnet to the route table:

  1. In the left-hand pane of the route table page, from the Settings section, click Subnets.

  2. Click Associate.

  3. From the Associate subnet pane, in the Virtual network drop-down menu select the virtual network.

    09_AssociateSubnet.png
  4. From the Subnet drop-down menu, select the LAN subnet.

  5. Click OK. The LAN subnet is added to the route table.

Running the Azure Configuration Script

The Cato Networks configuration script helps you to create the Azure vSocket. The script automatically creates the VM for the vSocket, and then asks you for the necessary settings to configure it for your account.

You can also create a custom executable file with the settings for the vSocket, and run the script in non-interactive mode.

Note

Notes:

  • The default password for the vSocket is the VM ID for the vSocket VM. The VM ID is shown at the end of the vSocket script.

  • Make sure that all the virtual resources are in the same location before your run the configuration script.

Make sure that the vSocket image is uploaded to the Azure container, and that you have the configuration script. For more information, see .

Assigning the vSocket VMs to an Availability Set (Optional)

The Cato vSocket script (create_vm_from_vhd.sh) lets you assign the vSockets to an Availability Set. This option is mostly used in a vSocket HA configuration when you want to make sure that the both vSockets are assigned to different Fault and Update domains. You must create the Availability Set BEFORE you run the Cato vSocket script.

You can't assign an Availability Set to VMs that are using different Availability Zones.

Note

Note: Azure doesn't allow you to assign a VM to an Availability Set after you create it.

Create a new Availability Set and configure the settings as follows:

  • Assign it to the same resource group as the VM

  • Set the Fault domains and Update domains to 2

The following screenshot shows an example of a vSocket Availability Set:

AvailabilitySet.png

Azure Information for the Script

The vSocket configuration script asks for the following information to configure the vSocket settings correctly:

  • Azure account subscription and login details

    • Make sure that you only enter the resource IDs. Entering the resource names can cause the script to fail.

  • Resource group

  • Storage account

  • Storage container

  • Storage blob

  • Storage type

    • Select the Standard_LRS storage option for non-accelerated instance D2s v4

  • Availability Set or Availability Zone

  • Interface names on the VM

  • Enter a name for the vSocket VM

  • S/N for the vSocket from the Cato Management Application

  • Azure VM instance type

Running the Script

Run the configuration script in interactive mode to create and configure the Azure vSocket. As part of the script, you configure the name for the vSocket VM. You can't change this name at a later time.

Part of the script is choosing a SSD for the vSocket VM. In general, you can use the standard SSD for the VM.

For more information about the vSocket script, run ./create_vm_from_vhd.sh --help

Running the Script from the Azure Cloud Shell

You can use the Azure Cloud Shell in the Azure environment to run the Cato vSocket script.

To use the Azure Cloud Shell to run the vSocket configuration script:

  1. From the top of the Microsoft Azure window, click Cloud Shell CloudSHell.png.

  2. The Welcome to Cloud Shell panel opens in the bottom of the window, click Bash.

  3. Go to home directory in Azure

  4. Click Upload and select the script file.

  5. Give executable permissions to the script, run chmod u+x create_vm_from_vhd.sh
  6. Run the Cato vSocket script, ./create_vm_from_vhd.sh --login

  7. Select interactive mode and enter the vSocket settings.

    The script creates and deploys the vSocket VM.

Running the Script from macOS or Linux:

Note

Note: Before you run the script, make sure you are in the same directory as the script file.

To run the vSocket configuration script from macOS or Linux:

  1. Give executable permissions to the script, run chmod u+x create_vm_from_vhd.sh

  2. Start the script and from the CLI run ./create_vm_from_vhd.sh --login

  3. Select interactive mode and enter the vSocket settings.

    The script creates and deploys the vSocket VM.

Running the Script in Non-Interactive Mode

You can create a custom executable file that runs the vSocket script and automatically passes the environment variables. This means that you enter all the vSocket data for the script in the custom file and then the Cato script configures the vSocket in non-interactive mode.

The following sections describe the custom executable file and show a sample file.

Note

Note: Before you run the custom file, make sure you are in the same directory as the script file.

To run the vSocket script in non-interactive mode:

  1. Create a new executable file that contains the environment variables for the Cato vSocket script.

  2. Give executable permissions to the file. For example, run chmod a+x <file_name>.sh

  3. Run the file. The file passes the environment variables to the Cato script and creates the vSocket.

Explaining the vSocket Environment Variables

This section explains the environment variables that you configure in the custom executable file to create a vSocket in non-interactive mode. At the end of the list of variables is the command to run the Cato script.

AZ_VS_SUBSCRIPTION - Azure subscription name or ID

AZ_VS_RESOURCE_GROUP - Resource group name

AZ_VS_STORAGE_ACOUNT - Storage account name

AZ_VS_STORAGE_CONTAINER - Storage container name

AZ_VS_STORAGE_BLOB - VHD disk image blob name (inside of storage container)

AZ_VS_STORAGE_SKU - storage disk type SKU - Standard_LRS

AZ_VS_LAN_NIC - Name of management virtual NIC

AZ_VS_WAN_NIC - Name of WAN virtual NIC

AZ_VS_MNG_NIC - Name of LAN virtual NIC

AZ_VS_SERIAL_ID - Serial ID number of Cato vSocket for Azure site

AZ_VS_VM_NAME - Unique name for Azure vSocket VM

AZ_VS_VM_SIZE - Specifications for for Azure vSocket VM - Standard_D2s_v4

./create_vm_from_vhd.sh - Runs the Cato script to create the vSocket VM.

Sample Custom File with Environment Variables

This section shows a sample file with the environment variables to create a vSocket in non-interactive mode.

export AZ_VS_SUBSCRIPTION=38a5bc1d-e3f6-4g50-h34i-kj01k23456789

export AZ_VS_RESOURCE_GROUP=CatoNetworks-Resource_Group

export AZ_VS_STORAGE_ACOUNT=catonetowksstorageinwe

export AZ_VS_STORAGE_CONTAINER=vhds

export AZ_VS_STORAGE_BLOB=vsocket-7.0-rel.vhd

export AZ_VS_STORAGE_SKU=Standard_LRS

export AZ_VS_LAN_NIC=vm-custom-data-mark-1VMNic

export AZ_VS_WAN_NIC=vm-custom-data-mark-2VMNic

export AZ_VS_MNG_NIC=vm-custom-data-mark-3VMNic

export AZ_VS_SERIAL_ID=ZZ-11-77-99-55-66

export AZ_VS_VM_NAME=vsocket-vm

export AZ_VS_VM_SIZE=Standard_D2s_v4

./create_vm_from_vhd.sh

Connecting to the Azure vSocket WebUI

After the vSocket is deployed, we recommend that you connect to the WebUI and change the password for the VM. The default password for the vSocket is the VM ID for the vSocket VM. The VM ID is shown at the end of the vSocket script.

To connect to the vSocket WebUI and change the default password:

  1. Open a Web browser and connect to the vSocket, enter https://<vSocket public ip> .

  2. Log in to the WebUI with these credentials:

    • Username: admin

    • Password: VM ID

  3. Change the password as prompted.

Related Resources

Was this article helpful?

3 out of 4 found this helpful

Comments

10 comments

  • Comment author
    Casey Moore (Admin)

    I thinks this documentation is missing some information, where do I get the vsocket image and configuration script?

     

     

    Thanks

    0
  • Comment author
    Yaakov Simon

    Casey,

    Thanks so much for the comment - so embarrassing! I added the correct link to the article.

    Yaakov

    0
  • Comment author
    Yaakov Simon

    Due to Azure stability issues regarding the accelerated VM instances, we temporarily only support the D2s V4 instance for new vSockets. The configuration script only offers this instance for new vSockets.

    No action is required for existing Azure vSocket deployments.

    0
  • Comment author
    Eivind Nesje

    It would be good to quickly find info on whether IPSEC or vSocket is the preferred way of deploying CATO to Azure

    0
  • Comment author
    Yaakov Simon

    Eivind,

    In general, the best practices and preferred method to deploy sites is to use the vSocket.

    We are working on a new article that summarizes IPsec vs. Cato Sockets and vSockets.

    Thanks!

    0
  • Comment author
    Oscar Cuevas
    • Edited

    Hello,

    The instance type D2s V4 is not available in uswest2 region. Anything else we can use?

    0
  • Comment author
    Daniel Virkler

    Oscar Cuevas, I've just tested this feature in my Azure lab and was able to select and utilize the D2s_V4 size in the Azure US-West-2 region.

    To complete this activity, you must click "See all sizes" then navigate to "D-Series v4" to see the required VM Size of "D2s_V4". Click on the "D2s_V4" size and then click "Select". 

    After completing that procedure, you will have successfully selected the D2s_V4 size for deployment. 

    CC: Community Manager

     
    1
  • Comment author
    Bert-Jan Kamp

    The document is not entirely clear that you need to add 2 security groups, one for the LAN side and one for the WAN side. Can you please update the document to reflect that you require 2 security Groups. It is also advised that the table with example security rules should reflect this in the example table as inbound rules and outbound rules are separate per security group. This will make things more clear especially for users that are less common with Azure

    0
  • Comment author
    Chris Minder

    Is this a left-over words there? In Azure HA KBA it mentioned WAN, LAN, MGT subnets and interface but not here?

    0
  • Comment author
    Community Manager The chief of community conversations. Community manager

    Thanks for your feedback, Chris!

    The documentation team are currently reviewing this and will be update the KB soon.

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager).

    0

Please sign in to leave a comment.