Set up Microsoft Azure as a cloud provider

Set up Microsoft Azure as a cloud provider in your Conductor to make deploying cloud Airwall Gateways and High-availability standby Conductor easier.

Create an Azure Application to connect to the Airwall Conductor

Check your Azure documentation for the most recent instructions on creating an application.

  1. In Azure, in Active directory, under App registrations, register or choose an application to act as Airwall API endpoint.
  2. In the Azure application, in Certificates & secrets, create a new client secret for the app to connect to Conductor. Copy it to a secure location.
    Important: You must copy the new client secret value at this step, because you won’t be able to retrieve the key later.
  3. From the Azure application you created, note the following information:
    • Azure Application ID – Get from the Azure application Overview page.
    • Azure Application key – The client secret you noted above.
    • Azure Subscription ID – In Azure, under Users, get the subscription details to find the ID. It’s also at the top of your Powershell window.
    • Directory ID – Get Directory (tenant) ID from the Azure application Overview page.

    Azure Application Overview page showing TenantID

  4. Set up a role for the application you created to use as authorization to create Airwall Gateways in your Azure environment.
    1. From Subscriptions, select your subscription, and then select Access control (IAM).
    2. Add a role assignment, and assign the App you created to the role: For Role, select Contributor, and for Assign access to, select User, group, or service principal, and then search for your App. You can also select a custom role with the permissions you want. For more information, see Azure help: Create a role in the Azure portal.

Add an Azure Cloud Airwall Gateway

You must Set up Microsoft Azure as a cloud provider before you can add an Airwall Gateway in the Conductor

  1. On the Airwalls page, (or in Conductor Settings Cloud providers tab), select New cloud Airwall, and then select Microsoft Azure Airwall.
    Create cloud Airwall menu
  2. In v2.2.8 and later, select Create stand-alone Airwall gateway, and then Next.
  3. In v2.2.8 and later, if you want to use a template to create the Airwall Gateway, select the template, select Next, and then give the Airwall Gateway a descriptive name. You can then skip to the next step.
    To continue without a template and enter the information manually, just select Next.
    1. If you are filling in information manually, or want to change the template, fill in the Name and Image and network options for this Airwall Gateway. For Machine type, the default typically works. You can select a different size if needed for your purposes.
      Azure Cloud template dialog
    2. Under Airwall gateway image ID, pick the Airwall Gateway image you want to use. The list shows the Airwall Gateway images available on your cloud provider.
    3. If you do not have a pre-configured virtual network, you need to create a new network. Click Create new network and fill in the form:
      • Network CIDR – Enter an available network address and subnet mask in CIDR notation.
      • Public subnet CIDR – Must be a subnet of the main network. Traffic flows between the underlay interface of the Airwall Gateway and the Public IP address object in Azure.
      • Protected subnet CIDR – Must be a subnet of the main network. Traffic must pass through theAirwall Gateway or through manually-crafted routes.

      When you’re finished entering the information, select Create network, and when processing is complete, select Back.


      Create cloud airwall network dialog

    4. Back on the Create cloud Airwall page, select the network and public and protected subnets you just created.
  4. Check the summary and if everything is correct, select Create cloud Airwall.
  5. Select Finish. It may take up to 5 minutes for Microsoft Azure to complete creating the Airwall Gateway.

You’ve completed creating an Azure cloud Airwall Gateway, and now need to configure Provision, License, and configure it. For help, see Provision and License Airwall Edge Services and Configure Airwall Edge Service Settings.

Add Azure as a Cloud Provider in Conductor

  1. In Conductor Settings, open the Cloud providers tab.
  2. Under Configured cloud providers, click Add cloud provider, and then select MS Azure.
  3. Fill in the form, using the values noted when creating an application in Azure:
    • Application ID – Enter the Azure Application ID.
    • Client secret – Enter the Azure Application key.
    • Subscription ID – Enter the Azure Subscription ID.
    • Tenant ID – Enter the Directory (tenant) ID.
  4. The Azure route injection setting determines how new routes are added to the Azure routing table. The routes are for traffic on your protected overlay network between protected devices and the Airwall Gateway. Here are the recommended settings depending on your deployment details:
    • If you are using a Airwall Relay, or want to manage routes on your own, set to Disabled.
      Important: If your Airwall's subnet has a route table with existing or planned future routes, then do not set route injection to Individual traffic or All traffic. This removes these existing and future routes from the route table, retaining only routes created by Conductor.
    • If you want to handle traffic for devices individually, set to Individual traffic.
    • If you want one route to send all traffic to the overlay port on the Airwall Gateway, set to All traffic.
      Note: All traffic is effectively ‘full tunnel’ mode. With Individual traffic, you could add routes that send traffic around the Airwall Gateway.
  5. For Default region, click the Sync icon to check the connection and fill in your options. When it connects, select your default region from the list.
    Edit Cloud Provider dialog
  6. Click Finish.

You’re now ready to create cloud Airwall Gateways in Azure in the Conductor.