Configure a Public Cloud Device To Be a Virtual CPE Router or an SD-WAN Gateway
For supported software information, click here.
Normally, the Versa Operating SystemTM (VOSTM) devices that you receive are preconfigured as either a virtual CPE router or an SD-WAN device. If your devices are preconfigured, you can skip this article. If they are not, follow the procedures in this article to configure an AWS or Azure virtual machine (VM) to be either a virtual CPE or an SD-WAN gateway.
Configure a VOS Device as a Secure SD-WAN or SD-Security Device
To configure a branch VOS device on AWS or Azure to be an SD-WAN gateway device:
- In Director view, select the Workflows tab in the top menu bar.
- Select Devices > Devices in the left menu bar. The table in the main pane displays the devices that are already configured.
- Click the
Add icon. In the Basic section, enter information for the following fields.
Field Description Name (Required) Enter a name for the VOS device. The name is a text string. Global Device ID (Required) Displays the device ID, which is automatically assigned by the Director node. Organization (Required) Select the name of the organization to which the VOS device belongs. Deployment Type Select the deployment type as CPE-Public Cloud, to deploy the device as a gateway to the public cloud.
Serial Number (Required)
Displays the generated serial number. Generate Serial Number Click to assign a unique serial number to the VOS device. Device Groups (Required) Select the AWS or Azure device group to which the VOS device belongs. Resource Tag Enter a tag name, and then click Add icon to add the resource tag. Admin Contact Information (Group of Fields) Enter the contact email address of the administrator. - Phone
Enter the contact phone number of the administrator. Subscriptions (Group of Fields) - License Period
Select the period, in years, for which the license is valid. The options are 1 year, 3 years, and 5 years. - Service Bandwidth
Select the bandwidth, in Mbps or Gbps, to use for service that the device offers. - Click Next or select Cloud Profile.
- In the Cloud Profile section, enter information for the following fields.
Field Description Connector (Required) Select the connector to use to establish communication between AWS or Azure and the Director node.
Note that after deploying the cloud VOS branch/hub-controller with the CMS connector, you must remove the public IP address of eth0 from the cloud instance portal. The Director node will manage the VOS branch/hub-controller using the SD-WAN overlay IP address, and will not use the eth0 public IP address. Additionally, you must change the default passwords for all cloud-hosted VOS nodes, for admin and versa accounts.
Region (Required) Select the geographic region in which to deploy the VOS device. Instance Type (Required) Select the VM instance type for VOS deployment.
VPC/Network (Required) Select the type of virtual public cloud (network):
- VNET—For the Azure virtual public cloud
- VPC—For the Amazon virtual public cloud
Image (Required)
Select the VOS image to use to launch the VOS device. - Availability Zone (Required)
For AWS only, select the AWS availability zone - IAM Role/Instance Profile
For AWS only, click to use IAM instance credentials instead of an access key. One reason to use IAM instance credentials is so that the branch device can communicate with AWS APIs using instance credentials. Resource Group For Azure virtual WAN, select the resource group. If you do not select any value, a new resource group is created. Availability Set For Azure virtual WAN, select the availability set to instantiate a VOS VM. Enable Accelerated Networking (For Releases 22.1.1 and later.) Click to enable accelerated networking. Accelerated networking enables single root I/O virtualization (SR-IOV) on supported VMs. When you enable or disable accelerated networking on existing VMs during an upgrade, the VM shuts down and restarts after updating the accelerated networking.
Note that enabling accelerated networking is supported only on VOS branch devices running Ubuntu 18.04 (Bionic). It is not supported on devices running Ubuntu 14.04 (Trusty).
Network/Subnet Mapping (Group of Fields) Configure the subnet mapping for the VOS device. - Interface
Select the interface to use for the network. - Device Network
Enter the name of the device. - Subnet
Select the subnetwork that you created for the device. - Security Group
Select the security group to use for the subnetwork. This is the security group configured on the network interface. Be sure to check for any additional security group that is applied on an instance level and that might be blocking required traffic.
Caution: You must disable all inbound ports on eth0 to restrict access from the public internet after successful deployment.
- Public IP Required
Click to provide a public IP address for the network interface. Tags (Group of Fields) - Key
Enter the tag key for the VM deployed in AWS or Azure. - Value
Enter the tag value for the VM deployed in AWS or Azure. - Click Next or select Device Service Template.
- In the Device Service Template section, enter information for the following fields.
Field Description Tenant Select the name of the tenant. Category Select the category of the service template:
- Application Steering
- General
- NextGen
- QoS
- Statefull Firewall
- Service Chain
- Secure Access
Template Select the template to use. The drop-down lists the templates available based on the options you select in the Tenant and Category fields. - Click Next or select Bind Data.
- In the Bind Data section, add the required field values for the templates for which you have not enabled DHCP. If you enable DHCP for a template, the system populates the values dynamically. Note that the system validates the bind data variables per the specified variable type. If they do not match, an error message displays.
- Select the Autogenerated tab to view and edit the values.
- Click Save.
Add Custom Routes in Azure to Send Traffic to the VOS Interface
By default, Azure sends traffic to its core network. To instead send traffic to the VOS interface, you create a user-defined route in Azure. Then, to allow the network interfaces to receive and forward traffic, you enable IP forwarding. If you use a Director node to start the Azure VOS device using a CMS connector, the Director node enables IP forwarding.
Create User-Defined Routes
To create user-defined routes in Azure to send traffic towards a VOS device:
- Log in to the Azure portal at https://portal.azure.com.
- Create a route table. Enter information for the following fields.
Field Description Name (Required)
Enter a name for the route table. Subscription (Required)
Select the Azure subscription. Resource Group (Required)
Select a resource group name. Click Create New to create a new resource group. Location (Required)
Select the location of the Azure data center. Virtual Network Gateway Route Propagation Click Enabled. - Click Create.
- Open the route table that you created in Step 2.
- Click Routes in the left menu bar to add a route. Enter information for the following fields.
Field Description Route Name (Required)
Enter a name for the route. Address Prefix (Required)
Enter the destination prefix for the route. Next-Hop Type Select Virtual Appliance. Next-Hop Address (Required)
Enter the IP address of the VOS LAN that connects to clients in the LAN virtual router (VR). - Click Subnets in the left menu bar.
- Associate the route table with LAN subnet that belongs to VOS LAN VR.
- Click OK.
Enable IP Forwarding
If you use a Director node to start the Azure VOS device using a CMS connector, the Director node enables IP forwarding. To enable IP forwarding on the VOS LAN interface from the Azure portal:
- Search for the VM in Azure portal, and select the VOS device on which to enable IP forwarding.
- Select Settings > Networking in the left menu bar
- Select the LAN interface and then click Network Interface.
- Select Settings > IP Configurations in the left menu bar.
- In the IP Forwarding field, click Enabled.
- Click Save.
Supported Software Information
Releases 20.2 and later support all content described in this article, except:
- Release 22.1.1 adds support for accelerated networking.
Additional Information
Licensing Overview
Qualified AWS, Azure, and Google Cloud Instances