Overview
This article is a detailed step-by-step guide to configuring and deploying Netskope's Borderless SD-WAN in Azure and achieving high availability and load sharing with the Azure Route Server.
Use Case
The use case for this scenario is always-on connectivity from your Azure workloads to Netskope's Next Gen Secure Web Gateway for workstation internet access.
With this use case, workstations deployed within a single VNET or across multiple VNETs have secure connectivity to the Netskope platform. BGP is used to provide resiliency, symmetry and load sharing across the Netskope Borderless WAN Gateways in the Azure cloud.
Architecture
In the architecture above I have 2 Network Virtual Appliances, the Netskope SASE Gateways. Each Gateway VM has an eBGP peering with the Azure Route Server. Each Netskope Gateway advertises a default route, which is later used to provide ECMP and high availability for the workloads inside your VNET(s).
Why Azure Route Server
Traditionally, customers achieved high availability for Network Virtual Appliances (NVAs) in Azure by using Azure functions to probe virtual machine connectivity. If a response was not seen on the primary VM, the function would rewrite the User Defined Routes in the Azure routing table. While this solution works technically, it presents challenges in scalability, manageability, and delay.
Additionally, when adding new workloads or subnets to existing sites, you no longer need to manually update the User Defined Routes in the Azure routing table. This is because we now utilize BGP to exchange reachability, offering redundancy and symmetrical load balancing across multiple SASE Gateways.
Deployment Steps
Deploy Netskope SASE Gateways from Azure Marketplace
The steps for deploying Netskope Gateways from the Azure Marketplace are out of scope for this document. For more information on deploying virtual MXs from the Azure Marketplace, see the following link: https://netskope.document360.io/docs/sase-gateway-deployment-in-azure
Requirements for Gateway deployment:
- Resource group (Best practice to place in their own Resource Group)
- VNET
- 2 subnets (one for the WAN NICs of the VMs and one for the private (LAN) NICs, where the eBGP peering takes place)
- 2 Network Interfaces
- 1x Public IP
- 2x Security Groups
Below are screenshots showing my 2 deployed Netskope SASE Gateways from both the Azure portal and the Borderless WAN portal:
Deploy Azure Route Server inside VNET
The snippets below were taken directly from the Azure documentation: https://docs.microsoft.com/en-us/azure/route-server/quickstart-configure-route-server-cli
You can verify your Azure Route Server configuration with the following Azure CLI command:
az network routeserver show \
--name NetskopeBWANRouteServerInstance \
--resource-group NetskopeBWANRouteServer
Configure BGP Peering on the Azure Route Server
The steps below must be performed for every Netskope SASE Gateway VM.
1. Go to the Route Server deployed in the previous step and select Peers under Settings in the left navigation panel. Select + Add to add a new peer.
- You need the LAN interface IP of each VM (this is the peer IP from the Route Server's point of view)
- You also need the remote ASN, which for Netskope is 400 by default
Configure BGP on Netskope Portal
Go to the Route Server in the Azure portal and obtain the information from the Overview section, or rerun the same command from above:
In the output above, note the 'Asn' and 'Peer IPs' values; you need them for the BGP config. (They are also shown in the Azure portal UI when viewing your Route Server instance.)
Next, navigate to the Netskope Borderless SD-WAN portal from the Netskope dashboard and select Gateways in the left tab:
In this example we use the console to configure the eBGP peers directly, as well as the default route.
To open the console, click the 3 dots on the right side of the gateway and select Console:
A new tab opens; enter the following commands to access the routing daemon inside the VM's container:
1. From the BWAN GW console CLI, log in to the router:
# docker exec -it infiot_spoke vtysh
2. Enter the router configuration mode:
# configure terminal
3. Advertise the default route using the following commands (replace x.x.x.x with the Route Server peer IP):
router bgp 400
address-family ipv4 unicast
neighbor x.x.x.x default-originate
4. Exit the router shell:
(config)# end
# exit
5. Make it persistent by creating a new file at /infroot/workdir/frrcmds-user.json with the following content (the same x.x.x.x placeholder must be replaced with the Route Server peer IP):
{
  "frrCmdSets": [
    {
      "frrCmds": [
        "conf t",
        "router bgp 400",
        "address-family ipv4 unicast",
        "neighbor x.x.x.x default-originate"
      ]
    },
    {
      "frrCmds": [
        "write integrated"
      ]
    }
  ]
}
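Because an Azure Route Server exposes two peer IPs, the default route has to be originated toward each of them. The script below is an added example (not Netskope's or Azure's code) that generates the frrcmds-user.json content for any number of peer IPs and rejects an unreplaced x.x.x.x placeholder; the peer IPs are constructed sample values.

```python
import ipaddress
import json

# Constructed sample: the two peer IPs of the Azure Route Server (the 'Peer IPs'
# shown by `az network routeserver show`) and the Netskope ASN used on this page.
ROUTE_SERVER_PEER_IPS = ["10.10.2.4", "10.10.2.5"]
NETSKOPE_ASN = 400

def build_frrcmds_user(peer_ips, local_asn=NETSKOPE_ASN):
    """Return the frrcmds-user.json structure: one command set that enters the BGP
    address family and originates a default route toward every Route Server peer,
    followed by a set that writes the integrated config."""
    if not peer_ips:
        raise ValueError("at least one Route Server peer IP is required")
    for ip in peer_ips:
        ipaddress.IPv4Address(ip)  # raises ValueError for placeholders such as x.x.x.x
    cmds = ["conf t", f"router bgp {local_asn}", "address-family ipv4 unicast"]
    cmds += [f"neighbor {ip} default-originate" for ip in peer_ips]
    return {"frrCmdSets": [{"frrCmds": cmds}, {"frrCmds": ["write integrated"]}]}

def render_frrcmds_user(peer_ips, local_asn=NETSKOPE_ASN):
    """Serialize to the JSON text to place in /infroot/workdir/frrcmds-user.json,
    re-parsing it so an unbalanced bracket can never reach the gateway."""
    text = json.dumps(build_frrcmds_user(peer_ips, local_asn), indent=2)
    json.loads(text)
    return text

if __name__ == "__main__":
    print(render_frrcmds_user(ROUTE_SERVER_PEER_IPS))
```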
Troubleshooting
Netskope Gateways offer direct CLI access for troubleshooting and validating configuration. To enter the FRR routing daemon from the console, enter the commands below:
Once you can access the routing daemon, you can run any show commands for BGP and basic network configuration:
The Provisioning State on the Route Server will always show Failed unless the LAN interface of each VM has Enable IP Forwarding turned on.
mitchell s ~ ]$ az network routeserver peering list-learned-routes --resource-group NetskopeBWANRouteServer --routeserver NetskopeBWANRouteServerInstance -n NetskopeGateway7
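To confirm that the HA and ECMP goal of this design is actually met, the learned routes from the command above should show the default route from every gateway on both Route Server instances. The following is an added example (not from the page, Netskope or Azure) that merges the per-peer JSON output of that command and classifies the result; the JSON field names and the sample routes are assumptions and constructed values, with one gateway deliberately missing from the second instance.

```python
import json

# Constructed samples shaped like the JSON that
# `az network routeserver peering list-learned-routes` returns (one call per peer).
# The key/field names (RouteServiceRole_IN_0/1, network, nextHop, asPath) are an
# assumption about that command's output; adjust them if your CLI version differs.
GATEWAY7_ROUTES = json.dumps({
    "RouteServiceRole_IN_0": [{"network": "0.0.0.0/0", "nextHop": "10.10.1.4",
                               "asPath": "400", "origin": "EBgp", "sourcePeer": "10.10.1.4"}],
    "RouteServiceRole_IN_1": [{"network": "0.0.0.0/0", "nextHop": "10.10.1.4",
                               "asPath": "400", "origin": "EBgp", "sourcePeer": "10.10.1.4"}],
})
# Second (constructed) gateway whose session to the second Route Server instance is
# down: only RouteServiceRole_IN_0 has learned its default route.
GATEWAY8_ROUTES = json.dumps({
    "RouteServiceRole_IN_0": [{"network": "0.0.0.0/0", "nextHop": "10.10.1.5",
                               "asPath": "400", "origin": "EBgp", "sourcePeer": "10.10.1.5"}],
    "RouteServiceRole_IN_1": [],
})

def default_route_next_hops(learned_by_peer, gateway_asn="400"):
    """Merge per-peer output; map each Route Server instance to the sorted
    next hops it holds for 0.0.0.0/0 originated by gateway_asn."""
    hops = {}
    for learned_json in learned_by_peer.values():
        for instance, routes in json.loads(learned_json).items():
            found = hops.setdefault(instance, set())
            for r in routes:
                as_path = str(r.get("asPath", "")).split()
                if r.get("network") == "0.0.0.0/0" and as_path and as_path[-1] == gateway_asn:
                    found.add(r["nextHop"])
    return {inst: sorted(h) for inst, h in hops.items()}

def ha_status(learned_by_peer, expected_gateways=2, gateway_asn="400"):
    """'ecmp': every instance has the default via all expected gateways;
    'degraded': some instance is missing a gateway (HA at risk, no load sharing);
    'none': no default route learned (check IP forwarding and the BGP config)."""
    counts = [len(h) for h in default_route_next_hops(learned_by_peer, gateway_asn).values()]
    if counts and all(c >= expected_gateways for c in counts):
        return "ecmp"
    if any(c > 0 for c in counts):
        return "degraded"
    return "none"

if __name__ == "__main__":
    peers = {"NetskopeGateway7": GATEWAY7_ROUTES, "NetskopeGateway8": GATEWAY8_ROUTES}
    print(default_route_next_hops(peers))
    print(ha_status(peers))
```

Run the az command once per configured peer, feed each JSON result into the dictionary keyed by peer name, and treat anything other than "ecmp" as a failover condition worth alerting on.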