The Resource groups window is displayed.

The Create a resource group window is displayed.

Perform the following in the Project details and Resource details area:

• Subscription: Verify if the subscription listed is the correct one. You can change the subscriptions using the drop-down list.

• Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager Overview.

• Region: Select the location for your resource group.

The Virtual Network window is displayed.

The Create virtual network window is displayed.

In the Project details and Instance details area, perform the following:

• Subscription: Verify if the subscription listed is the correct one. You can change the subscriptions using the drop-down list.

• Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager Overview.

• Name: Enter the name for your virtual network.

• Region: Select the location for your VNet.

• IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values.

• Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. You need to configure the following settings and click Add to add the values:

  • Subnet name: For example, you can name the subnet as FrontEnd.

  • Subnet address range: You can provide the subnet address range for this subnet.

• DDos protection: Disabled

• Firewall: Disabled

The Virtual network gateways window is displayed.

The Create virtual network gateway window is displayed.

In the Project details and Instance details area, perform the following:

• Subscription: Select the subscription you want to use from the drop-down list.

• Resource group: This setting is auto-filled when you select your virtual network on this page.

• Name: Enter the name for your gateway.

• Region: Select the region you want to create this resource.

  Note	The region for the gateway must be the same as the virtual network.

• Gateway type: Select VPN.

• VPN type: Select the VPN type that is specified for your configuration.

• SKU: Select the gateway SKU you want to use from the drop-down list. Based on the VPN type you selected earlier, you get to view the SKUs. For more information about gateway SKUs, see Gateway SKUs.

• Generation: Select the generation you want to use. For more information, see Gateway SKUs.

• Virtual network: From the drop-down list, select the virtual network to which you want to add this gateway.

• Gateway subnet address range: This field appears only if your VNet does not have a gateway subnet.

  Note	We recommend you create a range greater than /28. Click Subnets to view the range. If you want to change the range, you can delete and recreate the Gateway subnet.

In the Public IP address area, perform the following:

• Public IP address: Retain Create new value.

• Public IP address name: Enter a name for your Public IP address instance.

• Assignment: By default, the VPN gateway supports only Dynamic.

• Enable active-active mode: Select this mode only if you want to create an active-active gateway. Otherwise, leave this setting as Disabled.

• Configure BGP: Disable this mode unless your configuration specifically requires this setting. If you require this setting, the default ASN is 65515, although this can be changed.

You can view the deployment status in the Overview page for your gateway.

After creating the gateway, you can view the IP address assigned to the gateway by viewing the virtual network in the Azure Web UI.

The gateway appears as a connected device.

The Create local network gateway window is displayed.

• Name: Specify a name for your local network gateway object.

• Endpoint: Select the endpoint type for the on-premises VPN device IP address or FQDN (Fully Qualified Domain Name).

  • IP address: If you have a static public IP address allocated from your Internet service provider for your VPN device, select the IP address option and fill in the IP address as shown in the example. This is the public IP address of the VPN device that you want Azure VPN gateway to connect to. If you don't have the IP address right now, you can use the values shown in the example, but you'll need to go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure will not be able to connect.

  • FQDN: If you have a dynamic public IP address that could change after certain period of time, usually determined by your Internet service provider, you can use a constant DNS name with a Dynamic DNS service to point to your current public IP address of your VPN device. Your Azure VPN gateway will resolve the FQDN to determine the public IP address to connect to.

• Address Space: Refers to the address range for the local network. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address.

• Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.

• Subscription: Verify is the correct subscription is displayed or not.

• Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.

• Location: The location is the same as Region in other settings. Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.

The Virtual network gateways window is displayed.

In the Add connection window, configure the following values for your connection:

• Name: Enter a name for your connection.

• Connection type: Choose Site-to-site (IPSec).

• Virtual network gateway: The value is fixed because you are connecting from this gateway

• Local network gateway: Select Choose a local network gateway and select the local network gateway that you want to use.

• Shared Key: This value must match the value you are using for your local on-premise VPN device. The important thing is that the value you specify here must be the same value that you specify when configuring your VPN device.

  Note	We recommend that you specify the same value when configuring the VPN device.

• Leave Use Azure Private IP Address unchecked.

• Leave Enable BGP unchecked.

• Choose IKEv2 as the IKE protocol.

  Note	The Subscription, Resource Group, and Location values are fixed.

You can view the connection in the Connections page of the virtual network gateway. The Status goes from Unknown to Connecting, and then to Succeeded.

• Subscription: Verify if the subscription listed is the correct one. You can change the subscriptions using the drop-down list.

• Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager Overview.

• Virtual machine name: Enter the name of your virtual machine or controller name.

• Region: Select the Azure data center region.

• Image: Choose a C9800-CL image.

• Size: Choose the VM size for different scale.

The following table shows the scale and VM size details:

• Authentication type: Choose the Password option.

• Username: Enter a username.

• Password: Enter a password.

  Note	The password must be at least 12 characters long. For information about the requirements, see defined complexity requirements.

• Public inbound ports: Choose Allow selected ports.

• Select inbound ports: Choose HTTPS (443), SSH (22) from the drop-down list.

The Create a virtual machine window appears.

• Virtual network: Choose the virtual network created while creating the VPN.

• Subnet: Choose an appropriate subnet created while creating the VPN.

• Public IP: Creates a new one.

• NIC network security group: Choose Advanced.

• Configure network security group: Choose an existing security group from the drop-down list, if you had created one earlier. (Or) Click Create new to create a new network security group.

  Note

  You can restrict access to your security group instance for security reasons. For example, if you want to permit only CAPWAP from a certain IP range so that only those APs register to the controller, you need to enable inbound and outbound. The following table lists the ports and protocols that may be enabled on the controller: By default, all the outbound traffics are unblocked only the inbound traffics are blocked. You may allow these protocols based on your service and security requirements. Table 2. Ports and Protocol Ports Protocols UDP 5246/5247/5248 CAPWAP TCP 22 SSH, SCP TCP 21 FTP ICMP Ping UDP 161, 162 SNMP/SNMP traps TCP 443/80 HTTPs/HTTP TCP/UDP 49 TACACS+ UDP 53 DNS Server UDP 1812/1645/1813/1646 Radius UDP 123 NTP Server UDP 514 Syslog

• Custom data: Enter the custom IOS config meta data.

  Note	This custom IOS configuration meta data is applied in bootstrap. If the same information is available in the deployment and custom data, the deployment data takes precedence.

You can now navigate to the Day 0 configuration using either serial console, SSH to the controller, or Web UI.

The Resource groups window is displayed.

The Create a resource group window is displayed.

Perform the following in the Project details and Resource details area:

• Subscription: Verify if the subscription listed is the correct one. You can change the subscriptions using the drop-down list.

• Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager Overview.

• Region: Select the location for your resource group.

The Virtual Network window is displayed.

The Create virtual network window is displayed.

In the Project details and Instance details area, perform the following:

• Subscription: Verify if the subscription listed is the correct one. You can change the subscriptions using the drop-down list.

• Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager Overview.

• Name: Enter the name for your virtual network.

• Region: Select the location for your VNet.

• IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values.

• Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. You need to configure the following settings and click Add to add the values:

  • Subnet name: For example, you can name the subnet as FrontEnd.

  • Subnet address range: You can provide the subnet address range for this subnet.

• DDos protection: Disabled

• Firewall: Disabled

• Subscription: Verify if the subscription listed is the correct one. You can change the subscriptions using the drop-down list.

• Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager Overview.

• Virtual machine name: Enter the name of your virtual machine or controller name.

• Region: Select the Azure data center region.

• Image: Choose a C9800-CL image.

• Size: Choose the VM size for different scale.

The following table shows the scale and VM size details:

• Authentication type: Choose the Password option.

• Username: Enter a username.

• Password: Enter a password.

  Note	The password must be at least 12 characters long. For information about the requirements, see defined complexity requirements.

• Public inbound ports: Choose Allow selected ports.

• Select inbound ports: Choose HTTPS (443), SSH (22) from the drop-down list.

The Create a virtual machine window appears.

• Virtual network: Choose the virtual network that was created earlier or create a new one.

• Subnet: Choose the subnet that was created earlier or create a new one.

• Public IP: Creates a new one.

• NIC network security group: Choose Advanced.

• Configure network security group: Choose an existing security group from the drop-down list, if you had created one earlier. (Or) Click Create new to create a new network security group.

  Note

  You can restrict access to your security group instance for security reasons. For example, if you want to permit only CAPWAP from a certain IP range so that only those APs register to the controller, you need to enable inbound and outbound. The following table lists the ports and protocols that may be enabled on the controller: By default, all the outbound traffics are unblocked only the inbound traffics are blocked. You may allow these protocols based on your service and security requirements. Table 4. Ports and Protocol Ports Protocols UDP 5246/5247/5248 CAPWAP TCP 22 SSH, SCP TCP 21 FTP ICMP Ping UDP 161, 162 SNMP/SNMP traps TCP 443/80 HTTPs/HTTP TCP/UDP 49 TACACS+ UDP 53 DNS Server UDP 1812/1645/1813/1646 Radius UDP 123 NTP Server UDP 514 Syslog

• Custom data: Enter the custom IOS config meta data.

  Note	This custom IOS configuration meta data is applied in bootstrap. If the same information is available in the deployment and custom data, the deployment data takes precedence.

You can now navigate to the Day 0 configuration using either serial console, SSH to the controller, or Web UI.