Difference between traditional networking & SDN and NFV, i felt below depicted diagram explained well so, i though to share with all of you..
The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. The Barracuda Web Application Firewall scans all inbound web traffic to block attacks, and inspects the HTTP responses from the configured back-end servers for Data Loss Prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for Authentication, Authorization & Accounting (AAA) without requiring application changes. The onboard L4/L7 Load Balancing capabilities enable organizations to add back-end servers quickly to scale deployments as they grow. Its application acceleration capabilities like SSL Offloading, caching, compression, and connection pooling ensure faster application delivery of the web application content
The Barracuda Web Application Firewall is available on Microsoft Azure with the Bring Your Own License (BYOL) and Hourly / Metered options. For BYOL, Barracuda offers four models. The table below lists each model, the corresponding Instance Type to be used in Microsoft Azure, the default CPU and Memory for the instance.
|Barracuda WAF||Instance Type in Azure||Default vCPU||Default Memory|
|Level 1||A1||1||1.7 GB|
|Level 5||A2||2||3.5 GB|
|Level 10||A3||4||7 GB|
|Level 15||A4||8||14 GB|
If you want to increase the performance of a license that you have already purchased, you can buy additional cores from Barracuda and reconfigure for a larger instance type and Hourly /Metered model and instance Type( on supported instance types, Default vCPU, Default Memory and Hourly pricing)
Note: It is recommended to assign a Static IP address to the Barracuda Web Application Firewall.
Note: it will take 15-20 mints for installed the WAF in Azure Virtual network and deploy the secondary wafprd03 same as wafprd02.
After you create the load-balanced set for wafprd02, add other Barracuda Web Application Firewall virtual machines to the set. Example: wafprd03
Creating an HTTP Service: An HTTP service is a controlled entry point for an HTTP web application on the server. To create an HTTP service, select HTTP as the type of service.Rules added to the Service allow content-aware processing decisions for Web traffic coming into that Service. Rules can use HTTP request headers to make load balancing and caching policy decisions. To add a content rule to a Service:
Application Firewall. You should backup your system on a regular basis in case you need to restore this information on a replacement Barracuda Web Application Firewall or in the event your current system data becomes corrupt.
If you are restoring a backup file on a new Barracuda Web Application Firewall that is not configured, you need to assign your new system an IP address and DNS information.
The ADVANCED > Firmware Update page allows you to manually update the firmware version of the system or revert to a previous version. The only time you should revert back to an old firmware version is if you recently downloaded a new version that is causing unexpected problems. In this case,call Barracuda Networks Technical Support before reverting back to a previous firmware version.
If you have the latest firmware version already installed, the Download Now button will be disabled.
The ADVANCED > Energize Updates page allows you to manually update the attack, virus and Security definition, as well as change the interval at which the Barracuda Web Application Firewall Checks for updates. Energize Updates provide the Barracuda Web Application Firewall with the latest Definitions.
Recommend that the Automatically Update setting be set to Hourly so you’re Barracuda Web Application Firewall receives the latest definitions as soon as new threats are identified by Barracuda Central.
The following table describes the common fields for Attack, Virus and Security Definition Updates.
Click Save Changes after making any changes
|Current Installed Version||Starts the Barracuda Web Application Firewall in the normal (default) mode. This option is automatically selected if no other option is specified within the first three (3) seconds of the splash screen appearing|
|Latest General Release||Displays the latest version that is available. If the current version running on the Barracuda Web Application Firewall is not the latest, click Update to download the latest version.The Update button is disabled if the system already has the latest version.|
|Previously Installed Version||Displays the previously installed version that was running on the system. To go back to this version of the definitions, click Revert|
|Automatically Update||Determines the frequency at which the Barracuda Web Application Firewall checks for updates. To disable automatic updates, select Off.Hourly updates occur at the beginning of each hour. Daily updates occur at 12:20am (twenty after midnight) based on the system time
zone. The recommended setting is Hourly.
Initial IOS is 7.9.0.021 and upgrade to 7.9.10.010
When we are trying to build the tunnel from Azure to cisco ASA with dynamic routing (IKEV1 & IKEV2) , tunnel is not coming up later found that ASA does n`t support azure dynamic routing(IKEV2 doesn`t support ASA 8.0) and looked at couple of options viz express route and installing virtual firewall etc..
Here are supported links..
http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/118743-configure-asa-00.html –> 8.4 and above supports IKE v2
Finally we have come up with different approach to fix this…
Created to two VNET`s, one VNET used for creating dynamic routing gateway and build the VPN tunnel`s on supported vendors(checkpoint and juniper ) .
Second VNET used to create static gateway and build the tunnel between Azure and enabled communication between VNET`s over public IP~s with restrictions.
One more thing that Vnet to Vnet Latency is less than 10ms ( Azure Public IP address traffic will not traverse through internet ) and it looks like LAN
For troubleshoot we require PowerShell scripting s/w which can be downloaded from below link
Here is the troubleshooting commands through PowerShell but before that we have to connect to Azure account with couple of commands.
Add-Azureaccount –> pop`s up the user credentials window there you have to type the azure account details.
Pre share creation
Set-AzureVNetGatewayKey -VNetName -LocalNetworkSiteName “xxxx” -SharedKey Cisco123
Initiating the traffic from VPN tunnel
Set-AzureVNetGateway -Connect –LocalNetworkSiteName “test” –VNetName “customer01”
PS C:\> Get-AzureVnetConnection -VNetName “test”
ConnectivityState : NotConnected
EgressBytesTransferred : 0
IngressBytesTransferred : 0
LastConnectionEstablished : 1/1/1601 5:30:00 AM
LastEventID : 21601
LastEventMessage : Unable to establish the cross-premise tunnel for site ‘MT-NOC-BLR’. Previous state:
Initializing. Current state: Not Connected.
LastEventTimeStamp : 8/23/2015 12:54:53 PM
LocalNetworkSiteName : test
Even we can configure VPN wit Azure PowerShell script:
<AddressPrefix>10.20.3.0/24</AddressPrefix> —> In azure,localnetworks called as remote networks in networking language.
<VPNGatewayAddress>18.104.22.168</VPNGatewayAddress> —> Site01- VPN Peer IP(Public IP add)
<AddressPrefix>172.20.3.0/24</AddressPrefix> –> Remote Network
<VPNGatewayAddress>22.214.171.124</VPNGatewayAddress> —> Site02- VPN Peer gateway address (Public Address)
<VirtualNetworkSite name=”VNET-01″ Location=”South Central US”>
<AddressPrefix>10.10.0.0/21</AddressPrefix> —-> Local Supernet for Site01(Azure end)
<Subnet name=”mgmtsubnet”> —-> Local Subnet(Azure end)
<Subnet name=”proddbsubnet”> —-> Local Subnet (Azure End)
<Subnet name=”GatewaySubnet”> —-> VNET-01 VPN Gateway
<VirtualNetworkSite name=”VENT-02″ Location=”South Central US”>
<AddressPrefix>172.16.0.0/23</AddressPrefix> —> Local Subpernet for site02(Azure End)
<ConnectionsToLocalNetwork> —-> Global Configuration
<Connection type=”IPsec” />
<Connection type=”IPsec” />