Azure Virtual Network Gateway Redundant Tunnels


Azure Redundant Tunnels - Virtual Network Gateway

Prerequisites

  • An active Harmony SASE Administrator Portal account and network.

  • Make sure you have installed the Harmony SASE Agent on your devices.

  • Administrator account in the Firewall/ Router/ Cloud Management Portal.

  • Your Harmony SASE network must have at least two different gateways in the same network.

    Notes -

    • You can deploy the gateways in two separate regions for comprehensive ISP redundancy.

    • You can scale up the network. Adding another region does not affect the connection.

Step 1 - Configurations in the Azure Management Portal

  1. Access the Azure Management Portal and go to Virtual network gateways.

  2. Click +Create.

    The Create virtual network gateway window appears.

  3. Enter these:

    Name - Name of the gateway.
    Region - Region where your resources are located.
    Gateway type - VPN
    VPN type - Route-Based
    SKU - Select based on your preference and requirements.
    Virtual network - Select the relevant VNET.
    Gateway subnet address range - (If not filled automatically) Address range reserved for your Azure gateway.
    Public IP address - Create new or select existing.
    Enable active-active mode - Enabled
    Second Public IP Address - Create new or select existing.
    Configure BGP - Enabled
    ASN - Leave default or configure based on your preference.
    Custom Azure APIPA BGP IP address - Leave as empty.

Creating Local Network Gateways

You must create two local network gateways, one for each of your Harmony SASE gateways.

  1. Access the Azure Management Portal and go to Local network gateways.

  2. Click +Create.

    The Create local network gateway window appears.

  3. Enter these:

    Basics tab

    Resource group - Select the relevant resource group.
    Region - Region where your resources are located.
    Name - Name of the gateway.
    Endpoint - IP address
    IP address - Public IP address of the gateway in the Harmony SASE Administrator Portal.
    Address Space - Subnet value of the network in the Harmony SASE Administrator Portal.

    Advanced tab

    Configure BGP settings - Yes
    ASN - Leave default or select a value from the permitted range.
    BGP peer IP address - Any address from the permitted range.

  4. Repeat the above steps to create the second local network gateway.

Creating a Connection

  1. Access the Azure Management Portal and go to your local network gateway and click Connections.

  2. Click +Add.

    The Add connection window appears.

  3. Enter these:

    Name - Name of the connection.
    Virtual Private Gateway - Select the first Virtual Private Gateway you created.
    Local network gateway - Field is locked for editing.
    Shared key (PSK) - Generate a key on the Harmony SASE side, or in a different PSK-generating application. The key must only contain numbers, letters, underscore (_) and period (.).
    Use Azure Private IP Address - Leave as cleared.
    Enable BGP - Select the checkbox.
    IKE Protocol - IKEv2
  4. Click OK.

  5. Open the connection you just created and click Configuration.

    The Configuration window appears.

  6. In the IPsec / IKE policy field, select Custom and enter these (the same values are set for the tunnel in the Harmony SASE Administrator Portal):

    Encryption - AES256
    Integrity/ PRF - SHA1
    DH Group - DHGroup2
    IPsec Encryption - AES256
    IPsec Integrity - SHA1
    PFS Group - PFS2
    IPsec SA lifetime in KiloBytes - 102400000
    IPsec SA lifetime in seconds - 27000

  7. Repeat the above steps to create a connection for the second local network gateway.

  8. Download the tunnel configuration for the first connection:

    1. Go to your Virtual network gateway > Settings > Connections and click on your first connection.

    2. Click Download configurations.

    3. Enter these:

      1. Device vendor - Generic Samples

      2. Device family - Device Parameters

      3. Firmware version - 1.0

    4. Click Download configuration.
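The Azure side of Step 1 as an Azure CLI script, added here as an example and not taken from the Harmony SASE documentation: it creates the active-active, BGP-enabled virtual network gateway, one local network gateway and one IKEv2 connection per Harmony SASE gateway, applies the custom IPsec/IKE policy from the table above, and generates the shared key from the character set the page requires (letters, digits, underscore, period). The resource group, region, VNet, names, address space, ASN and the two Harmony SASE gateway addresses are placeholder assumptions; replace them with the values from your own portals.

```shell
#!/bin/sh
# Added example (not from the Harmony SASE docs): Azure CLI equivalent of Step 1.
# Names, region, resource group and the two Harmony SASE gateway values are placeholders.
set -eu
RG="rg-harmony-sase"; LOCATION="westeurope"; VNET="vnet-hub"; GW="vng-sase"
SASE_SUBNET="10.255.0.0/16"   # placeholder: subnet of the Harmony SASE network
SASE_ASN="65000"              # placeholder: ASN chosen on the Harmony SASE side
SASE_GW1_IP="198.51.100.10"; SASE_GW1_BGP="169.254.21.1"   # placeholder gateway 1
SASE_GW2_IP="203.0.113.10";  SASE_GW2_BGP="169.254.22.1"   # placeholder gateway 2
# PSK from the kernel CSPRNG, restricted to the characters both sides accept
# (letters, digits, underscore, period). $1 = length.
gen_psk() { LC_ALL=C tr -dc 'A-Za-z0-9_.' </dev/urandom | head -c "$1"; }
# Returns 0 if the key is non-empty and uses only the allowed characters, else 1.
psk_is_valid() {
  case "$1" in "" | *[!A-Za-z0-9_.]*) return 1 ;; *) return 0 ;; esac
}
# Custom IKE/IPsec policy from the table in Step 1, applied to one connection.
set_policy() {
  az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$1" \
    --ike-encryption AES256 --ike-integrity SHA1 --dh-group DHGroup2 \
    --ipsec-encryption AES256 --ipsec-integrity SHA1 --pfs-group PFS2 \
    --sa-lifetime 27000 --sa-max-size 102400000
}
deploy() {
  az network public-ip create -g "$RG" -n "$GW-pip1" --sku Standard --allocation-method Static
  az network public-ip create -g "$RG" -n "$GW-pip2" --sku Standard --allocation-method Static
  # Two public IPs give active-active mode; --asn turns on BGP (Azure default ASN kept).
  az network vnet-gateway create -g "$RG" -n "$GW" -l "$LOCATION" --vnet "$VNET" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 \
    --public-ip-addresses "$GW-pip1" "$GW-pip2" --asn 65515
  PSK=$(gen_psk 32)
  i=1
  # One local network gateway and one BGP-enabled IKEv2 connection per Harmony SASE gateway.
  for peer in "$SASE_GW1_IP,$SASE_GW1_BGP" "$SASE_GW2_IP,$SASE_GW2_BGP"; do
    ip=${peer%,*}; bgp=${peer#*,}
    az network local-gateway create -g "$RG" -n "lng-sase-$i" -l "$LOCATION" \
      --gateway-ip-address "$ip" --local-address-prefixes "$SASE_SUBNET" \
      --asn "$SASE_ASN" --bgp-peering-address "$bgp"
    az network vpn-connection create -g "$RG" -n "conn-sase-$i" --vnet-gateway1 "$GW" \
      --local-gateway2 "lng-sase-$i" --shared-key "$PSK" --enable-bgp --protocol IKEv2
    set_policy "conn-sase-$i"
    i=$((i + 1))
  done
  echo "Shared key to enter on the Harmony SASE side: $PSK"
}
if [ "${1:-}" = "--deploy" ]; then deploy; fi
```

Run it with `--deploy` after `az login`; without the flag it only defines the functions, so the PSK helpers can be used on their own.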

Step 2 - Creating the Tunnels in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Click the network where you want to create the tunnel.

  3. In one of the gateways, click > Add Tunnel.

  4. Click IPSec Site-2-Site Tunnel and click Continue.

  5. Select Redundant Tunnels and click Continue.

    The Redundant IPSec Tunnels window appears.

  6. Copy the values for the first tunnel from the downloaded configuration file and enter them for Tunnel 1 in the Harmony SASE Administrator Portal:

    Harmony SASE field - Value in the configuration file

    Shared Secret - Pre-Shared Key
    Harmony SASE gateway Internal IP - Inside IP Addresses of Customer Gateway
    Remote Public IP & Remote ID - Outside IP Addresses of Virtual Private Gateway
    Remote Gateway internal IP - Inside IP Addresses of Virtual Private Gateway
    Remote Gateway ASN - BGP Configuration Options of Virtual Private Gateway ASN

  7. Repeat step 6 for the second tunnel.

  8. In the Shared Settings section:

    1. In Proposal Subnets, select Any (0.0.0.0/0) for both sides.

    2. ASN number must be the same for the Harmony SASE side.

  9. In the Advanced Settings section, enter the information for your tunnel type (unless you have configured custom settings on the Azure side):

    Columns: IKE Version, IKE Lifetime, Tunnel Lifetime, DPD Delay, DPD Timeout, Encryption (Phase 1 / Phase 2), Integrity (Phase 1 / Phase 2), Diffie Hellman Groups (Phase 1 / Phase 2). DPD = Dead Peer Detection.

    Tunnel type                                      IKE Version  IKE Lifetime  Tunnel Lifetime  DPD Delay  DPD Timeout  Encryption (P1 / P2)  Integrity (P1 / P2)  DH Groups (P1 / P2)

    Amazon AWS
    Single Tunnel - AWS Virtual Gateway              V2           8h            1h               10s        30s          aes256 / aes256       sha512 / sha512      21 / 21
    Single Tunnel - AWS Transit Gateway              V2           8h            1h               10s        30s          aes256 / aes256       sha512 / sha512      21 / 21
    Redundant Tunnels - AWS Virtual Private Gateway  V2           8h            1h               10s        30s          aes256 / aes256       sha512 / sha512      21 / 21
    Redundant Tunnels - AWS Transit Gateway          V2           8h            1h               10s        30s          aes256 / aes256       sha512 / sha512      21 / 21

    Google Cloud Platform
    Single Tunnel (1)                                V2           8h            1h               10s        30s          aes256 / aes256       sha512 / sha512      21 / 21
    Redundant Tunnels                                V2           8h            1h               10s        30s          aes256 / aes256       sha512 / sha512      21 / 21

    Microsoft Azure
    Single Tunnel - Azure Virtual Network Gateway    V2           3600s         27000s           10s        45s          aes256 / aes256       sha1 / sha1          2 / 2
    Redundant Tunnels - Virtual Network Gateway      V2           9h            9h               10s        30s          aes256 / aes256       sha1 / sha1          2 / 2
    Redundant Tunnels - Virtual WAN                  V2           8h            1h               10s        30s          aes256 / aes256       sha256 / sha256      14 / 14

    Other tunnel types
    Alibaba Cloud                                    V1           8h            1h               10s        30s          aes256 / aes256       sha1 / sha1          2 / 2
    IBM Cloud                                        V1           8h            1h               10s        30s          aes256 / aes256       sha256 / sha256      21 / 21

    (1) Suggested values. For other supported ciphers, see this Google article.

  10. Click Add Tunnel.