A couple of days ago I got a Ubiquiti UniFi Dream Machine, which is an all-in-one device with an access point, a 4-port switch, and a security gateway. After the basic setup, I wanted to connect the USG built into my Ubiquiti UniFi Dream Machine to an Azure VPN Gateway (Azure Virtual Network Gateway) using a site-to-site VPN. In this blog post, I am going to show you how you can create a site-to-site (S2S) VPN connection from your Ubiquiti UniFi Dream Machine to an Azure Virtual Network Gateway.
Azure Virtual Network Gateway and Connection
I already have a virtual network in Azure with the address space 10.166.0.0/16, and I also deployed the Azure Virtual Network Gateway connected to that vNet. The next thing I did was to add a connection to the gateway.
You need the following:
- Name for the connection
- Set Connection type to Site-to-site (IPSec)
- Create a local network gateway (basically the configuration of your local VPN gateway: its public IP address and the address prefixes behind it)
- Define a shared secret
Configure Ubiquiti UniFi Dream Machine VPN connection
Now you can switch to your UniFi Dream Machine, which has a UniFi USG integrated. Under Settings go to Networks and click on Create New Network.
Here you configure the following:
- Name of your VPN connection
- VPN Type: Manual IPSec
- Remote Subnets: the Azure vNet address space (in my case 10.166.0.0/16)
- Peer IP: the public IP address of the Azure virtual network gateway
- Local WAN IP
- Pre-shared key (the shared secret defined on the Azure connection)
- IPSec Profile: Customized
- Key Exchange Version: IKEv2
- Encryption: AES-256
- Hash: SHA1
- DH Group: 2
After that, the VPN will connect, and the status of your Azure virtual network gateway connection will change to Connected.
You can now reach your Azure virtual machine using the private IP address range.
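The Azure side of the steps above (local network gateway, shared secret, connection) can also be scripted with Azure PowerShell, which is useful when the Dream Machine's IPSec profile has to match the gateway exactly. The following is an added example, not code from the original post, using the Az module cmdlets New-AzLocalNetworkGateway, New-AzIpsecPolicy and New-AzVirtualNetworkGatewayConnection. It assumes the vNet and the virtual network gateway already exist; the resource group, region, gateway name, WAN IP and LAN subnet are placeholders, and the assumption that the Dream Machine's phase 2 (ESP) settings mirror its IKE settings with PFS group 2 is marked in the code.

```powershell
# Added example (not from the original post): build the Azure side of the S2S
# connection and pin the IPsec/IKE policy to the Dream Machine profile from the
# post (IKEv2, AES-256, SHA1, DH group 2). All names and addresses are placeholders.

$rg        = 'rg-vpn-lab'        # placeholder resource group
$location  = 'westeurope'        # placeholder region
$vnetGw    = 'vnetgw-lab'        # placeholder: existing virtual network gateway
$onPremIp  = '203.0.113.10'      # placeholder: WAN IP of the Dream Machine (TEST-NET-3)
$onPremNet = '192.168.1.0/24'    # placeholder: LAN subnet behind the Dream Machine

# Read the pre-shared key interactively so it never sits in the script or shell history
$securePsk = Read-Host -AsSecureString 'Pre-shared key'
$plainPsk  = [System.Net.NetworkCredential]::new('', $securePsk).Password

Connect-AzAccount | Out-Null

# Local network gateway = Azure's description of the on-premises side
$lng = New-AzLocalNetworkGateway -Name 'lng-dreammachine' -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress $onPremIp -AddressPrefix $onPremNet

$gw = Get-AzVirtualNetworkGateway -Name $vnetGw -ResourceGroupName $rg

# IKE settings match the post. ESP/phase 2 mirroring them with PFS group 2 is an
# assumption; adjust if the UDM profile differs. SHA1 and DH group 2 are at the
# weak end of what Azure accepts; SHA256 with DH group 14 is preferable if the
# Dream Machine profile allows it.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS2 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$conn = New-AzVirtualNetworkGatewayConnection -Name 'conn-dreammachine' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $plainPsk `
    -IpsecPolicies $policy

# Poll until the tunnel is up: this is the "status changes to Connected" step of the post
do {
    Start-Sleep -Seconds 30
    $status = (Get-AzVirtualNetworkGatewayConnection -Name $conn.Name -ResourceGroupName $rg).ConnectionStatus
    Write-Host "Connection status: $status"
} while ($status -ne 'Connected')
```

Pinning an explicit IPsec policy on the connection removes the guesswork from the Dream Machine's "Customized" profile: if the two sides disagree on a cipher, hash or DH group, the connection stays in NotConnected and the mismatch is the first thing to check.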
I hope this was helpful and showed you how you can connect a Ubiquiti UniFi Dream Machine (USG) to an Azure Virtual Network using a site-to-site VPN connection. If you want to learn more about Azure Virtual Network Gateways, check out the following documentation:
- What is VPN Gateway?
- Tutorial: Create and manage a VPN gateway using PowerShell
- Tutorial: Create and manage S2S VPN connections using PowerShell
- About Point-to-Site VPN routing
If you want to know more about point-to-site VPN connections to Azure, check out my blog posts:
- How to set up Windows Server Azure Network Adapter
- OpenVPN support in Azure VPN gateways
- Create Azure P2S VPN with Azure AD authentication
If you have any questions, feel free to leave a comment.
Tags: Azure, Azure VPN, configure, connect, Connection, Dream Machine, Firewall, Gateway, Microsoft, Microsoft Azure, Network, UniFi, Ubiquiti, USG, Virtual Network, VPN, VPN Gateway
Last modified: March 17, 2020
Hello Thomas, first of all I want to thank you for your valuable posts about Azure. Now I wanted to rebuild your post "Configure Ubiquiti UniFi Dream Machine VPN connection" for my lab. I have a Swisscom Internet Box with a UniFi Security Gateway behind it and cannot get a connection to Azure established. I pointed the DMZ function of the Swisscom box at the UniFi firewall and opened the ports UDP 500, 4500 and ESP (protocol 50). Without success. I have read that NAT doesn't work with Azure P2S. What does your setup look like? Did you perhaps connect your "Dream Machine" directly to the internet?
Many thanks in advance for an answer
Regards, Horst Fichter
Hello Horst
Yes, exactly, I use my Dream Machine as the router and gateway to the internet. My UPC box is in bridge mode and everything else is handled by the Dream Machine.
And many thanks for your feedback :)
Hello Thomas,
do you perhaps know off the top of your head what data throughput the UDM-Pro achieves to Azure, or could you test it for me?
We are also about to buy a UDM-Pro, but unfortunately we can't find anything online about the throughput between the UDM-Pro and Azure.
Thanks :)
Regards, Cuong Vu
Hello Cuong Vu
Have you seen the Microsoft Docs on the gateway SKUs: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways?WT.mc_id=thomasmaurer-blog-thmaure#gwsku
As far as I know, the UDM with threat protection etc. reaches about 800 Mbps of internet throughput (seen in a YouTube video).
Regards, Thomas
Hello Cuong Vu,
with the UDM you get about 800 Mbps.
Regards, Klaus
Hello Thomas,
Thank you for the post. I have been attempting the same but was not able to ping VMs in Azure.
I established a connection and it says connected both on Azure and on the USG.
However, I am getting "request timed out" when pinging a VM located in a subnet in the same VNet as the Virtual Gateway Subnet.
Did you have to change any firewall rules whether on USG or Azure side?
Thanks for this helpful article. Keep Posting
I have this all configured and I can ping and everything is fine for an hour. The VPN drops every hour, which would make sense if this was a policy based VPN that only has a phase 2 lifetime of 3600 seconds, but I am configured as IKE v2 route based.
Any ideas?
Hello Thomas,
How exactly do you put your Swisscom router in bridged mode? I cannot find this option on the device by Swisscom that we are currently working with.
Regards,
Deyan
Haven't tried it with the Swisscom router; back in the day I still had UPC.
It looks like Swisscom doesn’t offer a bridge mode in the Internet box 3 (https://community.swisscom.ch/t5/Router-Hardware/Internet-Box-3-Bridge-Mode/td-p/673802)
Hello Thomas, thanks for this helpful article. But I have trouble with setting up 2 ISPs to the same subnet on Azure. Failed saving network "Azure2": This IP/subnet overlaps with a remote subnet "XXX.XXX.XXX.XXX/24" defined in VPN "Azure1".
Hi
I have just learnt that Terraform has added support for connecting UniFi networks to Azure VPN. That should make life simpler.