As a self confessed Ubiquiti fanboy that wants to learn the Microsoft Azure platform (just well, because), it made sense to attempt to create a Site-to-Site (AKA Site-to-Cloud) VPN connection between my Ubiquiti UniFi USG and my Azure Cloud. The following tutorial shows the steps that worked for me.
First off, versions and assumptions, at the time of writing I was using:
Ubiquiti UniFi USG Firmware Version: 188.8.131.5252168
Ubiquiti UniFi Controller Version: 5.6.29
Stage 1: Azure Preparation
Create Virtual Network Gateway
In order to connect our USG to our Azure space, we need a destination within Azure in the form of a Virtual Network. Assuming this is already done, we now need to create a Virtual Network Gateway for our VPN connectionr, to create one, perform the following steps:
Click on the burger menu in the top left
In the search box of the New pane that appears, type Virtual Network Gateway, then press enter
At the top of the list should be an option for Virtual Network Gateway, click it and in the new pane that appears, click Create (bottom of the screen):
On the Create Virtual Network Gateway form, all of the options should stay as default but except for the following:
Virtual Network: select the one you want to connect to.
Public IP Address: you may need to create a new one, this is a defined service from Azure to provide a public IP address for your Cloud estate.
Subscription: how you want to pay for the services.
Location: Physical hosting location for your services around the VPN connection.
Create Local Network Gateway
In the search box of the New pane that appears, type Local Network Gateway, then press enter
Click Create in the page that appears
The IP Address is the public IP address of your UniFi USG unit
The Address Space is a usable range of IPs on your local network (the network serviced by he UniFi USG), I use this CIDR calculator to easily define a small range of numbers in the upper range of my local submit, for example: 192.168.12.180/30 gives me four addresses.
In the search box of the New pane that appears, type Connection, then press enter
Click on Connection in the results:
Click Create at the bottom of the Connection pane
In the form that appears, user the following options (choosing your own subscription, resource group and Location):
Stage 2: Ubiquiti UniFi Setup
Create Virtual Network Gateway
Click Create New Network
Give the Network a useful name
For the Purpose property, select Site-to-Site VPN
Select Manual IPsec has the VPN Type
Under Remote Subnets, click Add Subnet and enter the same local subnet you defined earlier in the Create Local Network Gateway section (example: 192.168.12.180/30)
In Peer IP enter the public IP address from Azure
In Local WAN IP enter the IP address on the public interface of your UniFi USG
In Pre-Shared Key enter the key we defined earlier in the Create Connection section
Under the IPsec Profile select Azure dynamic routing
Click to expand Advanced Options
Uncheck both PFS and Dynamic Routing
Verifying the Connection Status
Viewing the Connection Status on Azure
Once everything is setup, the VPN connection should initiate automatically, to verify, you can view the connection status in the Microsoft Azure portal. To do this:
Go to your Dashboard
Click the Connection we made earlier
Make sure you are on the Overview tab
Wait a short while and you should see something like the following:
Viewing the Connection Status on Ubiquiti UniFi USG
Unfortunately at the time of writing their appears to be a bug with the Ubiquiti Controllers reporting of Site-to-Site VPN connections because despite having the VPN connection to Azure established, the Ubiquiti Controller Dashboard shows no Active Tunnels and zero packets in either direction.
I can confirm the my standard client-to-site connection shows up on the Dashboard so the issue is specific to site-to-site VPNs.
If you do want to verify on the USG that the VPN tunnel is up, you can do so via the command line:
SSH in to the USG device directly (not in to the controller)
Type the following command:
show vpn ipsec sa
You should get a result similar to the following:
peer-184.108.40.206-tunnel-0: #1, ESTABLISHED, IKEv2, 0d1dh838jd29d39:39483jdhudsu3fd
local ‘220.127.116.11’ @ 18.104.22.168
remote ‘22.214.171.124’ @ 126.96.36.199