¶ CGW-SIF VM Deployment on Azure
¶ Pre-requisites
- Privileged login and subscription on Azure portal to create VMs, networks, subnets and route tables.
- The recommended machine type and specification for the VM are provided below:
| Azure VM Type |
OS |
CPU |
RAM |
HDD |
|---|---|---|---|---|
| Standard B1s |
or Ubuntu 22.04 |
1 vCPU |
1.0 GB |
Standard with minimum 30GB |
- Network Interfaces: 1 (Same interface for both WAN and LAN)
- Connectivity to Internet
- Connectivity to private resources
- Whitelisting of ports in case Firewall is present on Azure before CGW VM
|
Protocol |
Allow Outgoing Ports |
Allow Incoming Ports |
|---|---|---|
| UDP | 3478-3479, 51800-51850 | None |
| TCP | 8089 | None |
¶ Create a Virtual Machine
- Use privileged credentials and login to Azure portal.
- Check subscription and identify resource group and region to deploy CGW.
- Users can use existing vnet (Virtual Networks)
- Create a VM on Azure
- Navigate to home page and select Virtual machines
- Click on Create and select Azure virtual machine
- Provide details such as Subscription, Resource group, Virtual machine name, Region, Image (Recommended- ubuntu Server 22.04 LTS – x64 Gen2), VM Architecture (x64), Size (As per throughput requirement, but user can use 1 vCPU and 1 GB RAM configuration)
- Select Authentication type as SSH public key. Username and key name can be modified or skipped with default values.
- Click on Review + create
- Select Networking section to validate subnet used for networking
- This interface of VM must provide Internet and private resource connectivity to CGW
- Click on Review + create
- Validate inputs and configuration for CGW VM and click on Create
- Download ssh keys to access CGW later from ssh clients
- VM deployment will start and it will show progress on terminal
- After VM deployment completes, click on Go to resource
- Verify CGW VM is up and running before execution of further processes
- Login to CGW VM using public IP and ssh keys
- Command to do ssh from ssh client :
- On your laptop, navigate to the path where CGW VM key is downloaded (cgw_key.pem)
- Change file permission to 400 (chmod 400 cgw_key.pem)
- ssh -i cgw_key.pem azureuser@<cgw-vm-public-ip-address>
- Public IP of the CGW VM can be fetched from Azure portal (Home -> Virtual machines -> CGW VM -> Overview page)
- Command to do ssh from ssh client :
- Check IP address are matching with the subnets configured during deployment
azureuser@cgw:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:3a:a7:0f:b8 brd ff:ff:ff:ff:ff:ff
inet 10.19.0.4/24 metric 100 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20d:3aff:fea7:fb8/64 scope link
valid_lft forever preferred_lft forever
- After ssh access or login, check WAN/Internet on CGW VM – ping 8.8.8.8 and ping google.com to verify Internet access
- Few times, due to firewall in path, ping may not work. Allow ping to 8.8.8.8, 1.1.1.1 and google.com for CGW WAN IP on firewall.
- If no firewall in path, it is possible that Network Security Group (NSG) is not allowing ping to work. Configure inbound and outbound rules for the CGW VM. Add rule or modify existing rule and include ICMP protocol in allow list for any IP range.
azureuser@cgw:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=13.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=13.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=13.2 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 12.989/13.102/13.162/0.080 ms
azureuser@cgw:~$ ping google.com
PING google.com (142.250.125.100) 56(84) bytes of data.
64 bytes from jh-in-f100.1e100.net (142.250.125.100): icmp_seq=1 ttl=101 time=25.7 ms
64 bytes from jh-in-f100.1e100.net (142.250.125.100): icmp_seq=2 ttl=101 time=25.7 ms
64 bytes from jh-in-f100.1e100.net (142.250.125.100): icmp_seq=3 ttl=101 time=25.8 ms
64 bytes from jh-in-f100.1e100.net (142.250.125.100): icmp_seq=4 ttl=101 time=25.6 ms
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 25.639/25.701/25.795/0.058 ms
- LAN Connectivity check – ping private VM/resource IPs
¶ Create a Cyber Gateway
To create a Single-Interfce Cyber Gateway (CGW-SIF), follow the steps below.
- Navigate to the MSP admin console -> Client Workspace
- Click on Sites in the left menu bar → Add Gateway
- Make sure Single-Interface is selected
- Enter a Name for the cyber gateway, admin email to receive notifications or alerts
- Select User Groups if already created or skip if no there is no additional requirement, admin can add/delete user group association later also.
- Select HA yes, in case high availability is required
- Click Save
¶ Deploy the Cyber Gateway
- Copy the install command for the cyber gateway you just created as shown in the screenshot below
- Paste the install command in the machine's SSH console/terminal
- Press Enter
In case, you are unable to login to machine using SSH to copy and run CGW install command, then we recommend you to run pre-install script mentioned below. You have to type it on console, because copy paste won't work on some direct machine consoles.
bash <(curl -s https://s3-api.speerity.net/cgw/scripts/cgwctl.sh)Please share Workspace and CGW names with us on support@exium.net. We will push installation remotely.
The CyberGateway deployment will start. At this time, you can leave the deployment running unattended. You will receive an email on the admin email that you specified earlier when the deployment is complete. You can also check the status of the cyber gateway in the Exium admin console. When cyber gateway is deployed successfully and connected, you will see a Green Connected Status as in the screenshot below.
Post successful deployment, subnet of the CyberGateway machine's interface will be added as a Trustpath automatically. It will be associated to “workspace” group category, i.e. all the users in workspace will be able to access the resources on that private subnet. You can edit group association any time as per requirement. You may create new user groups and associate them with the trust path.
Once the CyberGateway is deployed successfully and connected, you can start testing the Zero Trust Secure Private Access policies.
Additional trust paths can be added manually. In case additional trust paths have different next hops, then those can also be configured from admin console. In case additional trust path subnets are already accessible via Cybergateway's default gateway then next hop configuration is not required.
You can follow below steps to add additional trust path subnets with or without their next hop.
- Click on Zero-Trust Paths
- Select CyberGateway from drop down list
- Click on Add Trust Path
- Provide Network Destination or private subnet to allow access for remote users
- Provide Next HOP Gateway IP, if it is different from default gateway of CyberGateway machine
Make sure next hop gateway IP is accessible from CyberGateway machine, else route configuration will fail
- Select Allowed User Groups or leave workspace group associated in case whole organization is allowed to access that subnet
- Save the configuration [CGW will pull configuration, and routes will be added after few mins.]
- Additional trust path configuration can be modified later as per requirement or when the next hop changes
Do not add next hop configuration in the default trust path which is created automatically by CyberGateway post deployment.
¶ Uninstall CyberGateway
Uninstall can be done from admin console or using CGW CLI commands
¶ From Admin console
- Navigate to the MSP admin console -> Client Workspace
- Click on Sites → Cyber Gateways in the left menu bar
- Select the CyberGateway you want to uninstall and click on the icon show in screenshot
- It will take around 5 ~10 mins complete uninstallation
¶ On CyberGateway terminal using command line
To uninstall CyberGateway from CyberGateway system directly
- SSH to CyberGateway
- type “sudo -s” to switch to root
- Run following command on terminal to uninstall
cgw uninstall