Aruba EdgeConnect SD-WAN
Cloudflare partners with Aruba’s EdgeConnect SD-WAN solution to provide users with an integrated solution. The EdgeConnect appliances manage subnets associated with branch offices or retail locations. Anycast tunnels are set up between the EdgeConnect appliances and Cloudflare to securely route traffic.
This tutorial describes how to configure the EdgeConnect device for both east-west (branch to branch) and north-south (Internet-bound) use cases.
Prerequisites
Before setting up a connection between EdgeConnect and Cloudflare, you must have:
- A contract that includes Magic WAN and Secure Web Gateway.
- Received two Cloudflare GRE endpoints (Anycast IP address).
- Determined a private static /31 IP pair to use with each GRE tunnel. The /31 pairs should be from a different private subnet, separate from the private subnets used behind each EdgeConnect appliance.
- The EdgeConnect devices used in this tutorial and on v9.0.
Example scenario
For the purpose of this tutorial, the integration will refer to a scenario with two branch offices, each with distinct subnets.
There are 2 branch offices each with distinct subnets.
- The east branch office has a 10.3.0.0/16 network with an EdgeConnect terminating the Anycast GRE tunnel.
- The west branch office has a 10.30.0.0/16 network with an EdgeConnect terminating the Anycast GRE tunnel.
Below are examples of the east_branch deployment on the Orchestrator.
The Deployment screenshot displays several different IP addresses and interfaces. From left to right:
- Next Hop 10.3.0.1 - Our example uses Google Cloud. This IP defines the default gateway IP for the subnet and is built into GCP.
- IP/Mask (LAN) 10.3.0.2/24 - This defines the LAN0 interface IP of the EdgeConnect appliance
- IP/Mask (WAN) 10.2.0.2/24 - This defines the WAN0 interface IP of the EdgeConnect appliance
- Next Hop 10.2.0.1 - Our example uses Google Cloud. This IP defines the default gateway IP for the subnet and is built into GCP.
1. Define a common site on the Orchestrator
For all EdgeConnect devices using Cloudflare, modify the devices to put them on the same site. This disables automatic IPSec tunnel creation between the EdgeConnect devices using the same labels for the WAN interfaces in use.
2. Configure overlay policies
We use Aruba Orchestrator’s Business Intent Overlays to create intuitive policies which automatically identify and steer application traffic to Cloudflare. Two Business Intent Overlay (BIO) policies are created in this example.
Cloudflare’s tunnel health checks are ping reply packets encapsulated in GRE packets. The source IP is the Edgeconnect WAN interface used to establish a tunnel, and the destination IP is Cloudflare servers. These packets need to be sent directly from the WAN interface and not through the established tunnels.
To create the overlay policy:
- Create a compound application, which is a combination of all Cloudflare public IPs and ICMP packets.
Create a breakout Business Intent Overlay (BIO) to bypass the GRE tunnel as the first policy and use this newly created application as the match criteria.
Define at least one additional overlay policy and the traffic you want to send to Cloudflare over the GRE tunnels.
The service name used to send traffic through the tunnel created in the next step is Cloudflare_GRE. The example uses Match Everything to send all other traffic through the established tunnel (both private east-west traffic & Internet bound north-south traffic through Cloudflare’s Secure Web Gateway).
3. Create tunnels on Cloudflare and EdgeConnect
- Create a tunnel on the EdgeConnect using Cloudflare’s assigned public Anycast IP and the service used in the overlay policy in the previous step .
- Create a Virtual Tunnel Interface (VTI) using the private IP pair shared with CF GRE tunnel endpoint and the passthrough tunnel to match the newly created tunnel alias (CF_GRE_east in our example).
- Define a GRE tunnel on the Cloudflare dashboard using the EdgeConnect appliance’s public IP and the private IP pair /31 shared with the appliance.
4. Create static routes on Cloudflare and EdgeConnect
Define static routes on the Cloudflare dashboard for the LAN subnet(s) attached to the EdgeConnect appliance. Use the private IP pair for the EdgeConnect tunnel endpoint.
In the example below, the traffic to subnet 10.3.0.0/16 attached to the east_branch EdgeConnect appliance has a next hop of 10.40.8.10.
Define static routes on the Orchestrator so Cloudflare can route traffic between sites.
In the example below, we create a route for the subnet 10.30.0.0/24 on the west_branch to be routed via the established GRE tunnel between the EdgeConnect appliance and Cloudflare.
5. Validate traffic flow
Validate Secure Web Gateway
To validate traffic flow from the local subnet through Cloudflare’s Secure Web Gateway, perform a curl as show in the example below.
You can validate the request went through Gateway with the presence of the Cf-Team response header, or by looking at the logs in the dashboard under Logs > Gateway > HTTP.
Validate east-west traffic
To validate east-west traffic flow, perform a traceroute as shown in the example.
The example shows a client in GCP East (10.3.0.3), which can ping the private IP of a client in GCP West (10.30.0.4).
The traceroute shows the path going from the client (10.3.0.3)
→ to the GCP East lan0 IP on the EdgeConnect (10.3.0.2)
→ to the Cloudflare private GRE endpoint IP (10.4.8.11)
→ to the GCP West lan0 IP on the West EdgeConnect (10.30.0.3)
→ to the GCP West client (10.30.0.4).
This validates the east-west traffic flow through Cloudflare Magic WAN.
6. Cloudflare policies
At this point, the GRE tunnels should be connected from the EdgeConnect appliances to Cloudflare’s edge, and traffic is scoped to route over the tunnels using the EdgeConnect Business Intent Overlays.
To begin filtering traffic and gathering analytics, refer to the Magic Firewall documentation to learn how to create filters for east-west inter-branch traffic and the Secure Web Gateway documentation to learn how to configure Gateway policies if you decide to send traffic from your local private subnets to the Internet through Cloudflare Gateway.