Securing Microsoft Azure with iboss SaaS Network Security

iboss and Microsoft Azure Working Together to Enable Secured Virtual Hubs


The iboss cloud secures Internet access on any device, from any location, in the cloud. iboss SaaS Network Security in Azure provides in-the-cloud security for Internet-bound traffic from Azure with gateways optimally located in Azure. Traffic receives best-of-breed internet protection, including compliance, web filtering, SSL inspection, file and stream-based security, malware defense, and data loss prevention. The Azure traffic is secured in Azure, with centralized security policies and instant scaling as bandwidth grows.


Azure SaaS Network Security Prerequisites

  • An active iboss cloud account
  • Communicate to iboss operations the expected Azure regions where hubs will be connected to iboss and the number of iboss gateways expected in each region.
  • Verify or set the cluster settings to not sync ‘Tunnels’ and ‘Networks’ on the iboss platform.
  • An Azure Virtual WAN subscription
  • An Azure virtual hub with iboss selected as the Security Partner Provider
  • A VPN site configured for the virtual hub

For more information, see the Microsoft Azure Virtual WAN documentation here.


Configuring Microsoft Azure SaaS Network Security

iboss/Azure API configuration

To integrate the Microsoft Azure account and settings with iboss, a valid Subscription ID, Client ID, Key, and Tenant ID are required.

From the iboss cloud admin console, click Integrations > Microsoft.

Enable Azure.

To obtain the Subscription ID:

  1. Log in to
  2. Obtain the Subscription ID by clicking All services > General > Subscriptions.
  3. Copy the Subscription ID of the Azure role that you will register to the iboss application.
  4. Paste this in the Subscription ID field on the iboss cloud Azure integration page.

To obtain the Application (Client) ID:

  1. From the left navigation pane, click Azure Active Directory.
  2. Then click App registrations in the pane that appears to the right.
  3. Click + New registration and register a new application by providing a name and clicking Register.
  4. Copy the Application (Client) ID for the newly created application.
  5. Paste this in the Client ID field on the iboss cloud Azure integration page.

Note: You must add a role assignment to the application.

To add a role assignment:

  1. From the left navigation pane, click Subscriptions.
  2. Click the subscription name.
  3. Click Access control (IAM) from the navigation pane.
  4. Click + Add, then Add role assignment.
  5. Select a role and apply it to the newly created application.
  6. Save the role assignment.
New Client Secret
  1. Once added, be sure to copy the Key immediately, as it will not be accessible after leaving the page.
  2. Paste this in the Key field on the iboss cloud Azure integration page.

To obtain the Tenant ID:

  1. From the left navigation pane, click Azure Active Directory.
  2. Copy the Tenant ID, found in the Overview.
  3. Paste this in the Tenant ID field on the iboss cloud Azure integration page.

From the iboss cloud Azure integration page, click Test Azure Settings, then Save.


iboss/Azure networking configuration

To complete the tunnel connection from Azure to an iboss gateway, you need to associate specific Azure hubs to the iboss cloud gateways.

  1. In the iboss cloud GUI, select Locations & Geomapping.
  2. Click a geographic region (in this example, Canada) to define a new zone.
  3. Set the Enable Azure Virtual WAN toggle to YES to get a list of Azure Virtual Hubs (you may need to Sync Virtual Hub if the pull-down is blank).
  4. Select the virtual hub name deployed in Azure.
  5. Then select Add New PAC Zone.

Tunnels will now be provisioned from the new VM to connect to the selected virtual hub. This process can take up to an hour.

Once the process is complete, new nodes will be visible from the Node Collection Management page on the iboss cloud. These new nodes will show Microsoft Azure as the deployment type.

In the Azure portal, the new Secured connectivity status can be viewed under Firewall Manager > Secured virtual hubs.

To be able to route traffic appropriately, local subnets need to be added to the gateway of interest for each of the two IPsec tunnels that were generated automatically.

To create a local subnet, click Network, then Local Subnets.

Then click +New Local Subnet/IP Range.

In the pop-up, enter the IPv4 Address, IPv4 Subnet, and Network Tunnel.

The Network Tunnel is one of the two names of the tunnels seen in the IPsec Tunnels page found on the iboss cloud. The IPv4 Address and IPv4 Subnet can be determined from the VM or VNET connected to the hub.

Repeat the same procedure for the second IPsec tunnel. The resulting configuration can be reviewed for both local subnets.
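
A check for the local-subnet step above, as an added example rather than iboss or Microsoft code: it verifies that every VNet prefix behind the hub is entered for both IPsec tunnels and that each address/subnet pair forms a valid network. The tunnel names, prefixes and entry layout are constructed for illustration; the page does not say whether the IPv4 Subnet field takes a dotted mask or a prefix length, so the code accepts either.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the iboss console).
TUNNELS = ("azure-hub-tunnel-1", "azure-hub-tunnel-2")
VNET_PREFIXES = ["10.1.0.0/16", "10.2.0.0/24"]
ENTRIES = [  # (IPv4 Address, IPv4 Subnet, Network Tunnel) as typed into the form
    ("10.1.0.0", "255.255.0.0", "azure-hub-tunnel-1"),
    ("10.1.0.0", "255.255.0.0", "azure-hub-tunnel-2"),
    ("10.2.0.0", "255.255.255.0", "azure-hub-tunnel-1"),
    ("10.2.0.7", "255.255.255.0", "azure-hub-tunnel-2"),  # host bits set
]


def check_local_subnets(entries, vnet_prefixes, tunnels):
    """Return findings for local-subnet entries; an empty list means consistent."""
    findings = []
    covered = {name: [] for name in tunnels}

    # Pass 1: each entry must be a valid network and name a known tunnel.
    for addr, subnet, tunnel in entries:
        try:
            net = ipaddress.IPv4Network(f"{addr}/{subnet}", strict=True)
        except ValueError as exc:
            findings.append(f"invalid entry {addr}/{subnet} on {tunnel}: {exc}")
            continue
        if tunnel not in covered:
            findings.append(f"{net} references unknown tunnel {tunnel}")
            continue
        covered[tunnel].append(net)

    # Pass 2: every VNet prefix must be covered on each of the two tunnels,
    # otherwise traffic for that prefix cannot be routed via that tunnel.
    for prefix in vnet_prefixes:
        vnet = ipaddress.IPv4Network(prefix)
        for tunnel in tunnels:
            if not any(vnet.subnet_of(net) for net in covered[tunnel]):
                findings.append(f"{vnet} has no local subnet on {tunnel}")
    return findings


if __name__ == "__main__":
    for finding in check_local_subnets(ENTRIES, VNET_PREFIXES, TUNNELS):
        print(finding)
```

With the sample data the check reports the malformed fourth entry and, as a consequence, the missing coverage for 10.2.0.0/24 on the second tunnel.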

Once the local subnets have been created, Microsoft Azure SaaS Network Security is now configured with the iboss cloud.