You can create a VPN gateway for a tenant so that your VM cloud robots or serverless cloud robots can access your on-premises resources that are behind a firewall.
Prerequisites
To set up the VPN gateway, you must meet the following requirements:
- Have the knowledge or assistance from your network administrator or someone who has a good understanding of VPN and networking concepts.
- Be an organization administrator in Automation Cloud.
- Have the new Admin experience enabled in Automation Cloud.
- Have an Orchestrator role that includes the Machines - Edit permission.
- Each tenant for which you want to create a VPN gateway must have at least 5000 robot units allocated to it.
- Information from your network administrator:
  - A list of reserved IP address ranges located in your on-premises network configuration, in CIDR notation. As part of configuration, you need to specify the IP address range prefixes that we will route to your on-premises location. The subnets of your on-premises network must not overlap with the virtual network subnets to which you want to connect.
  - Use compatible VPN devices and have the ability and know-how to configure them, as described in About VPN devices for connections - Azure VPN Gateway.
  - Your VPN device must use externally-facing, public IPv4 addresses.
  - A pre-shared key (PSK) for each VPN device.
  - You must enter a single IP range, in CIDR notation, with a mask of /25.
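The address-space rules above (a single IPv4 range with a /25 mask for the gateway vnet, and no overlap between the on-premises prefixes, the gateway vnet and the VM pool ranges) are easy to get wrong when the values come from several people. The following script is an added example, not a UiPath tool or part of the Automation Cloud product; it checks a planned set of ranges before they are typed into the Admin UI. All ranges in GOOD_PLAN and BAD_PLAN are constructed sample values, not real networks.

```python
"""Address-space planning check for a tenant VPN gateway (added example).

Checks, from the prerequisites on this page:
  - the gateway vnet address space is one IPv4 range with a /25 mask
  - on-premises ranges, the gateway vnet range and VM pool ranges do not
    overlap each other (overlaps within the same group, e.g. an on-premises
    /16 that summarises an on-premises /24, are not flagged)
"""
import ipaddress
from itertools import combinations

# Constructed sample plans; none of these are real networks.
GOOD_PLAN = {
    "gateway_vnet": "10.20.0.0/25",
    "on_prem": ["192.168.0.0/16", "172.16.10.0/24"],
    "vm_pools": ["10.30.0.0/24"],
}
BAD_PLAN = {
    "gateway_vnet": "192.168.1.0/24",   # wrong mask, and inside the on-premises /16
    "on_prem": ["192.168.0.0/16"],
    "vm_pools": ["192.168.5.0/24"],     # also inside the on-premises /16
}


def parse_spaces(spaces):
    """Parse {label: [cidr, ...]} into (label, network) pairs.

    strict=True rejects ranges with host bits set (e.g. 10.20.0.1/25), which
    usually means the prefix was copied from a host address by mistake.
    """
    parsed, problems = [], []
    for label, cidrs in spaces.items():
        for cidr in cidrs:
            try:
                parsed.append((label, ipaddress.ip_network(cidr, strict=True)))
            except ValueError as exc:
                problems.append(f"{label} {cidr!r} is not a valid CIDR network: {exc}")
    return parsed, problems


def check_gateway_vnet(net):
    """Problems with the 'Address space for VPN gateway vnet' value."""
    problems = []
    if net.version != 4:
        problems.append(f"gateway vnet {net} must be an IPv4 range")
    if net.prefixlen != 25:
        problems.append(f"gateway vnet {net} must use a /25 mask, got /{net.prefixlen}")
    return problems


def find_overlaps(parsed):
    """Every pair of ranges from different groups that overlap."""
    return [
        (la, str(na), lb, str(nb))
        for (la, na), (lb, nb) in combinations(parsed, 2)
        if la != lb and na.overlaps(nb)
    ]


def validate_plan(gateway_vnet, on_prem, vm_pools):
    """Return a list of problems; an empty list means the plan is consistent."""
    spaces = {"on-premises": on_prem, "gateway vnet": [gateway_vnet], "VM pool": vm_pools}
    parsed, problems = parse_spaces(spaces)
    for label, net in parsed:
        if label == "gateway vnet":
            problems.extend(check_gateway_vnet(net))
    problems.extend(f"{la} {a} overlaps {lb} {b}" for la, a, lb, b in find_overlaps(parsed))
    return problems


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        problems = validate_plan(**plan)
        print(f"{name} plan: {'OK' if not problems else f'{len(problems)} problem(s)'}")
        for p in problems:
            print("  -", p)
```

Run it after collecting the ranges from your network administrator and before Step 1; a non-empty result means the gateway either cannot be created (wrong mask) or will route traffic ambiguously (overlap). The VM pool ranges are included because Step 1 warns that the gateway vnet must also not overlap them, even though they are defined later.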
Step 1. Create the VPN Gateway
To create a VPN gateway for a tenant:
- In Automation Cloud, go to Admin.
  If not already enabled, enable the new Admin experience using the toggle from the header.
- In the Tenants panel on the left, click the tenant for which you want to create a VPN gateway.
  The settings page for the selected tenant opens.
- Click the VPN Gateway tile.
- Click Create gateway for Tenant.
  The Create gateway panel opens at the right of the page.
- In the Name field, type a name for the gateway, as you want it to be displayed in the tenant's VPN Gateway page.
- In the Address space for VPN gateway vnet field, add the IP addresses you obtained from your network administrator.
  This should be an IP address range that your network administrator reserved for this virtual network. Also, it must not overlap with the IP ranges representing the on-premises network or the IP ranges for the VM pool (defined later).
- (Optional) If you want to use a DNS for this connection, click Add DNS Address and then:
  a. In the DNS Address field, add a DNS address.
  b. To add additional DNS addresses, click Add more to add another field and then add the address to that field.
  You can add DNS addresses later, after the VPN gateway is created, but that requires that you restart all VMs that are connected to the gateway.
- Click Create at the bottom of the panel to create the VPN gateway connection.
  If the current tenant does not have at least 5000 robot units allocated to it, you cannot create the gateway.
The panel closes and the VPN gateway status is Provisioning. Deploying the gateway can take up to 45 minutes to complete.
When complete, the status Deployed is displayed on the card of the gateway.
If the status is Failed, delete the gateway and re-create it by following the above instructions.
Step 2. Create cloud robot templates
The VPN gateway must show the Deployed status before you can perform this step.
The Vnet for a cloud robot template is created when each template is created.
Cloud robots - VM: In Orchestrator, create one or more Cloud robot - VM pools, following the instructions in Creating the cloud robot pool. During setup, make sure to select the Connect VPN Gateway option.
For each pool, you can monitor the VPN status from the Machines > Manage Cloud Robot - VM page.
Existing Cloud robot - VM pools cannot connect to the VPN gateway. You must create new ones.
Additionally, for pools that were set up to connect to the tenant's VPN gateway, you have the option to edit the pool and switch off the Enable VPN Integration toggle to disconnect the pool. Once disconnected, you cannot reconnect the pool to the VPN gateway.
Cloud robots - serverless: In Orchestrator, edit or create Cloud robot - Serverless templates, following the instructions in Automation Cloud™ robots - Serverless. During setup, make sure to configure options on the VPN Setup page.
Step 3. Create the site-to-site connection
To configure the VPN gateway to connect to a VPN device:
- In Automation Cloud, go to Admin > Tenant > VPN Gateway.
- On the tile for the gateway, click Add connection.
  The Create connection panel opens at the right of the page.
- Fill in the fields with the details for the VPN device.
  The IP ranges represent the on-premises network.
- Click Create at the bottom of the panel to add the connection.
The panel closes and the new connection is displayed on the Connections page.
The connection is ready to use when the Connection status column displays Connected.
If the connection status is Connection failed, you must delete the connection ( > Delete) and create it again.
To add more connections, on the Connections page, click Create connection above the table, on the right.
You can add up to 25 connections.
Step 4. Set up VPN devices
Your network administrator can now:
- Set up your VPN device from your on-premises network.
  The PSK must match the one specified for the connection created in step 3.
- Add the address spaces used to configure the VPN gateway and the Vnets for cloud robot templates to the allow list of your network.
For a list of supported VPN devices and for RouteBased configuration instructions, see About VPN devices for connections - Azure VPN Gateway in the Microsoft documentation.
Frequently asked questions
Data residency
The VPN gateway for a tenant is automatically created in the same region as the tenant, and you cannot change the region.
Switching to a different region
If a VPN gateway already exists and you chose to move your tenant to a different region, you can either:
- continue to use the gateway in the old region or
- delete the existing VPN gateway and create a new one, which is created in the current region of the tenant.
Data retention
If you disable a tenant that has a VPN gateway, you have a 60-day grace period before you lose access to your VPN device. After 60 days, your VPN gateway is permanently deleted from your tenants.
If you re-enable the tenant within 60 days, your VPN gateway is not deleted and remains available for use.
License expiration
If you no longer have the required robot units, you have a 60-day grace period before you lose access to your VPN device. After 60 days, your VPN gateway is permanently deleted from your tenants.