CGW Deployment on Azure

CGW VM Deployment on Azure

Pre-requisites

  1. Privileged login and subscription on Azure portal to create VMs, networks, subnets and route tables.
  2. OS: Ubuntu 22.04 (Recommended)
  3. CPU: 1 vCPU
  4. RAM: 1 GB
  5. HDD: Standard with size > 30GB
  6. Network Interfaces: 2 (WAN and LAN)
    • WAN on subnet1 – Connectivity to Internet (Default gateway pointing to WAN subnet gateway)
    • LAN on subnet2 – Connectivity to private resources
  7. Allow-listing of ports, in case a firewall sits on Azure in front of the CGW VM:
    • UDP ports 4500 and 500

Create Network

  • Navigate to Home -> Virtual networks

  • To create a new one, click on “Create”

  • Select “Subscription” and “Resource group”
  • Provide “Virtual network name”
  • Select “Region”, where CGW VM is being deployed

  • Click on “IP addresses”
  • Default values will be displayed; the user can modify them if required.
    • A “default” subnet with an IP range will also be created

  • Click on “Review and create”
  • Verify all the details and click on “Create”

  • Virtual network will be created successfully

Create Subnets

  • Navigate to Home -> Virtual networks

  • Select the vnet created in the previous step, or select an existing vnet that has been identified for the CGW deployment.

  • Select “Subnets”
    • A default subnet will be present with an IP address range
    • Click on the plus symbol to create a subnet
    • Provide the name and check the range pre-filled by Azure.
    • Click on Save.

  • The new subnet will be displayed in the subnet list. No route table will be associated with it yet.

VM Creation

  • Use privileged credentials and login to Azure portal.
  • Check subscription and identify resource group and region to deploy CGW.
  • Users can use an existing vnet (Virtual Network), but we recommend creating a new vnet to avoid modifying existing network configurations. (Refer to the Create Network section of this page)
  • Create 2 subnets, one for the WAN and another for the LAN network, e.g. WAN subnet 10.98.1.0/24 (default) and LAN subnet 10.98.2.0/24 (Refer to the Create Subnets section of this page)
  • Create a VM on Azure
    • Navigate to home page and select “Virtual machines”

    • Click on “Create” and select “Azure virtual machine”

    • Provide details such as “Subscription”, “Resource group”, “Virtual machine name”, “Region”, “Image” (Recommended: Ubuntu Server 22.04 LTS – x64 Gen2), “VM Architecture” (x64) and “Size” (as per throughput requirement; a 1 vCPU and 1 GB RAM configuration can be used)
    • Select Authentication type “SSH public key”. The username and key name can be modified or left at their default values.
    • Click on “Review + create”

  • Select the “Networking” section to validate the subnet used for networking
    • This will be the VM’s primary interface, providing WAN/Internet connectivity to CGW
  • Click on “Review + create”

  • Validate inputs and configuration for CGW VM and click on “Create”

  • Download the SSH key, to access CGW later from SSH clients

  • VM deployment will start and its progress will be displayed
  • After the VM deployment completes, click on “Go to resource”

  • Shut down the VM by clicking on the “Stop” button

  • Navigate to Home -> Virtual machines and check the CGW VM state. It must show “Stopped”

  • Select CGW VM, and on “Overview” page, select “Networking”

  • Click on “Attach network interface”

  • Click on “Create and attach network interface”

  • Provide inputs:
    • Check that the subscription, resource group and location/region are the same as those used for the CGW VM
    • Provide a unique network interface “Name”
    • Check the virtual network; make sure it matches the CGW VM’s vnet
    • Select the subnet that was created for the LAN interface (other than the default), e.g. 10.19.1.0/24
    • Select the “Static” option for “Private IP address assignment”
      • Provide the static IP address “10.19.1.251” if the LAN subnet selected or configured is 10.19.1.0/24 (the application by default reserves and uses the ‘.251’ IP address of the LAN subnet)
    • Leave everything else as it is.
    • Create the network interface by clicking on the ‘Create’ button

  • Once the LAN interface is created and attached, it will be displayed in the “Networking” section with the configured static IP address

  • Navigate to Home -> Virtual machines, select the CGW machine and start the VM by clicking on the Start button

  • Verify that the CGW VM is up and running before proceeding with further steps

  • Log in to the CGW VM using its public IP and the SSH key
    • Command to ssh from an SSH client:
      • On your laptop, navigate to the path where the CGW VM key was downloaded (cgw_key.pem)
      • Change the file permissions to 400: chmod 400 cgw_key.pem
      • ssh -i cgw_key.pem azureuser@<cgw-vm-public-ip-address>
      • The public IP of the CGW VM can be found in the Azure portal (Home -> Virtual machines -> CGW VM -> Overview page)

    • Check that the IP addresses match the subnets configured during deployment

    • After logging in over ssh, check WAN/Internet connectivity from the CGW VM – ping 8.8.8.8 and ping google.com to verify Internet access
      • Sometimes, due to a firewall in the path, ping may not work. Allow ping to 8.8.8.8, 1.1.1.1 and google.com from the CGW WAN IP on the firewall.
      • If there is no firewall in the path, it is possible that the Network Security Group (NSG) is not allowing ping. Configure inbound and outbound rules for the CGW VM: add a rule, or modify an existing rule, to include the ICMP protocol in the allow list for any IP range.

    • LAN connectivity check – ping a private VM/resource IP
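
The two checks above (the LAN NIC must hold the reserved .251 address, and each interface on the booted VM must sit in the subnet it was deployed into) are easy to get wrong by hand when the WAN and LAN ranges are chosen freely. The following is an added example written for this page, not code from the CGW guide or the product: it computes the reserved LAN address from the LAN CIDR, flags overlapping WAN/LAN ranges or a LAN subnet too small to contain a .251 host, and then checks constructed `ip -o -4 addr` output from the VM against the plan. The CIDRs are the guide’s examples; the interface names and the `ip` output are constructed for the example.

```python
"""Added example, not part of the CGW guide: sanity-check the two-NIC network
plan for the CGW VM and verify, from `ip -o -4 addr` output on the booted VM,
that each interface landed in the intended WAN or LAN subnet and that the LAN
interface holds the reserved .251 address.  CIDRs are the guide's examples;
interface names and the `ip` output below are constructed."""
import ipaddress
import re

RESERVED_LAN_HOST = 251  # the application reserves the .251 address of the LAN subnet


def reserved_lan_ip(lan_cidr):
    """Return the .251 address of the LAN subnet, e.g. 10.19.1.0/24 -> 10.19.1.251.

    Raises ValueError when the subnet is too small to contain that host (a /25
    or smaller), because the static-IP step cannot then be completed as written."""
    net = ipaddress.ip_network(lan_cidr, strict=True)
    ip = net.network_address + RESERVED_LAN_HOST
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is not a usable host address in {lan_cidr}")
    return str(ip)


def validate_plan(wan_cidr, lan_cidr, lan_static_ip):
    """Return a list of problems with the WAN/LAN plan (empty means consistent)."""
    problems = []
    wan = ipaddress.ip_network(wan_cidr, strict=True)
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    if wan.overlaps(lan):
        problems.append(f"WAN {wan} and LAN {lan} overlap")
    try:
        expected = reserved_lan_ip(lan_cidr)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if lan_static_ip != expected:
        problems.append(f"LAN NIC static IP is {lan_static_ip}, expected {expected}")
    return problems


# One line per address in `ip -o -4 addr` output: "<idx>: <ifname>    inet <addr>/<len> ..."
IP_ADDR_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def interface_addresses(ip_addr_output):
    """Map interface name -> CIDR, skipping the loopback interface."""
    addrs = {}
    for line in ip_addr_output.splitlines():
        match = IP_ADDR_LINE.match(line.strip())
        if match and match.group(1) != "lo":
            addrs[match.group(1)] = match.group(2)
    return addrs


def check_interfaces(ip_addr_output, wan_cidr, lan_cidr):
    """Classify each interface as WAN or LAN by subnet membership.

    Returns (roles, problems): roles maps ifname -> "WAN"/"LAN"; problems lists
    interfaces outside both subnets, a LAN interface without the .251 address,
    and any role with no interface at all."""
    wan = ipaddress.ip_network(wan_cidr)
    lan = ipaddress.ip_network(lan_cidr)
    expected_lan_ip = ipaddress.ip_address(reserved_lan_ip(lan_cidr))
    roles, problems = {}, []
    for name, cidr in interface_addresses(ip_addr_output).items():
        iface = ipaddress.ip_interface(cidr)
        if iface.network == wan:
            roles[name] = "WAN"
        elif iface.network == lan:
            roles[name] = "LAN"
            if iface.ip != expected_lan_ip:
                problems.append(f"{name} has {iface.ip}, expected {expected_lan_ip}")
        else:
            problems.append(f"{name} {cidr} is in neither WAN {wan} nor LAN {lan}")
    for role in ("WAN", "LAN"):
        if role not in roles.values():
            problems.append(f"no interface found in the {role} subnet")
    return roles, problems


# Constructed `ip -o -4 addr` output for a CGW VM built with the guide's example
# subnets (WAN 10.98.1.0/24, LAN 10.98.2.0/24).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.98.1.4/24 metric 100 brd 10.98.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.98.2.251/24 brd 10.98.2.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    WAN, LAN = "10.98.1.0/24", "10.98.2.0/24"
    print("plan problems:", validate_plan(WAN, LAN, reserved_lan_ip(LAN)))
    roles, problems = check_interfaces(SAMPLE_IP_ADDR, WAN, LAN)
    print("roles:", roles)
    print("interface problems:", problems)
```

On a real VM, pipe the output of `ip -o -4 addr` into `check_interfaces` in place of the constructed sample; an interface reported in neither subnet usually means the NIC was attached to the wrong subnet or vnet in the portal step above.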

CGW Installation

  1. Log in to the admin console/workspace (from the partner portal, access the company workspace).
  2. Navigate to the ‘Gateways’ page
  3. Add a Gateway if one is not already created.
    • Configure the name, verification email and phone number.
    • Select Gateway Type “LAN/WAN Interface”
      • Select options: [SIA via Mesh: No, DHCP: No, HA: No, VLAN enabled: No]
      • Provide the subnet (the LAN subnet created during the Azure setup, e.g. 10.19.2.0/24)
      • Click on Save
    • Check for the install command in the ‘Actions’ column. Copy the installation command by clicking on the icon present in that column

Sample command:

sudo apt update; sudo apt install curl -y; bash <(curl -sSL https://clientreleases.s3.us-west-1.amazonaws.com/ngcgw/install/xncgw_install.sh) exi******nd,cgw.7898,6c7e7ca2-****-11ee-b640-5a1b2cf23172,10.19.1.0/24,no,no,no,P,no
  1. Copy and paste the command into the CGW Azure VM ssh console and press Enter.
  2. After successful installation, it will show a manual command to set up CGW:

Note: After successful installation, the CGW VM on Azure will reboot automatically. Log in over ssh again to verify the state of the application.

  1. On the admin console/portal, navigate to the ‘Gateways’ page and check the connection status of CGW. It will show as connected to a Cyber Node.

Secure Private Access (SPA): Outside-In Access

Pre-requisites

  1. Make sure the user is added to, or present on, the workspace/admin console
  2. Make sure the user is part of the admin group (if no other group has been created for testing)
  3. Make sure a trust path is associated with the admin user group

Client connection and SPA testing

  1. Download and configure WireGuard on the user’s laptop
  2. Connect the service and verify that basic internet access and browsing work.
  3. Ping any of the IPs from the trust path subnet 10.98.2.0/24
  4. If any web application is running behind CGW, access it in a browser using its private IP to test and confirm.

Secure Internet Access (SIA): Inside-Out Access

CGW can be configured as the default gateway for resources/VMs on Azure, so that their internet access goes through CGW.

If the user has already created the LAN subnet, its existing configuration can be modified.

Refer to the steps below:

  1. Navigate to Home -> Virtual networks
  2. Select the vnet created for CGW
  3. Select Subnets
    1. Click on the LAN subnet (if not created yet, click on the plus symbol to add a subnet. Use an IP range other than that of the WAN/primary interface, e.g. 10.98.2.0/24)
  4. Navigate to the “Route tables” page
  5. Click on the plus symbol to create a new route table
  6. Select the Subscription, select the resource group used for the CGW VM creation, select the region where the CGW VM is created, and provide a name. Click on “Review and create” and create it.
  7. Click on “Go to resource”
  8. Click on “Routes” in the left panel.
  9. Click on Add to add a new route to the table.
  10. Fill in all the fields:
    • Provide a name
    • Select IP addresses as the Destination type
      • Enter 0.0.0.0/0 for default traffic in Destination IP addresses
    • Select Virtual appliance as the Next hop type
      • Enter the static IP address of the LAN interface that was created and attached to the CGW VM during VM creation/deployment (e.g. 10.98.2.251). Click on Add.
  11. Navigate to Home -> Virtual networks
  12. Select the vnet created for CGW
  13. Select Subnets and click on the LAN subnet
    • In the subnet’s settings, select the route table created above and save.

Note: Azure private VMs in the LAN subnet will now be able to access the internet securely via CGW as their default gateway.
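
The route-table steps above have three details that must agree with the VM creation section: the destination is 0.0.0.0/0, the next hop type is Virtual appliance, and the next-hop address is the CGW LAN NIC’s static .251 address, with the table attached to the LAN subnet only. The following is an added example written for this page, not code from the CGW guide or the product: it validates a user-defined route against those requirements and emits the Azure CLI equivalents of portal steps 4 to 13. The CIDRs and the .251 next hop are the guide’s values; the resource group, vnet, route table and NIC names are placeholders chosen for the example, and the command set is this example’s assumption to be checked against `az network --help`. One command goes beyond the portal steps: Azure discards packets a VM forwards unless IP forwarding is enabled on the NIC that receives them, so the LAN NIC setting is included and marked as such.

```python
"""Added example, not part of the CGW guide: validate the user-defined route
(UDR) that turns the CGW LAN interface into the LAN subnet's default gateway,
and emit Azure CLI equivalents of the portal steps.  CIDRs and the .251 next
hop are the guide's values; resource names (resource group, vnet, route table,
NIC) are placeholders chosen for this example."""
import ipaddress


def validate_default_route(route, wan_cidr, lan_cidr, lan_nic_ip, attached_subnet):
    """Return problems with a UDR given as
    {"address_prefix": ..., "next_hop_type": ..., "next_hop_ip": ...}
    whose route table is attached to `attached_subnet`; [] means it matches the guide."""
    problems = []
    wan = ipaddress.ip_network(wan_cidr)
    lan = ipaddress.ip_network(lan_cidr)
    target = ipaddress.ip_network(attached_subnet)

    if route.get("address_prefix") != "0.0.0.0/0":
        problems.append(f"destination is {route.get('address_prefix')}, expected 0.0.0.0/0")
    if route.get("next_hop_type") != "VirtualAppliance":
        problems.append(f"next hop type is {route.get('next_hop_type')}, expected VirtualAppliance")

    hop = route.get("next_hop_ip")
    if not hop:
        problems.append("next hop IP address is missing")
    else:
        hop_ip = ipaddress.ip_address(hop)
        if hop_ip not in lan:
            problems.append(f"next hop {hop} is outside the LAN subnet {lan}")
        if hop != lan_nic_ip:
            problems.append(f"next hop {hop} differs from the CGW LAN NIC address {lan_nic_ip}")

    if target == wan:
        # A default route via the CGW applied to the CGW's own WAN subnet would send
        # the appliance's outbound traffic back to itself.
        problems.append(f"route table attached to the WAN subnet {wan}; attach it to the LAN subnet only")
    elif target != lan:
        problems.append(f"route table attached to {target}, expected the LAN subnet {lan}")
    return problems


def az_default_route_commands(rg, location, vnet, lan_subnet, route_table, lan_nic, lan_nic_ip):
    """Azure CLI equivalents of portal steps 4-13 (command set assumed by this
    example; check against `az network --help` for your CLI version)."""
    return [
        f"az network route-table create -g {rg} -n {route_table} -l {location}",
        f"az network route-table route create -g {rg} --route-table-name {route_table} "
        f"-n default-via-cgw --address-prefix 0.0.0.0/0 "
        f"--next-hop-type VirtualAppliance --next-hop-ip-address {lan_nic_ip}",
        f"az network vnet subnet update -g {rg} --vnet-name {vnet} -n {lan_subnet} "
        f"--route-table {route_table}",
        # Not among the guide's portal steps: Azure discards packets forwarded by a VM
        # unless IP forwarding is enabled on the NIC that receives them.
        f"az network nic update -g {rg} -n {lan_nic} --ip-forwarding true",
    ]


# Constructed route matching the guide: LAN 10.98.2.0/24, CGW LAN NIC 10.98.2.251.
GUIDE_ROUTE = {"address_prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
               "next_hop_ip": "10.98.2.251"}

if __name__ == "__main__":
    print(validate_default_route(GUIDE_ROUTE, "10.98.1.0/24", "10.98.2.0/24",
                                 "10.98.2.251", "10.98.2.0/24"))
    for cmd in az_default_route_commands("cgw-rg", "westus", "cgw-vnet", "lan",
                                         "cgw-lan-rt", "cgw-lan-nic", "10.98.2.251"):
        print(cmd)
```

Feed `validate_default_route` the values you are about to enter in the portal before clicking Add; a next hop in the WAN range or a table attached to the WAN subnet are the two mistakes that leave LAN VMs without internet access or loop the CGW’s own traffic.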