src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx
7 additions & 11 deletions
@@ -95,23 +95,19 @@ A single Cloudflare anycast address must be used in both Active/Active and Activ
95
95
96
96
### 2. Configure Local Network Gateway for Magic IPsec tunnel health checks
97
97
98
-
Magic WAN uses [Tunnel Health Checks](/magic-wan/reference/tunnel-health-checks/) to ensure the tunnel is available.
98
+
Magic WAN uses [Tunnel Health Checks](/magic-wan/reference/tunnel-health-checks/) to monitor whether a tunnel is available.
99
99
100
-
Tunnel health checks make use of ICMP probes sent from the Cloudflare side of the Magic IPsec tunnel to the remote endpoint (Azure).
100
+
Tunnel health checks make use of ICMP probes sent from the Cloudflare side of the Magic IPsec tunnel to the remote endpoint (Azure). Probes are sent from the tunnel's interface address, which you specify in two places:
101
101
102
-
There is an important distinction between how to configure Cloudflare and Azure to support the health checks:
103
-
104
-
- Magic IPsec Tunnel configuration settings requires specifying a discrete IP address (`/31` netmask recommended)
105
-
- Azure Local Network Gateway settings require specifying the Cloudflare Magic WAN Interface Addresss in CIDR notation using a `/32` netmask
102
+
1.**Cloudflare Dashboard:** In your Magic IPsec tunnel configuration as the address of the virtual tunnel interface (VTI) (so that Cloudflare knows what address to send probes from). _Cloudflare requires this address in CIDR notation with a `/31` netmask._
103
+
2.**Azure Portal:** In your VPN site's address space (so that Azure routes probe responses back over the tunnel). _Azure requires this address in CIDR notation with a `/32` netmask._
106
104
107
105
Cloudflare recommends customers select a unique `/31` subnet ([RFC 1918 - Address Allocation for Private Internets](https://datatracker.ietf.org/doc/html/rfc1918)) for each IPsec tunnel which is treated as a Point-to-Point Link and provides the ideal addressing scheme to satisfy both requirements.
108
106
109
107
Example:
110
-
111
-
```txt
112
-
10.252.3.55/32 - Define as the subnet (in CIDR notation) in Azure Local Network Gateway in the Azure Portal.
113
-
10.252.3.55/31 - Define as the discrete IP Address assigned to the Interface Address (VTI - Virtual Tunnel Interface) of the Magic IPsec Tunnel in the Cloudflare Dashboard (see Configure Magic WAN below).
114
-
```
108
+
- Select 169.254.251.137/31 as your unique point-to-point link subnet.
109
+
- In the Cloudflare dashboard, set 169.254.251.137/31 as your tunnel's **IPv4 Interface address**. (See Configure Magic WAN below.)
110
+
- In the Azure portal, add 169.254.251.137/32 to your Local Network Gateway's **Address space**.
115
111
116
112
:::note
117
113
It is important to ensure the subnet selected for the Interface Address does not overlap with any other subnet.
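Review bot: The new example bullets use 169.254.251.137/31, which is a link-local address, while the unchanged sentence just above them still tells customers to pick a `/31` from RFC 1918 space, so the example no longer matches the guidance it illustrates. Either use an RFC 1918 address in the example or update the recommendation sentence to say which ranges are acceptable. In the first bullet, "Select 169.254.251.137/31 as your unique point-to-point link subnet" also names a host address rather than the subnet: the `/31` that contains .137 is 169.254.251.136/31, and the `:::note` about non-overlap applies to that whole pair, so consider naming the subnet first and then the interface address chosen from it. Lastly, the numbered list changes the removed "`/31` netmask recommended" into "Cloudflare requires this address in CIDR notation with a `/31` netmask" while the following paragraph still says "Cloudflare recommends"; please confirm which is correct and make the two agree.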