[Magic WAN] update Azure instructions

mtovino-cloudflare · web-flow · commit a802fe5406a9 · 2024-12-19T11:49:31.000-08:00
This updates the Azure instructions to: 
- use the Active/Active configuration on the Azure Virtual Gateway
- use bidirectional health checks with a custom target equal to the Customer endpoint

These changes are unlocked by the completion of RM-19633.   (The work is done, and shipped, even if the RM is not yet closed)
diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx
@@ -35,7 +35,7 @@ This configuration guide applies to Azure Virtual Network Gateway which includes
 1. Create a Virtual Network Gateway.
 2. Create a new public IP address or use an existing IP. Take note of the public IP address assigned to the Virtual Network Gateway as this will be the **Customer endpoint** for Magic WAN's IPsec tunnels configuration.
 3. Select the resource group and VNET you have already created.
-4. In **Configuration**, disable **Active-active mode** and **Gateway Private IPs**.
+4. In **Configuration**, enable **Active-active mode** and disable **Gateway Private IPs**.
 5. Select **Create**.
 
 :::note
@@ -85,9 +85,13 @@ To configure the Address Space for the Local Network Gateway to support Tunnel H
 
 1. Edit the Local Network Gateway configured in the previous section.
 2. Select **Connections**.
-3. Add the`/31` subnet in CIDR notation (for example, `10.252.3.54/31`) under **Address Space(s)**.
+3. Add the Interface Address of the Magic IPsec Tunnel from the Cloudflare Dashboard in CIDR notation (for example, `10.252.3.55/32`) under **Address Space(s)**.
 4. Select **Save**.
 
+:::note
+The Magic IPsec Tunnel Interface Address should be entered as a `/31` in the Cloudflare Dashboard, but as a `/32` when configuring the Local Network Gateway Address Space(s) in the Azure portal.  
+:::
+
 ### 5. Create an IPsec VPN Connection
 
 Choose the following settings when creating your VPN Connection:
@@ -165,9 +169,11 @@ ICMP (ping/traceroute) will work to remote Magic WAN sites, but is not forwarded
    3. **Cloudflare endpoint**: Use the Cloudflare anycast address you have received from your account team. This will also be the IP address corresponding to the Local Network Gateway in Azure. For example, `162.xxx.xxx.xxx`.
    4. **Health check rate**: Leave the default option (Medium) selected.
    5. **Health check type**: Leave the default option (Reply) selected.
-   6. **Health check direction**: Leave default option.
-   7. **Add pre-shared key later**: Select this option to create a PSK that will be used later in Azure.
-   8. **Replay protection**: **Enable**.
+   6. **Health check direction**: Leave default option (Bidirectional) selected.
+   7. **Health check target**: Select **Custom**.
+   8. **Target address**: Enter the same address that is used in the **Customer endpoint** field.
+   9. **Add pre-shared key later**: Select this option to create a PSK that will be used later in Azure.
+   10. **Replay protection**: **Enable**.
 3. Create static routes for your Azure Virtual Network subnets, specifying the newly created tunnel as the next hop.
 
 ## Validate connectivity and disable Azure Virtual Network Gateway anti-replay protection
@@ -355,20 +361,6 @@ curl --location --request PUT \
 
 6. Leave the replay protection setting checked in the Cloudflare dashboard, and wait several minutes before validating connectivity again.
 
-## Tunnel health checks and Azure
-
-We have identified cases where the IPsec Tunnels configured on the Azure Virtual Network Gateway need to be restarted one time before the tunnel health checks start passing.
-
-### Restart Azure tunnels
-
-1. Open the Virtual Network Gateway.
-2. Go to **Settings** > **Connections**.
-3. Open the properties of the tunnel.
-4. Go to **Help** > **Reset**.
-5. Select **Reset**.
-
-It may take several minutes for the tunnels to reset from the Azure side. Monitor the [tunnel health checks section](/magic-wan/configuration/common-settings/check-tunnel-health-dashboard/) in the Cloudflare dashboard to determine the status.
-
 :::note
 Tunnel Health Check percentages are calculated over a one hour period.
 :::
