title | description | author | ms.author | manager | ms.topic | ms.date | ms.service |
---|---|---|---|---|---|---|---|
How to add device links to remote networks |
Learn how to add and delete customer premises equipment device links to remote networks for Global Secure Access (preview). |
kenwith |
kenwith |
amycolannino |
how-to |
03/22/2024 |
global-secure-access |
Customer premises equipment, such as routers, are added to the remote network. You can create device links when you create a new remote network or add them after the remote network is created. This article explains how to add and delete device links for remote networks for Global Secure Access.
To configure remote networks, you must have:
- A Global Secure Access Administrator role in Microsoft Entra ID.
- Created a remote network.
- The preview requires a Microsoft Entra ID P1 license. If needed, you can purchase licenses or get trial licenses.
You can add a device link from the Microsoft Entra admin center or using the Microsoft Graph API.
You can add a device link to a remote network at any time.
-
Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
-
Browse to Global Secure Access (preview) > Devices > Remote network.
-
Select a remote network from the list.
-
Select Links from the menu.
-
Select the + Add a link button.
There are several details to enter on the General tab. Pay close attention to the Peer and Local Border Gateway Protocol (BGP) addresses. The peer and local details are reversed, depending on where the configuration is completed.
- Enter the following details.
- Link name: Name of your Customer Premises Equipment (CPE).
- Device type: Choose a device option from the dropdown list.
- IP address: Public IP address of your device.
- Peer BGP address: Enter the BGP IP address of your CPE.
- This address is entered as the local BGP IP address on the CPE.
- Local BGP address: Enter a BGP IP address that isn't* part of your on-premises network where your CPE resides.
- For example, if your on-premises network is 10.1.0.0/16, then you can use 10.2.0.4 as your Local BGP address.
- This address is entered as the peer BGP IP address on your CPE.
- Link ASN: Provide the autonomous system number (ASN) of the CPE.
- A BGP-enabled connection between two network gateways requires that they have different Autonomous System Number (ASN).
- For more information, see the Valid ASNs section of the Remote network configurations article.
- Redundancy: Select either No redundancy or Zone redundancy for your IPSec tunnel.
- Zone redundant local BGP address: This optional field shows up only when you select Zone redundancy.
- Enter a BGP IP address that isn't* part of your on-premises network where your CPE resides and is different from the Local BGP address.
- Bandwidth capacity (Mbps): Specify tunnel bandwidth. Available options are 250, 500, 750, and 1,000 Mbps.
- Select the Next button.
The Details tab is where you establish the bidirectional communication channel between Global Secure Access and your CPE. Configure your IPSec/IKE policy and select the Next button.
- IKEv2 is selected by default. Currently only IKEv2 is supported.
- The IPSec/IKE policy is set to Default but you can change to Custom.
- If you choose the custom IPSec/IKE policy, first review the How to create remote network with custom Internet Key Exchange (IKE) policy article.
- If you select Custom, you must use a combination of settings that are supported by Global Secure Access. The valid configurations you can use are mapped out in the Remote network valid configurations reference article.
- Whether you choose Default or Custom, the IPSec/IKE policy you specify must match the policy you enter on your CPE.
-
Enter the Preshared key (PSK). The same secret key must be used on your CPE.
-
Select the Save button.
Remote networks with a custom IKE policy can be created using Microsoft Graph on the /beta
endpoint.
-
Sign in to the Graph Explorer.
-
Select
POST
as the HTTP method from the dropdown. -
Set the API version to beta.
-
Run the following query to get a list of your remote networks and their details.
GET https://graph.microsoft.com/beta/networkaccess/connectivity/branches
-
Run the following query to get the device link details.
POST https://graph.microsoft.com/beta/networkaccess/connectivity/branches/BRANCH_ID/deviceLinks
Sample response:
{
"name": "CPE2",
"ipAddress": "100.1.1.56",
"BandwidthCapacityInMbps": "Mbps250",
"bgpConfiguration": {
"LocalIpAddress": "10.1.1.28",
"PeerIpAddress": "10.1.1.28",
"asn": 5555
},
"tunnelConfiguration": {
"@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default",
"preSharedKey": "secret.ppk"
},
"redundancyConfiguration": {
"redundancyTier": "zoneRedundancy",
"zoneLocalIpAddress": "1.1.1.12"
},
"deviceVendor": "citrix"
}
You can delete device links through the Microsoft Entra admin center and using the Microsoft Graph API.
-
Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
-
Browse to Global Secure Access (preview) > Devices > Remote network. Device links appear in the Links column on the list of remote networks.
-
Select the device link from the Links column to access the device link details page.
-
Select the Delete icon for the device link you need to delete. A confirmation dialog appears. Select Delete to confirm the deletion.
-
Sign in to Graph Explorer.
-
Select
DELETE
as the HTTP method from the dropdown. -
Set the API version to beta.
-
Enter the following query.
DELETE https://graph.microsoft.com/beta/networkaccess/connectivity/branches/BRANCH_ID/deviceLinks/LINK_ID
[!INCLUDE Public preview important note]