Global Secure Access: Microsoft Entra Internet Access

In my last blog I introduced Microsoft’s new additions to the Entra Suite, Microsoft Entra Internet Access and Microsoft Entra Private Access, which are part of Global Secure Access (GSA). In this post I take a deep dive into Microsoft Entra Internet Access and how to configure it.

How To Configure GSA

There are a couple of ways to configure Microsoft Entra Internet Access: one is an agent you install on the device or VM, the other is enabled at the network level (remote networks). The Global Secure Access client is available for Windows and Android:

Global Secure Access agent

Windows Prerequisites

  • Supports 64-bit versions of Windows 10/11.
  • Windows 365 and Azure Virtual Desktop (AVD) single-session are supported; multi-session is not.
  • Microsoft Entra joined and Microsoft Entra hybrid joined devices are supported; Microsoft Entra registered devices are not.
  • Local administrator credentials required for install.
  • The product requires licensing. I covered licensing in my previous blog.

Android Prerequisites

The GSA client can be deployed to Android devices using Microsoft Intune and Microsoft Defender for Endpoint on Android. The client is built into the Defender for Endpoint Android app, which streamlines how end users connect to GSA. The Android client makes it easier for your end users to connect to the resources they need without having to manually configure VPN settings on their devices.

  • At least one GSA traffic forwarding profile must be enabled.
  • Device installation permissions required.
  • Android 10.0 or later.
  • Must be Microsoft Entra registered devices.
  • Devices not managed by your organization must have the Microsoft Authenticator app.
  • Devices not managed through Intune must have the Company Portal app.
  • Device enrolment required for Intune device compliance policies to be enforced.

Remote Networks

Organizations might want to extend the capabilities of Microsoft Entra Internet Access to entire networks, not just individual devices.

Remote networks are locations, such as a branch office, or networks that require internet connectivity. Setting up remote networks connects users in remote locations to GSA. Traffic forwarding profiles can be assigned to manage corporate network traffic. GSA provides remote network connectivity so network security policies can be assigned to outbound traffic.

Remote networks essentially create an Internet Protocol Security (IPsec) tunnel between a router or customer premises equipment (CPE) at the remote network and the nearest GSA endpoint. All internet-bound traffic is routed through the router of the remote network for security policy evaluation in the cloud. Installing a client on individual devices isn’t required.

Prerequisites

  • GSA Administrator role in Entra ID.
  • Microsoft 365 E3 license is recommended to use traffic forwarding profiles.
  • CPE must support the following protocols:
    • IPsec
    • GCMAES128, GCMAES192, or GCMAES256 algorithms for Internet Key Exchange (IKE) phase 2 negotiation
    • Internet Key Exchange Version 2 (IKEv2)
    • Border Gateway Protocol (BGP)
    • Route-based VPN configuration with any-to-any (wildcard or 0.0.0.0/0) traffic selectors. Make sure that your CPE has the correct traffic selector set.
  • The remote network connectivity solution uses responder mode: your CPE must initiate the connection.

Components of the virtual network

Deploying a remote network in Azure is a good way to understand how Microsoft Entra Internet Access works in a broader deployment.

Remote network components

High-level steps

Steps are completed in the Azure portal and the Microsoft Entra admin center.

You need a resource group and VNet to use the following sections. If you already have a resource group and VNet configured, you can start at step 3.

  1. Create a resource group (Azure portal)
  2. Create a virtual network (Azure portal)
  3. Create a virtual network gateway (Azure portal)
  4. Create a remote network with device links (Microsoft Entra admin center)
  5. Create local network gateway (Azure portal)
  6. Create site-to-site (S2S) VPN connection (Azure portal)
  7. Verify connectivity (Both)

I will presume you already know how to create or already have a resource group and VNet.

Create a virtual network gateway

Create a virtual network gateway inside your resource group.

  1. From the Azure portal, go to Virtual network gateways.
  2. Select Create.
  3. Provide a Name and select appropriate region.
  4. Select the VNet.
  5. Create a Public IP address and provide a descriptive name.
  6. Select Availability zone.
  7. Set Configure BGP to Enabled.
  8. Set the Autonomous system number (ASN) to an appropriate value.
  9. Select Review + create, confirm settings.
  10. Select Create.

The virtual network gateway can take a while to create. Start the next section while you’re waiting, but you need the public IP addresses of the virtual network gateway to complete the next step.

These IP addresses can be found by browsing to the Configuration page of your virtual network gateway once it’s created.

Configuration settings

Create the remote network and add device links

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Go to Global Secure Access > Connect > Remote networks.
  3. Select Create remote network and provide the following details:
    • Name
    • Region
  4. On the Connectivity tab, select Add a link.
  5. On the General tab, enter the following details:
    • Link name: Name of your device link.
    • Device type: Set to Other.
    • Device IP address: Public IP address of your virtual network gateway.
    • Device BGP address: BGP IP address of your virtual network gateway.
    • Device ASN: ASN of your virtual network gateway. Refer to the valid ASN values list for reserved values that can’t be used.
    • Redundancy: Set to No redundancy.
    • Bandwidth capacity (Mbps): Specify tunnel bandwidth. Available options are 250, 500, 750, and 1000 Mbps.
    • Local BGP address: Private IP address that is outside the address space of the virtual network associated with your virtual network gateway.
      • For example, if the address space of your virtual network is 10.1.0.0/16, then you can use 10.2.0.0 as your Local BGP address.
      • Refer to the valid BGP addresses list for reserved values that can’t be used.
  6. On the Details tab, leave the default values selected.
  7. On the Security tab, enter the Pre-shared key (PSK) and select Save.
  8. On the Traffic profiles tab, select the appropriate traffic forwarding profile.
  9. Select Review + Create.
  10. Select Create remote network.

Traffic forwarding profiles

Traffic forwarding profiles can be assigned to a remote network when you create it or at a later time. For more information, see Traffic forwarding profiles.

  1. Either select the Next button or select the Traffic profiles tab.
  2. Select the appropriate traffic forwarding profile. For this test I’ll select Microsoft 365.
  3. Select Review + Create.
  4. Select Create remote network.
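The same remote network and device link can be created without the portal. The following is an added example (not from the original post) that sends the request through the Microsoft Graph beta `networkAccess` API using the Microsoft.Graph PowerShell module. The request body follows the beta `remoteNetwork` schema as I recall it, and the permission scope, enum values (`other`, `mbps250`, `noRedundancy`, `m365`) and the `connectivityConfiguration` read-back are assumptions to verify against the current Graph reference; names, region and the gateway addresses are placeholders. It also enforces the Local BGP address rule from the list above before anything is sent.

```powershell
# Added example, not from the original post: create the remote network and its device link via
# Microsoft Graph (beta networkAccess API) instead of the Entra admin center.
# ASSUMPTIONS: property names, enum values and the permission scope below follow the beta schema
# as remembered at the time of writing; check them against the current Graph reference.
Connect-MgGraph -Scopes 'NetworkAccess.ReadWrite.All'   # assumption: scope name for the networkAccess API

# Helper: is an IPv4 address inside a CIDR prefix? Used for the "Local BGP address must be
# outside the VNet address space" rule from the post.
function Test-IPv4InPrefix {
    param([string]$Address, [string]$Prefix)           # e.g. '10.2.0.0', '10.1.0.0/16'
    $net, $bits = $Prefix.Split('/')
    $toUInt32 = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                           # network byte order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($b, 0)
    }
    $mask = [uint32]((([uint64]0xFFFFFFFF) -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return ((& $toUInt32 $Address) -band $mask) -eq ((& $toUInt32 $net) -band $mask)
}

$vnetAddressSpace = '10.1.0.0/16'   # VNet behind the virtual network gateway (the post's example)
$localBgpAddress  = '10.2.0.0'      # Local BGP address, must be OUTSIDE that space (the post's example)
if (Test-IPv4InPrefix -Address $localBgpAddress -Prefix $vnetAddressSpace) {
    throw "Local BGP address $localBgpAddress lies inside the VNet address space $vnetAddressSpace"
}

# Traffic profiles tab: look up the Microsoft 365 forwarding profile to attach to the remote network.
$profiles = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/networkAccess/forwardingProfiles'
$m365     = $profiles.value | Where-Object { $_.trafficForwardingType -eq 'm365' }   # assumption: enum value name
if (-not $m365) { throw 'Microsoft 365 traffic forwarding profile not found; enable it first' }

$body = @{
    name        = 'rn-azure-lab'            # placeholder remote network name
    region      = '<gsa-region>'            # placeholder; must be one of the supported GSA region values
    deviceLinks = @(
        @{
            name                    = 'vngw-link'                              # Link name
            deviceVendor            = 'other'                                  # Device type: Other
            ipAddress               = '<public-ip-of-virtual-network-gateway>' # Device IP address (placeholder)
            bandwidthCapacityInMbps = 'mbps250'                                # 250/500/750/1000 as in the post
            bgpConfiguration        = @{
                localIpAddress = $localBgpAddress                              # Local BGP address (GSA side)
                peerIpAddress  = '<bgp-ip-of-virtual-network-gateway>'         # Device BGP address (placeholder)
                asn            = 65533                                         # Device ASN used in the post
            }
            redundancyConfiguration = @{ redundancyTier = 'noRedundancy' }      # Redundancy: No redundancy
            tunnelConfiguration     = @{
                '@odata.type' = '#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Default'  # Details tab defaults
                preSharedKey  = (Read-Host 'Pre-shared key')                   # Security tab PSK; prompt rather than hard-code
            }
        }
    )
    forwardingProfiles = @( @{ id = $m365.id } )
}

$remoteNetwork = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks' -Body $body

# Equivalent of "View configuration": the Microsoft-side endpoint, asn and bgpAddress (localConfigurations)
# you need for the Azure local network gateway. Assumption: this read-back endpoint and shape.
$cfg = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/$($remoteNetwork.id)/connectivityConfiguration"
$cfg.links | ForEach-Object { $_.localConfigurations } | Select-Object endpoint, asn, bgpAddress, region
```

The `Test-IPv4InPrefix` check is the part worth keeping even if you stay in the portal: with the post's later lab values (VNet 10.2.0.0/16, Local BGP address 192.168.1.x) it passes, and it throws before the PSK is ever prompted for if the two would overlap.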

View connectivity configuration

After you create a remote network and add a device link, the configuration details are available in the Microsoft Entra admin center. You need several details from this configuration to complete the next step.

  1. Go to Global Secure Access > Connect > Remote networks.
  2. Select View configuration.
  3. Make a note of the Microsoft public IP address endpoint, asn, and bgpAddress.

The diagram below shows the key details of the configuration.

The resource group contains a VM which is connected to a VNet. A virtual network gateway connects to the local network gateway through an S2S redundant VPN connection.

The first highlighted section under localConfigurations shows details of the GSA gateway, which is your local network gateway.

Local Network Gateway 1

  • Public IP address/endpoint: 120.x.x.76
  • ASN: 65476
  • BGP IP address/bgpAddress: 192.168.1.1

Local Network Gateway 2

  • Public IP address/endpoint: 4.x.x.193
  • ASN: 65476
  • BGP IP address/bgpAddress: 192.168.1.2

The second highlighted section under peerConfiguration shows the details of the virtual network gateway, which is your local router equipment.

Virtual Network Gateway

  • Public IP address/endpoint: 20.x.x.1
  • ASN: 65533
  • BGP IP address/bgpAddress: 10.1.1.1

The address space for the VNet is 10.2.0.0/16. The Local BGP address and Peer BGP address can’t be in the same address space.

Create local network gateway

For this section you need to go back to the Azure portal, and you will need some details from the previous step.

  1. Go to Local network gateways.
  2. Select Create.
  3. Select resource group and region.
  4. Provide local network gateway with a Name.
  5. For Endpoint, select IP address, then enter the endpoint IP address shown in the Microsoft Entra admin center.
  6. Select Next: Advanced.
  7. Set Configure BGP to Yes.
  8. Enter the ASN from the localConfigurations section of the View configuration details.
  9. Enter the BGP peer IP address from the localConfigurations section.
  10. Select Review + create.
  11. Select Create.

Go to Configurations to review details of the local network gateway.

Local network gateway configuration

Create Site-to-site (S2S) VPN connection

  1. Go to Connections.
  2. Select Create.
  3. Select resource group.
  4. For Connection type, select Site-to-site (IPsec).
  5. Enter a Name and select the Region.
  6. Select Next: Settings.
  7. Select the virtual network gateway and local network gateway created previously.
  8. Enter the same PSK you entered in the Microsoft Entra admin center.
  9. Enable BGP.
  10. Select Review + create.
  11. Select Create.
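The Azure side of the lab (high-level steps 3, 5 and 6 above) can also be scripted. Below is an added example using the Az PowerShell module; it is not from the original post. It assumes an existing resource group and VNet that already contains a `GatewaySubnet`; resource names, the region and the Microsoft-side endpoint addresses are placeholders, while the ASNs (65533 for the virtual network gateway, 65476 for the GSA side) and the BGP addresses 192.168.1.1 and 192.168.1.2 are the values shown in the post's configuration. Because the post's View configuration shows two Microsoft-side entries, the example creates one local network gateway and one connection per entry.

```powershell
# Added example, not from the original post: virtual network gateway, local network gateways
# and S2S IPsec connections with BGP, using the Az PowerShell module (Az.Network).
$rg       = 'rg-gsa-lab'        # placeholder: your resource group
$location = '<azure-region>'    # placeholder: region of the VNet
$vnetName = 'vnet-gsa-lab'      # placeholder: VNet (10.2.0.0/16 in the post) that contains a GatewaySubnet
$psk      = Read-Host 'Pre-shared key (same as entered in the Entra admin center)'   # prompt, don't hard-code

# --- Step 3: virtual network gateway, route-based, BGP enabled, ASN 65533 as in the post ---
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip    = New-AzPublicIpAddress -Name 'pip-vngw-gsa' -ResourceGroupName $rg -Location $location `
              -AllocationMethod Static -Sku Standard -Zone 1,2,3          # zone-redundant, matches an AZ gateway SKU
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'vngw-ipconfig' -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
$vngw   = New-AzVirtualNetworkGateway -Name 'vngw-gsa' -ResourceGroupName $rg -Location $location `
              -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ `
              -EnableBgp $true -Asn 65533                                  # this call blocks until the gateway exists

# These two values are what the device link in the Entra admin center asks for (Device IP / Device BGP address)
Write-Host "Device IP address : $($pip.IpAddress)"
Write-Host "Device BGP address: $($vngw.BgpSettings.BgpPeeringAddress)"

# --- Step 5: one local network gateway per Microsoft-side entry under localConfigurations ---
# Endpoints are placeholders for the values shown by View configuration; ASN/BGP addresses are the post's.
$gsaEndpoints = @(
    @{ Name = 'lng-gsa-1'; Endpoint = '<endpoint 1 from View configuration>'; BgpAddress = '192.168.1.1' },
    @{ Name = 'lng-gsa-2'; Endpoint = '<endpoint 2 from View configuration>'; BgpAddress = '192.168.1.2' }
)

foreach ($e in $gsaEndpoints) {
    $lng = New-AzLocalNetworkGateway -Name $e.Name -ResourceGroupName $rg -Location $location `
               -GatewayIpAddress $e.Endpoint -Asn 65476 -BgpPeeringAddress $e.BgpAddress

    # --- Step 6: site-to-site IPsec connection with BGP enabled, same PSK on both sides ---
    New-AzVirtualNetworkGatewayConnection -Name "cn-$($e.Name)" -ResourceGroupName $rg -Location $location `
        -VirtualNetworkGateway1 $vngw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
        -SharedKey $psk -EnableBgp $true | Out-Null
}
```

Run step 3 first, feed the two printed values into the device link in the Entra admin center, then run steps 5 and 6 once View configuration shows the Microsoft-side endpoint addresses. The virtual network gateway's BGP peering address is assigned from the GatewaySubnet, so it is read back from `BgpSettings` rather than chosen here.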

Verify connectivity

To verify connectivity we need to simulate the traffic flow from a VM.

  1. Go to Virtual machines.
  2. Select Create > Azure virtual machine.
  3. Select resource group.
  4. Enter a name.
  5. Select the image you want to use; for this example we choose Windows 11 Pro, version 22H2 – x64 Gen2.
  6. Select Run with Azure Spot discount for this test.
  7. Provide a Username and Password.
  8. Confirm that you have an eligible Windows 10/11 license.
  9. Go to Networking tab and select the VNet created previously.
  10. Move to the Management tab and check Login with Microsoft Entra ID.
  11. Select Review + create.
  12. Select Create.

Verify connectivity status

We can validate the VPN tunnel is connected and BGP peering is successful.

  1. Go to the virtual network gateway created earlier and select Connections.
  2. Each of the connections should show a Status of Connected once the configuration is applied and successful.
  3. Go to BGP peers under Monitoring to confirm that BGP peering is successful. Look for the peer addresses provided by Microsoft. Once the configuration is applied and successful, the Status should show Connected.
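The same three checks can be run from PowerShell, which is handy when you want to re-check the tunnel after a change or alert on it. The following added example (not from the original post) uses the Az.Network cmdlets for connection status, BGP peer status and the routes learned from the Microsoft-side peers; the resource group and gateway names are placeholders, and the expected peer addresses are the post's bgpAddress values 192.168.1.1 and 192.168.1.2.

```powershell
# Added example, not from the original post: verify connection status, BGP peering and learned
# routes on the virtual network gateway with the Az PowerShell module.
function Test-GsaTunnel {
    param(
        [string]$ResourceGroup,     # placeholder resource group
        [string]$GatewayName,       # placeholder virtual network gateway name
        [string[]]$ExpectedPeers    # Microsoft-side BGP addresses from View configuration
    )
    $ok = $true

    # Checks 1-2: every S2S connection on this gateway should report Connected
    $conns = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup |
             Where-Object { $_.VirtualNetworkGateway1.Id -like "*/virtualNetworkGateways/$GatewayName" }
    if (-not $conns) { Write-Host "No connections found on $GatewayName"; $ok = $false }
    foreach ($c in $conns) {
        Write-Host ("{0,-20} {1,-12} in={2} out={3}" -f $c.Name, $c.ConnectionStatus,
                    $c.IngressBytesTransferred, $c.EgressBytesTransferred)
        if ($c.ConnectionStatus -ne 'Connected') { $ok = $false }
    }

    # Check 3: the Microsoft-side BGP peers should be Connected and sending routes
    $peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $ResourceGroup -VirtualNetworkGatewayName $GatewayName
    foreach ($p in $peers) {
        Write-Host ("{0,-15} asn={1} {2,-12} routesReceived={3}" -f $p.Neighbor, $p.Asn, $p.State, $p.RoutesReceived)
    }
    foreach ($expected in $ExpectedPeers) {
        $match = $peers | Where-Object { $_.Neighbor -eq $expected -and $_.State -eq 'Connected' }
        if (-not $match) { Write-Host "BGP peer $expected is not Connected"; $ok = $false }
    }

    # Routes learned over BGP from those peers: what GSA advertises into the tunnel for the
    # selected traffic profile. If this is empty while peers show Connected, check the profile assignment.
    Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $ResourceGroup -VirtualNetworkGatewayName $GatewayName |
        Where-Object { $_.SourcePeer -in $ExpectedPeers } |
        Select-Object Network, NextHop, SourcePeer, AsPath | Format-Table -AutoSize | Out-Host

    return $ok
}

# Usage (placeholders match the earlier provisioning example):
Test-GsaTunnel -ResourceGroup 'rg-gsa-lab' -GatewayName 'vngw-gsa' -ExpectedPeers '192.168.1.1', '192.168.1.2'
```

The function returns `$true` only when every connection is Connected and every expected peer is in the Connected state, so it can be dropped into a scheduled check as-is; the printed lines are there for a human reading the output.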

You can use the VM to validate that traffic is flowing to Microsoft services. Browsing to M365 resources in SharePoint or Exchange Online will result in traffic on the virtual network gateway. This traffic can be seen by browsing to Metrics on the virtual network gateway or by configuring packet capture for VPN gateways.

Universal Tenant Restrictions

Now that we have GSA configured for our virtual networking, please read my next blog on how we can use universal tenant restrictions to block tenant-level access to any external tenant.
