# Azure

**For a more detailed tutorial refer to** [**Site-to-Site with IPsec**](https://docs.pritunl.com/kb/vpn/tutorials/pritunl-link)

Create a *Virtual Machine* and set the *Image* to *AlmaLinux 10*. Configure the instance authentication and set *Public inbound ports* to *None*. Then click *Next: Disks*, keep the default disk settings and click *Next: Networking*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FB0jTndO5w1OrABYW6qdz%2Fazure_link0.png?alt=media\&token=10f4ebf5-194e-4895-b825-8299c33149f7)

Select the *Virtual network* that will be peered and select a subnet. A link is only needed on one subnet. The routing table of all subnets in the virtual network will be configured. Set *Network security group* to *Advanced* and click *Create new* under *Configure network security group*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2Fj2v7ELC2eXWw8ZUTfKWd%2Fazure_link1.png?alt=media\&token=4d4b0e4e-1015-4a03-b4fb-5669f91943ac)

Set the *Name* of the security group to `pritunl-link` and click *Add an inbound rule*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FrF8pZLVCX6CZVXCsi0rN%2Fazure_link2.png?alt=media\&token=f7670159-18d6-49b1-ad42-513ca95a5731)

Set the *Source* to *Any*, *Source port ranges* to `*`, *Destination* to *Any* and *Port* to `500`. Then select *UDP* and set *Priority* to `100`. Set the *Name* to `Port_500`. Then click *Add*.

**Optionally, TCP port 9790 can also be opened for host-to-host checking. This allows each pritunl-link host to ping the other hosts to measure latency and availability. These checks are used to detect network partitions and discover the best link to activate in a high availability configuration.**

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FWJX5YSztGjH8zVenlZnT%2Fazure_link3.png?alt=media\&token=f1adddec-c5ca-489e-a3f5-4cc207bc8ae3)

Click *Add an inbound rule* again. Set the *Source* to *Any*, *Source port ranges* to `*`, *Destination* to *Any* and *Port* to `4500`. Then select *UDP* and set *Priority* to `101`. Set the *Name* to `Port_4500`.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FvieuN4sJjaDjmMf7sfp3%2Fazure_link4.png?alt=media\&token=c8cc515b-e2ef-4756-baa8-cbbcfedc1618)

Click *Next: Management* and set *System assigned managed identity* to *On*. Then create the virtual machine.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FnPGcWcOvsG5sarYLnNwy%2Fazure_link5.png?alt=media\&token=1d3c8d66-7b23-4b5a-8b02-d5b55ff60f14)

Open the *Virtual Machine* settings and select *Networking*. Then click on the *Network Interface*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FnBWRgwFEdJEkLijHqvnq%2Fazure_link9.png?alt=media\&token=a2194ee9-d55d-43c2-8260-1c9bf4f40f99)

Open *IP configurations* and set *IP forwarding* to *Enabled*. Then click *Save*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FlRpYGnhJrvrMYPPkeO6i%2Fazure_link10.png?alt=media\&token=24a0e84b-7033-4f64-bcee-8deb1e20b7af)

Open the *Resource Groups* dashboard and select the resource group that contains the Pritunl Link instance. Then open *Access control (IAM)*. Optionally these access controls can be added to the virtual network and Pritunl Link instance instead of the resource group for a more restricted configuration.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FHozGxwHjgLb0Tt7zj7vF%2Fazure_link6.png?alt=media\&token=c1f15b0a-a6da-4684-8581-2d349661facc)

Click *Add* and set the *Role* to *Owner*, *Assign access to* to *Virtual Machine* and search for the Pritunl Link instance and add it. Then click *Save*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FL748zLPb8zx5R38Vo3lU%2Fazure_link7.png?alt=media\&token=baf7aee3-2d10-4210-a82c-c1d05c5f2a4a)

Click *Add* again and set the *Role* to *Reader*, *Assign access to* to *Virtual Machine* and search for the Pritunl Link instance and add it. Then click *Save*.

Connect to the server with SSH and run the script below. The first `pritunl-link` command only needs to be run if the Pritunl server does not have a signed HTTPS certificate. The second command sets the provider to `azure`. The third command adds the URI; replace the placeholder with the URI obtained by clicking *Get URI* in the Pritunl web console. This command can be run multiple times if more than one link is configured. The `pritunl-link verify-off` line can be left out if the Pritunl server is configured with a valid SSL certificate. It is not necessary to verify the SSL certificate because the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI.

```shell
#!/bin/bash
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Stable Repository
baseurl=https://repo.pritunl.com/stable/yum/almalinux/10/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

sudo dnf -y update
sudo dnf -y install pritunl-link

sudo pritunl-link verify-off
sudo pritunl-link provider azure
sudo pritunl-link add pritunl://token:secret@test.pritunl.com
```

The security group or security rules of other instances will need to be modified to allow traffic from the peered networks. The outbound security rules may also need to be modified to allow traffic to the peered networks.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FAZEdhVTITR7TLF3ivALN%2Fazure_link11.png?alt=media\&token=69b12b6c-2687-4349-a18c-7e67bb349d8c)

The commands below can be run to check the logs and status of the link. The `pritunl-link` service will already be running and connected once the URI is added.

```shell
journalctl -u pritunl-link
sudo ipsec status
```
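The script below is an added example, not part of the Pritunl documentation or the `pritunl-link` tool. It sanity-checks a link host built by the steps above: the `pritunl-link` service is active, IKE is listening on the UDP ports the NSG rules open (500 and 4500), and the kernel will forward packets, which the Azure *IP forwarding* setting permits but does not enable on the host itself. It assumes AlmaLinux with `iproute2` (`ss`), `sysctl` and systemd. The parsing functions take their input as text so they can be exercised against the constructed `ss` sample embedded in the script; set `PRITUNL_LINK_LIVE=1` to run them against the live host instead.

```shell
#!/bin/bash
# Added example (not Pritunl's code): post-install checks for a pritunl-link host.
# Port numbers match the NSG rules from the tutorial (Port_500 and Port_4500).

IKE_PORT=500      # IKE over UDP
NATT_PORT=4500    # IPsec NAT traversal over UDP

# Constructed sample of `ss -Hlun` output, used when not running live so the
# checks can be demonstrated offline. Not captured from a real host.
SAMPLE_SS_OUTPUT='UNCONN 0 0 0.0.0.0:500 0.0.0.0:*
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*
UNCONN 0 0 [::]:500 [::]:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'

# check_udp_listeners <ss_output>
# Returns 0 when both IKE ports appear as bound local UDP sockets in the given
# `ss -Hlun` text (IPv4 or IPv6 form), 1 otherwise. Each field is tested for a
# ":<port>" suffix so the check does not depend on the exact column layout.
check_udp_listeners() {
    local ss_output="$1" missing=0 port
    for port in "$IKE_PORT" "$NATT_PORT"; do
        if ! printf '%s\n' "$ss_output" | awk -v p="$port" '
            { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
            END { exit found ? 0 : 1 }'; then
            echo "no UDP listener on port $port (check the ipsec service and NSG rule)" >&2
            missing=1
        fi
    done
    return "$missing"
}

# check_ip_forward <sysctl_value>
# Returns 0 when net.ipv4.ip_forward is 1. Without it the host accepts tunnel
# traffic but will not route it on to the peered subnet.
check_ip_forward() {
    if [ "$1" = "1" ]; then
        return 0
    fi
    echo "net.ipv4.ip_forward is '$1'; the host will not route between tunnel and subnet" >&2
    return 1
}

if [ "${PRITUNL_LINK_LIVE:-0}" = "1" ]; then
    # Live mode: query the running system.
    rc=0
    systemctl is-active --quiet pritunl-link || { echo "pritunl-link service is not active" >&2; rc=1; }
    check_udp_listeners "$(ss -Hlun)" || rc=1
    check_ip_forward "$(sysctl -n net.ipv4.ip_forward)" || rc=1
    [ "$rc" -eq 0 ] && echo "link host checks passed"
    exit "$rc"
else
    # Demo mode: run the listener check against the constructed sample only.
    check_udp_listeners "$SAMPLE_SS_OUTPUT" && echo "sample: both IKE ports are bound"
fi
```

Run it as `sudo PRITUNL_LINK_LIVE=1 ./check-link-host.sh` on the link instance; a non-zero exit code means at least one of the three conditions failed and the reason is printed on stderr.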
