Network Configuration

IP Address Assignment for Internal, External and Management Interfaces

Each interface in Azure can have private and public IP addresses.

The sample Azure 3NIC templates provided by Ivanti Policy Secure create the Ivanti Policy Secure Virtual Appliance with public and private IP addresses for the management interface and only a private IP address for the internal and external interfaces.

The sample Azure 2NIC templates provided by Ivanti Policy Secure create the Ivanti Policy Secure Virtual Appliance with public and private IP addresses for the internal interface and only a private IP address for the external interface.

More details about IP address types on Azure can be seen at: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-ip-addresses-overview-arm

IP Addressing Modes

When Ivanti Policy Secure is deployed by using the sample templates provided by Ivanti, it comes up with multiple interfaces. Taking the template “pulsesecure-pps-3-nics.zip” provided by Ivanti as an example, you will notice the following.

The Ivanti Policy Secure management interface has both public and private IP addresses. In the code snippet below, the network interface is created with two IP addresses: a private IP address and a public IP address. Note the private IP allocation method and the public IP address being assigned to the NIC.

        "type": "Microsoft.Network/networkInterfaces",
        "name": "[variables('ppsExtNic')]",
        ---------------
        ---------------
        "properties": {
            "privateIPAllocationMethod": "Dynamic",
            "privateIPAddressVersion": "IPv4",
            "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddr1'))]"
            },

If you want to control the IP address assigned to a network interface, change the attribute “privateIPAllocationMethod” from “Dynamic” to “Static”. You also need to add an attribute called “privateIPAddress”, which holds the static IP address defined in the variables section. When you assign a static IP address, make sure that it is not in the reserved IP category.

    "ipConfigurations": [{
        "name": "ipconfig2",
        "properties": {
            "privateIPAllocationMethod": "Static",
            "privateIPAddressVersion": "IPv4",
            "privateIPAddress": "[variables('privateIPExternal')]"
        }
    }]
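A pre-deployment check for the static address, as an added example that is not part of the Ivanti templates. It assumes the "reserved IP category" means the addresses Azure reserves in every subnet (the first four and the last), and the subnet prefix and sample addresses are constructed values.

```python
import ipaddress
import re

# Matches a bare ARM expression of the form [variables('name')].
VAR_REF = re.compile(r"^\[variables\('([^']+)'\)\]$")

def resolve(value, variables):
    """Resolve a simple [variables('x')] reference; return other values unchanged."""
    m = VAR_REF.match(value or "")
    return variables.get(m.group(1)) if m else value

def azure_reserved(subnet):
    """Azure reserves the first four addresses and the last address of every subnet."""
    net = ipaddress.ip_network(subnet)
    return {net.network_address + i for i in range(4)} | {net.broadcast_address}

def check_ip_config(ip_config, variables, subnet):
    """Return a list of problems for one ipConfigurations entry."""
    props = ip_config["properties"]
    if props.get("privateIPAllocationMethod") != "Static":
        return []  # Dynamic: Azure picks the address, nothing to validate
    raw = resolve(props.get("privateIPAddress"), variables)
    if not raw:
        return ["Static allocation without a privateIPAddress value"]
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return [f"{raw!r} is not a valid IP address"]
    net = ipaddress.ip_network(subnet)
    if addr not in net:
        return [f"{addr} is outside subnet {net}"]
    if addr in azure_reserved(subnet):
        return [f"{addr} is reserved by Azure in {net}"]
    return []

# Constructed sample: the ipconfig2 fragment above, with assumed variable values.
IPCONFIG = {"name": "ipconfig2", "properties": {
    "privateIPAllocationMethod": "Static",
    "privateIPAddressVersion": "IPv4",
    "privateIPAddress": "[variables('privateIPExternal')]"}}
SUBNET = "10.20.2.0/24"  # assumed prefix of the external subnet

if __name__ == "__main__":
    for ip in ("10.20.2.3", "10.20.2.255", "10.20.3.10", "10.20.2.10"):
        print(ip, check_ip_config(IPCONFIG, {"privateIPExternal": ip}, SUBNET) or "ok")
```
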

Modifying Network Parameters After Deployment

Since the networking infrastructure is provided by Azure, an Ivanti Policy Secure admin cannot change the networking configuration after deployment. Hence, neither the admin UI nor SSH supports changing the network configuration.

Controlling the Selection of Internal, External and Management Interfaces

The sample Azure template provided by Ivanti requests the Azure fabric to create three network interfaces. When this template runs, the Azure fabric creates interfaces named eth0, eth1 and eth2 and attaches them to the Ivanti Policy Secure Virtual Interface.

So the question is: among eth0, eth1 and eth2, which network interface becomes the external, internal or management interface? The table below answers this question.

| Interface Name | Ivanti Policy Secure Interface |
|----------------|--------------------------------|
| eth0           | internal interface             |
| eth1           | external interface             |
| eth2           | management interface           |

The next question is how you can control the order of the network interfaces named eth0, eth1 and eth2 that are created through the Azure template. Azure supports two types of interfaces: primary and secondary. Only one primary interface can be present on a VM.

For more details of primary and secondary interface, see https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-addresses.

The Ivanti Policy Secure Virtual Appliance is qualified with the internal interface as primary and the other two as secondary. In the following code snippet, three network interfaces are assigned to the VM. These three NICs with IDs “nic1”, “nic2” and “nic3” are internally mapped to ‘eth0’, ‘eth1’, and ‘eth2’ respectively.

    "networkProfile": {
        "networkInterfaces": [{
            "id": "nic1",
            "properties": {
                "primary": true
            }
        }, {
            "id": "nic2",
            "properties": {
                "primary": false
            }
        }, {
            "id": "nic3",
            "properties": {
                "primary": false
            }
        }]
    },

Ivanti Policy Secure converts eth0 to int0, eth1 to ext0 and eth2 to mgmt0. This means that the network interface with ID nic1 will be the internal interface, nic2 will be the external interface and nic3 will be the management interface.

The table below summarizes this mapping:

| Interface Name | Ivanti Policy Secure Interface | Network ID |
|----------------|--------------------------------|------------|
| eth0           | internal interface (int0)      | nic1       |
| eth1           | external interface (ext0)      | nic2       |
| eth2           | management interface (mgmt0)   | nic3       |

If you make ‘nic2’ the primary interface, the order may not be maintained, and it is difficult to predict which interface will become the internal interface of Ivanti Policy Secure. As a best practice, always assign ‘primary’ to the first network interface, which will become the internal interface of Ivanti Policy Secure.
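The best practice above can be checked before deployment, so that the NIC on a public-facing subnet does not end up in an unexpected appliance role. This is an added example, not Ivanti's code; the function name and the sample profiles are constructed, and the role mapping is the one from the table above.

```python
# Position in networkInterfaces -> (OS name, Ivanti Policy Secure role), per the table above.
ROLES = [("eth0", "internal interface (int0)"),
         ("eth1", "external interface (ext0)"),
         ("eth2", "management interface (mgmt0)")]

def check_network_profile(profile):
    """Return (mapping, problems) for a VM networkProfile.

    mapping is {nic id: (eth name, role)} and is only filled in when the
    interface order is predictable, i.e. the first NIC is the only primary.
    """
    nics = profile["networkInterfaces"]
    problems = []
    primaries = [i for i, nic in enumerate(nics)
                 if nic.get("properties", {}).get("primary") is True]
    if len(nics) > len(ROLES):
        problems.append(f"{len(nics)} NICs listed, at most {len(ROLES)} roles exist")
    if len(primaries) != 1:
        problems.append(f"expected exactly one primary NIC, found {len(primaries)}")
    elif primaries[0] != 0:
        nic_id = nics[primaries[0]]["id"]
        problems.append(f"primary NIC is {nic_id!r} at position {primaries[0]}; "
                        "interface order is not predictable")
    mapping = {} if problems else {nic["id"]: ROLES[i] for i, nic in enumerate(nics)}
    return mapping, problems

def make_profile(primary_id):
    """Build a constructed three-NIC networkProfile with one primary NIC."""
    return {"networkInterfaces": [
        {"id": nic_id, "properties": {"primary": nic_id == primary_id}}
        for nic_id in ("nic1", "nic2", "nic3")]}

if __name__ == "__main__":
    for primary in ("nic1", "nic2"):
        mapping, problems = check_network_profile(make_profile(primary))
        print(f"primary={primary}:", problems or mapping)
```
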