This document provides the procedure and links to enable setup and configuration of a Site-to-Site VPN connection from your network to the Azure cloud-hosted Kodak workflow servers. Upon successful completion, all Azure-hosted Kodak workflow servers will interact with your network resources as though they are located within your local network.
The customer is responsible for administering all Microsoft Azure network resources that are required to connect the customer’s Local Area Network to the Kodak Managed Services Virtual Network. A Site-to-Site VPN gateway connection is used to connect the customer's on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. The customer's IT network specialist may find the information below helpful when creating the Site-to-Site connection.
The instructions for connecting your network to the VNET in your Azure subscription are provided in one of two ways depending on the level of support of your VPN hardware. If you specified that your VPN hardware is Azure qualified in the Presite Checklist form that was filled out as part of the sales process, then refer to the section below titled: Azure Qualified VPN Device. If instead, your device is not qualified by Azure, but the manufacturer of your VPN hardware has specified that it is compatible with Azure, then refer to the section below titled: Manufacturer Supported VPN Device.
Azure Qualified VPN Device
For devices qualified by Microsoft, much of the body of the instructions is located on Microsoft Azure web portal documentation pages. This document will direct you to those pages (step 6 below). Kodak products use a standard Azure VPN Gateway. Because Microsoft updates those pages frequently, following the links provided below ensures that you are always using the latest, correct documentation.
- Read this section and the following links all the way through before beginning. There are a lot of steps, and it is easy to miss a detail.
- Make sure you have a compatible VPN device and someone who can configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
If you do not have a supported device as per the above link, you should follow the instructions in the section titled: Manufacturer Supported VPN Device.
- Verify that you have an externally facing public IPv4 address for your VPN device.
- If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. NOTE: None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
- When your Managed Services account was set up, you should have received an automatically generated email from Microsoft inviting you to access the Eastman Kodak Azure subscription. For reference, it will contain the following graphic.
If you haven’t already, you should follow the prompt in this email to connect and log in to the subscription Kodak has created for you. Do not continue until you can log in to the subscription and see the resources Kodak has created. NOTE: The person you designated as the IT Admin should set up the VPN device. Only an IT Admin has been granted the permissions to create and edit networking resources in your subscription.
NOTE: To reach the Azure portal you should use the link in the Welcome email the first time you connect. Subsequently, you can go to portal.azure.com.
- The instructions on the Microsoft documentation portal contain the steps necessary to create the connection: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal Please note that most of the steps in the link above have already been performed during the creation of your subscription. Please focus on the following steps to set up the connection:
- Steps one and two in the Microsoft Azure documentation are complete. You can gather any information you need for later steps from the Virtual Network and Gateway resources by selecting them in the portal and viewing the information in the Overview section.
- Step three in the Microsoft Azure documentation involves creating the Local Network Gateway. This is the first of two resources you need to create in the subscription. The local network gateway typically refers to your on-premises location. When filling in the required data, please specify the same region as the Virtual Network resource. NOTE: If you are connecting multiple printing sites to Azure, you will need a Local Network Gateway resource for each site.
- Step four involves configuring your on-premises VPN device. Since you indicated that your VPN device is on Microsoft’s Qualified VPN list for Azure, in many cases there will be a device configuration script you can download from the Azure portal.
- Step five involves creating the Connection resource in Azure. This is the second and remaining resource that needs to be created in your subscription. The connection resource represents the connection between the Local Network Gateway resource and the Virtual Network. NOTE: If you are connecting multiple printing sites to Azure, you will need a Connection resource to connect each site to the Virtual Network.
- Depending on the VPN device, you may need to configure Border Gateway Protocol to automate routing between the networks. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps
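Before creating the Local Network Gateway, the address requirements above (a public IPv4 address for the VPN device, and no overlap between on-premises and virtual network subnets) can be checked offline. The following is an added example, not part of the Kodak or Microsoft documentation; the function name, the list of ranges treated as non-public, and all addresses are constructed for illustration.

```python
import ipaddress

# Assumption: ranges that cannot serve as the externally facing device address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                  # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def check_gateway_inputs(device_ip, onprem_prefixes, vnet_prefixes):
    """Return a list of problems; an empty list means the inputs are usable."""
    problems = []

    try:
        ip = ipaddress.ip_address(device_ip)
    except ValueError:
        problems.append(f"{device_ip}: not a valid IP address")
    else:
        if ip.version != 4:
            problems.append(f"{device_ip}: VPN device address must be IPv4")
        elif any(ip in net for net in NON_PUBLIC):
            problems.append(f"{device_ip}: not a public address")

    def parse(prefixes, label):
        nets = []
        for p in prefixes:
            try:
                # strict=True rejects prefixes with host bits set (e.g. 10.1.0.5/16)
                nets.append(ipaddress.ip_network(p, strict=True))
            except ValueError as exc:
                problems.append(f"{label} prefix {p}: {exc}")
        return nets

    onprem = parse(onprem_prefixes, "on-premises")
    vnet = parse(vnet_prefixes, "virtual network")

    # Any intersection between the two address spaces breaks routing.
    for a in onprem:
        for b in vnet:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"on-premises {a} overlaps virtual network {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation and private ranges only).
    for line in check_gateway_inputs(
        "203.0.113.10", ["192.168.10.0/24", "10.20.0.0/16"], ["10.20.4.0/24"]
    ):
        print(line)
```

The virtual network prefixes to pass in are shown in the Overview section of the Virtual Network resource in the portal.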
Manufacturer Supported VPN Device
For devices that have not been qualified by Microsoft, but whose manufacturer has stated that Azure connectivity is supported, you will have to rely on documentation supplied by the manufacturer. Microsoft does not directly support these devices, so Kodak cannot open an Azure support ticket on your behalf to resolve any connectivity issues. If connectivity issues arise, you will need to open a support call with the manufacturer of the VPN device.