Valid remote network configurations for custom and default configurations
Device links are the physical routers that connect your remote networks, such as branch locations, to Global Secure Access (preview). There's a specific set of combinations you must use if you choose the Custom option when adding device links. If you choose the Default option, you must enter a specific combination of properties on the customer premises equipment (CPE).
Custom and default details
The available regions, device types, autonomous system number (ASN), and border gateway protocol (BGP) addresses are used in both the default and custom configurations.
Available device options
- barracudaNetworks
- checkPoint
- ciscoMeraki
- citrix
- fortinet
- hpeAruba
- netFoundry
- nuage
- openSystems
- paloAltoNetworks
- riverbedTechnology
- silverPeak
- vmWareSdWan
- versa
Valid regions where remote networks can be created
| Europe Middle East Africa (EMEA) | Asia Pacific (APAC) | Latin America (LATAM) | North America (NA) |
|---|---|---|---|
| franceCentral | australiaEast | brazilSouth | canadaCentral |
| franceSouth | australiaSouthEast | canadaEast | |
| germanyWestCentral | centralIndia | centralUS | |
| israelCentral | japanEast | eastUS | |
| italyNorth | japanWest | northCentralUS | |
| northEurope | koreaCentral | southCentralUS | |
| polandCentral | koreaSouth | westCentralUS | |
| southAfricaNorth | southEastAsia | westUS | |
| southAfricaWest | southIndia | westUS2 | |
| swedenCentral | westUS3 | ||
| switzerlandNorth | |||
| uaeNorth | |||
| ukSouth | |||
| westEurope |
Valid ASN
You can use any 2-byte values (between 1 to 65534) except for the following reserved ASNs:
- Azure reserved ASNs: 12076, 65517, 65518, 65519, 65520, 8076, 8075
- IANA reserved ASNs: 23456, >= 64496 && <= 64511, >= 65535 && <= 65551, 4294967295
- 65476
Valid BGP addresses
You can use any BGP address except for the following addresses:
- 0.0.0.0/32
- 127.0.0.0/8
- 224.0.0.0/4
- 255.255.255.255/32
Default IPSec/IKE configurations
When you select Default as your IPsec/IKE policy when configuring remote network device links in the Microsoft Entra admin center, we expect the following combinations in the tunnel handshake. Each value in the combination is entered on your CPE.
Important
You must specify both a Phase 1 and Phase 2 combination on your CPE.
IKE Phase 1 combinations
| Properties | Combination 1 | Combination 2 | Combination 3 | Combination 4 |
|---|---|---|---|---|
| IKE encryption | GCMAES256 | GCMAES128 | AES256 | AES128 |
| IKE integrity | SHA384 | SHA256 | SHA384 | SHA256 |
| DH group | DHGroup24 | DHGroup24 | DHGroup24 | DHGroup24 |
IKE Phase 2 combinations
| Properties | Combination 1 | Combination 2 | Combination 3 |
|---|---|---|---|
| IPSec encryption | GCMAES256 | GCMAES192 | GCMAES128 |
| IPSec integrity | GCMAES256 | GCMAES192 | GCMAES128 |
| PFS Group | None | None | None |
Custom IPSec/IKE combinations
When you select Custom as IPSec/IKE configuration when configuring remote network device links in the Microsoft Entra admin center, you must use one of the following combinations.
IKE Phase 1 combinations
There no limitations for the IKE phase 1 combinations. Any mix and match of encryption, integrity, and DH group is valid.
IKE Phase 2 combinations
The IPSec encryption and integrity configurations are provided in the following table:
| IPSec encryption | IPSec integrity |
|---|---|
| GCMAES128 | GCMAES128 |
| GCMAES192 | GCMAES192 |
| GCMAES256 | GCMAES256 |
| None | SHA256 |
- PFS group - No limitation.
- SA lifetime - must be >300 seconds.
Valid enums
The following values can be used for the IKE, IPSec, DH group, and PFS group properties.
IKE encryption
| Value | Enum |
|---|---|
| AES128 | 0 |
| AES192 | 1 |
| AES256 | 2 |
| GCMAES128 | 3 |
| GCMAES256 | 4 |
IKE integrity
| Value | Enum |
|---|---|
| SHA256 | 0 |
| SHA384 | 1 |
| GCMAES256 | 2 |
| GCMAES256 | 3 |
DH group
| Value | Enum |
|---|---|
| DHGroup14 | 0 |
| DHGroup2048 | 1 |
| ECP256 | 2 |
| ECP384 | 3 |
| DHGroup24 | 4 |
IPSec encryption
| Value | Enum |
|---|---|
| GCMAES128 | 0 |
| GCMAES192 | 1 |
| GCMAES256 | 2 |
| None | 3 |
IPSec integrity
| Value | Enum |
|---|---|
| GCMAES128 | 0 |
| GCMAES192 | 1 |
| GCMAES256 | 2 |
| SHA256 | 3 |
PFS group
| Value | Enum |
|---|---|
| PFS1 | 0 |
| None | 1 |
| PFS2 | 2 |
| PFS2048 | 3 |
| ECP256 | 4 |
| ECP384 | 5 |
| PFSMM | 6 |
| PFS24 | 7 |
| PFS14 | 8 |
Terms of Use
Your use of the Microsoft Entra Private Access and Microsoft Entra Internet Access preview experiences and features is governed by the preview online service terms and conditions of the agreement(s) under which you obtained the services. Previews may be subject to reduced or different security, compliance, and privacy commitments, as further explained in the Universal License Terms for Online Services and the Microsoft Products and Services Data Protection Addendum (“DPA”), and any other notices provided with the Preview.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for