The Elisity Virtual Edge (VE) can be deployed as a cloud-hosted virtual appliance in Microsoft Azure, providing an alternative to on-prem or hypervisor-based deployments. This deployment model is functionally identical to other Virtual Edge deployments, and enables the VE to onboard and manage enforcement points such as switches, wireless LAN controllers (WLCs), and firewalls running the Elisity Virtual Edge Node (VEN) software.
The only requirement is network connectivity from the VENs to the VE, typically via private IP through VPN, ExpressRoute, vWAN, or direct peering.
Pre-Requisites
Azure Access
- Active Azure subscription
- Permissions to deploy a VM and assign roles within a Resource Group
- Access to the Elisity Virtual Edge image in the Azure Marketplace (granted via image terms acceptance). This image is a private listing, and must be explicitly shared with your Azure tenant by the Elisity team. You will need to provide your Azure Subscription ID and Tenant ID.
Virtual Machine Specifications
| Resource | Specification |
|---|---|
| VM Size | Standard_F8s_v2 |
| vCPUs | 8 |
| Memory | 16 GB |
| Temporary SSD | 64 GB (ephemeral) |
| OS Disk | 64 GB (minimum) |
| OS Image | Provided by Elisity via Azure Marketplace |
Additional Requirements
- Static private IP address (configured during VM creation)
- SSH access to the VM for manual operations or troubleshooting
- Network interface with outbound internet access for reaching Elisity Cloud Control Center (TCP port 443)
- Routing or VPN connectivity to on-prem VENs (via IPsec tunnel, ExpressRoute, vWAN, or VNet peering)
Connectivity Requirements
The Virtual Edge must be reachable from Elisity Cloud Control Center and must be able to route traffic to and from connected Virtual Edge Nodes (VENs).
Cloud Control Center (CCC) Connectivity
- VE requires outbound internet access to communicate with your CCC instance (TCP port 443).
- Ensure outbound access is not blocked by NSGs, firewalls, or routing constraints.
VEN-to-VE Connectivity
- All VEN-to-VE communication must occur over private IP.
- Protocols between VE and VEN differ between supported hardware integrations, but SSH is required for most deployments.
Common Connectivity Models
Option 1: Site-to-Site VPN
- Connects Azure VNets to on-prem infrastructure using VPN Gateway.
- Routing must support private IP reachability between VE and all VENs.
Option 2: Direct Peering (VNet-to-VNet)
- Use peered VNets or shared VNet architecture to enable private routing.
All VEN-to-VE communication must occur over private IPs.
Validation Steps
After deployment:
- Confirm the VE can reach the CCC over TCP/443
- Ensure VENs can route to VE’s private IP
- Check that return traffic from VE to VENs is permitted and routable
Create the Virtual Edge(s) in Cloud Control Center
Creating the Virtual Edge in Cloud Control Center can be done before or after provisioning in Azure. Virtual Edges can be deployed individually, or deployed in bulk using a spreadsheet upload. See this article for details on bulk creation. The following guide shows creating a single Virtual Edge.
Create a Virtual Edge Group
Virtual Edge Groups are required for provisioning a Virtual Edge. A VE Group acts as an operational container for one or more VEs and their associated VENs. It defines site-level scope and enables high availability and failover between VEs.
For Azure deployments, consider creating a dedicated Virtual Edge Group. All VEs within a group must have routability to the same infrastructure, since they serve as potential failover peers.
To create a Virtual Edge Group:
- Navigate to Virtual Edge Groups in Cloud Control Center.
- Click + Add Virtual Edge Group.
- Provide a name (e.g., "Azure VEs") and optionally assign it to a site.
- Click Save.
Follow this article for more information on Virtual Edge Group creation.
Add a Virtual Edge
- Navigate to Virtual Edges and click + Add a Virtual Edge > Add Single Virtual Edge.
- Select Hypervisor Hosted as the Virtual Edge type.
- Choose the VE Group you created in Step 1. Enter the Private IP Address that will be assigned to the VE during deployment. Enter a hostname and optional description.
- Click Next, review the summary of configurations, then click Finish to complete the provisioning.
The One-Time Password (OTP) generated by CCC is tied to the VE's private IP. Public IP addresses will not authenticate during registration.
Once created, CCC will generate a One-Time Password (OTP) tied to the VE's private IP. This OTP, along with your CCC URL, is required during the registration step. The VE entry will appear in CCC with a status indicating it is not yet connected, and will transition once registration is successful.
Deployment Workflow in Azure
Ensure that a Resource Group is configured for the Virtual Edge(s) prior to deployment.
Gain Access to the Elisity Virtual Edge Appliance
Request the Virtual Edge Appliance to be shared with your Administrative account. You need to provide the Elisity team with your Azure Subscription ID and Azure Tenant (Directory) ID for Elisity to provide access to the marketplace listing. It takes 2-4 business days for access grants to go through the Microsoft process.
If you did not use custom data for automated registration, you can register the VE manually.
After gaining access to the private marketplace listing, create the Virtual Machine. Open the shared marketplace listing and click Create.
Note: An internet gateway is required for the appliance to reach out to Cloud Control Center.
Choose your active Azure subscription and Resource Group, and provide instance details. Make any desired configuration changes (required configurations are immutable), or click Review + Create and make configuration changes post-deployment. It's recommended to configure the Virtual Machine in alignment with the security standards practiced by your organization. SSH access to the VM is required for onboarding.
When creating a new virtual machine (VM) in Azure, SSH key authentication is the recommended method for secure remote access. The Basics tab includes required configurations to set up SSH access properly.
Required Fields
| Field | Description |
|---|---|
| Authentication Type | Select SSH public key for secure access. |
| Username | Enter the non-root username to use for SSH (e.g., elisity). |
| SSH Public Key Source | Choose Generate new key pair if you don't already have one. |
| SSH Key Type | Select between RSA SSH Format (widely supported) or Ed25519 SSH Format (higher security, shorter key). |
| Key Pair Name | Provide a descriptive name for the new key pair (e.g., HC-VE-01_key). |
| Inbound Port Rules | Select Allow selected ports. Then choose SSH (22) under Select inbound ports. (default) |
⚠️ Allowing SSH from all IPs is only recommended for testing. For production deployments, use the Networking tab to restrict access to known IP ranges.
The Virtual Machine settings will be validated by Azure. Review your configurations, then you can proceed with deployment by clicking Create.
Important: The private IP must remain static to ensure stable routing (default).
Automated Deployment via Custom Data
Elisity Virtual Edge supports automated registration using Azure's native custom_data mechanism.
Required Format in the custom_data .txt file:
OTP=<your-one-time-passcode>
CCC_URL=https://<your-cloud-control-center-url>
The file should contain only these two lines. No YAML or cloud-init formatting is required.
When supplied as custom data during VM provisioning, the VE will self-register with Cloud Control Center during first boot. No manual SSH or input is required.
Reference Documentation:
This method is compatible with any provisioning tool or interface that supports Azure's custom_data feature.
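One way to script the custom data step with the Azure CLI, as an added example rather than Elisity's own tooling: it writes the two-line file, rejects anything that is not exactly those two lines, and passes the file to az vm create. The function names, the angle-bracket placeholders (including the image reference, which the page does not give) and the strict no-whitespace check are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Elisity tooling. Angle-bracket values are placeholders.

# Write the two-line custom_data file, rejecting values that would break it.
write_ve_custom_data() {
  local otp="$1" ccc_url="$2" out="$3"
  case "$otp" in
    ""|*[[:space:]]*) echo "OTP is empty or contains whitespace" >&2; return 1 ;;
  esac
  case "$ccc_url" in
    *[[:space:]]*) echo "CCC_URL contains whitespace" >&2; return 1 ;;
    https://?*) ;;
    *) echo "CCC_URL must start with https://" >&2; return 1 ;;
  esac
  # The OTP is a registration secret: a newly created file is owner-readable only.
  ( umask 077 && printf 'OTP=%s\nCCC_URL=%s\n' "$otp" "$ccc_url" > "$out" )
}

# Check that a file holds exactly the two expected lines and nothing else.
# Stray cloud-init/YAML headers, blank lines and CRLF line endings all fail
# (treating CRLF as an error is this example's assumption).
check_ve_custom_data() {
  local f="$1"
  [ "$(grep -c '' "$f")" -eq 2 ] || return 1
  sed -n '1p' "$f" | grep -Eq '^OTP=[^[:space:]]+$' || return 1
  sed -n '2p' "$f" | grep -Eq '^CCC_URL=https://[^[:space:]]+$' || return 1
}

# Create the VM with the file as custom data. Requires a logged-in Azure CLI.
# The private IP must be the one entered for this VE in Cloud Control Center,
# because the OTP is tied to it.
deploy_ve() {
  local file="$1"
  check_ve_custom_data "$file" || { echo "bad custom data: $file" >&2; return 1; }
  az vm create \
    --resource-group "<resource-group>" \
    --name "<ve-hostname>" \
    --image "<elisity-ve-marketplace-image>" \
    --size Standard_F8s_v2 \
    --vnet-name "<vnet>" --subnet "<subnet>" \
    --private-ip-address "<private-ip-entered-in-ccc>" \
    --admin-username elisity \
    --ssh-key-values "<path-to-ssh-public-key>" \
    --custom-data "$file"
}
```

Call write_ve_custom_data with the OTP and CCC URL from Cloud Control Center, then deploy_ve with the resulting file. Delete the file once the VE shows as connected.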
Connecting to the Virtual Edge CLI (Manual Method)
If deploying manually (registering the VE to Cloud Control Center by entering the URL and OTP over SSH), follow these steps:
- SSH into the VE: ssh -i yourprivatekey.pem elisity@<public-ip-address>
- Run the registration command: register
- When prompted, enter:
  - CCC URL (e.g., https://customer.elisity.io)
  - OTP from CCC
Use the VE's private IP when registering. Public IPs will not be accepted by the OTP system.
Reminder: This step can be skipped if using custom_data automation during provisioning.
Verify and Test Connectivity
- Confirm VE appears in Elisity Cloud Control Center (CCC)
- Ensure VE can communicate with proposed Virtual Edge Nodes
- Check routing for private network connectivity
At this point, the Virtual Edge is ready to onboard Virtual Edge Nodes for enforcement.