5 Steps to Launch VNS3 in Azure (in under 10 min!)

We’ve seen a huge uptick in new Azure cloud users. Clearly, more people are trying out Azure and realize they need more connectivity and flexibility. VNS3 is here to help!

But, if you’ve not set up an Azure Vnet with Security Groups before, it might seem overwhelming. That’s why we’ve redesigned our Azure guide to jump directly into deploying VNS3 and setting up the Azure services along the way. This route is actually faster than an VNS3 deployment in AWS – but don’t tell them we told you!

See it for yourself in our Azure guides on YouTube 

First, a note on addressing: Don’t Overlap Addresses!

Virtual Networks (Vnets) provide an isolated address space within the Azure cloud where you run your VMs. Virtual Networks allow you to define address spaces, and associated Network Security Groups allow control of access control policies via the hypervisor firewall. We highly recommend creating a new, separate Virtual Network Subnet for the VNS3 Controllers that is different from the subnet or subnets defined for the application VMs.

The Azure subnets you configure CANNOT overlap with the VNS3 networks you create during configuration.

We recommends configuring a small subnet at the top of the Virtual Network range for the VNS3 Controller(s). You can logically segment the lower part of the subnet for your application VMs in a single subnet or multiple subnets per VM role (e.g. web server, app server, db, etc.) See the diagram for how we will segment our /24 (255 addresses) Azure Virtual Network for this example deployment.

Azure VLAN ranges with VNS3

Launch VNS3 VM from Azure Marketplace

Select your VNS3 Image


VNS3 Free and Lite Edition virtual machine images are available in the Azure Marketplace. From the VNS3 page, click Get it Now.  From the popup, select the VNS3 Edition and click Continue.  You’ll be redirected to the Azure Portal.

Launch VNS3 in Azure Marketplace

From the Azure Portal, you can search for VNS3 in all Marketplace offerings.

azure launch vns3

Either way you choose, you’ll see the VNS3 information page in the Portal. Make sure to launch in the Resource Manager (not Classic). Click Create.

Step 1 – Configure Basics

In Basics window pane, name your VNS3 VM. FYI, spaces are not allowed, so use hyphens to separate the words of an instance name.

Choose Standard (HDD) or Premium (SSD) disk type. This is impact your size and storage costs on Azure. We recommend HDD.

Even though VNS3 does not allow SSH access, you still have to create a username and password in Azure. Cohesive Networks does not provide shell access to customers for VNS3 appliances. These entries are required, but will not be used.

In this step you can select or create a Resource Group for your deployment. We recommend a new Resource Group to better organize and launch your VNS3 applications in Azure.

Select your Location (aka region).

Click OK.

Basics in VNS3 Azure launch

Step 2 – Configure Size

On the resulting Size window pane, choose your disk size.

VNS3 should have at least one core and 1.5GB of memory, so the “A2 Basic” instance type is a good place to start.[2]

Click Select.

Step 3 – Configure Settings

On the resulting Settings widow pane, configure the settings for the VM.

Under Storage, choose managed disk or self-managed disk. Choose No to manage storage yourself and either select existing storage or create a new storage account. We recommend Standard (HDD) storage.

Under Network, create a new Virtual Network. In the resulting window pane enter a name, address space (CIDR notation), subnet name, and subnet address space. Click Ok.[3]

In this example we follow this addressing scheme:

  • Virtual network address space:
  • Subnet address space:

Under Network, the Subnet should automatically update.

Under Network, create a Network Security Group.[4]
Add the following inbound rules for basic VNS3 functionality:

  • TCP port 8000 either from Source: Internet or from the IP you will be using to access the UI
  • UDP 1194 from the devices you will be adding to the Overlay (likely the Virtual Network as the source)
  • UDP 500 from the IPs of devices you will be connecting to via IPSec VPN
  • UDP 4500 (NAT-Traversal) or Any Protocol (native IPsec) from the IPs of the devices you will be connecting to via IPSec VPN

Click OK.

Keep Default Outbound security rules set to allow all. Cohesive Networks recommends leaving this setting during implementation. You can always revisit to lock down the traffic per your use-case once the initial deployment is up and tested.

Under Network, create a static public IP address. Create a new public IP addresses, enter a name, select static. Click OK.

Click OK on Configure Settings.

Step 4 – Summary

Review the settings on the Summary page. Click OK.

Step 5 – Buy

Review the Purchase price and details on the resulting Purchase window pane. Click Purchase.

That’s it! 

See the Quick Start guide for Azure on our Documentation page here. 

Plus you can get through all these steps in under 10 minutes. Don’t believe me? Watch it:

[1] Need access to a private unlicensed VNS3 VM? contact our support team.

[2] Depending on need, VNS3 can be run as a very large disk to provide more throughput for the virtual network, site-to-site connections, firewall rules, or other network functions. If throughput is a big priority for you, get in touch with support for tips on how to maximize VNS3 speeds on Azure.

[3] You can add other subnets to the Virtual network after creation. For more customized networking set up in Azure, see our full Azure documentation. 

[4] Azure network security groups allow you to build access control lists (ACLs) that are enforced at the Azure hypervisor firewall. These ACLs control access into and out of your Azure VMs. Network security groups can be associated with subnets or individual network interface cards (NICs) that are running on individual VMs.
Network security rules are processes in priority order. The lower the number the higher the priority. Default inbound rules include a Deny all traffic from anywhere to anywhere (essentially deny all) with the highest number (lowest priority). With that rule in place, you will need to include specific rules to allow inbound traffic per your use-case, as any traffic that does not match a specific Allow rule will be denied.
In this example we associate a VNS3 controller network security group with the VNS3 controller subnet previously created. If you do not plan on segmenting out the VNS3 controllers into their own Azure network subnet, associate the network security group with the NIC running on the VNS3 controller during the launch steps covered later.

By: Margaret Valtierra