How to Deploy the Barracuda NG Firewall on Microsoft Azure via PowerShell

For most advanced networking features in the Microsoft Azure Cloud, such as multiple network interfaces or reserved IP addresses for the Cloud Service, you must deploy the Barracuda NG Firewall via PowerShell. You can either enter the commands directly into the Azure PowerShell or combine the commandlets to a custom deployment script. Using a custom PowerShell script allows for rapid deployment and fast recovery in case of failure. The number of network interfaces depends on the Instance size:

  • Small –  One network interface.
  • Medium – One network interface.
  • Large – Up to two network interfaces.
  • Extra Large – Up to four network interfaces.

Microsoft Azure charges apply. For more information, see the Microsoft Azure Pricing Calculator[1].


Example Deployment Script

You can combine the PowerShell commandlets to customize the deployment of your Barracuda NG Firewall in the Microsoft Azure cloud. See below for an example deployment script. This script assumes that you already configured a Regional VNET, Reserved IP (optional) in the Azure cloud, and the Azure Account for Azure PowerShell on your client.

#If needed import Azure PSD file 
#Import-Module "C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Azure.psd"

# Use Default System Proxy 
[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

# Modify the variables below
$vmname = "BNG-MultiNIC"
$RootPassword = "secretpa$$word"
$instanceSize = "Large"
$cloudService = "BNG-CS"
$Location = "North Europe"
$storageAccount ="mystorageaccount"
#Leave empty is no reserved IP is used 
$reservedIPname = ""
$VNetName = "NG-VNET"
$Subnet1 = "Frontend"
$Subnet2 = "Backend" 
$NIC1IP = ""
$NIC2IP = ""
#Enter a VM Image name below to use a custom image. If left empty the latest image from the Azure Marketplace is used. 
$image = ""
$availabilitySetName ="BarracudaNGAVSet" 
$azureSubscriptionName = "Pay-As-You-Go"

function AskYesNo( $title, $question, $YesInfo, $NoInfo ) {
    $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", $YesInfo
    $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", $NoInfo
    $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
    $result = $host.ui.PromptForChoice($title, $question, $options, 0)
    return $result

Write-Host -NoNewLine "This script will create a "
Write-Host -NoNewLine -ForegroundColor yellow "dual-NIC Barracuda NG Firewall"
Write-Host " instance in Azure"
Write-Host ""
Write-Host -NoNewLine "Vnet name: "
Write-Host -ForegroundColor yellow $VNetName
Write-Host -NoNewLine "NIC 1: "
Write-Host -NoNewLine -ForegroundColor yellow "$NIC1IP in $Subnet1"
Write-Host " (management)"
Write-Host -NoNewLine "NIC 2: "
Write-Host -ForegroundColor yellow "$NIC2IP in $Subnet2"
Write-Host -NoNewLine "Azure DC: "
Write-Host -ForegroundColor yellow $Location

if ($reservedIPName -ne "")
    Write-Host "Using the Existing Reserved IP address: $reservedIPName" 

$yesorno = AskYesNo 'Do you want to continue?' $warn 'aborting script' 'using existing VNET' 
    switch ( $yesorno ) {
        0 { "OK! Creating a new Barracuda NG Firewall VM." }
        1 { 
            "Got it :( Please correct variable values in script and rerun."

# Create storage if it doesn't exist yet
if(!(Test-AzureName -Storage $storageAccount))
    Write-Host "Creating Storage Account $storageAccount in $Location"
    New-AzureStorageAccount -StorageAccountName $storageAccount -Location $Location

if ($reservedIPName -ne "") 
$reservedIP = Get-AzureReservedIP -ReservedIPName $reservedIPName
Write-Host "Using Existing Reserved IP!"

# Set storage account as default storage 
Set-AzureSubscription -SubscriptionName $azureSubscriptionName -CurrentStorageAccountName $storageAccount 

# If no explicit image is defined get the latest Barracuda NG Firewall Azure Image available in the Azure Marketplace
if ( $image -eq "")
    $image = Get-AzureVMImage | where { $_.ImageFamily -Match "Barracuda NG Firewall*"} | sort PublishedDate -Descending | select -ExpandProperty ImageName -First 1
    Write-Host "Using Image from Azure Marketplace..."

# Create Azure VM 
$vm1 = New-AzureVMConfig -Name $vmname -InstanceSize $instanceSize -Image $image –AvailabilitySetName $availabilitySetName
Add-AzureProvisioningConfig -Linux -LinuxUser "azureuser" -Password $RootPassword -VM $vm1 -NoSSHEndpoint

# Add Endpoints for 1st NIC of the Barracuda NG Firewall 
Add-AzureEndpoint -Protocol tcp -LocalPort 22 -PublicPort 22 -Name "SSH" -VM $vm1
Add-AzureEndpoint -Protocol tcp -LocalPort 807 -PublicPort 807 -Name "MGMT" -VM $vm1
Add-AzureEndpoint -Protocol tcp -LocalPort 691 -PublicPort 691 -Name "TINATCP" -VM $vm1
Add-AzureEndpoint -Protocol udp -LocalPort 691 -PublicPort 691 -Name "TINAUDP" -VM $vm1
Write-Host "Added Endpoints..."

# Define Subnet and static IP Address for 1st NIC
Set-AzureSubnet -SubnetName $Subnet1 -VM $vm1 
Set-AzureStaticVNetIP -IPAddress $NIC1IP -VM $vm1 
Write-Host "Configured First NIC..."

# Add Additional NICS 
Add-AzureNetworkInterfaceConfig -Name "NIC2" -SubnetName $Subnet2 -StaticVNetIPAddress $NIC2IP -VM $vm1 
Write-Host "Added Second NIC..."

# Create Barracuda NG Firewall VM 
if ($reservedIPName -eq "") 
    New-AzureVM -ServiceName $cloudService -VM $vm1 -Location $Location -VNetName $VNetName 
    Write-Host "Creating VM without Reserved IP Address..."
    New-AzureVM -ServiceName $cloudService -VM $vm1 -ReservedIPName $reservedIPName -Location $Location -VNetName $VNetName 
    Write-Host "Creating VM with Reserved IP Address $reservedIPName... "
Write-Host "Script is done. Creating the Virtual Machine can take a while. Have a cup of coffee! Use Barracuda NG Admin to login to $ user: root, password: $RootPassword)"


In this article

Before You Begin

  • Create a Microsoft Azure account[2].
  • Download and install the latest version of Azure PowerShell[3].
  • Purchase a Barracuda NG Azure license or get a Barracuda NG Azure license from the Barracuda Networks Evaluation page[4]:
    1. From the Select a Product list, select Barracuda NG Firewall Azure under the Public Cloud Solutionscategory.
    2. From the Select Edition list, select the Level that you want. Azure Level 3 or 4 required for multi-NIC Deployments
    3. Complete and submit the rest of the form. You will receive an email containing your serial number and license token.

Step 1. Configure your Azure PowerShell to use your Azure Account

Import the Azure Subscription file, to associate Azure PowerShell with your Azure account.

  1. Open an Azure PowerShell.
  2. To download your publishsettingsfile, enter:
    1. GetAzurePublishSettingsFile
  3. The download popup of your browser opens. Save the file.
  4. Import the publishsettingsfile by entering:
    1. ImportAzurePublishSettingsFile PATH_TO_FILE
  5. Check your subscription by entering. If CurrentStorageAccountName is set, make sure that the storage account is in the same location you want to create the VM in.
    1. GetAzureSubscription


Step 2. Create an Azure Regional Virtual Network

You must use a Regional VNet to deploy the Barracuda NG Firewall. Older Affinitygroup-based VNets are not compatible with reserved static IP addresses, static internal IP addresses, Public IP Addresses (PIP), or multiple network interfaces. Configuration information of the VNet is stored in an XML file and then deployed in the Azure Cloud via PowerShell commandlet. An example vmnet.xml with 2 subnet:

<NetworkConfiguration xmlns="">
      <VirtualNetworkSite name="NEVNET" Location="North Europe">
          <Subnet name="Frontend">
          <Subnet name="Backend">
  1. Open the Azure PowerShell.
  2. If VNets already exist, export the existing Virtual Networks to a xml file
    1. GetAzureVNetConfig ExportToFile c:\azure\vmnet.xml
  3. Edit the vnet.xml file and enter the configuration for your VIRTUALNETWORKSITE. Use the example file above as a guideline. If you are using multiple network interfaces, create one subnet per network interface.
  4. Upload the VNet configuration file:
    1. SetAzureVNetConfig ConfigurationPath PATHTOYOURVNETXMLFILE

The virtual network is now listed in VIRTUAL NETWORKS in the web UI, via PowerShell:

  1. GetAzureVNetSite VNetName “YOUR VNET NAME”


Step 3. (optional) Use Reserved IP for the Azure Cloud Service

To avoid the difficulty of changing IP address when redeploying your Cloud Service, you can reserve a public IP address and assign it when creating a cloud service. This IP address persists even when the cloud service that it is assigned to is deleted.

Create a Reserved IP address (RIP).

  1. NewAzureReservedIP ReservedIPName “RIP NAME” Label “NG Firewall IP” Location “YOUR LOCATION”

Step 4. Create Storage Account

  1. Create a Storage Account and set it as the default storage account.
    1. NewAzureStorageAccount StorageAccountName “STORAGEACCOUNT NAME” Location “YOUR LOCATION”
  2. Use the storage account as the default storage account for this Azure subscription.
    1. SetAzureSubscription SubscriptionName “YOUR AZURE SUBSCRIPTION NAME” CurrentStorageAccountName “STORAGEACCOUNT NAME”
  3. Verify that you are using the correct storage account:
    1. GetAzureSubscription


Step 5. Barracuda NG Firewall Image

You can either create your own image from a VHD file you have uploaded to the storage account, or use the Barracuda NG Firewall image from the Azure Marketplace.

Get ID of the Barracuda NG Firewall image from the Azure Marketplace (Recommended)

To deploy the VM image of the Barracuda NG Firewall from the Azure Gallery, you need to find the exact image name. E.g., for 5.4.3 the image name is: 810d5f35ce8748c686feabed1344911c__BarracudaNGFirewall-5.4.3-182-pl4. The Azure image name changes every time the image in the Azure Gallery is updated.

  1. Open an Azure PowerShell.
  2. Get a list of all available Azure images in the Azure Gallery and only show the ones for the Barracuda NG Firewall and store the image name in a variable. E.g., $image
    1. $image = GetAzureVMImage | where { $_.ImageFamily Match “Barracuda NG Firewall*”} | sort PublishedDate Descending | select ExpandProperty ImageName First 1
Upload a VHD Disk Image and Create the Virtual Machine (Alternative)

If you want to deploy a version of the Barracuda NG Firewall that is not available in the Azure Marketplace, or want to be certain to always deploy the exact same firmware version of the Barracuda NG Firewall, upload a VHD disk image and create your own Virtual Machine.

  1. Download the VHD file from[5].
  2. Create a new Azure Storage Container.
    New-AzureStorageContainer -Name <name of storage container>

    1. NewAzureStorageContainer Name “images”
  3. Upload the VHD to the Azure storage account.
    Add-AzureVhd -Destination <storage account URL>/<storage container name>/filename.vhd -LocalFilePath -NumberOfUploaderThreads 4

    1. AddAzureVhd Destination -LocalFilePath c:\Azure\GWAY-6.0.0-190.vhd -NumberOfUploaderThreads 4

    Depending on your connection, uploading the disk image might take a long time.

  4. Create a Virtual Machine from the VHD disk image and save the Virtual Machine in a variable so it can be used as a parameter later:
    1. $vmimage = AddAzureVMImage ImageName IMAGE_NAME MediaLocation STORAGE_ACCOUNT_URL/CONTAINER/VHD_DISK_IMAGE_FILE.vhd Label YOUR_LABEL OS “Linux”
    2. $image = $vmimage.ImageName

Step 6. Create and Provision the Azure Configuration for the new Barracuda NG Firewall Virtual Machine

Create the configuration for the new Azure Virtual Machine by defining VM size, the VM image created in step 4, and the Availability Set. If you want to use multiple Network interfaces, you must use a Large or  Extra Large Instance. LargeInstances support two Network Interfaces, Extra Large Instances four Network Interfaces. The LinuxUser parameter is ignored, and the password set is used for the root user on the Barracuda NG Firewall.

  1. $vm1 = NewAzureVMConfig Name “VMNAME” InstanceSize $instanceSize Image $image AvailabilitySetName “NGHACluster”
  2. AddAzureProvisioningConfig Linux LinuxUser “azureuser” Password “SUPERSECRETPASSWORD” VM $vm1 NoSSHEndpoint

Step 7. (optional) Add Endpoints

Add Endpoints for SSH, NG Admin, and all services (e.g., VPN, SSL VPN,..) running on the Barracuda NG Firewall. You can also add Endpoints later.

  1. AddAzureEndpoint Protocol tcp LocalPort 22 PublicPort 22 Name “SSH” VM $vm1
  2. AddAzureEndpoint Protocol tcp LocalPort 807 PublicPort 807 Name “MGMT” VM $vm1
  3. AddAzureEndpoint Protocol tcp LocalPort 691 PublicPort 691 Name “TINAVPN” VM $vm1

Step 8. Assign the Subnet and a Static IP Address to the First Network Interface

You need to assign the subnet in the VNET to the first Network Interface of the Azure Instance. Note that you can define Endpoints only for the first Network Interface of a VM.

  1. Before you assign a static IP address to the VM, check to see if the IP address is available or already in use by another VM
    1. TestAzureStaticVNetIP VNetName “VNET NAME” IPAddress “FRONTEND STATIC IP”
  2. Assign the subnet and
    1. SetAzureSubnet SubnetName “FRONTEND SUBNET NAME” VM $vm1
    2. SetAzureStaticVNetIP IPAddress “FRONTEND STATIC IP” VM $vm1

Step 9. (optional) Add Additional Network Interfaces

Depending on the Azure Instance size, add one or two additional Network Interfaces to your VM. Each Network Interface is assigned a static IP address in their Subnet. You can only use one Network Interface per Subnet.

Limitations of Multiple Network Interfaces in the Azure Public Cloud

  • Multiple NIC is supported on Large and Extra Large Azure VMs. VMs must be in a location-based Azure Virtual Network.
  • Adding or removing NICs after a VM is created is not possible.
  • NICs in Azure VMs cannot act as Layer 3 gateways.
  • Internet-facing VIP RIP is only supported on the first default NIC, and there is only one VIP mapped to the IP of the default NIC. The additional NICs cannot be used in a Load Balance set.
  • The order of the NICs inside the VM will be random, but the IP addresses and the corresponding MACs will remain the same.
  • You cannot apply Network Security Groups or Forced Tunneling to the non-default NICs.
  1. Check if the desired IP address is available:
    1. TestAzureStaticVNET VNetName “VNET NAME” IPAddress “BACKEND STATIC IP”
  2. Add a second Network Interface:
    1. AddAzureNetworkInterfaceConfig Name “NIC2” SubnetName “BACKEND SUBNET NAME” StaticVNetIPAddress “BACKEND STATIC IP” VM $vm1
  3. If you are using an Extra Large Instance, you can add two additional Network Interfaces (four total).

Step 10. Create the Barracuda NG Virtual Machine

You can now create the Barracuda NG Firewall virtual machine.

With a Reserved IP Address:
  1. NewAzureVM ServiceName “CLOUD SERVICE NAME” VM $vm1 ReservedIPName “RESERVED IP NAME” Location “YOUR LOCATION” VNetName “VNET NAME”
Without a Reserved IP Address:
  1. NewAzureVM ServiceName “CLOUD SERVICE NAME” VM $vm1 Location “North Europe” VNetName “VNET NAME”

Step 11. Configure Barracuda NG Admin

You must use the latest version of Barracuda NG Admin to connect to your Barracuda NG Firewall Azure.

You must use Single Point of Entry (SPoE) to connect to the Barracuda NG Firewall in the Azure cloud. SPoE is enabled per default.

  1. Launch NG Admin.
  2. In the upper left-hand corner, click Option and Settings.
  3. Select the check box for SPoE as default.

Next Steps