™

CLOUD GATEWAY
TECHNICAL GUIDE
TABLE OF CONTENTS
INTRODUCTION ......................................................................................................................................4
1 Why Cloud Gateway? ...............................................................................................................4
2 Why us? ....................................................................................................................................4
3 Telstra Cloud Gateway overview ..............................................................................................4
4 Network connectivity and bandwidth tiers .................................................................................6
5 Cloud service and data storage providers and locations ..........................................................7
ACCESS CONTROL LIST (ACL) .............................................................................................................8
CLOUD GATEWAY CONNECTIONS ......................................................................................................9
6 Amazon Web Services (AWS) Cloud Gateway connection ......................................................9
AWS connection via private peering .................................................................................... 9
AWS connection via public peering .................................................................................... 13
7 Microsoft Azure Cloud Gateway connection .......................................................................... 16
Azure connection via private peering ................................................................................. 18
Azure connection via Public Peering (Legacy services only) .............................................. 20
Azure connection via Microsoft peering.............................................................................. 20
8 VMware vCloud Air Cloud Gateway connection .................................................................... 23
9 IBM Cloud Gateway connection ............................................................................................. 25
10 Telstra Cloud Infrastructure Cloud Gateway connection ....................................................... 27
11 Virtual Storage (powered by NetApp) Cloud Gateway connection ........................................ 29
TECHNICAL SPECIFICATIONS ........................................................................................................... 31
12 End-to-end network architecture ............................................................................................ 31
13 Bandwidth management ........................................................................................................ 32
14 Service modifications (moves, adds and changes) ............................................................... 32
15 Security .................................................................................................................................. 33
16 IP routing protocols ................................................................................................................ 33
17 VLAN trunking ........................................................................................................................ 35
18 Source Network Address Translation (SNAT) ....................................................................... 36
SNAT at customer site ....................................................................................................... 36
SNAT at Telstra Cloud Gateway ........................................................................................ 38
19 Destination Network Address Translation (DNAT)................................................................. 39
20 Service availability target ....................................................................................................... 39
21 Latency performance objectives ............................................................................................ 40
22 24x7 technical support ........................................................................................................... 40
23 Customer reporting ................................................................................................................ 40
CUSTOMER PORTALS ........................................................................................................................ 41
APPENDIX 1: MICROSOFT PEERING SAMPLE CONFIG .................................................................. 42
APPENDIX 2: GLOSSARY.................................................................................................................... 52

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 2 of 52

WELCOME TO CLOUD GATEWAY™
For sales, account set-up enquiries and technical support, contact your Telstra representative or choose
from our other support options.

You can access Cloud Gateway directly here or via Telstra’s Cloud Services Portal (either way, you’ll
need your login details).

Cloud Gateway™ Technical Guide, Version 4.0

© Telstra Corporation Limited (ABN 33 051 775 556) 2017. All rights reserved.

This work is confidential to Telstra and copyright. Apart from any use as permitted under the Copyright Act 1968,
information contained within this manual cannot be used for any other purpose other than the purpose for which
it was released. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the written
permission of Telstra Corporation Limited.
Words mentioned in this book that are known to be trademarks, whether registered or unregistered, have been
capitalised or use initial capitals. Terms identified as trademarks include Microsoft ® , IBM Cloud ® , vCloud ® Air™ and
NetApp ® .

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 3 of 52

INTRODUCTION
1 Why Cloud Gateway?

As you adopt more cloud services, your networking infrastructure becomes a vital link between the cloud
and your business. As a result, it can significantly impact your business performance and end-user
application experience.

Within your cloud environment, it’s essential to have access to secure and reliable high-bandwidth private
connectivity. This will enable you to achieve the levels of security, quality of service, latency and
performance required for business-critical workloads and applications. Furthermore, if you require support
for a hybrid and multicloud strategy, it won’t be enough to have simple point-to-point connectivity from your
premises. You’ll need an agile, flexible and cost-efficient way to connect to your hybrid and multicloud
deployments.

Telstra’s Cloud Gateway service has been carefully developed to meet these needs. It delivers connectivity
to your cloud environments though a private connection, is extremely secure and reliable, and gives you
dedicated high-speed access to your cloud deployments. You’ll get one simple connection from your Telstra
virtual private network (VPN) so you can seamlessly connect to a range of compatible cloud and storage
providers.

2 Why us?

National public
We provide one of the largest national coverages with our IP VPN network,
cloud access for
enabling you to connect your locations/branches and providing them with access
your
to compatible public clouds from multiple locations.
locations/branches

Low latency and

Telstra Cloud Gateway provides you with private connectivity between our IP VPN
secure access to
network and public clouds – enabling low latency and secure access.
public clouds

Access to a range Cloud Gateway provides you with the flexibility of connecting to multiple cloud
of clouds through providers and sharing resources across them – enabling smooth transition towards
one connection many cloud adoption strategies.

3 Telstra Cloud Gateway overview

We’ll provide you with a simple one-stop solution for private, secure and reliable connectivity from your

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 4 of 52

Telstra IP VPN into a range of cloud providers. You’ll be able to enjoy a seamless experience with a scalable
and flexible approach.

Need to connect to multiple clouds, or adopt a hybrid cloud strategy? With this solution, it couldn’t be easier.
Simply choose your bandwidth allocation to individual cloud connections, and then adjust them according
to your workloads – with plenty of room for future business growth.

A seamless end-to-end solution that includes:

 An online portal for connection and management
For one or multiple cloud connections from your wide area network (using the
Telstra IP network/Layer 3 IP VPN)
 Single point of contact for your Cloud Gateway service
For service provisioning and assurance; including data carriage from your IP VPN; cross
connects in respective data centres; activation of direct connectivity; configuration and support.
 Connect to a wide range clouds
Whether purchased through Telstra, or directly from the respective cloud providers including:
Amazon Web Services® (AWS), Microsoft Azure/Office 365®, vCloud Air® and IBM Cloud.
 Wide range of available bandwidth options
You can easily change allocation of bandwidth for individual cloud connections, as required.
 Monthly (pay as you go) or fixed-term pricing options
Ask our team about discounts for once-off installs and monthly recurring charges.
 Upfront deterministic charges
With unlimited usage of data volume options providing ease of budgeting and control of cloud
spend.
 Superior SLAs

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 5 of 52

 High availability and geographical redundancy options (where supported by the cloud provider).
 Access Control List (ACL) – optional add-on
Create a set of routing rules to permit or deny traffic between your Telstra IP network and Cloud
Gateway connection(s), and between cloud services.
 Consulting services – optional
Our experts can help you establish and manage your cloud account. We can also design and
implement customised routing.

4 Network connectivity and bandwidth tiers

Cloud Gateway provides Layer 3 (IP VPN or using the Telstra IP network) connectivity from your wide
area network. You’ll be able to connect to cloud data centres available in Sydney and Melbourne for the
same Cloud Gateway connection. Layer 3 is a national service and offers high availability and excellent
geo-redundancy.

You can choose from a range of bandwidth tiers from 10Mbps to 10Gbps to suit your requirements.
This will be your selected bandwidth tier for all clouds connected through your Telstra Cloud Gateway.

Bandwidth tiers
(Aggregate bandwidth for all clouds connected through your Cloud Gateway)

Layer 3
Cloud 10M 50M 100M 200M 300M 400M 500M 700M 1G 2G 3G 5G 7G 10G
Gateway

Your bandwidth tier and charges for Layer-3 Cloud Gateway are independent of location, i.e. once you
specify the bandwidth tier for the gateway – you can then allocate that bandwidth across supported
cloud providers in either Sydney or Melbourne. You can be assured that total allocated bandwidth
across Clouds can’t exceed Cloud Gateway bandwidth (for your peace of mind, we don’t oversubscribe
these connections).
Please bear in mind that your bandwidth tier is specific to your provider for each cloud. You can group
all your clouds purchased from us into one tier – but you’ll need another separate tier for clouds
purchased from other providers.
For example, if your chosen clouds are:

Cloud Bandwidth Purchased from

Microsoft Azure 100M Telstra

vCloud Air 100M Telstra

AWS 100M AWS

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 6 of 52

You’ll need to purchase:

Cloud Gateway Bandwidth tier For

Telstra cloud bandwidth tier 200M Clouds purchased from Telstra

Non Telstra cloud bandwidth tier 100M Clouds purchased from other
providers

5 Cloud service and data storage providers and locations

Cloud Gateway supports connectivity to the following cloud service and data storage providers. You can
buy your cloud services through us or directly from the providers.
We’ll configure your cloud connections according to speeds supported by their respective providers, as
follows:

Virtual
Amazon Microsoft Virtual
Server
Web Azure and IBM Cloud VMware Storage
(Dedicated)
Services Office 365 (NetApp)
Gen2

Data centre - Sydney Sydney Sydney Melbourne Melbourne Sydney

location A

Data centre Sydney Melbourne Melbourne N/A Sydney Melbourne

- location B

Supported  50Mbit/s  50Mbit/s  10Mbit/s  10Mbit/s  10Mbit/s  10Mbit/s

bandwidth
options  100 Mbit/s  100 Mbit/s  50Mbit/s  50 Mbit/s  50Mbit/s  50Mbit/s

 200Mbit/s  200 Mbit/s  100Mbit/s  100 Mbit/s  100 Mbit/s  100Mbit/s

 300Mbit/s  500 Mbit/s  500Mbit/s  500 Mbit/s  500 Mbit/s  500Mbit/s

 400Mbit/s  1Gbit/s  1Gbit/s  1Gbit/s  1Gbit/s  1Gbit/s

 500Mbit/s

Your choice of bandwidth options for interconnection to individual cloud and data storage providers will
depend on your services or applications being used within that cloud environment. You’re responsible for
determining the right bandwidth option for your individual cloud services.
Amazon Web Services
 Sydney data centre - Equinix
 Sydney data centre – Global Switch
 Note: once your network is connected via the AWS Direct Connect service, you’ll have access to

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 7 of 52

 services in all availability zones (AZs) within the geographical region.
Microsoft Azure, including Office 365
 Sydney / Australia east data centre
 Melbourne / Australia southeast data centre
 Geo-redundancy across Sydney and Melbourne is available
VMWare vCloudAir
 Melbourne data centre
IBM Cloud
 Sydney data centre, SYD02
 Melbourne data centre, MEL02
Virtual Storage (NetApp)
 Melbourne data centre
 Sydney data centre
Virtual Server (Dedicated) Gen2
 Melbourne data centre
 Sydney data centre

ACCESS CONTROL LIST (ACL)

An Access Control List (ACL) lets you create a set of routing rules to permit or deny traffic between your
Telstra IP network and Cloud Gateway connection(s).
You can also filter traffic from cloud service to cloud service e.g. if you have Microsoft Azure and AWS
cloud connections, you can prevent certain addresses in one cloud service from accessing workloads in
the other.
While ACL lets you filter traffic in either or both directions, it does not replace the functionality provided
by a firewall.

Having an ACL(s) is an optional add-on in Cloud Gateway. To access this feature, you need to
purchase and enable it before configuration can occur.
Once you’ve added an ACL subscription(s), you can add your requirements and apply these to any of
your active Cloud Gateway connections.
Each ACL can have between 1-100 rules (row entries).
Note: There are no subnet or IP address limitations or exclusions for use of the ACL feature, so it’s
important that whoever completes your rule table(s) has a clear understanding of what is hosted in your
IP VPN network and Cloud Gateway connections (cloud providers) – the data added to the rule table
will be used to build the ACLs (egress and ingress).
An ACL can be deployed for the following Cloud Gateway connections:

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 8 of 52

 Availability
Type Description AWS Microsoft VMware IBM Cloud Virtual Virtual
Azure vCloud Storage Server
Air (Dedicated)
Gen2

Access You can deploy ACL with a Cloud Gateway      

Control connection when you add the ACL feature in
List the Cloud Gateway management console.

You can also create/modify/delete the ACL in

this console.

CLOUD GATEWAY CONNECTIONS

6 Amazon Web Services (AWS) Cloud Gateway connection

If you’re a Telstra IP VPN customer, your Cloud Gateway connection for Amazon Web Services (AWS),
provides you with direct connections to AWS. In addition, Telstra Cloud Gateway routers will also peer
with AWS devices on your behalf.

How direct AWS connection works

Your services hosted in AWS will be available to your VPN users as follows:
High availability
connections

Telstra IP VPN Telstra Cloud Amazon Web

Your site
service Gateway Services

Cloud Gateway AWS Direct Connect devices

Edge Routers

You can configure public, private (or both) peering options depending on the AWS services you use.
Please note: public and private peering services are discrete services from AWS, and connections from
Cloud Gateway need to be established separately.

AWS connection via private peering

An example of a private AWS service is EC2 (Elastic Cloud Computing) – also known as virtual private
interface. In this service, you’ll provide two lots of /31 subnet blocks. Each /31 block is then used to
provide used to configure each peering pair.
This diagram shows the private connection model:

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 9 of 52

 802.1Q trunk

PRIVATE AWS

Telstra IP
AWS private services: e.g.
VPN
EC2
service 802.1Q trunk

PRIVATE AWS

Telstra Cloud Gateway AWS Direct AWS availability zone

Connect (Sydney)
Sydney Equinix
For this service, you’ll need:

 An IP VPN service (ideally with your premises or sites connected to the IP VPN), should be in
place with an allocated and known Telstra Full National Number (FNN).
 An AWS Direct Connect purchased and established by you.
 One /30 network for interconnect addressing. This is subnetted into two /31 blocks of IPv4
addresses and must be unique across your sites; IP VPN and AWS service for AWS Private
Service. Public or private IP addressing can be used to establish BGP peering, but typically you
should provide private IP addressing for a Virtual Private Interface.
 No BGP ASN is required from you for peering with Amazon, as we’re providing a Direct Connect
Service connection and will use private ASNs 65530 and 65422 (Australia East)
 Once provisioned, any sites must have routing configuration enabled to receive routing
information about AWS IP subnets
Key steps and responsibilities:

# Stage Activity Responsibility

1 Prerequisite Established AWS tenancy with Direct Connect Customer

2 Prerequisite Provide /30 I.P subnet block for interconnect subnet Customer

3 Prerequisite Provide Telstra IP network FNN and account ID Customer

4 Prerequisite Choose route summarisation mechanism Customer

5 Prerequisite Design VPC addressing scheme Customer

6 Prerequisite Complete online Cloud Gateway order form Customer

7 Setup Provision Cloud Gateway connection Telstra

8 Setup Send email with instructions to complete connection at AWS portal Telstra

9 Post setup Configure Virtual Private Gateway (VPG) Customer

10 Post setup Configure Virtual Private Cloud (VPC) Customer

11 Post setup Link VPG to VPC Customer

12 Post setup Test end-to-end connectivity from Telstra IP network to AWS Customer

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 10 of 52

Example:

192.168.1.1 / 31 VLAN-22 192.168.1.2 / 31

PRIVATE PRIVATE

Telstra Cloud Amazon AWS

Gateway Direct Connect

192.168.1.3 / 31 VLAN-22 192.168.1.4 / 31

PRIVATE PRIVATE

Rules and limitations:

 Private peering may use either private or public IPv4 addresses, which you’re to provide.
 Each BGP peer has a limit of 100 routing entries (i.e.100 entries for the private peering)
 To minimise the number of entries advertised, you can summarise a contiguous block of
addresses – thus two contiguous blocks of /28 could be super-netted to become one /27 within
the Telstra IP network, to reduce the number of prefixes in the table.
 In addition, for the private address (RFC1918) blocks, there is also the possibility of advertising
the blocks themselves. Thus:
o 10.0.0.0 / 8
o 172.16.0.0 / 12
o 192.168.0.0 / 16
 The prefixes not covered by the above are then advertised individually or where possible, in a
summarised block – taking care to keep the total number of prefixes to be below 100.
 Identical routes must be advertised from both sides across multiple circuit pairs belonging to the
same customer.
 As BGP is utilised between the cloud edge and AWS, BGP outputs will show prefixes with the
follow ASNs in the AS Path: 65530, 65422 and 7224. If existing networks running BGP are using
these ASNs, routes may not be accepted without additional configuration.
 IP addresses must not overlap with these ranges: 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32

Routes that cannot be advertised from your cloud tenancy to the Telstra IP network:
The following three RFC 1918 summary routes may not be advertised from your cloud tenancy into your
Telstra IP network.

If your cloud tenancy advertises these summary ranges towards the Telstra IP network they will be
filtered out by Telstra’s Cloud Gateway.

 10.0.0.0/8

 172.16.0.0/12

 192.168.0.0/16

Any subset or supernet of these summary routes can be advertised. For example:

 You can advertise 192.168.0.0/17 and 192.168.128.0/17 from your cloud tenancy towards the
Telstra IP network instead of 192.168.0.0/16.

 You can advertise 172.16.0.0/13 and 172.24.0.0/13 instead of 172.16.0.0/12.

 You can advertise 10.0.0.0/9 and 10.128.0.0/9 instead of 10.0.0.0/8.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 11 of 52

Route summarisation:

 AWS routing tables have a 100-route limit per Virtual Private Cloud (VPC), as documented by
Amazon at http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Please note if you also establish AWS Public peering, your route limit maybe affected. Please
check with your network designer.

 So you can limit the number of routes advertised into your VPC on your virtual private interface,
we give you the following options when provisioning your Cloud Gateway service:

Types of route summarisation

RFC1918 Telstra’s IP network service RFC1918 route summarisation: summarises all private
(with public IP routes into three summary routes as follows:
addresses) 10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Routes that don’t fall into these ranges are not summarised and will be advertised into
your Virtual Private Cloud (VPC) without change. If you have more than 97 non-RFC
1918 VPN routes, then BGP peering will not establish to your AWS VPC. This limit is
imposed by AWS.

You’re free to use RFC 1918 address space inside your Amazon VPC. RFC 1918.
Route summarisation is only performed in the outbound direction (from your Telstra IP
network service in the direction of your AWS cloud services). Subsets of these
RFC1918 ranges can still be configured in AWS and advertised into your Telstra IP
network service VPN.

This is the default configuration we recommend for establishing BGP peering to your
AWS VPC (if you primarily use RFC1918 addressing within your Telstra IP network
service).

Choosing this option will also suppress the default route (0.0.0.0/0) from being
advertised from your Telstra IP network service to your AWS cloud services. This will
allow you to use the AWS internet gateway for internet bound traffic from your AWS
cloud services while also routing traffic destined for your Telstra IP network service via
your AWS Virtual Private Interface.

If you wish to advertise a default route (0.0.0.0/0) from your Telstra IP network service
into your AWS cloud services, then it’s best to choose ‘Default Route Summarisation’

RFC1918 Similar to above option except that public IP routes are not advertised through the
(No public IP peering. This is applicable for customers who have large numbers of both public and
addresses) private routes in their BGP routing table.
Summarises all 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 routes into three
summary routes.

Default route Default route summarisation: only advertises a default route from your Telstra IP
summarisation network service to your AWS VPC, so all traffic from your VPC will be routed back into
your VPN.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 12 of 52

 Types of route summarisation

Please refer to documentation on AWS’ route tables if you intend on using the AWS
internet gateway in conjunction with this option.

No route No route summarisation is performed and all routes from your VPN will be advertised
summarisation into your VPC. Only choose this if you’re sure that there are less than 100 routes in your
VPN.

AWS connection via public peering

As AWS public Peering requires SNAT of all traffic to public IP addressing Telstra’s recommended
approach is to use AWS Private Link / VPC Endpoint Services if possible to expose the AWS Public
Services you wish to consume via Direct connect to your VPC. In this way you can access AWS Public
Services via Private Peering with requirement for on premise SNAT.
As AWS via Public Peering does not accept traffic from Private RFC1918 IP addresses, Telstra
recommends that you do not attempt to provision AWS Public Peering into an existing Telstra IPVPN that
contains RFC1918 private IP addresses.
Telstra recommends that AWS Public Peering should be connected to a dedicated DMZ/Extranet VPN
(i.e. a separate IP VPN that contains public IP addressing only) which is connected to your perimeter
firewall. Telstra recommends this due to the complexity involved in configuring and managing Source
Network Address Translation (SNAT) in an existing IP VPN I.e. this is due to the default routing behaviour
to transmit all traffic directly from source IP to destination IP, without traversing an intermediary device
performing SNAT. If you allow your IP VPN with RFC1918 private IP addressing to communicate directly
with public routes advertised by AWS Public Peering, connectivity to those public networks will fail resulting
in potential loss of AWS services.

AWS public and private peering are discrete connections that need to be ordered and configured
separately. An example of an AWS public service is S3 (Simple Storage Service). In the AWS console
you will need to configure two Public Virtual Interfaces. To provision this service, you’ll need to have at
least one public /29. This /29 will be broken down as follows
 One /30 is used to establish BGP Peering. This /30 is subnetted into two /31 networks by Telstra
to create a HA pair of connections between your Telstra IPVPN and AWS for Public Peering
traffic.
 One /30 is advertised to AWS as the source IP range for customer traffic. This is known as the
Advertised Public Prefix.

This diagram shows the public peering connection model:

802.1Q trunk

PUBLIC AWS

Telstra
AWS public services: e.g. S3
IPVPN
Service 802.1Q trunk

PUBLIC AWS

Telstra Cloud Gateway AWS Direct AWS availability zone

Connect Sydney
Sydney Equinix
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 13 of 52

If you don’t have at least one /29 public IP range available, you will not be able to order AWS Public
Peering. AWS will check/verify ownership of the public IP range as part of their provisioning process.
For this service, you’ll need:

 An IP VPN service must be in place with a known Telstra Full National Number (FNN). IF your
IPVPN contains private IP addressing, those private IPs will not be able to communicate with
AWS public peering networks without extensive/complex SNAT configuration within your IPVPN.
For this reason Telstra does not support provisioning of AWS Public Peering into an IPVPN that
contains private IP addressing. AWS Public Peering needs to be connected to a dedicated IPVPN
that is connected to an Extranet/DMZ segment which is separated from your core network via
device (perimeter firewall) performing SNAT.
 AWS Direct Connect purchased and established by you.
 One /30 public network for interconnect addressing. This is sub-netted into two /31 blocks of
public IPv4 address. The addressing provided must be unique/dedicated to AWS Public Peering
and not in use elsewhere.
 One /30 network for transit traffic. Smaller masks will be accepted if you have larger public
address ranges that you want to advertise to AWS. This prefix/prefixes is advertised through the
BGP session to AWS. All customer traffic must be sourced from this range. You cannot send
traffic sourced from private IP addresses to your AWS Public Virtual Interface. In practice this
means that traffic to an AWS Public Virtual Interface must either originate from a device with a
public IP address, or be Source NAT’ed (SNAT) to a public IP address by you within your Telstra
IP network.
 No BGP ASN is required from you for peering with Amazon, as we’re providing a Direct Connect
connection and will use private ASNs 65530 and 65422 (Australia East).
 Once provisioned, your IPVPN will receive approximately 2,000 AWS public subnets via BGP.
Key steps and responsibilities:

# Stage Activity Responsibility

1 Prerequisite Established AWS tenancy with Direct Connect Customer

2 Prerequisite Provide Telstra IP network FNN and AWS account ID Customer

3 Prerequisite /30 Public IP range for interconnect transit (yes/no) Customer

4 Prerequisite Minimum /30 for SNAT (yes/no) Customer

5 Prerequisite Prepare a network design for Source NAT of all AWS Public Customer
Peering traffic
6 Prerequisite Confirm that no Private IP ranges on Telstra side will have Customer
access to AWS Public Peering routes without first traversing
a customer managed SNAT device.
7 Setup Complete online Cloud Gateway order form Customer

8 Setup Provision AWS public peering Telstra

9 Setup Send email to customer containing configuration Telstra

instructions for the AWS portal

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 14 of 52

 # Stage Activity Responsibility

10 Post setup Advertise SNAT prefix(es) into Telstra IPVPN Customer

Implement customer side SNAT configuration to 2,000
public prefixes advertised by AWS
11 Post setup Configure Public Virtual Interfaces at AWS portal Customer

12 Post setup Test end-to-end connectivity from Telstra IP network to Customer

AWS
Example:

203.1.1.1 / 31 VLAN-11 203.1.1.2 / 31

PUBLIC PUBLIC

Telstra Cloud Amazon AWS

Gateway Direct Connect

203.1.1.3 / 31 VLAN-11 203.1.1.4 / 31

PUBLIC PUBLIC

Note the use of /31 interface addresses per interface (as a result, only one /31 subnet block required
per peer).

Rules and limitations:

 Public peering requires public IPv4 addresses, which must be provided by you.
 Each BGP peer has a limit of 1,000 routing entries on AWS side (i.e. Telstra customer can
advertise up to 1,000 public routes to AWS via public peering).

 For public peering, only the specific public prefixes provided in the Cloud Gateway order form
are advertised to AWS. These public prefixes must be advertised into the Telstra IPVPN by the
customer/onprem side.
 For the public peering Advertised Public Prefixes, the minimum acceptable subnet mask is /30
for advertised networks (in other words, a public route with a /31 or /32 subnet mask will not be
accepted by AWS)

 As BGP is utilised between the cloud edge and AWS, BGP outputs will show prefixes with the
follow ASNs in the AS Path: 65530, 65422 and 7224. If existing networks running BGP are using
these ASNs, routes may not be accepted without additional configuration.
 IP addresses must not overlap with these ranges: 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8,
169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 15 of 52

 7 Microsoft Azure Cloud Gateway connection

If you’re a Telstra IP VPN customer, the Telstra Cloud Gateway connection for Microsoft Azure Express
Route provides you with direct connections to the Microsoft Azure service using Network Service Provider
(NSP) connection model. As a result, service performance levels are more predictable, reliable and
secure.

This diagram shows the direct connection of your IP VPN into Microsoft Azure without traversing the
internet:

Azure compute services

Telstra Cloud Fibre-optics Azure public services and

Telstra Access Network Telstra IP VPN service Gateway Office 365

Your site
Microsoft Azure Services

Microsoft Azure through Cloud Gateway is available in the following regions in Australia:
Australia east NSW
Australia southeast VIC

Australia east

Australia southeast

For high availability, there are two connections between Telstra Cloud Gateway and Microsoft Service
Enterprise Edge (MSEE) routers as shown in the following diagram:

MSEE-1
Fibre optics

Telstra Cloud Microsoft Azure Australia east

Gateway (Sydney)
MSEE-2
Fibre optics

Telstra IP VPN service

MSEE-1
Fibre optics

Microsoft Azure Australia southeast

Telstra Cloud (Melbourne)
Gateway
MSEE-2
Fibre optics

You can choose to connect to one region or both regions.

ExpressRoute facilitates connectivity between your premise/data centre and the Microsoft cloud on two

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 16 of 52

distinct peering options/routing domains. All two peering models are carried by the same Telstra Cloud
Gateway. You’re free to choose to establish one or two peering types.
This diagram (from Microsoft) shows the two peering types:

You can find more details about Microsoft Express Route at: http://azure.microsoft.com/en-
us/documentation/services/expressroute/

A list of services and peering type required is provided below. For the most up to date information, please
refer to: https://azure.microsoft.com/en-us/documentation/articles/expressroute-circuit-peerings/

A summary of Azure services and the Cloud connection peering types required:

Azure service type Azure service Peering type required

Storage Microsoft
Data

SQL database Microsoft

App
Media services Microsoft

Network
Virtual network Private

Virtual machines Private

Compute

Websites Microsoft

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 17 of 52

 Azure service type Azure service Peering type required

Mobile Microsoft

In the current Cloud Gateway construct, private peering is established by default while Azure Microsoft
peering is optional. You can choose to provision one or two peering types through the Cloud Gateway
connection for Microsoft Azure.
Note:
 You’ll be able to connect to all supported Azure services through the interconnect (and
consequently your VPN) only if you request and configure all three peering types
 Microsoft Azure ExpressRoute supports IPv4 only
 The nominated bandwidth is shared by all three peering connections
 You will cause disruption if you attempt to modify your ExpressRoute BGP peering connection
parameters in the Microsoft Azure portal, once Telstra provisions the Cloud Gateway service.

Azure connection via private peering

Private peering enables connectivity over private IP addresses to services hosted within virtual networks.
This connectivity is available to Azure Compute Services (IaaS/PaaS) hosted using private IP addresses.
The traffic between your site(s) and Azure Compute Service traverses Telstra IP VPN, Cloud Gateway
and Microsoft ExpressRoute.

For this service, you’ll need:

 An IP VPN service (ideally with your premises or sites connected to the IP VPN), should be in
place with an allocated & known Full National Number (FNN).
 One /28 block of IPv4 address is needed which is unique across your sites, IP VPN services and
Azure Services.
 An Azure subscription with Azure ExpressRoute requested against it. This request provides a
Service Key (S-Key) which provides us with provisioning information. You must apply and obtain
this S-Key as a mandatory input to the Telstra Cloud Gateway provisioning process.
 If you connect to both regions, a total of two lots of /29 blocks are required (one for Australia East
and one for Australia Southeast) for the Private Peering.

 No BGP ASN is required from you for peering with Microsoft as we’re providing a Network Service
provider connection and will use private ASNs 65530, 65422 (Australia East) and 133931
(Australia Southeast)
Key steps and responsibilities:

S.No Stage Activity Responsibility

1 Prerequisite Purchase SKEY (Only required when Cloud is purchased Customer

outside of Telstra Cloud Store/directly from Microsoft)
2 Prerequisite Provide Telstra IP FNN and account ID Customer

3 Prerequisite Allocate /28 IP block for interconnect subnet Customer

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 18 of 52

S.No Stage Activity Responsibility

4 Prerequisite Complete online Cloud Gateway order form Customer

5 Prerequisite Allocate vNet addressing Customer

6 Setup Provision Cloud Gateway connection Telstra

7 Setup Send connection ready email Telstra

8 Post setup Configure vNet in Azure Customer

9 Post setup Link vNet Customer

10 Post setup Test end-to-end connectivity from Telstra IP network to Customer

Azure

Rules and limitations:

 Microsoft Azure supports up to 4,000 prefixes advertised to it through Azure private peering.
 This number can be increased to 10,000 prefixes if the ExpressRoute premium add-on is
purchased and enabled by you.
 The BGP sessions will be dropped by Microsoft if the number of advertised prefixes exceeds
the limit.
 Microsoft Azure accepts default routes on the private peering.
 You can request default route suppression with your Cloud Gateway into Azure connection.
Default route suppression is an option where the default route (0.0.0.0/0) is filtered and dropped
at Telstra Cloud Gateway before being advertised into Azure. If you have 0.0.0.0/0 in your
Telstra IP network and you want to use Azure as your public internet gateway, choose this
option.
 Both RFC1918 and public IP addresses are supported with Azure private peering.
 Telstra uses MD5 authentication for all Cloud Gateway connections to Azure. If you change this
parameter in your Azure portal you will break the connection provisioned by Telstra. Cloud
Gateway customers should never attempt to edit any of the BGP peering parameters in their
Azure portal (for example interconnect subnet or MD5 key), these parameters are created and
managed by Telstra. Any modification to these parameters needs to be requested from Telstra.
 Fully redundant service provides a primary and secondary link. As a result, load balancing isn’t
available.
 Once provisioned, any sites must have routing configuration enabled to receive routing
information about Azure Services IP subnets.
 Bandwidth downgrades are not currently treated by Microsoft as a modification – this requires a
deletion and re-creation on the Microsoft end of the service (and subsequently the Telstra end).
 Bandwidth upgrades don’t require deletion and re-creation of the Azure service and we support
bandwidth upgrades as a modify request.
 IP addresses must not overlap with these ranges: 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32
 Please use the following link to find IP address ranges utilised by Azure:
http://www.microsoft.com/en-us/download/confirmation.aspx?id=41653

Routes that cannot be advertised from your cloud tenancy to the Telstra IP network:

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 19 of 52

The following three RFC 1918 summary routes may not be advertised from your cloud tenancy into your
Telstra IP network.

If your cloud tenancy advertises these summary ranges towards the Telstra IP network they will be
filtered out by Telstra’s Cloud Gateway.

 10.0.0.0/8

 172.16.0.0/12

 192.168.0.0/16

Any subset or supernet of these summary routes can be advertised. For example:

 You can advertise 192.168.0.0/17 and 192.168.128.0/17 from your cloud tenancy towards the
Telstra IP network instead of 192.168.0.0/16.

 You can advertise 172.16.0.0/13 and 172.24.0.0/13 instead of 172.16.0.0/12.

 You can advertise 10.0.0.0/9 and 10.128.0.0/9 instead of 10.0.0.0/8.

Azure connection via Public Peering (Legacy services only)

As of 31st March 2018, Azure Public Peering is deprecated by Microsoft and no new Public Peering
connections can be provisioned by Telstra. Existing Public Peering connections are not impacted by this
change and are still fully supported by both Telstra and Microsoft.
From April 1st 2108 onwards, Cloud Gateway Customers requiring Public Peering functionality will now
need to provision Microsoft Peering instead. (I.e. Public and Microsoft peering are being merged into one
peering). Please refer to section below (Azure connection via Microsoft peering):

Public Peering enables connectivity to Azure services available on public IP addresses (for example,
Azure storage services or SaaS and PaaS services hosted on Azure). This connectivity is available to
Azure services hosted on public IP addresses, such as Azure SQL Database, Storage and Website
services.
There are two types of Azure Public Peering available depending on your Microsoft SKEY
 Standard SKU – Australian Azure public IP ranges are advertised into your Telstra IPVPN.
(approx. 60 routes)
 Premium SKU – Global Azure public IP ranges are advertised into your Telstra IPVPN (approx.
1,100 routes)
No change is required on Telstra side if a Cloud Gateway customer wants to change from Standard to
Premium.

Azure connection via Microsoft peering

Microsoft peering enables connectivity to Office 365 services (Exchange Online, SharePoint Online, and
Skype for Business) and Dynamics CRM. This connectivity is also available to Azure Microsoft services
hosted on public IP addresses, such as Office 365, CRM Online, etc.
From April 1st 2018 Microsoft Peering also provides access to Azure PaaS services that were previously
provided by Public Peering. (I.e. Public and Microsoft peering are being merged into one peering)

Please refer to Microsoft’s website on process and implementation process before embarking on

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 20 of 52

connectivity to Office 365: https://support.office.com/en-us/article/Azure-ExpressRoute-for-Office-365-
6d2534a2-c19c-4a99-be5e-33a0cee5d3bd

For this service, you’ll need:

 As Microsoft Peering does not accept traffic from Private RFC1918 IP addresses, Telstra
recommends that you do not attempt to provision Microsoft Peering into an existing Telstra
IPVPN that contains RFC1918 private IP addresses.
Telstra recommends that Microsoft Peering should be connected to a dedicated DMZ/Extranet
VPN (i.e. a separate IP VPN that contains public IP addressing only) which is connected to your
perimeter firewall. Telstra recommends this due to the complexity involved in configuring and
managing Source Network Address Translation (SNAT) in an existing IP VPN I.e. this is due to the
default routing behaviour to transmit all traffic directly from source IP to destination IP, without
traversing an intermediary device performing SNAT. If you allow your IP VPN with RFC1918 private
IP addressing to communicate directly with public routes advertised by Microsoft peering,
connectivity to those public networks will fail resulting in potential loss of Microsoft services.
 A pre-requisite is a provisioned Cloud Gateway Azure Private Peering connection. Order your
Private Peering connection via the Cloud Gateway Portal, then submit application form to your
Telstra Account Executive to add Microsoft Peering
 An IP VPN service (ideally with your premises or sites connected to the IP VPN), should be in
place with an allocated and known Full National Number (FNN). This VPN should not contain any
Private IP addresses that need to communicate with Microsoft Peering.
 One /29 public IP subnet is needed for each High-Availability (HA) connection between the
Cloud Gateway and MSEE routers – you can either provide a Microsoft approved public IP
subnet as part of ordering this service or lease pre-approved public IP addresses from us. Eight
public IP addresses are required to establish Azure public peering.
 No BGP ASN is required from you for peering with Azure as we provide a direct connection to
Azure using use private ASNs 65530, 65422 (Australia East) and 133931 (Australia Southeast).
Only Azure PaaS and Dynamics CRM can be used without completing Microsoft’s network
assessment and approvals process
 Please note there is a Microsoft led network assessment process. Microsoft mandates to use
Microsoft peering for applications such as Office 365. Please refer to Microsoft’s website for more
information: https://support.office.com/en-us/article/implementing-expressroute-for-office-365-
77735c9d-8b80-4d2f-890e-a8598547dea6

Key steps and responsibilities:

# Stage Activity Responsibility

1 Prerequisite Purchase Microsoft SKEY Customer

2 Prerequisite Successful private peering connection (Azure private peering Customer

through Cloud Gateway)
3 Prerequisite Determine number of SNAT addresses required Customer

4 Prerequisite Can customer supply /29 Public IP range available for BGP Customer
interconnect (yes/no)
If no then Customer must lease /29 public interconnect range
from Telstra

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 21 of 52

 # Stage Activity Responsibility

5 Prerequisite Can customer supply public IP range for SNAT? If no, then Customer
customer must lease either one or a range of public IP
addresses from Telstra (min 1 and max 4 source NAT IPs).
6 Prerequisite Network Design for source NAT of Microsoft peering traffic. Customer
Please refer to Telstra recommendation above not to mix
private RFC1918 addressing with Microsoft peering routes
7 Prerequisite Obtain Microsoft Peering order form from your Telstra Account Customer
Executive
8 Setup Provision Microsoft Peering Telstra

9 Setup Send connection ready email containing source NAT IPs to Telstra
setup customer-side source NAT configuration.

10 Setup Advertise SNAT prefixes into Telstra IPVPN Customer

11 Post setup Selectively advertise routes from your Azure portal Customer

12 Post setup Test end-to-end connectivity from Telstra IP network to Azure Customer

Rules and limitations

 Private (RFC1918) IP addresses are not supported with Microsoft peering. All traffic from private
IP addressing, you’ll be required to use SNAT (Source Network Address Translation). Please
refer to section 4.6 and further information can be found at https://azure.microsoft.com/en-
us/documentation/articles/expressroute-nat/
Microsoft supports up to 200 advertised public prefixes per BGP session through Microsoft
peering. Please note if you also establish AWS peering in the same IP VPN, your route limit
maybe affected. Please check with your network designer.

 Microsoft supports public IP v4 addresses owned by you (once validated by Microsoft) or leased
from us (which are already pre-validated).
 The BGP sessions will be dropped if the number of prefixes exceeds the limit. Microsoft Azure
accepts default routes on the private peering only.
 IP addresses must not overlap with these ranges: 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8,
169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32
 Default route 0.0.0.0/0 cannot be advertised over Microsoft Peering.
 None of your private routes will be advertised to Microsoft over your Microsoft peering. Telstra
implements private network prefix filtering on all Microsoft Peering connections.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 22 of 52

8 VMware vCloud Air Cloud Gateway connection

If you’re a Telstra IP VPN customer, your Telstra Cloud Gateway will provide you with a direct connection
to the VMware vCloud Air service. The diagram below shows the direct connection of your IP VPN into
VMware vCloud Air without traversing the internet. As a result, service performance levels are more
predictable, reliable and secure.

Telstra Cloud Fibre-Optics

Telstra Access Network Telstra IPVPN Service Gateway VMware vCloud Air

Your site
VMware vCloud Air

VMware vCloud Air infrastructure is hosted in Melbourne. For high availability, there are two sets of
connections between Telstra Cloud Gateway and VMware vCloud Air routers. Static routes are
implemented by both peers at the provider edge routers.
Each single service is set up in an HSRP/VRRP mode between the two Cloud Gateway routers and one
VMware vCloud Air router as shown in the following diagram for VMware router #1:

Router 1

Telstra Cloud VMware vCloud Air infrastructure

Telstra IPVPN Service
Gateway Telstra Melbourne data centre

For each Ethernet segment above, a /29 block of address is requested from your pool of addresses. This
/29 block provides six IP addresses – of which three are used by Cloud Gateway routers, and one by
VMware vCloud Air router. Note that this link subnet address will show up in traceroute outputs.

For this service, you’ll need:

 An IP VPN network (ideally with your premises or sites connected to the IP VPN), should be in
place with an allocated and known Full National Number (FNN).
 One /29 block of IPv4 address is needed which is unique across your sites, IP VPN services and
VMware vCloud Air services.
 Ensure that AS number 133931 isn’t in use already by you in your own IP VPN network (if this
AS number is in use, then it needs to be renumbered for that site that is using it).
 An activated vCloud Air service and its corresponding Service ID.
 A VMware vCloud Air Direct Connect add-on purchased for your vCloud Air subscription.
Key steps and responsibilities:

# Stage Activity Responsibility

1 Prerequisite Purchase cloud subscription to vCloud Air Customer

2 Prerequisite Purchase Direct Connect add-on from vCloud Air Customer

3 Prerequisite Provide Telstra IP network FNN and account ID Customer

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 23 of 52

 # Stage Activity Responsibility

4 Prerequisite Allocate /29 IP block for interconnect subnet Customer

5 Prerequisite Allocate compute subnets for vCloudAir tenancy Customer

6 Prerequisite Configure compute subnets within vCloudAir tenancy Customer

7 Prerequisite Complete online Cloud Gateway application form Customer

8 Setup Provision Cloud Gateway connection - Telstra Edge Telstra

9 Setup Provision Cloud Gateway connection - Cloud Edge vCloud Air

10 Setup Send connection-ready email Telstra

11 Post setup Configure Telstra IP network static routes on vCloudAir edge Customer
gateway
12 Post setup Test end-to-end connectivity from Telstra IP network to Customer
vCloudAir

Rules and limitations:

 Once the connection between Telstra Cloud Gateway and VMware is provisioned, the routing
information is propagated via the Cloud Gateway and Telstra IP VPN network to your VPN sites.
These sites will then have reachability to the VMware vCloud Air networks.
 Only the Telstra Cloud Gateway side runs HSRP/VRRP.
 Only static routing available at this stage.
 Rate-limiting is a bulk-rate policer without CoS implementation at this stage.
 IP addresses must not overlap with these ranges: 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32
Example:

In this typical connection to the VMware vCloud Air service, the customer has provided a block of
addresses to be used for this interconnection of 10.35.7.0 / 29 as follows:

10.35.7.2 /29
Router 1

VMware vCloud Air Infrastructure

Telstra IPVPN Service Telstra Cloud Telstra Clayton Data Centre
Gateway HSRP : 10.35.7.1 /29
10.35.7.6 /29

10.35.7.3 /29

In the example above, the interface IP addresses of the two Telstra Cloud Gateway PE routers are
10.35.7.2 and 10.35.7.3, respectively. These two PE routers run HSRP/VRRP between them and the
HSRP/VRRP IP address in the example is 10.35.7.1.
The interface IP address of the VMware vCloud Air router is 10.35.7.6 /29.
Next, static addresses are configured on the two sets of routers. For each of the two Telstra Cloud PE
routers, the static routes are configured using the following rule:
 For the IP subnets in VMware vCloud Air network that need to be accessed, the next-hop IP
address is 10.35.7.6

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 24 of 52

For the VMware vCloud Air router, the static routes are configured using the following rule:
 For the IP subnets in the IP VPN that need to be accessed, the next-hop IP address is 10.35.7.1
Note: if this VMware vCloud Air site is a stub network (i.e. an end-point), a default route could also be
used. In this case, the static route is configured using the following rule:
 For all IP subnets that are not known locally, send the packets to the next-hop IP address
10.35.7.1

Routes that cannot be advertised from your cloud tenancy to the Telstra IP network:
The following three RFC 1918 summary routes may not be advertised from your cloud tenancy into your
Telstra IP network.

If your cloud tenancy advertises these summary ranges towards the Telstra IP network they will be
filtered out by Telstra’s Cloud Gateway.

 10.0.0.0/8

 172.16.0.0/12

 192.168.0.0/16

Any subset or supernet of these summary routes can be advertised. For example:

 You can advertise 192.168.0.0/17 and 192.168.128.0/17 from your cloud tenancy towards the
Telstra IP network instead of 192.168.0.0/16.

 You can advertise 172.16.0.0/13 and 172.24.0.0/13 instead of 172.16.0.0/12.

 You can advertise 10.0.0.0/9 and 10.128.0.0/9 instead of 10.0.0.0/8.

9 IBM Cloud Gateway connection

If you’re a Telstra IP VPN customer, your Telstra Cloud Gateway will provide you with direct connections
to IBM Cloud data centres using the Direct Link Cloud Exchange Provider connection model. As a result,
service performance levels are more predictable, reliable and secure.

This diagram shows the direct connection of your IP VPN into IBM Cloud without traversing the internet:

Routing of your subnets between Telstra Cloud Gateway and IBM is done dynamically via eBGP.
For this service, you’ll need:

 An IP VPN service (ideally with your premises or sites connected to the IP VPN), should be in
place with an allocated and known Full National Number (FNN).
 An IBM Cloud account with at least one server or VM provisioned in any IBM Cloud data centre
to create at least one of the required private networks.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 25 of 52

  One /30 block of IPv4 address is needed which is unique across your sites, IP VPN services and
IBM Cloud Services.
 List of Telstra IP VPN network subnets that need to be accessible from IBM Cloud confirming
that there are no overlap issues (please see limitations).
 List of IBM Cloud private network subnets that need to be accessible from Telstra IP VPN
networks.
Key steps and responsibilities:

# Stage Activity Responsibility

1 Prerequisite Purchase cloud tenancy from Telstra Customer

2 Prerequisite Provide Telstra IP FNN Customer

3 Prerequisite Network design and analysis regarding IBM Cloud restricted Customer
private IP ranges
4 Prerequisite Allocate /30 I.P block for interconnect subnet Customer

5 Prerequisite Configure IBM Cloud tenancy and obtain IBM Cloud compute Customer
subnets from IBM Cloud
6 Prerequisite Choose Telstra IP subnets to access IBM Cloud tenancy Customer

7 Prerequisite Complete online Cloud Gateway order form Customer

8 Setup Provision Cloud Gateway connection – Telstra Edge Telstra

9 Setup Provision Cloud Gateway connection - Cloud Edge IBM

10 Setup Send connection ready email Telstra

11 Post setup Test end-to-end connectivity from Telstra IP network to IBM Customer
Cloud

Rules and limitations:

 Once provisioned, depending on the network subnets added at either side of the connection,
routes may need to be added to individual servers and virtual machines in IBM Cloud.
 IBM Cloud reserves several IP ranges for their own use. If your Telstra IP VPN network ranges
overlap with these restricted ranges, it won’t be possible to route these across. These ranges
are:
o 10.0.0.0/14
o 10.200.0.0/14
o 10.198.0.0/15
o 0.0.0.0/8
o 127.0.0.0/8
o 169.254.0.0/16
o 224.0.0.0/4
o 240.0.0.0/4
o 255.255.255.255/32
o Any IP ranges assigned to your VLAN’s on the IBM Cloud platform

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 26 of 52

  IBM Cloud prescribes the IP addressing of your private networks within your environment. These
private subnets will be somewhere in the 10.0.0.0/8 range but not in the above mentioned
restricted range. Therefore, if a prescribed IBM Cloud private network overlaps with a Telstra IP
VPN network that needs to be accessed, this will not be routed across the connection either. It’s
possible to request a different subnet for a private network from IBM Cloud via an ad-hoc ticket
request to try and alleviate the conflict. There are two work-arounds for this restriction:
o Re-addressing – either in your Telstra IP VPN network space or requesting IBM Cloud
for new address ranges for any prescribed private network allocated.

o NAT/Tunnel – a solution offered by IBM Cloud is to use the network appliance, Vyatta.
Available in the IBM Cloud product catalogue, it creates network tunnels and/or network
address translation (NAT) to overcome conflicts. This is treated as your designed and
owned solution and not part of the Telstra Cloud Gateway service.
 The IBM Direct Link Cloud Exchange solution is available in Sydney and Melbourne
 Identical routes must be advertised from both sides across multiple circuit pairs belonging to the
same customer.
 Bandwidth controls are not currently implemented from IBM. The policing of the connection is
only performed on the Telstra Cloud Gateway routers.

Routes that cannot be advertised from your cloud tenancy to the Telstra IP network:
The following three RFC 1918 summary routes may not be advertised from your cloud tenancy into your
Telstra IP network.

If your cloud tenancy advertises these summary ranges towards the Telstra IP network they will be
filtered out by Telstra’s Cloud Gateway.

 10.0.0.0/8

 172.16.0.0/12

 192.168.0.0/16

Any subset or supernet of these summary routes can be advertised. For example:

 You can advertise 192.168.0.0/17 and 192.168.128.0/17 from your cloud tenancy towards the
Telstra IP network instead of 192.168.0.0/16.

 You can advertise 172.16.0.0/13 and 172.24.0.0/13 instead of 172.16.0.0/12.

 You can advertise 10.0.0.0/9 and 10.128.0.0/9 instead of 10.0.0.0/8.

10 Telstra Cloud Infrastructure Cloud Gateway connection

Your Telstra Cloud Gateway will provide you with direct connections to your Virtual Server (Dedicated)
Gen2 data centres. As a result, service performance levels are more predictable, reliable and secure.
This service is only available in Sydney and Melbourne data centres.

This diagram shows the direct connection of your IP VPN into Virtual Server (Dedicated) Gen2

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 27 of 52

For this service, you’ll need:

 An IP VPN service (ideally with your premises or sites connected to the IP VPN), should be in
place with an allocated and known Full National Number (FNN).
 One /29 block of IPv4 address space is needed which is unique across your IP VPN sites.

Key steps and responsibilities

# Stage Activity Responsibility

1 Prerequisite Purchase Virtual Server (Dedicated) Gen2 tenancy from Customer

Telstra
4 Prerequisite Allocate /29 I.P block for interconnect subnet Customer

2 Prerequisite Provide Telstra IP FNN Customer

2 Prerequisite Complete online Cloud Gateway connection request through Customer

the Cloud Gateway management console
3 Setup Provision Cloud Gateway connection – Telstra Edge Telstra

4 Setup Send connection ready email Telstra

5 Post setup Test end-to-end connectivity from Telstra IP network to Virtual Customer
Server (Dedicated) Gen2

Rules and limitations:

 You can only have one Cloud Gateway connection per Virtual Server (Dedicated) Gen2 location.
 Once provisioned, depending on the network subnets added at either side of the connection,
routes may need to be added to individual servers and virtual machines in Virtual Server
(Dedicated) Gen2.
 Virtual Server (Dedicated) Gen2 reserves several IP ranges for their own use. If your Telstra IP
VPN network ranges overlap with these restricted ranges, it won’t be possible to route these
across. These ranges are:
o 0.0.0.0/8
o 127.0.0.0/8
o 169.254.0.0/16
o 224.0.0.0/4
o 240.0.0.0/4
o 255.255.255.255/32
o Any IP ranges assigned to your VLAN’s on the Virtual Server (Dedicated) Gen2
platform

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 28 of 52

Routes that cannot be advertised from your cloud tenancy to the Telstra IP network:
The following three RFC 1918 summary routes may not be advertised from your cloud tenancy into your
Telstra IP network.

If your cloud tenancy advertises these summary ranges towards the Telstra IP network they will be
filtered out by Telstra’s Cloud Gateway.

 10.0.0.0/8

 172.16.0.0/12

 192.168.0.0/16

Any subset or supernet of these summary routes can be advertised. For example:

 You can advertise 192.168.0.0/17 and 192.168.128.0/17 from your cloud tenancy towards the
Telstra IP network instead of 192.168.0.0/16.

 You can advertise 172.16.0.0/13 and 172.24.0.0/13 instead of 172.16.0.0/12.

 You can advertise 10.0.0.0/9 and 10.128.0.0/9 instead of 10.0.0.0/8.

11 Virtual Storage (powered by NetApp) Cloud Gateway connection

Virtual Storage is an enterprise-class storage service with advanced data management abilities. It gives
you the freedom to connect to the clouds you want to use and makes controlling your data easy.

Virtual Storage lets you keep your data in Telstra secure data centres, where data is stored next to
(rather than inside) multiple clouds.

Using Telstra’s Cloud Gateway, you can connect to one or many cloud providers quickly and easily
change the speed of connectivity. This delivers a single operational environment for all your cloud
storage environments. If you already use NetApp storage in-house, you get a single operational model
or your data management.

As an operating system instance-initiated storage via CIFS, ISCSI or NFS, you can use Virtual Storage
to extend your data environment into the cloud and leverage its storage and data management functions
to multiple clouds. The Virtual Storage NetApp portal lets you provision and self-manage virtual storage
arrays and access storage groups on your arrays.

Virtual Storage offers four performance tiers:

Ultra – suitable for high-performance applications and latency-sensitive, write-intensive applications.

Enterprise – suitable for databases and virtualised applications.
Value – suitable for high-capacity applications, including email, web content and file shares.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 29 of 52

Capacity - suitable for backup, replication and archiving.

Bandwidth required

There are a number of factors that influence this. To estimate the bandwidth, we can provide you with
some guidance based on a typical 8 kilobyte (KB) block, which is the most common size
NetApp® customers use. Of course, this is our guidance and not an exact figure. You can change this
figure depending on the application(s) you use.

The formula we use is:

((IOPs* x 8KB block)/1024 bytes) x 8 bits = bandwidth required per second per terabyte (TB)

*IOPs are inputs/outputs per second

For example, for the Ultra tier:

((4000 IOPs x 8KB block)/1024 bytes) x 8 bits = 250Mbps per TB

Typically, you wouldn’t use 100% of your storage at once; so assuming you’d use 10% at any given
time:

250Mbps/10% concurrency = 25Mbps per TB

Estimated network bandwidth required with 8KB block

IOPs
Storage tier /TB 100% usage 10% concurrent usage
provisioned

Ultra 4000 IOPs/TB 250Mbps per TB 25Mbps per TB

Enterprise 2000 IOPs/TB 125Mbps per TB 12.5Mbps per TB

Value N/A 8Mbps per TB 0.8Mbps per TB

Capacity N/A 2Mbps 0.2Mbps per TB

The Storage Networking Industry Association’s guidelines on workload design might help you further.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 30 of 52

TECHNICAL SPECIFICATIONS
12 End-to-end network architecture

Telstra IP VPN customers with Cloud Gateway will have their IP VPN extended to a Telstra cloud edge
router, connected to one or more cloud service providers (CSPs). Connected CSPs will appear as another
site/node on their private network (IP VPN).

This diagram shows connections to currently available cloud providers through Telstra Cloud Gateway:

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 31 of 52

Cloud connections are built and configured as fully redundant from the Telstra IP network to supported
cloud provider network edges. Multiple high-capacity (Nx10G) links are configured as active/backup –
so any router or link failure along the path triggers failover without impacting cloud connectivity.
As part of the service, tails are provided to redundant POPs and both paths are routed through separate
hardware/physical links within Cloud Gateway infrastructure. Geographical separation is maintained
from Telstra IP VPN PoPs all the way up to cross-links at respective cloud data centres. The service will
withstand failure of any single router or single link in the path.
In the case of complete failure of a cloud data centre, redundancy can only be provided if you have
tenancy and links to both data centres for the same cloud provider (currently applicable for Azure and
AWS only).
High availability for end-to-end service will be determined by connectivity of your sites to Telstra IP VN
(protected or unprotected); and networking infrastructure within respective Cloud providers. Load
balancing across active/backup links isn’t available.

13 Bandwidth management

We manage the capacity of links between Cloud Gateway and cloud edge routers to help ensure available
bandwidth is sufficient for peak utilisation of all the configured connections. A bandwidth policer is applied
corresponding to the subscribed rate. All traffic is treated equally and any traffic exceeding the subscribed
bandwidth is dropped.

14 Service modifications (moves, adds and changes)

Cloud Gateway supports multiple moves, adds and changes (MACs) for Cloud Gateway attributes as well
as individual cloud connections.

Please bear in mind that there is a lead time to process these requests and some changes may cause
an outage to your existing cloud connection as outlined in the table below. You’ll need to ensure you
complete cloud provider portal configuration in a timely manner so we can complete this modification
within the target time.

To manage such outages, please speak with your Telstra representative before requesting these
changes.

Availability and outage impact

MAC type Description AWS Azure vCloud IBM Cloud Virtual Virtual
Air Storage Server
(Dedicated)
Gen2

Bandwidth You can upgrade your bandwidth within      

upgrade the available bandwidth tiers. 1 hour No No No No No outage
Upgrading bandwidth will not incur outage outage outage outage
modification or early termination fees.
If you exceed the Cloud Gateway
bandwidth due to an increase on an
individual cloud connection, we’ll ask
you to upgrade to the next Cloud
Gateway tier.
If you have a fixed-term contract, you’ll
have your contract term restarted at the
new (higher) bandwidth.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 32 of 52

Bandwidth You can downgrade your bandwidth      
downgrade within the available bandwidth tiers for 1 hour 1 hour No No No No outage
a one-off modification fee and, if you (customer outage outage outage
dependent
have a fixed-term contract, an early )
termination fee.
For Microsoft Azure, you’ll have to
delete your S-Key and create a new
Cloud Gateway, as mandated by
Microsoft.

Compute Only applicable to VMware vCloud® NA NA  NA NA NA

subnet Air™. No
You can change your compute subnets outage
on Cloud Gateway services for a one-
off modification fee.

Interconnect You can change your interconnect     NA 

subnet subnets on Cloud Gateway services for 1 hour 1 hour 11 days 1 3 days
a one-off modification fee. (customer (customer hour(custo
dependent dependent mer
An interconnect subnet change will also ) ) dependent)
incur an outage in the service.

Route Only applicable for AWS private  NA NA NA NA NA

summarisation peering; non-disruptive for other cloud 1 hour
connections.

Default route Only available for Azure private and NA  NA NA NA NA

suppression public peering. No
outage

Cancellations Disconnection of Cloud Gateway may      

attract a one-off early termination fee if
you have a fixed-term contract.

15 Security

Connectivity through Telstra Cloud Gateway is more secure than many other options because it provides
end-to-end separation for each customer’s traffic.
Each Cloud Gateway service is mapped to your unique VPN routing and forwarding (VRF) instance –
thereby ensuring Layer 3 separation, while connectivity to Cloud edge is carried inside a customer-
specific 802.1Q or Q-in-Q VLAN set up ensuring Layer 2 separation for your traffic.

16 IP routing protocols

We use BGP routing to interconnect with cloud edge routers where supported by cloud providers. When
BPG peering isn’t available, we use static IP routing through manual provisioning to configure the cloud
connection through the same Cloud Gateway.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 33 of 52

Cloud provider Supported IP routing

Amazon Web Services eBGP

Microsoft Azure eBGP

VMWare vCloud Air Static routing

IBM Cloud eBGP

Virtual Server (Dedicated) Gen2 eBGP

Virtual Storage Static routing

Cloud Gateway edge routers peer with the AWS and Azure edge devices on behalf of the customers
using BGP. As a result, the following BGP Autonomous System Numbers (ASNs) cannot be used by you
in your own IP VPN service. Furthermore, these ASNs will also be visible within your IP VPN routing
table.
The eBGP between the two Autonomous Systems is configured as active-active. The eBGP protocol will
then pick the primary and secondary paths between the two peers.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 34 of 52

 Network Peering point ASN (autonomous system number)

Cloud Gateway Australia east (Sydney) 65422

Cloud Gateway Australia southeast (Melbourne) 133931

Telstra IP VPN Australia-wide 65530

Amazon Web Services Private/public peering 7224

Microsoft Azure Private/public services 12076

VMware vCloud Air Melbourne 55048 (future)

IBM Cloud IBM (SoftLayer) tenancy 13884

Virtual Server Sydney 65422, 65432

(Dedicated) Gen2

Virtual Server Melbourne 133931, 65433

(Dedicated) Gen2

Virtual Storage Sydney 65424

Virtual Storage Melbourne 65423

Please note that you must not use any of the above AS numbers in your own IP VPN.

17 VLAN trunking

Links between Cloud Gateway and CSP edges support both IEEE 802.1Q and IEEE 802.1ad (Q-in-Q)
encapsulation methods

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 35 of 52

 Cloud provider Supported VLAN encapsulation

Amazon Web Services

802.1Q Encapsulation
vCloud Air
VLAN-IDs are used for your service identifier, a separate VLAN-ID is
used for each customer connection.
IBM Cloud

Q-in-Q Encapsulation uses outer-tag as customer-ID and the inner-

Microsoft Azure tags to map traffic to separate logical interfaces. This model is used for
Microsoft Azure private, public and Microsoft peering options.

18 Source Network Address Translation (SNAT)

If you’re using private IP addressing (RFC1918) and wish to consume AWS Public Peering or Microsoft
Peering (for Office 365 or Azure PaaS services) – network address translation has to be applied for all
private IP addresses. All source network address translation (SNAT) must be implemented at your sites
before enters the Telstra IP VPN that has the AWS Public or Microsoft peering connected to it.

Because both AWS Public Peering and Microsoft Peering to do not accept traffic private IP addresses –
Telstra recommends that these peerings should not be connected to a Telstra NextIP VPN that contains
private IP addresses.

The recommended approach for both AWS Public Peering and Microsoft Peering is to provision a
separate dedicated IPVPN to carry your AWS Public Peering and Microsoft Peering traffic, This VPN
should be terminated in a DMZ/Extranet segment outside your perimeter firewall (ideally it should
connect via the same device that announces the default route 0.0.0.0/0 into your corporate VPN), with
all corporate traffic being SNAT’ed to a public IP address as it transits the perimeter firewall destined for
AWS Public Peering or Microsoft Peering.

Ideally your perimeter firewall needs to be able to receive routes from Microsoft Peering and/or AWS
Public Peering via BGP. Each peering can advertise around 2,000 prefixes and these prefixes will be
continually changing over time by the advertising providers (AWS and Microsoft), so implementing and
maintaining your perimeter firewall destination routing using static routes is not practical.

SNAT at customer site

For the current release of Cloud Gateway, you’re responsible for carrying out all SNAT for AWS Public
Peering and Microsoft Peering traffic. You can configure NAT feature on your customer edge routers.
The diagram below shows the location of NAT function in an end-to-end cloud connection.

Your site
Fibre-Optics Cloud Service Provider
Telstra Access Telstra IP VPN Service Telstra Cloud
Gateway Public Peering
Network

Private IP Addresses Public IP Address

Network Address Translation

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 36 of 52

How to configure SNAT at your site (for Office 365):

The following section describes a sample NAT configuration for a customer site-based NAT for Microsoft
peering (Office 365) connection with the following assumptions and fictitious IP subnets:

 Assuming you use RFC 1918 private addresses within its IP VPN (most dominant use case).

 In the diagram below, 203.41.9.80/28 represents a Microsoft peering destination prefix. The full
list of Microsoft peering/Office 365 destination addresses will be supplied to you as part of the
provisioning process.

 NAT is only required from your IP VPN to Office 365 – that is, Source NAT (SNAT). NAT isn’t
required in the Office 365 to you network direction – that is, Destination NAT (DNAT) isn’t
required.

 Assuming you have requested to lease a block of Microsoft-approved public IP addresses from
Telstra – you’ll be supplied your allocated SNAT public IP addresses during provisioning.

Public addressing limits:

 Due to exhaustion of the public IPv4 address pool Telstra has strict limits on number of public
IPs that can be allocated to any customer for SNAT purposes.

 Up to 4 public IP addresses can be allocated in the initial application, and if a customer can
demonstrate a requirement for more SNAT addresses then that number can be increased up to
8 via a change request.

 If you have a requirement for more than 8 public IP address for SNAT purposes, you must
provide them.

 Your supplied public IP addresses will need to be validated by Microsoft as being owned by you
and authorised for use with Microsoft peering.

It is a requirement of Microsoft peering that public addresses are advertised to Microsoft over the
peering are not also advertised through the internet.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 37 of 52

Example NAT Outbound configuration at your site (for Office 365):

The following sample configuration provides the ability to NAT traffic destined for Office 365 and exclude
the intra-VPN traffic from being NAT’ed:

! ----------------------------------
! Sample NAT configuration
! ----------------------------------
Microsoft O 365
203.41.9.80 /28 interface fa0/0
description – WAN interface –
ip address 192.168.5.2 255.255.255.252
ip nat outside
!
Cloud Gateway interface fa0/1
description – LAN interface –
ip address 192.168.184.1 255.255.255.0
ip nat inside
!
Telstra IP VPN
interface Loopback 0
description – Assigned public IP addr to use for NAT –
ip address 144.133.21.56 255.255.255.255

! -------------------------------------------------------
! Define the SOURCE and DESTINATION pair to be NAT’ed
192.168.5.1 /30 ! -------------------------------------------------------

ip access-list extended NAT_SOURCE_DEST

192.168.5.2 /30 permit ip any <Microsoft_Peering_Destination_Prefixes>
deny ip any any
NAT
! ------------------------------------------------------
Lo0: 144.133.21.56 /32 ! NAT the INSIDE for the allowable devices specified
! by List 7, use the NAT pool called MYPOOL and
LAN: 192.168.184.1 /24 ! overload using one IP address
! ------------------------------------------------------
Customer site
ip nat inside source list NAT_SOURCE_DEST interface
Loopback0 overload

 If a Microsoft peering customer wishes to restrict the LAN ranges at their site that can access
Microsoft peering, then substitute ‘any’ with the LAN segments they wish to permit as the
source range for the NAT_SOURCE_DEST access-list.

 Due to the large number of destination prefixes required (600+) the recommendation is to use
either ‘any’ or else a single summary range that encompasses the allowed customer ranges for
the NAT_SOURCE_DEST access list.

See Appendix 1 for a full sample configuration of Microsoft peering SNAT.

Note: this configuration is a sample only; you’ll need to review your network requirements.

SNAT at Telstra Cloud Gateway

We acknowledge that the solution to deploy NAT at your sites can have limitations in terms of number of
supported sites or creating a central point to funnel users to the cloud resources (and hence inefficient
use of bandwidth). Therefore, as part of Telstra Cloud Gateway, we intend to introduce NAT functions to
be offered as a service. This feature is not currently available. Please contact your Telstra representative
for a launch date.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 38 of 52

19 Destination Network Address Translation (DNAT)

Destination Network Address Translation (DNAT) may be needed if you use private RFC1918 addresses
in your network and servers in the public cloud networks need to access these private-addressed devices.

If you require DNAT, it has to be implemented on your own CE routers and advertise this pool of
prefixes to Telstra IP network and Cloud Gateway. These prefixes are then advertised to the cloud
provider by Cloud Gateway.

20 Service availability target

Cloud connections are built and configured as fully redundant from the Telstra IP network to supported
cloud provider network edges. Multiple high-capacity (Nx10G) links are configured as active/backup.
Any router or link failure along the path triggers failover without impact to cloud connectivity.

Service availability
Cloud connection type
target
Cloud Gateway (Layer 3 / Telstra IP network connectivity)
Available for AWS, Microsoft Azure; IBM Cloud, Virtual Server 99.95%
(Dedicated) Gen2 and VMware

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 39 of 52

21 Latency performance objectives

The performance figures below show round-trip response times measured from various inter- and intra-
state Telstra cloud centres to the gateway routers (last egress point within Telstra network).

Round-trip time (RTT)

Amazon Web Services

Sydney
Telstra IP VPN Service Telstra Cloud
 Perth, WA Gateway
 Adelaide, SA
 Melbourne, VIC
 Sydney, NSW

Note: these are indicative test results only.

Telstra cloud router at: RTT (round-trip time)

Perth, WA 57 milliseconds

Adelaide, SA 25 to 30 milliseconds

Melbourne, VIC 22 to 25 milliseconds

Sydney, NSW 3 to 4 milliseconds

22 24x7 technical support

Our Cloud Gateway service provides you with four comprehensive levels of support to resolve any issues
that may occur during ordering, provisioning or ongoing operations with your Cloud Gateway service.
In an unlikely event of service issues or an outage, you can log your fault with the following target service
level agreements:

Cloud Gateway connectivity Service Coverage Response Restore time

option level hours time target target

Cloud Gateway with Layer 3/ Business 24 x 7 60 mins 12 hrs

Telstra IP Plus

You can also contact us 24x7 via:

Email: [email protected]
Phone: 1800 620 345 Opt 1

23 Customer reporting

Customer reporting for the Telstra Cloud Gateway isn’t available for the initial release of this service.
Please note Microsoft Azure can provide utilisation reporting on the ExpressRoute link within the Azure
portal by using Azure Network Performance Monitor.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 40 of 52

CUSTOMER PORTALS
Telstra Cloud Gateway provides comprehensive online tools/portals for you to browse, buy/activate,
manage and access support for the product.

BROWSE/QUOTE Telstra website www.telstra.com/cloudgateway

BUY/ACTIVATE Telstra Cloud Store https://buycloud.telstra.com

Telstra Cloud Portal https://mycloud.telstra.com/

CONFIGURE/MANAGE

For faults, you can contact us 24x7 by:

SUPPORT Logging a support ticket

Email: [email protected]
Phone: 1800 620 345 Opt 1

All Telstra portals support IE8.0 and above, Google Chrome and Firefox.
You can also refer to respective cloud service provider portals (e.g. AWS, Azure, vCloudAir, IBM Cloud)
to configure/manage your networking within the cloud environment.

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 41 of 52

APPENDIX 1: MICROSOFT PEERING SAMPLE CONFIG
conf t
!
interface Loopback100
description NAT for access to Azure and Office 365
ip address 203.38.79.x 255.255.255.255
!
ip access-list extended nat-azure-direct-acl
remark Azure IP Address ranges to NAT
permit ip any 13.67.50.224 0.0.0.7
permit ip any 13.69.187.20 0.0.0.0
permit ip any 13.71.155.176 0.0.0.0
permit ip any 13.75.48.16 0.0.0.7
permit ip any 13.75.80.16 0.0.0.7
permit ip any 13.92.126.26 0.0.0.0
permit ip any 13.107.6.150 0.0.0.1
permit ip any 13.107.6.152 0.0.0.0
permit ip any 13.107.6.153 0.0.0.0
permit ip any 13.107.6.156 0.0.0.0
permit ip any 13.107.6.157 0.0.0.0
permit ip any 13.107.6.160 0.0.0.0
permit ip any 13.107.7.156 0.0.0.0
permit ip any 13.107.7.190 0.0.0.0
permit ip any 13.107.7.191 0.0.0.0
permit ip any 13.107.8.0 0.0.0.255
permit ip any 13.107.9.150 0.0.0.1
permit ip any 13.107.9.152 0.0.0.0
permit ip any 13.107.9.153 0.0.0.0
permit ip any 13.107.9.156 0.0.0.0
permit ip any 13.107.9.157 0.0.0.0
permit ip any 13.107.9.160 0.0.0.0
permit ip any 23.96.208.238 0.0.0.0
permit ip any 23.97.64.252 0.0.0.0
permit ip any 23.97.66.55 0.0.0.0
permit ip any 23.97.66.110 0.0.0.0
permit ip any 23.97.68.113 0.0.0.0
permit ip any 23.97.70.147 0.0.0.0
permit ip any 23.97.72.158 0.0.0.0
permit ip any 23.97.72.161 0.0.0.0
permit ip any 23.97.72.165 0.0.0.0
permit ip any 23.97.98.128 0.0.0.0
permit ip any 23.97.99.4 0.0.0.0
permit ip any 23.97.100.76 0.0.0.0
permit ip any 23.97.100.92 0.0.0.0
permit ip any 23.97.100.105 0.0.0.0
permit ip any 23.97.100.152 0.0.0.0
permit ip any 23.97.103.118 0.0.0.0
permit ip any 23.97.145.9 0.0.0.0
permit ip any 23.97.148.36 0.0.0.0
permit ip any 23.97.148.228 0.0.0.0
permit ip any 23.98.66.168 0.0.0.0
permit ip any 23.98.69.116 0.0.0.0
permit ip any 23.98.70.90 0.0.0.0
permit ip any 23.99.128.120 0.0.0.0
permit ip any 23.99.129.26 0.0.0.0
permit ip any 23.99.129.173 0.0.0.0
permit ip any 23.99.193.105 0.0.0.0
permit ip any 23.99.194.77 0.0.0.0
permit ip any 23.99.196.232 0.0.0.0
permit ip any 23.99.226.167 0.0.0.0
permit ip any 23.99.227.124 0.0.0.0
permit ip any 23.100.16.168 0.0.0.7
permit ip any 23.100.32.136 0.0.0.7
permit ip any 23.100.64.24 0.0.0.7
permit ip any 23.100.72.32 0.0.0.7
permit ip any 23.100.80.64 0.0.0.7
permit ip any 23.100.88.32 0.0.0.7
permit ip any 23.100.101.112 0.0.0.15
permit ip any 23.100.104.16 0.0.0.15
permit ip any 23.100.112.64 0.0.0.7

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 42 of 52

permit ip any 23.100.120.64 0.0.0.7
permit ip any 23.101.5.104 0.0.0.7
permit ip any 23.101.19.99 0.0.0.0
permit ip any 23.101.25.224 0.0.0.0
permit ip any 23.101.144.136 0.0.0.7
permit ip any 23.101.165.168 0.0.0.7
permit ip any 23.101.178.227 0.0.0.0
permit ip any 23.101.181.128 0.0.0.7
permit ip any 23.101.187.91 0.0.0.0
permit ip any 23.101.210.24 0.0.0.7
permit ip any 23.101.222.240 0.0.0.15
permit ip any 23.101.224.16 0.0.0.7
permit ip any 23.101.226.16 0.0.0.15
permit ip any 23.102.64.138 0.0.0.0
permit ip any 23.102.64.255 0.0.0.0
permit ip any 23.102.65.203 0.0.0.0
permit ip any 23.102.65.221 0.0.0.0
permit ip any 23.102.157.61 0.0.0.0
permit ip any 23.103.128.0 0.0.0.127
permit ip any 23.103.128.128 0.0.0.127
permit ip any 23.103.129.0 0.0.0.127
permit ip any 23.103.129.128 0.0.0.127
permit ip any 23.103.130.0 0.0.0.63
permit ip any 23.103.130.64 0.0.0.63
permit ip any 23.103.130.128 0.0.0.63
permit ip any 23.103.130.192 0.0.0.63
permit ip any 23.103.132.0 0.0.3.255
permit ip any 23.103.136.0 0.0.7.255
permit ip any 23.103.144.0 0.0.15.255
permit ip any 23.103.160.0 0.0.15.255
permit ip any 23.103.176.128 0.0.0.63
permit ip any 23.103.176.192 0.0.0.31
permit ip any 23.103.178.128 0.0.0.63
permit ip any 23.103.178.192 0.0.0.31
permit ip any 23.103.183.0 0.0.0.63
permit ip any 23.103.183.15 0.0.0.0
permit ip any 23.103.191.0 0.0.0.255
permit ip any 23.103.198.0 0.0.1.255
permit ip any 23.103.200.0 0.0.7.255
permit ip any 23.103.224.0 0.0.31.255
permit ip any 40.74.130.243 0.0.0.0
permit ip any 40.83.185.155 0.0.0.0
permit ip any 40.83.185.230 0.0.0.0
permit ip any 40.83.187.76 0.0.0.0
permit ip any 40.83.190.168 0.0.0.0
permit ip any 40.84.145.72 0.0.0.0
permit ip any 40.96.0.0 0.0.255.255
permit ip any 40.97.0.0 0.0.255.255
permit ip any 40.98.0.0 0.0.255.255
permit ip any 40.99.0.0 0.0.255.255
permit ip any 40.100.0.0 0.0.255.255
permit ip any 40.101.0.0 0.0.255.255
permit ip any 40.102.0.0 0.0.255.255
permit ip any 40.103.0.0 0.0.255.255
permit ip any 40.104.0.0 0.0.255.255
permit ip any 40.105.0.0 0.0.255.255
permit ip any 40.107.0.0 0.0.255.255
permit ip any 40.108.0.0 0.0.31.255
permit ip any 40.108.128.0 0.0.127.255
permit ip any 40.112.64.16 0.0.0.15
permit ip any 40.112.187.89 0.0.0.0
permit ip any 40.112.215.106 0.0.0.0
permit ip any 40.113.192.16 0.0.0.7
permit ip any 40.114.92.213 0.0.0.0
permit ip any 40.114.120.16 0.0.0.7
permit ip any 40.115.48.147 0.0.0.0
permit ip any 40.115.52.169 0.0.0.0
permit ip any 40.115.54.55 0.0.0.0
permit ip any 40.115.54.162 0.0.0.0
permit ip any 40.115.55.208 0.0.0.0
permit ip any 40.115.152.16 0.0.0.15
permit ip any 40.117.96.104 0.0.0.0

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 43 of 52

permit ip any 40.117.100.187 0.0.0.0
permit ip any 40.117.226.146 0.0.0.0
permit ip any 40.117.229.133 0.0.0.0
permit ip any 40.117.229.194 0.0.0.0
permit ip any 40.121.80.219 0.0.0.0
permit ip any 40.126.236.216 0.0.0.0
permit ip any 40.127.67.24 0.0.0.7
permit ip any 40.127.79.139 0.0.0.0
permit ip any 52.172.144.16 0.0.0.15
permit ip any 64.4.19.0 0.0.0.255
permit ip any 64.4.22.64 0.0.0.63
permit ip any 65.52.1.16 0.0.0.7
permit ip any 65.52.64.61 0.0.0.0
permit ip any 65.52.64.230 0.0.0.0
permit ip any 65.52.136.224 0.0.0.0
permit ip any 65.52.144.125 0.0.0.0
permit ip any 65.52.193.136 0.0.0.7
permit ip any 65.52.228.75 0.0.0.0
permit ip any 65.52.228.99 0.0.0.0
permit ip any 65.52.228.100 0.0.0.0
permit ip any 65.52.232.52 0.0.0.0
permit ip any 65.52.233.128 0.0.0.0
permit ip any 65.52.236.160 0.0.0.0
permit ip any 65.52.240.73 0.0.0.0
permit ip any 65.52.240.200 0.0.0.0
permit ip any 65.52.244.66 0.0.0.0
permit ip any 65.54.54.32 0.0.0.31
permit ip any 65.54.55.201 0.0.0.0
permit ip any 65.54.62.0 0.0.0.127
permit ip any 65.54.74.0 0.0.1.255
permit ip any 65.54.80.0 0.0.15.255
permit ip any 65.54.165.0 0.0.0.127
permit ip any 65.54.170.128 0.0.0.127
permit ip any 65.55.39.128 0.0.0.127
permit ip any 65.55.78.128 0.0.0.127
permit ip any 65.55.79.128 0.0.0.127
permit ip any 65.55.83.128 0.0.0.31
permit ip any 65.55.86.0 0.0.1.255
permit ip any 65.55.88.0 0.0.0.255
permit ip any 65.55.94.0 0.0.0.127
permit ip any 65.55.113.64 0.0.0.63
permit ip any 65.55.114.64 0.0.0.63
permit ip any 65.55.123.32 0.0.0.31
permit ip any 65.55.126.0 0.0.0.127
permit ip any 65.55.127.0 0.0.0.255
permit ip any 65.55.132.0 0.0.0.255
permit ip any 65.55.135.0 0.0.0.255
permit ip any 65.55.169.0 0.0.0.255
permit ip any 65.55.174.0 0.0.0.127
permit ip any 65.55.181.128 0.0.0.127
permit ip any 65.55.183.192 0.0.0.63
permit ip any 65.55.233.0 0.0.0.31
permit ip any 65.55.239.168 0.0.0.0
permit ip any 66.119.148.0 0.0.0.255
permit ip any 66.119.154.0 0.0.0.255
permit ip any 66.119.155.0 0.0.0.255
permit ip any 66.119.156.0 0.0.0.255
permit ip any 66.119.157.0 0.0.0.127
permit ip any 66.119.157.192 0.0.0.63
permit ip any 66.119.158.0 0.0.0.127
permit ip any 70.37.56.152 0.0.0.0
permit ip any 70.37.128.0 0.0.1.255
permit ip any 70.37.142.0 0.0.1.255
permit ip any 70.37.150.128 0.0.0.127
permit ip any 70.37.151.128 0.0.0.127
permit ip any 70.37.159.0 0.0.0.255
permit ip any 70.37.160.72 0.0.0.0
permit ip any 70.37.160.202 0.0.0.0
permit ip any 94.245.68.0 0.0.3.255
permit ip any 94.245.82.0 0.0.1.255
permit ip any 94.245.84.0 0.0.0.255
permit ip any 94.245.86.0 0.0.0.255

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 44 of 52

permit ip any 94.245.88.194 0.0.0.0
permit ip any 94.245.88.223 0.0.0.0
permit ip any 94.245.112.224 0.0.0.31
permit ip any 94.245.117.53 0.0.0.0
permit ip any 94.245.117.128 0.0.0.127
permit ip any 94.245.120.0 0.0.0.31
permit ip any 94.245.120.64 0.0.0.63
permit ip any 104.40.225.204 0.0.0.0
permit ip any 104.40.240.48 0.0.0.15
permit ip any 104.41.1.233 0.0.0.0
permit ip any 104.41.13.120 0.0.0.7
permit ip any 104.41.62.54 0.0.0.0
permit ip any 104.41.216.16 0.0.0.15
permit ip any 104.42.72.16 0.0.0.7
permit ip any 104.43.208.16 0.0.0.7
permit ip any 104.43.240.16 0.0.0.7
permit ip any 104.44.102.0 0.0.0.255
permit ip any 104.44.103.0 0.0.0.255
permit ip any 104.44.104.0 0.0.0.255
permit ip any 104.44.105.0 0.0.0.255
permit ip any 104.44.113.0 0.0.0.255
permit ip any 104.44.114.0 0.0.0.255
permit ip any 104.44.115.0 0.0.0.255
permit ip any 104.44.116.0 0.0.0.255
permit ip any 104.44.117.0 0.0.0.255
permit ip any 104.44.118.0 0.0.0.255
permit ip any 104.44.195.0 0.0.0.255
permit ip any 104.44.200.0 0.0.0.255
permit ip any 104.44.201.0 0.0.0.255
permit ip any 104.44.218.128 0.0.0.127
permit ip any 104.45.0.16 0.0.0.15
permit ip any 104.45.208.104 0.0.0.7
permit ip any 104.46.112.8 0.0.0.7
permit ip any 104.46.224.64 0.0.0.15
permit ip any 104.47.0.0 0.0.127.255
permit ip any 104.47.143.47 0.0.0.0
permit ip any 104.47.146.37 0.0.0.0
permit ip any 104.146.0.0 0.0.31.255
permit ip any 104.146.128.0 0.0.127.255
permit ip any 104.209.144.16 0.0.0.7
permit ip any 104.210.48.8 0.0.0.7
permit ip any 104.210.83.160 0.0.0.7
permit ip any 104.210.208.16 0.0.0.7
permit ip any 104.211.16.16 0.0.0.7
permit ip any 104.211.48.16 0.0.0.7
permit ip any 104.211.88.16 0.0.0.15
permit ip any 104.211.98.2 0.0.0.0
permit ip any 104.211.98.6 0.0.0.0
permit ip any 104.211.98.138 0.0.0.0
permit ip any 104.211.98.146 0.0.0.0
permit ip any 104.211.98.194 0.0.0.0
permit ip any 104.211.98.246 0.0.0.0
permit ip any 104.211.99.88 0.0.0.0
permit ip any 104.211.99.127 0.0.0.0
permit ip any 104.211.99.181 0.0.0.0
permit ip any 104.211.99.236 0.0.0.0
permit ip any 104.211.100.160 0.0.0.0
permit ip any 104.211.100.170 0.0.0.0
permit ip any 104.211.100.196 0.0.0.0
permit ip any 104.211.100.204 0.0.0.0
permit ip any 104.211.102.225 0.0.0.0
permit ip any 104.211.103.207 0.0.0.0
permit ip any 104.211.152.32 0.0.0.31
permit ip any 104.211.160.36 0.0.0.0
permit ip any 104.211.161.31 0.0.0.0
permit ip any 104.211.161.69 0.0.0.0
permit ip any 104.211.161.150 0.0.0.0
permit ip any 104.211.161.165 0.0.0.0
permit ip any 104.211.161.170 0.0.0.0
permit ip any 104.211.161.171 0.0.0.0
permit ip any 104.211.161.185 0.0.0.0
permit ip any 104.211.162.33 0.0.0.0

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 45 of 52

permit ip any 104.211.162.51 0.0.0.0
permit ip any 104.211.162.180 0.0.0.0
permit ip any 104.211.164.26 0.0.0.0
permit ip any 104.211.165.35 0.0.0.0
permit ip any 104.211.165.64 0.0.0.0
permit ip any 104.211.166.139 0.0.0.0
permit ip any 104.211.216.32 0.0.0.31
permit ip any 104.211.224.71 0.0.0.0
permit ip any 104.211.224.118 0.0.0.0
permit ip any 104.211.225.135 0.0.0.0
permit ip any 104.211.225.215 0.0.0.0
permit ip any 104.211.226.231 0.0.0.0
permit ip any 104.211.226.240 0.0.0.0
permit ip any 104.211.227.110 0.0.0.0
permit ip any 104.211.227.238 0.0.0.0
permit ip any 104.211.229.0 0.0.0.0
permit ip any 104.211.229.230 0.0.0.0
permit ip any 104.211.230.178 0.0.0.0
permit ip any 104.211.230.245 0.0.0.0
permit ip any 104.211.231.147 0.0.0.0
permit ip any 104.211.231.218 0.0.0.0
permit ip any 104.211.231.219 0.0.0.0
permit ip any 104.211.231.248 0.0.0.0
permit ip any 104.214.38.136 0.0.0.0
permit ip any 104.215.96.24 0.0.0.7
permit ip any 104.215.144.64 0.0.0.7
permit ip any 104.215.184.16 0.0.0.7
permit ip any 104.215.194.17 0.0.0.0
permit ip any 111.221.16.0 0.0.7.255
permit ip any 111.221.17.96 0.0.0.31
permit ip any 111.221.17.128 0.0.0.31
permit ip any 111.221.22.64 0.0.0.63
permit ip any 111.221.22.128 0.0.0.63
permit ip any 111.221.23.128 0.0.0.127
permit ip any 111.221.24.0 0.0.7.255
permit ip any 111.221.66.0 0.0.0.127
permit ip any 111.221.69.128 0.0.0.127
permit ip any 111.221.70.0 0.0.0.127
permit ip any 111.221.71.0 0.0.0.127
permit ip any 111.221.76.128 0.0.0.127
permit ip any 111.221.77.0 0.0.0.63
permit ip any 111.221.104.43 0.0.0.0
permit ip any 111.221.112.0 0.0.7.255
permit ip any 111.221.120.0 0.0.0.255
permit ip any 111.221.122.192 0.0.0.63
permit ip any 111.221.127.112 0.0.0.15
permit ip any 131.253.33.215 0.0.0.0
permit ip any 131.253.120.128 0.0.0.0
permit ip any 131.253.128.0 0.0.31.255
permit ip any 131.253.128.0 0.0.0.127
permit ip any 131.253.128.128 0.0.0.127
permit ip any 131.253.129.0 0.0.0.127
permit ip any 131.253.129.128 0.0.0.63
permit ip any 131.253.129.143 0.0.0.0
permit ip any 131.253.130.0 0.0.0.127
permit ip any 131.253.130.128 0.0.0.63
permit ip any 131.253.130.192 0.0.0.63
permit ip any 131.253.131.0 0.0.0.127
permit ip any 131.253.131.128 0.0.0.63
permit ip any 131.253.132.0 0.0.0.127
permit ip any 131.253.133.0 0.0.0.127
permit ip any 131.253.134.0 0.0.0.127
permit ip any 131.253.134.128 0.0.0.127
permit ip any 131.253.135.128 0.0.0.127
permit ip any 131.253.136.0 0.0.0.127
permit ip any 131.253.136.128 0.0.0.127
permit ip any 131.253.137.0 0.0.0.127
permit ip any 131.253.137.128 0.0.0.127
permit ip any 131.253.138.0 0.0.0.127
permit ip any 131.253.138.128 0.0.0.127
permit ip any 131.253.139.128 0.0.0.127
permit ip any 131.253.140.0 0.0.0.127

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 46 of 52

permit ip any 131.253.140.128 0.0.0.127
permit ip any 131.253.141.0 0.0.0.127
permit ip any 131.253.141.128 0.0.0.127
permit ip any 131.253.142.128 0.0.0.127
permit ip any 131.253.144.128 0.0.0.127
permit ip any 131.253.145.0 0.0.0.127
permit ip any 131.253.145.128 0.0.0.127
permit ip any 131.253.160.0 0.0.15.255
permit ip any 131.253.160.0 0.0.0.63
permit ip any 131.253.160.64 0.0.0.63
permit ip any 131.253.160.128 0.0.0.63
permit ip any 131.253.161.128 0.0.0.63
permit ip any 131.253.161.192 0.0.0.63
permit ip any 131.253.162.0 0.0.0.63
permit ip any 131.253.162.64 0.0.0.63
permit ip any 131.253.162.128 0.0.0.63
permit ip any 131.253.162.192 0.0.0.63
permit ip any 131.253.163.0 0.0.0.63
permit ip any 131.253.163.64 0.0.0.63
permit ip any 131.253.163.128 0.0.0.63
permit ip any 131.253.163.192 0.0.0.63
permit ip any 131.253.164.0 0.0.0.63
permit ip any 131.253.164.192 0.0.0.63
permit ip any 131.253.165.0 0.0.0.63
permit ip any 131.253.166.64 0.0.0.63
permit ip any 131.253.166.128 0.0.0.63
permit ip any 131.253.166.192 0.0.0.63
permit ip any 132.245.0.0 0.0.255.255
permit ip any 132.245.0.0 0.0.0.255
permit ip any 132.245.1.0 0.0.0.127
permit ip any 132.245.112.0 0.0.0.255
permit ip any 132.245.113.0 0.0.0.127
permit ip any 132.245.128.0 0.0.0.255
permit ip any 132.245.129.0 0.0.0.127
permit ip any 132.245.161.0 0.0.0.255
permit ip any 132.245.162.0 0.0.0.127
permit ip any 132.245.165.0 0.0.0.127
permit ip any 132.245.192.0 0.0.0.255
permit ip any 132.245.193.0 0.0.0.127
permit ip any 132.245.208.0 0.0.0.255
permit ip any 132.245.209.0 0.0.0.127
permit ip any 134.170.0.0 0.0.255.255
permit ip any 134.170.0.0 0.0.0.127
permit ip any 134.170.26.0 0.0.0.255
permit ip any 134.170.27.64 0.0.0.63
permit ip any 134.170.27.86 0.0.0.0
permit ip any 134.170.48.0 0.0.0.63
permit ip any 134.170.48.20 0.0.0.0
permit ip any 134.170.48.22 0.0.0.0
permit ip any 134.170.54.0 0.0.0.63
permit ip any 134.170.54.128 0.0.0.127
permit ip any 134.170.65.64 0.0.0.63
permit ip any 134.170.65.86 0.0.0.0
permit ip any 134.170.67.0 0.0.0.127
permit ip any 134.170.68.0 0.0.1.255
permit ip any 134.170.70.0 0.0.0.255
permit ip any 134.170.98.0 0.0.0.255
permit ip any 134.170.101.0 0.0.0.255
permit ip any 134.170.113.192 0.0.0.63
permit ip any 134.170.115.128 0.0.0.127
permit ip any 134.170.129.0 0.0.0.255
permit ip any 134.170.132.0 0.0.0.255
permit ip any 134.170.137.0 0.0.0.255
permit ip any 134.170.140.0 0.0.0.255
permit ip any 134.170.170.64 0.0.0.63
permit ip any 134.170.170.86 0.0.0.0
permit ip any 134.170.171.0 0.0.0.255
permit ip any 134.170.172.128 0.0.0.127
permit ip any 134.170.200.0 0.0.7.255
permit ip any 134.170.208.0 0.0.7.255
permit ip any 134.170.217.160 0.0.0.31
permit ip any 137.116.32.61 0.0.0.0

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 47 of 52

permit ip any 137.116.32.101 0.0.0.0
permit ip any 137.116.48.66 0.0.0.0
permit ip any 137.116.48.69 0.0.0.0
permit ip any 137.116.49.27 0.0.0.0
permit ip any 137.116.64.162 0.0.0.0
permit ip any 137.116.80.106 0.0.0.0
permit ip any 137.116.172.39 0.0.0.0
permit ip any 137.116.200.108 0.0.0.0
permit ip any 137.116.242.169 0.0.0.0
permit ip any 137.117.99.175 0.0.0.0
permit ip any 137.117.103.21 0.0.0.0
permit ip any 137.135.42.195 0.0.0.0
permit ip any 137.135.43.100 0.0.0.0
permit ip any 137.135.44.73 0.0.0.0
permit ip any 137.135.47.4 0.0.0.0
permit ip any 137.135.47.6 0.0.0.0
permit ip any 137.135.47.28 0.0.0.0
permit ip any 137.135.48.128 0.0.0.0
permit ip any 138.91.1.59 0.0.0.0
permit ip any 138.91.2.208 0.0.0.0
permit ip any 138.91.2.210 0.0.0.0
permit ip any 138.91.2.212 0.0.0.0
permit ip any 138.91.17.43 0.0.0.0
permit ip any 138.91.17.108 0.0.0.0
permit ip any 138.91.18.52 0.0.0.0
permit ip any 138.91.56.78 0.0.0.0
permit ip any 138.91.56.97 0.0.0.0
permit ip any 138.91.58.210 0.0.0.0
permit ip any 138.91.59.78 0.0.0.0
permit ip any 138.91.59.239 0.0.0.0
permit ip any 138.91.60.177 0.0.0.0
permit ip any 138.91.61.35 0.0.0.0
permit ip any 138.91.61.153 0.0.0.0
permit ip any 157.55.9.128 0.0.0.127
permit ip any 157.55.11.0 0.0.0.127
permit ip any 157.55.40.128 0.0.0.127
permit ip any 157.55.44.224 0.0.0.31
permit ip any 157.55.45.128 0.0.0.127
permit ip any 157.55.46.64 0.0.0.63
permit ip any 157.55.47.0 0.0.0.255
permit ip any 157.55.49.0 0.0.0.255
permit ip any 157.55.59.128 0.0.0.127
permit ip any 157.55.61.0 0.0.0.255
permit ip any 157.55.80.175 0.0.0.0
permit ip any 157.55.80.182 0.0.0.0
permit ip any 157.55.84.19 0.0.0.0
permit ip any 157.55.84.237 0.0.0.0
permit ip any 157.55.130.0 0.0.0.127
permit ip any 157.55.131.0 0.0.0.127
permit ip any 157.55.133.0 0.0.0.127
permit ip any 157.55.145.0 0.0.0.127
permit ip any 157.55.155.0 0.0.0.127
permit ip any 157.55.157.128 0.0.0.127
permit ip any 157.55.158.0 0.0.1.255
permit ip any 157.55.161.59 0.0.0.0
permit ip any 157.55.161.75 0.0.0.0
permit ip any 157.55.168.18 0.0.0.0
permit ip any 157.55.176.63 0.0.0.0
permit ip any 157.55.185.100 0.0.0.0
permit ip any 157.55.194.46 0.0.0.0
permit ip any 157.55.206.0 0.0.1.255
permit ip any 157.55.208.58 0.0.0.0
permit ip any 157.55.208.198 0.0.0.0
permit ip any 157.55.208.218 0.0.0.0
permit ip any 157.55.224.128 0.0.0.127
permit ip any 157.55.225.0 0.0.0.127
permit ip any 157.55.227.192 0.0.0.63
permit ip any 157.55.230.0 0.0.0.127
permit ip any 157.55.232.128 0.0.0.63
permit ip any 157.55.234.0 0.0.0.255
permit ip any 157.55.238.0 0.0.0.127
permit ip any 157.55.252.101 0.0.0.0

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 48 of 52

permit ip any 157.56.0.0 0.0.255.255
permit ip any 157.56.8.78 0.0.0.0
permit ip any 157.56.12.18 0.0.0.0
permit ip any 157.56.24.0 0.0.0.127
permit ip any 157.56.28.192 0.0.0.0
permit ip any 157.56.48.128 0.0.0.127
permit ip any 157.56.53.128 0.0.0.127
permit ip any 157.56.55.0 0.0.0.127
permit ip any 157.56.58.0 0.0.0.127
permit ip any 157.56.58.192 0.0.0.63
permit ip any 157.56.73.0 0.0.0.255
permit ip any 157.56.87.192 0.0.0.63
permit ip any 157.56.96.16 0.0.0.15
permit ip any 157.56.96.224 0.0.0.7
permit ip any 157.56.96.232 0.0.0.7
permit ip any 157.56.106.128 0.0.0.15
permit ip any 157.56.108.0 0.0.0.255
permit ip any 157.56.110.0 0.0.1.255
permit ip any 157.56.111.0 0.0.0.255
permit ip any 157.56.112.0 0.0.0.255
permit ip any 157.56.115.0 0.0.0.255
permit ip any 157.56.116.0 0.0.0.127
permit ip any 157.56.120.0 0.0.0.127
permit ip any 157.56.135.64 0.0.0.63
permit ip any 157.56.151.0 0.0.0.127
permit ip any 157.56.174.160 0.0.0.31
permit ip any 157.56.185.0 0.0.0.63
permit ip any 157.56.199.0 0.0.0.255
permit ip any 157.56.206.0 0.0.0.255
permit ip any 157.56.208.0 0.0.3.255
permit ip any 157.56.232.0 0.0.7.255
permit ip any 157.56.240.0 0.0.15.255
permit ip any 168.61.32.214 0.0.0.0
permit ip any 168.61.35.252 0.0.0.0
permit ip any 168.61.36.121 0.0.0.0
permit ip any 168.61.37.63 0.0.0.0
permit ip any 168.61.38.105 0.0.0.0
permit ip any 168.61.82.81 0.0.0.0
permit ip any 168.61.85.180 0.0.0.0
permit ip any 168.62.4.28 0.0.0.0
permit ip any 168.62.11.24 0.0.0.0
permit ip any 168.62.11.117 0.0.0.0
permit ip any 168.62.16.112 0.0.0.0
permit ip any 168.62.16.140 0.0.0.0
permit ip any 168.62.16.149 0.0.0.0
permit ip any 168.62.16.252 0.0.0.0
permit ip any 168.62.24.38 0.0.0.0
permit ip any 168.62.24.104 0.0.0.0
permit ip any 168.62.24.114 0.0.0.0
permit ip any 168.62.24.150 0.0.0.0
permit ip any 168.62.41.25 0.0.0.0
permit ip any 168.62.42.89 0.0.0.0
permit ip any 168.62.52.198 0.0.0.0
permit ip any 168.62.52.203 0.0.0.0
permit ip any 168.62.56.108 0.0.0.0
permit ip any 168.62.60.71 0.0.0.0
permit ip any 168.62.60.80 0.0.0.0
permit ip any 168.62.104.146 0.0.0.0
permit ip any 168.62.105.126 0.0.0.0
permit ip any 168.62.105.217 0.0.0.0
permit ip any 168.62.176.34 0.0.0.0
permit ip any 168.62.179.4 0.0.0.0
permit ip any 168.62.180.151 0.0.0.0
permit ip any 168.63.16.112 0.0.0.0
permit ip any 168.63.16.114 0.0.0.0
permit ip any 168.63.17.221 0.0.0.0
permit ip any 168.63.25.227 0.0.0.0
permit ip any 168.63.27.2 0.0.0.0
permit ip any 168.63.92.133 0.0.0.0
permit ip any 168.63.99.250 0.0.0.0
permit ip any 168.63.164.177 0.0.0.0
permit ip any 168.63.165.67 0.0.0.0

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 49 of 52

permit ip any 168.63.166.200 0.0.0.0
permit ip any 168.63.208.73 0.0.0.0
permit ip any 168.63.214.35 0.0.0.0
permit ip any 168.63.250.173 0.0.0.0
permit ip any 168.63.252.39 0.0.0.0
permit ip any 191.232.0.0 0.0.1.255
permit ip any 191.232.2.128 0.0.0.127
permit ip any 191.233.37.141 0.0.0.0
permit ip any 191.234.6.0 0.0.0.255
permit ip any 191.234.6.152 0.0.0.0
permit ip any 191.234.8.0 0.0.7.255
permit ip any 191.234.76.0 0.0.1.255
permit ip any 191.234.128.0 0.0.7.255
permit ip any 191.234.140.0 0.0.3.255
permit ip any 191.234.144.0 0.0.15.255
permit ip any 191.234.192.0 0.0.31.255
permit ip any 191.234.224.0 0.0.3.255
permit ip any 191.235.0.0 0.0.15.255
permit ip any 191.235.135.139 0.0.0.0
permit ip any 191.235.135.222 0.0.0.0
permit ip any 191.236.192.179 0.0.0.0
permit ip any 191.237.248.32 0.0.0.7
permit ip any 191.237.252.192 0.0.0.15
permit ip any 191.238.80.160 0.0.0.0
permit ip any 191.238.80.241 0.0.0.0
permit ip any 191.238.81.69 0.0.0.0
permit ip any 191.238.83.220 0.0.0.0
permit ip any 191.238.160.173 0.0.0.0
permit ip any 191.239.64.124 0.0.0.0
permit ip any 191.239.64.125 0.0.0.0
permit ip any 191.239.64.129 0.0.0.0
permit ip any 191.239.64.130 0.0.0.0
permit ip any 191.239.64.131 0.0.0.0
permit ip any 191.239.64.132 0.0.0.0
permit ip any 191.239.64.133 0.0.0.0
permit ip any 191.239.64.134 0.0.0.0
permit ip any 191.239.160.4 0.0.0.0
permit ip any 191.239.160.93 0.0.0.0
permit ip any 191.239.160.140 0.0.0.0
permit ip any 191.239.160.141 0.0.0.0
permit ip any 191.239.160.142 0.0.0.0
permit ip any 191.239.160.143 0.0.0.0
permit ip any 191.239.160.144 0.0.0.0
permit ip any 191.239.160.145 0.0.0.0
permit ip any 204.79.197.204 0.0.0.0
permit ip any 204.79.197.205 0.0.0.0
permit ip any 204.79.197.215 0.0.0.0
permit ip any 206.191.224.0 0.0.31.255
permit ip any 207.46.4.128 0.0.0.127
permit ip any 207.46.5.0 0.0.0.255
permit ip any 207.46.51.64 0.0.0.63
permit ip any 207.46.57.0 0.0.0.127
permit ip any 207.46.57.128 0.0.0.127
permit ip any 207.46.58.128 0.0.0.127
permit ip any 207.46.70.0 0.0.0.255
permit ip any 207.46.73.250 0.0.0.0
permit ip any 207.46.100.0 0.0.0.255
permit ip any 207.46.101.128 0.0.0.63
permit ip any 207.46.108.0 0.0.0.127
permit ip any 207.46.150.128 0.0.0.127
permit ip any 207.46.163.0 0.0.0.255
permit ip any 207.46.164.0 0.0.0.255
permit ip any 207.46.198.0 0.0.0.127
permit ip any 207.46.206.0 0.0.1.255
permit ip any 207.46.216.54 0.0.0.0
permit ip any 213.199.128.58 0.0.0.0
permit ip any 213.199.128.91 0.0.0.0
permit ip any 213.199.128.119 0.0.0.0
permit ip any 213.199.132.97 0.0.0.0
permit ip any 213.199.148.0 0.0.1.255
permit ip any 213.199.154.0 0.0.0.255
permit ip any 213.199.174.0 0.0.0.127

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 50 of 52

permit ip any 213.199.177.0 0.0.0.63
permit ip any 213.199.180.128 0.0.0.63
permit ip any 216.32.180.0 0.0.0.255
permit ip any 216.32.181.0 0.0.0.255
deny ip any any
!
!
ip nat inside source list nat-azure-direct-acl interface Loopback100 overload
!
!
interface GigabitEthernet0/0
description *** Customer WAN Interface ***
ip nat outside
!
interface GigabitEthernet0/1
dewcription *** Customer LAN Interface ***
ip nat inside
!
end

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 51 of 52

APPENDIX 2: GLOSSARY

Term Definition

ASN Autonomous System Number

AWS Amazon Web Services

BGP Border Gateway Protocol

BYO Bring Your Own (not purchased from Telstra)

eBGP External Broder Gateway Protocol

ETC Early Termination Charges

FNN Full National Number

HSRP Hot Standby Routing Protocol

I/C Interconnect

iBGP Internal Border Gateway Protocol

IP VPN IP Virtual Private Network (Telstra IP network service) e.g. Telstra IP MAN and IP WAN
services

MAC Moves, Adds and Changes (modification to your service or product)

SNAT Source Network Address Translation

VLAN Virtual Local Area Network

VM Virtual Machine

VRRP Virtual Router Redundancy Protocol

TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | Printed 1 MAY 2018

Cloud Gateway Technical Guide Page 52 of 52