Chapter 4. Cloud Technologies
4.3 Site-to-Site VPN between Palo Alto on Premise and Palo Alto in the Azure
Learning Objectives
- Configure a Virtual Network in Microsoft Azure
- Set up and configure the Azure VPN Gateway for IPsec VPN
- Implement Network Security Groups (NSGs) in Azure for traffic control
- Monitor and troubleshoot IPsec VPN connections on Palo Alto
Scenario: In this lab, we will create a site-to-site VPN from Palo Alto on-premise to Palo Alto in the Azure. Knowing the configuration of section 4.2 is necessary for this lab. I have created management and ethernet1/1 as a DHCP, so they will receive an IP address from Cloud.
On-Premise Palo Alto Configuration
Devices | Interface | IP address |
---|---|---|
Palo Alto | Management | DHCP Client |
Ethernet 1/1 | DHCP Client | |
Ethernet 1/2 | 192.168.10.1/24 | |
WebTerm | Eth0 | 192.168.10.2/24 |
- Configure the interfaces of the firewall. Set Ethernet1/1 as a Untrust Zone and Ethernet1/2 as a Trust Zone.
- Create a tunnel.1 and set the tunnel as Untrust zone.
- Create two static routes, one pointing to 142.232.197.254 (on-Prem Default Gateway) and the other one sending the traffic of Azure through the tunnel.
- For setting up, site-to-site VPN we will use default IKE Crypto, IPsec Crypto profiles and we will only set IKE Gateway and IPsec Tunnel as following figures. You have to configure local and peer identification.
- Finally, create two security policies, one from Trust to Untrust zone and the other from Untrust to Trust zone.
Azure Configuration
- Create a Palo Alto firewall in Azure and configure the interfaces. You need to do all steps in section 4.1 and assign public IP address to Ethernet 1 (Untrust Zone).
- Create a route in Azure pointing to Trust interface.
- Set static routes as figures 4.83 and 4.84.
- For setting up, site-to-site VPN we will use default IKE Crypto, IPsec Crypto profiles and we will only set IKE Gateway and IPsec Tunnel as figures 4.85 and 4.86.
- Finally, create two security policies, one from Trust to Untrust zone and the other from Untrust to Trust zone.
- Add windows or Linux VM to Trust Subnet. This VM is for testing ping from Azure side to on-prem. We will not create a public IP address for the VM.
- Now, you should be able to ping and your tunnel should be green.