As a new system administrator, I am responsible for managing the network firewalls. Our firewalls are Palo Alto Networks 3020 and 200 devices located at multiple sites. One of the most interesting things I've configured over the past year is site-to-site IPsec tunnels with our partner companies. Every one of our company's IPsec tunnels terminates between two firewalls, and in some cases the peer firewall is a different brand or model.
To test and train myself without affecting my work environment, I signed up for Comcast Business at home (including 5 static IPs), purchased a used, unsupported Palo Alto 200 device from eBay and installed it in my home network.
Since then, I have been able to test a number of scenarios, and I was interested in creating a site-to-site IPsec tunnel between my Palo Alto 200 and Azure. This post shows the steps and results of that configuration.
These notes were compiled after my configuration was complete to give general direction, so they carry a degree of ambiguity. IPsec settings may vary depending on your environment. The purpose of this article is to provide an example of a configuration that connected successfully.
The prerequisites for this configuration are as follows:
A Palo Alto 200 (PA-200) device
A public static IP assigned to the PA-200
An Azure subscription or trial
1. AZURE CONFIGURATION
I used this excellent Microsoft article as a guide through the Azure configuration: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
I created my virtual network according to the Microsoft article's guidelines.
NOTE: I tried to stay consistent with the Microsoft example's naming conventions for simplicity.
The next step is to create an IPsec policy with its parameters, and a local network gateway connection that represents your IPsec connection from your Azure network to your on-premises network and Palo Alto firewall.
NOTE: As of the writing of these notes, it is not possible to create the IPsec policy and its parameters directly in the Azure portal. It was necessary to use Azure PowerShell to finish this configuration.
I installed and configured the Azure PowerShell modules on my local desktop according to this Microsoft article: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-5.6.0
I launched PowerShell and executed the following command to connect to Azure.
After connecting to Azure, I followed the link provided in the general Azure guideline article for IPsec and IKE settings: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell
NOTE: That article describes a start-to-finish configuration using PowerShell. However, after following the general guideline, several items were already configured, so I had to work through it and define only a subset of the variables in order to define my IPsec policy, then create a virtual network gateway connection and assign it to my virtual network gateway. Below is the subset of commands I ran to create the IPsec policy and create the virtual network gateway connection with it. Some effort will be needed to customize these commands for your configuration.
$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzureA1b2C3'
Using the Azure Cloud Shell, accessible from the Azure portal, you can review your IPsec parameters.
The virtual network gateway connection created from PowerShell is then visible in the Azure portal.
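The commands above are the fragments I ran; the script below is an added, end-to-end example of the same Azure PowerShell procedure (sign-in, local network gateway, IPsec policy, connection, verification) and is not the author's own script. It assumes the AzureRM module (5.x) is installed, that the virtual network and its virtual network gateway already exist from the portal steps, and that the resource names, location, public IP and on-premises prefixes are placeholders to be replaced with your own. It also generates a random pre-shared key instead of hard-coding one, and it checks that the policy Azure stored matches what was requested.

```powershell
# Added example, not the original post's script. All names, the location, the
# public IP and the prefixes below are placeholders (assumptions) to replace.
$RG1            = "TestRG1"
$Location1      = "East US"
$GWName1        = "VNet1GW"                  # existing virtual network gateway
$LNGName6       = "Site6"                    # local network gateway = the PA-200 site
$Connection16   = "VNet1toSite6"
$OnPremPublicIp = "203.0.113.10"             # public static IP on the PA-200 (documentation range)
$OnPremPrefixes = @("10.101.0.0/24", "10.101.1.0/24")   # subnets behind the PA-200

# Sign in to Azure (this is the "connect to Azure" step referred to in the text).
Connect-AzureRmAccount | Out-Null

# Generate a random 32-byte pre-shared key (64 hex characters) rather than keeping a
# fixed key in the script. The same value must be entered on the PA-200.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$SharedKey = -join ($bytes | ForEach-Object { '{0:x2}' -f $_ })

# Local network gateway: the PA-200's public IP and the prefixes reachable behind it.
$lng6 = New-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 `
    -Location $Location1 -GatewayIpAddress $OnPremPublicIp -AddressPrefix $OnPremPrefixes

# Custom IPsec/IKE policy with the same parameters the post uses. -PfsGroup None means
# no perfect forward secrecy on the IPsec (phase 2) SA; the PA-200 side must match it.
$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 `
    -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None `
    -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1

# Create the site-to-site connection and attach the policy and key to it.
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 `
    -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 `
    -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey $SharedKey | Out-Null

# Verification (the review the post does in Cloud Shell): confirm the stored policy is
# the one requested, then report the connection status. It stays NotConnected until the
# PA-200 peer is configured with the matching proposals and key.
$conn    = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$applied = $conn.IpsecPolicies[0]
if ($applied.IkeEncryption -ne "AES256" -or $applied.DhGroup -ne "DHGroup24" -or
    $applied.IpsecIntegrity -ne "SHA256" -or $applied.PfsGroup -ne "None") {
    throw "Applied IPsec policy does not match the requested parameters"
}
$applied | Format-List
"ConnectionStatus: $($conn.ConnectionStatus)"
```

Run it once in a PowerShell session where the AzureRM module is loaded; record the generated key somewhere appropriate for secrets before closing the session, since it is needed on the PA-200 and is not stored by the script.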
2. PALO ALTO CONFIGURATION
3. CONNECTING TO AZURE RESOURCES
After this self-learning project, I felt very accomplished, having created and used a meaningful feature in Azure. This site-to-site connection will let me formally extend my test data center into Azure and explore the next set of Azure features I'm interested in. Now that my data center network is connected to Azure, I can create a secondary domain controller VM in Azure as if it resided on my local network, which will help demonstrate disaster recovery and further expand my data center presence in Azure. In addition, I want to install a Palo Alto VM firewall appliance in the Azure environment to provide the same enterprise-level security as the data center.