I'm sure I'm not the first one to do this, but since I wasn't able to find a document on how exactly to do it, I figured I'd contribute one. I'd appreciate any corrections or optimizations.
The Azure side documentation is pretty clear online and honestly there aren't many options available to configure. But here are is my Azure address space for clarification.
And my defined local networks, with a gateway address of my PAN VPN endpoint.
Next I configured the Tunnel interface, which is pretty vanilla, just have to assign an IP on the same subnet as the Azure Gateway Subnet (I used the last usable IP on the subnet), select a virtual router and the appropriate security zone (the zone I selected is the same as the one my other servers are on, so I don't need new policies).
The settings of my default IKE Crypto profile were the same as for Azure, but here they are just in case.
I had to create a new IPSec Crypto Profile for Azure due to the 3600 lifetime instead of lifetime on my other tunnels (you can modify the default if this is your only tunnel or if your other tunnels use the same settings).
Create an IKE Gateway selecting the external interface of your PAN and the IP of that interface for "Local IP Address" (this will match the VPN Gateway Address configured on the Local Address in Azure that you're tunneling to). The Peer IP Address can be obtained from the Azure Virtual Network Dashboard of the same Azure Virtual Network. The Local Identification IP Address should match the Local IP Address on the same screen. The Pre-shared Key can be obtained by clicking "Manage Key" on the Azure Virtual network Dashboard of the Azure Network, then copy and paste it
Now create a new IPSec Tunnel with the newly created Tunnel Interface, IKE Gateway and IPsec Crypto Profile.
Go to the Proxy IDs tab and create at least one ID with the appropriate local and remote subnets (Local should matched the defined "Local Networks" you configured in Azure with the appropriate gateway address of your PAN IPSec tunnel endpoint and remote should match the configured Azure address space).
Finally create a route to direct traffic via the tunnel interface to the Auzre Virtual Network.
At this point a ping to the Azure Virtual Network should bring the tunnel up, if not, check the System log to troubleshoot (at this time no ping responses are received, but other traffic is working, need to figure that one out).
Thanks for the doc. Just an addition, when you setup the gateway on the Azure side you need to make sure you chose the "static routing" option. With "dynamic routing" selected Azure will default to using IKE v2 which the PA does not appear to understand and hence will not complete Phase 1 negotiation (Notify Message Type: NO-PROPOSAL-CHOSEN (14)).
I have seen an incident where the only change to make VPN stable is we disabled Dead Peer Detection, which is not supported per Microsoft's doc and not found in Azure ASA template configuration.
For the Phase 2 Security Association (SA) Lifetime (Throughput), Azure uses 102,400,000 KB. However we are not able to use this value on PA. I think this is not significant. However, I can have this field blank in my lab. My PANOS version is 6.0.6.
Just adding the official PA document for Azure VPN to the thread.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!