site to site vpn using a PA inside Azure


L4 Transporter

I'm trying to get an IPsec VPN working with a Palo gateway instance inside of Azure. Because Azure handles the public IP, and the Palo has no awareness of it, I expect NAT traversal will factor heavily. Has anyone got such a topology working?

An old thread on this subject suggests that this is not the recommended approach - that Azure native VPN should be used instead. Here's a post from that discussion:


In our reference architecture and companion deployment guide, we do not typically recommend terminating the VPNs on the Virtual Appliance running in Azure.  This is b/c you will need to use SNAT to enforce return path routing through the proper firewall to prevent asymmetric routing as we cannot extend BGP from the firewalls to the Azure Route Table.  Instead, you may consider terminating the VPN on the Azure VPN Gateway and use our backhaul routing design to force all traffic to and from the Gateway subnet through the firewall utilizing UDRs and the Load Balancer.

Cyber Elite

Hello,

If you have a static IP on the Azure external IP side, you should be able to get this going. Just remember, on the Azure PAN in the IKE gateway settings, make sure to use the local IP address of the untrust interface as the local IP address. Then on the other PAN in the IKE gateway settings, make sure to add the Peer Identification IP address of the Azure PAN.

Hope that makes sense.
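The identity mismatch the reply above warns about (the on-prem peer being pointed at Azure's public IP while the Azure PAN identifies itself by its private untrust address) is easy to model. The following is an added example, not code from the thread or from PAN-OS: a small consistency check over a constructed model of the IKE gateway fields, assuming the local identification defaults to the local interface IP and using documentation-range addresses chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IkeGateway:
    """Constructed model of the IKE gateway fields that matter here; not PAN-OS's own schema."""
    name: str
    local_ip: str        # address of the untrust interface this gateway binds to
    local_id: str        # identification sent in IKE (assumed to default to local_ip)
    peer_address: str    # address IKE packets are sent to
    peer_id: str         # identification expected from the remote side
    nat_traversal: bool


def check_pair(azure: IkeGateway, onprem: IkeGateway, azure_public_ip: str) -> list:
    """Return misconfigurations for an Azure-hosted PAN behind 1:1 NAT talking to an
    on-prem PAN that owns its public IP directly. An empty list means consistent."""
    problems = []
    # The Azure untrust interface carries a private VNet address; Azure translates it
    # to the public IP, so the firewall itself never sees azure_public_ip.
    if not ipaddress.ip_address(azure.local_ip).is_private:
        problems.append(f"{azure.name}: local IP {azure.local_ip} is not a VNet private address")
    if azure.local_ip != azure.local_id:
        problems.append(f"{azure.name}: local identification should be the untrust interface IP")
    # On-prem sends packets to the NAT'd public address...
    if onprem.peer_address != azure_public_ip:
        problems.append(f"{onprem.name}: peer address must be Azure public IP {azure_public_ip}")
    # ...but the identity carried inside IKE is the Azure PAN's private local ID,
    # so peer identification must match that, not the public IP.
    if onprem.peer_id != azure.local_id:
        problems.append(f"{onprem.name}: peer identification {onprem.peer_id} != Azure local ID {azure.local_id}")
    if azure.peer_address != onprem.local_ip or azure.peer_id != onprem.local_id:
        problems.append(f"{azure.name}: peer address/ID must be on-prem {onprem.local_ip}/{onprem.local_id}")
    if not (azure.nat_traversal and onprem.nat_traversal):
        problems.append("NAT traversal must be enabled on both gateways")
    return problems


# Constructed sample addresses (RFC 5737 documentation ranges), not taken from the thread.
AZURE_PUBLIC_IP = "203.0.113.10"
AZURE_GW = IkeGateway("azure-pan", "10.0.1.4", "10.0.1.4", "198.51.100.5", "198.51.100.5", True)
ONPREM_GOOD = IkeGateway("onprem-pan", "198.51.100.5", "198.51.100.5", AZURE_PUBLIC_IP, "10.0.1.4", True)
# Common mistake: expecting the public IP as the peer identity.
ONPREM_BAD = IkeGateway("onprem-pan", "198.51.100.5", "198.51.100.5", AZURE_PUBLIC_IP, AZURE_PUBLIC_IP, True)

if __name__ == "__main__":
    for gw in (ONPREM_GOOD, ONPREM_BAD):
        print(gw.peer_id, check_pair(AZURE_GW, gw, AZURE_PUBLIC_IP) or "OK")
```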

L1 Bithead

We are about to set up two active/active VM-Series firewalls in Azure and have a similar question.

We have an internal load balancer to handle outgoing traffic from VNETs to the Transit VNET where the Firewalls reside.

We also have an external load balancer to handle incoming traffic from the Internet.

One of these is the IPsec VPN tunnels from a third-party vendor. Can we set up the VPN tunnel for this vendor on the VM-Series, or can we use a VPN Gateway to handle VPN tunnels? If we want to use the VPN Gateway, where would it reside? In the Transit VNET in the same subnet as the external load balancer, or on the subnet for the trust interface of the firewalls?

L0 Member

Hello,

Please check this doc: https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resour... (p. 57). There you can see that the VPN Gateway is configured in the transit VNET in a separate gateway subnet. You can also use VM-Series instead of the VPN Gateway.
