In an effort to test and train myself without affecting my work environment, I signed up for Comcast Business (5 static IPs included) at home, purchased a used Palo Alto 200 device from eBay (no support), and installed it in my home network environment. 

Since then, I have been able to test many situations and became interested in creating a site-to-site IPsec tunnel from my Palo Alto 200 device and Azure. This blog post will demonstrate my steps and results for that configuration.

These notes are compiled after my configuration was complete, and are meant to give a general direction and do require some level of ambiguity. The IPSec settings could vary depending upon environmental requirements. This article is meant to provide one example of a successfully connected configuration.

Prerequisites for this configuration are as follows:

1. Palo Alto 200 (PA-200) device
2. Public Static IP to assign to PA-200
3. Azure subscription or trial 

1. Azure Configuration

1. I used this excellent Microsoft article that provides a guide through the Azure configuration: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
2. Created my virtual network according to Microsoft article guideline.
   NOTE: I tried to stay consistent with Microsoft example naming conventions for simplicity.
3. Created FrontEnd and Gateway subnets.
   
4. Created Virtual Network Gateway.
5. NOTE: An Azure public IP address is assigned at this point and should be noted and used during the Palo Alto IKE Gateway configuration.
6. Created a local network gateway according to Azure configuration guidelines.
   NOTE: The IP address field in this Local Network gateway configuration represents the public IP address of your Palo Alto firewall. 
7. The next step is to create an IPSec policy including parameters and also a local network gateway connection that is to represent your IPSec connection from your Azure network to your on premise network and Palo Alto firewall.
   NOTE: Since the creation of these notes, it is not possible to create the IPSec policy and parameters via Azure portal directly. It was necessary to use Azure PowerShell to finish this configuration.
8. Installed and configured Azure PowerShell modules on my local desktop device according to this Microsoft article: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-5.6.0
9. Launched Microsoft PowerShell and execute the following command to connect to Azure. 
10. After connecting to Azure, I followed the link provided in the Azure general guideline article for IPSec and IKE settings: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell
    NOTE: This article does describe a start to finish configuration using PowerShell. However, after following the general guideline, several items are already configured. I did have to maneuver through, define only a subset of variables to eventually define my IPsec policy, create and assign a network gateway connection to my virtual network gateway. These are subset examples of these commands that I had to run to create the IPSec policy, create and assign to the virtual network gateway connection. There would be some effort to customize these commands for your configuration.
    
    $ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
    
    $vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
    $lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1
    
    New-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzureA1b2C3'
11. Using the Azure Cloud Shell interface, accessible in the Azure portal you could review your IPSec parameters.
    
    

    https://docs.microsoft.com/en-us/cli/azure/network/vpn-connection/ipsec-policy?view=azure-cli-latest#az-network-vpn-connection-ipsec-policy-list 

12. Virtual network gateway connection is created and visible in the Azure portal after created from PowerShell. 

2.  Palo Alto Configuration

3. Connecting to Azure resources

1. After establishing a site-to-site connection to Azure network, I am able to connect to resources that are created on my Azure Frontend network.
   For example: I’ve created a new Windows Server 2012 R2 server and able to RDP to using ONLY its private IP address directly from my home network.
   

Conclusion

I feel accomplished after this self-study project, finally creating and using a meaningful feature in Azure. This site-to-site connection will now allow me to officially extend my test data center into Azure and explore the next set of Azure features in which I am interested. Now that my data center network is connected to Azure, I can create a secondary domain controller VM in Azure as if it resides in my local network. This will be useful for demonstrating disaster recovery and further extend my data center presence in Azure. Furthermore, I would also like to install a Palo Alto VM appliance firewall in my Azure environment to provide the same enterprise class security as I have in my data center. 

Have thoughts or comments? We want to hear from you. Start a discussion with other Fuel members below.