>
    Onboard an Azure Virtual Network
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Secure Public Cloud Deployments with Prisma Access
    4. Onboard an Azure Virtual Network
    Download PDF
    Prisma Access

    Onboard an Azure Virtual Network

    Table of Contents

    Onboard an Azure Virtual Network

    Onboard an Azure virtual network (VNet) to Prisma Access and secure access to it for mobile users and remote networks.
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Cloud Management)
    • Prisma Access (Panorama Managed)
    When you deploy your organization’s resources using a Microsoft Azure virtual network (VNet), you can secure these resources with Prisma Access. To do so, you onboard an existing or new VNet to Prisma Access as a remote network. You also configure settings for a remote network tunnel (a site-to-site tunnel between Prisma Access and the Azure VNet) and use BGP to dynamically route traffic between them.
    The following diagram shows the topology used to secure an Azure instance with Prisma Access.
    For Azure-specific information about creating a site-to-site connection, see the Microsoft Azure document Create a Site-to-Site connection in the Azure portal.

    Cloud Management

    Onboard an Azure virtual network (VNet) to Prisma Access and secure access to it for mobile users and remote networks.

    Configure a Virtual Network and Virtual Network Gateway on Azure

    The Azure virtual network uses a virtual network gateway for its side of the VPN tunnel to Prisma Access. This gateway uses a subnet called GatewaySubnet. The GatewaySubnet contains IP addresses used for virtual network gateway resources and services and is part of the virtual network IP address range that you specify when you configure your virtual network on Azure.
    Each Azure VPN gateway incorporates high availability by having two instances per gateway in an active-standby configuration. If an active instance goes down for planned maintenance or an unplanned outage, the instance automatically fails over to the standby instance and resumes the site-to-site VPN connections. For a planned maintenance, Azure restores the connectivity in approximately 10 to 15 seconds. For an unplanned outage, Azure restores the connectivity in approximately 1 minute to 90 seconds.
    Create the virtual network and virtual network gateway using the following task.
    By default, Azure will not direct internet traffic to the VPN tunnel you create in this task. To secure internet-bound traffic with Prisma Access, enable forced tunneling on Azure using PowerShell commands.
    1. In Azure, create your virtual network, if you have not already created it. See the Microsoft Azure documentation for details.
    2. Create a subnet for the gateway.
      You must name the subnet
      GatewaySubnet
       to let Azure deploy its gateway resources and Azure does not allow the use of another subnet name. Without a subnet named
      GatewaySubnet
      , gateway creation fails.
      1. In the Azure portal, navigate to the virtual network where you want to create a virtual network gateway.
      2. On your virtual network page, click
        Subnets
        to expand the Subnets page for the virtual network you created.
      3. Click
        +Gateway subnet
         at the top to open the Add subnet page.
      4. Add the address and click
        OK
        .
    3. Add a virtual network gateway.
      1. On the left side of the portal page, click
        +Create a resource
         and type
        Virtual Network Gateway
         in the search box, then press
        Enter
        .
      2. In
        Results
        , locate and click
        Virtual network gateways
        .
      3. At the bottom of the
        Virtual network gateway
         page, click
        Create virtual network gateway
        .
      4. Enter values similar to the values on the following screenshot and click
        Create
        .
        It may take up to 30 minutes to create the virtual network gateway.
    4. After Azure creates the virtual network gateway, select the virtual network gateway you created, click
      Overview
      , and make a note of the
      Public IP address
       assigned to the virtual network gateway.
    5. Click
      Configuration
       and make a note of the
      BGP ASN
       and
      BGP peer IP address(es)
       fields.

    Configure IKE, IPSec, and BGP and Onboard the Azure VNet in Prisma Access

    After you perform the initial configuration on Azure, create IKE and IPSec security profiles and policies and a remote network connection in Prisma Access.
    For assistance with configuring security parameters on Azure, see the Microsoft Azure documents About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections and About cryptographic requirements and Azure VPN gateways.
    1. In Strata Cloud Manager, select
      Workflows
      Prisma Access Setup
      Remote Networks
      .
    2. (
      Optional
      ) If you have not already, allocate bandwidth for the remote network under
      Bandwidth Management
      .
      You allocate bandwidth by selecting bandwidth for the remote network’s compute location. Select an
      Assigned Bandwidth
       for the remote network’s compute location.
    3. Go to
      Remote Networks
       and
      Add Remote Networks
      .
      1. Give the remote network a descriptive
        Site Name
        .
      2. Select the
        Prisma Access Location
         that is closest to your Azure VNet.
      3. Select the
        IPSec Termination Node
         to use for the remote network.
      4. Enable
        ECMP Load Balancing
        .
    4. Set up the IPSec tunnel for the Azure gateway.
      1. Set Up
         the primary tunnel.
      2. Select an existing tunnel, or select
        Create New
         to create a new tunnel.
      3. Give the tunnel a descriptive
        Name
        .
      4. Select the
        Branch Device Type
         for the IPSec device at the remote network site that you’re using to establish the tunnel with Prisma Access.
      5. Specify a
        Pre-Shared Key
        .
      6. Specify a
        Branch Device IP Address
         of either
        Static IP
         or
        Dynamic IP
        .
        Setting up an
        IKE Peer Identification
         is required if you use a dynamic IP address. If you select
        Static IP
        , enter a static IP address.
      7. Select
        IKE Advanced Options
        , create an IPSec crypto profile for the IPSec tunnel, and
        Save
         the changes.
        The IPSec crypto settings you specify here must match the settings you specify on Azure. To set IKE and IPSec policies in Azure, see the Microsoft Azure documentation.
      8. Select
        IPSec Advanced Options
        , create an IKEv1 crypto profile for the gateway, and
        Save
         the changes.
    5. Set Up
       BGP routing.
      1. Enable BGP for Dynamic Routing
        .
      2. Enter the
        Peer Address
         value from Azure in the
        Peer IP address
         field and enter the
        Autonomous system number (ASN)
         value from Azure in the
        Peer AS
         field.
      1. (
        Optional
        ) Enter an address that Prisma Access uses as its
        Local IP Address
         for BGP.
        Make sure that the address you specify does not conflict or overlap with IP addresses in the Infrastructure Subnet or subnets in the remote network.
        You must configure a static route on your CPE to the BGP local address.
      2. Save
         the changes.
    6. Commit
       and
      Push
       your configuration.
    7. After the onboarding process completes, and make a note of the value in the
      Service IP
      field.

    Set up Network Connectivity from your Azure Virtual Network

    After you configure the remote network in Prisma Access, complete the configuration on Azure by performing the following task.
    For additional information about configuring BGP on Azure, see the Microsoft Azure document Overview of BGP with Azure VPN Gateways.
    1. In Azure, create a local network gateway.
      1. In the
        Search resources, services, and docs
         search box, type
        local network gateways
        .
      2. Click
        +Add
        .
      3. Enter the following values in the text box that displays.
        • Enter a
          Name
           for the gateway.
        • Enter an
          IP address
          . Use the
          Service IP Address
           from the remote network in Prisma Access in step 7.
        • Check
          Configure BGP settings
           and enter a unique
          Autonomous system number (ASN)
           and
          BGP peer IP address
          .
        • Enter a
          Subscription
          ,
          Resource group
          , and
          Location
           for the gateway.
      4. Click
        Create
        .
    2. Create a virtual network connection.
      1. Navigate to and open the page for the virtual network gateway you created when you configured a virtual network and virtual network gateway on Azure.
        See the Microsoft Azure documentation for details.
      2. On the page for the virtual network gateway, click
        Connections
        . At the top of the Connections page, click
        +Add
         to open the Add connection page.
      3. Enter values for the new connection, then click
        OK
        .
        In the
        Shared key (PSK)
         field, use the same
        Pre-shared Key
         that you used when you created the IKE gateway in Prisma Access.
      4. Click
        OK
        .
    3. Add a new route table to use for BGP routing.
      1. Select
        +Create a resource
         on the upper left corner of the Azure portal.
      2. Select
        Networking
        , then select
        Route table
        .
      3. Add a
        Name
        ,
        Subscription
        ,
        Resource Group
        , and
        Location
        .
      4. Set
        BGP route propagation
         to
        Enabled
        .
      5. Click
        Create
        .
    4. Associate a subnet to the route table you created.
      1. Open the route table you created.
      2. Select
        Settings
        Subnets
        .
      3. Click
        Associate
         to add a subnet.
      4. In the
        Associate subnet
         column, click
        Virtual network
        .
      5. Select the virtual network you created when you configured a virtual network and virtual network gateway on Azure.
      6. Click
        OK
        .

    Verify Remote Network Connectivity

    To verify that the IPSec tunnel between Azure and Prisma Access is operational, perform the following steps:
    • In Azure, select the
      Connection
       you created and click
      Overview
      .
      The tunnel should show a status of
      Connected
      .
    • Verify that the BGP routes are being advertised on Azure.
      1. Open the route table you just created.
      2. Select
        Networking
        Settings
        .
      3. Select the name of a network interface.
      4. Select
        Support + troubleshooting
        Effective routes
        .
      5. Verify that the BGP routes are being advertised.
    • Check the remote network and BGP status in Prisma Access.
      In Strata Cloud Manager, select
      Workflows
      Prisma Access Setup
      Remote Networks
      .
      The
      Config Status
       should be
      In Sync
       and verify the BGP Status in
      Routing Information
      .

    Secure Internet-Bound Traffic with Prisma Access

    If you enable BGP, the virtual network gateway does not use static routes and uses only the routes it learns from BGP advertisements.
    To secure all traffic to and from Azure, you must force traffic to pass through Prisma Access. You do this by enabling the forced tunneling feature on Azure.
    Enabling forced tunneling may result in a loss of connectivity to virtual network instances over the internet. Make sure that you use another connection method (for example, a bastion host) to connect to instances over the internet.
    You configure forced tunneling by using PowerShell CLI commands in your Azure account as described in the following task. For more details about forced tunneling, see the Microsoft Azure document Configure forced tunneling using the Azure Resource Manager deployment model.
    To enable the feature, complete the following workflow.
    These commands are examples. If you use different variables for your route tables, virtual network gateways, subnets, or resource groups, substitute those values in the commands provided in this task.
    1. Log into your PowerShell console with elevated privileges, and connect to your account.
    2. Create a new route table by entering the following commands:
      > 
      New-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME" -Location "WEST US"
      > 
      $rt = Get-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME"
      > 
      Add-AzureRmRouteConfig -Name "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway -RouteTable $rt
      > 
      Set-AzureRmRouteTable -RouteTable $rt
    3. Modify the subnet configuration by entering the following commands:
      > 
      $vnet = Get-AzureRmVirtualNetwork -Name "GPCS-Onboarding-VMNET" -ResourceGroupName "GPCS-PM-TME"
      > 
      Set-AzureRmVirtualNetworkSubnetConfig -Name "GPCS-O-Subnet-1" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24" -RouteTable $rt
      > 
      Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
    4. Enable the default route for the network gateway default site by entering the following commands.
      > 
      $LocalGateway = Get-AzureRmLocalNetworkGateway -Name "GPCS-Gateway-US-WEST" -ResourceGroupName "GPCS-PM-TME"
      > 
      $VirtualGateway = Get-AzureRmVirtualNetworkGateway -Name "GPCS-Onboarding-Gateway" -ResourceGroupName "GPCS-PM-TME"
      > 
      Set-AzureRmVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

    Panorama

    Onboard an Azure virtual network (VNet) to Prisma Access and secure access to it for mobile users and remote networks.

    Configure a Virtual Network and Virtual Network Gateway on Azure

    The Azure virtual network uses a virtual network gateway for its side of the VPN tunnel to Prisma Access. This gateway uses a subnet called GatewaySubnet. The GatewaySubnet contains IP addresses used for virtual network gateway resources and services and is part of the virtual network IP address range that you specify when you configure your virtual network on Azure.
    Each Azure VPN gateway incorporates high availability by having two instances per gateway in an active-standby configuration. If an active instance goes down for planned maintenance or an unplanned outage, the instance automatically fails over to the standby instance and resumes the site-to-site VPN connections. For a planned maintenance, Azure restores the connectivity in approximately 10 to 15 seconds. For an unplanned outage, Azure restores the connectivity in approximately 1 minute to 90 seconds.
    Create the virtual network and virtual network gateway using the following task.
    By default, Azure will not direct internet traffic to the VPN tunnel you create in this task. To secure internet-bound traffic with Prisma Access, enable forced tunneling on Azure using PowerShell commands.
    1. In Azure, create your virtual network, if you have not already created it. See the Microsoft Azure documentation for details.
    2. Create a subnet for the gateway.
      You must name the subnet
      GatewaySubnet
       to let Azure deploy its gateway resources and Azure does not allow the use of another subnet name. Without a subnet named
      GatewaySubnet
      , gateway creation fails.
      1. In the Azure portal, navigate to the virtual network where you want to create a virtual network gateway.
      2. On your virtual network page, click
        Subnets
        to expand the Subnets page for the virtual network you created.
      3. Click
        +Gateway subnet
         at the top to open the Add subnet page.
      4. Add the address and click
        OK
        .
    3. Add a virtual network gateway.
      1. On the left side of the portal page, click
        +Create a resource
         and type
        Virtual Network Gateway
         in the search box, then press
        Enter
        .
      2. In
        Results
        , locate and click
        Virtual network gateways
        .
      3. At the bottom of the
        Virtual network gateway
         page, click
        Create virtual network gateway
        .
      4. Enter values similar to the values on the following screenshot and click
        Create
        .
        It may take up to 30 minutes to create the virtual network gateway.
    4. After Azure creates the virtual network gateway, select the virtual network gateway you created, click
      Overview
      , and make a note of the
      Public IP address
       assigned to the virtual network gateway.
    5. Click
      Configuration
       and make a note of the
      BGP ASN
       and
      BGP peer IP address(es)
       fields.

    Configure IKE, IPSec, and BGP and Onboard the Azure VNet in Prisma Access

    After you perform the initial configuration on Azure, create IKE and IPSec security profiles and policies and then create a remote network connection in Prisma Access using Panorama.
    For assistance with configuring security parameters on Azure, see the Microsoft Azure documents About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections and About cryptographic requirements and Azure VPN gateways.
    1. In Panorama, select
      Remote_Network_Template
       from the
      Template
       drop-down.
    2. Select
      Network
      Network Profiles
      IKE Crypto
       and
      Add
       an IKE crypto profile for the gateway.
      Make a note of these settings; the IKE crypto settings you specify here must match the settings you specify on Azure. To set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
      • DH Group
        :
        group2
      • Encryption
        :
        aes-256-cbc
      • Authentication
        :
        sha1
      • Key Lifetime
        :
        8 Hours
    3. Select
      Network
      Network Profiles
      IPSec Crypto
       and
      Add
       an IPSec crypto profile for the IPSec tunnel.
      The IPSec crypto settings you specify here must match the settings you specify on Azure; to set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
      • IPSec Protocol
        :
        ESP
      • DH Group
        :
        no-pfs
      • Lifetime
        :
        8 Hours
      • Encryption
        :
        aes-256-gcm
      • Authentication
        :
        none
    4. Select
      Network
      Network Profiles
      IKE Gateways
       and
      Add
       an IKE gateway.
      1. In the
        General
         tab, change the
        Peer ID Address Type
         to
        IP
        .
      2. In the
        Peer Address
         field, enter the
        Public IP address
         from the
        Overview
         screen on Azure.
      3. Enter a
        Pre-shared Key
        .
        Make a note of this key. You use it later when you Set up Network Connectivity from your Azure Virtual Network.
      4. Click
        OK
        .
    5. Select
      Network
      IPSec Tunnels
       and
      Add
       an IPSec tunnel for the Azure gateway, specifying the
      IKE gateway
       and
      IPSec Crypto Profile
       that you created earlier in this task.
    6. Select
      Panorama
      Cloud Services
      Configuration
      Remote Networks
       and
      Add
       the Azure VPN as a remote network.
      Specify the following choices:
      • Select a
        Location
         that is closest to your Azure VNet.
      • Select the
        IPSec Termination Node
         that you want to use for this remote network.
        Prisma Access uses this node to associate remote network locations with compute locations.
      • Specify the IPSec primary tunnel that you just created in the
        IPSec Tunnel
         field.
    7. Configure BGP routing.
      1. Click the
        BGP
         tab.
      2. Enter the
        Autonomous system number (ASN)
         value from Azure in the
        Peer AS
         field and enter the
        Peer Address
         value from Azure in the
        BGP peer IP address(es)
         field.
      3. (
        Optional
        ) Enter an address that Prisma Access uses as its
        Local Address
         for BGP.
        Make sure that the address you specify does not conflict or overlap with IP addresses in the Infrastructure Subnet or subnets in the remote network.
        You must configure a static route on your CPE to the BGP
        Local Address
        .
      4. Click
        OK
        .
    8. Commit
       and
      Push
       your configuration.
    9. After the onboarding process completes, select
      Panorama
      Cloud Service
      Status
      Network Details
      Remote Networks
       and make a note of the value in the
      Service IP Address
       field.

    Set up Network Connectivity from your Azure Virtual Network

    After you configure the remote network in Prisma Access, complete the configuration on Azure by performing the following task.
    For additional information about configuring BGP on Azure, see the Microsoft Azure document Overview of BGP with Azure VPN Gateways.
    1. In Azure, create a local network gateway.
      1. In the
        Search resources, services, and docs
         search box, type
        local network gateways
        .
      2. Click
        +Add
        .
      3. Enter the following values in the text box that displays.
        • Enter a
          Name
           for the gateway.
        • Enter an
          IP address
          . Use the
          Service IP Address
           from the remote network in Prisma Access (
          Panorama
          Cloud Service
          Status
          Network Details
          Remote Networks
          ).
        • Check
          Configure BGP settings
           and enter a unique
          Autonomous system number (ASN)
           and
          BGP peer IP address
          .
        • Enter a
          Subscription
          ,
          Resource group
          , and
          Location
           for the gateway.
      4. Click
        Create
        .
    2. Create a virtual network connection.
      1. Navigate to and open the page for the virtual network gateway you created when you configured a virtual network and virtual network gateway on Azure.
        See the Microsoft Azure documentation for details.
      2. On the page for the virtual network gateway, click
        Connections
        . At the top of the Connections page, click
        +Add
         to open the Add connection page.
      3. Enter values for the new connection, then click
        OK
        .
        In the
        Shared key (PSK)
         field, use the same
        Pre-shared Key
         that you used when you created the IKE gateway in Prisma Access.
      4. Click
        OK
        .
    3. Add a new route table to use for BGP routing.
      1. Select
        +Create a resource
         on the upper left corner of the Azure portal.
      2. Select
        Networking
        , then select
        Route table
        .
      3. Add a
        Name
        ,
        Subscription
        ,
        Resource Group
        , and
        Location
        .
      4. Set
        BGP route propagation
         to
        Enabled
        .
      5. Click
        Create
        .
    4. Associate a subnet to the route table you created.
      1. Open the route table you created.
      2. Select
        Settings
        Subnets
        .
      3. Click
        Associate
         to add a subnet.
      4. In the
        Associate subnet
         column, click
        Virtual network
        .
      5. Select the virtual network you created when you configured a virtual network and virtual network gateway on Azure.
      6. Click
        OK
        .

    Verify Remote Network Connectivity

    To verify that the IPSec tunnel between Azure and Prisma Access is operational, perform the following steps:
    • In Azure, select the
      Connection
       you created and click
      Overview
      .
      The tunnel should show a status of
      Connected
      .
    • Verify that the BGP routes are being advertised on Azure.
      1. Open the route table you just created.
      2. Select
        Networking
        Settings
        .
      3. Select the name of a network interface.
      4. Select
        Support + troubleshooting
        Effective routes
        .
      5. Verify that the BGP routes are being advertised.
    • Check the remote network and BGP status in Prisma Access.
      In Panorama, select
      Panorama
      Cloud Services
      Status
      Monitor
      Remote Networks
      Status
      .
      The
      Config Status
       should be
      In Sync
       and the
      BGP Status
       should be
      Established
      .

    Secure Internet-Bound Traffic with Prisma Access

    If you enable BGP, the virtual network gateway does not use static routes and uses only the routes it learns from BGP advertisements.
    To secure all traffic to and from Azure, you must force traffic to pass through Prisma Access. You do this by enabling the forced tunneling feature on Azure.
    Enabling forced tunneling may result in a loss of connectivity to virtual network instances over the internet. Make sure that you use another connection method (for example, a bastion host) to connect to instances over the internet.
    You configure forced tunneling by using PowerShell CLI commands in your Azure account as described in the following task. For more details about forced tunneling, see the Microsoft Azure document Configure forced tunneling using the Azure Resource Manager deployment model.
    To enable the feature, complete the following workflow.
    These commands are examples. If you use different variables for your route tables, virtual network gateways, subnets, or resource groups, substitute those values in the commands provided in this task.
    1. Log into your PowerShell console with elevated privileges, and connect to your account.
    2. Create a new route table by entering the following commands:
      > 
      New-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME" -Location "WEST US"
      > 
      $rt = Get-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME"
      > 
      Add-AzureRmRouteConfig -Name "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway -RouteTable $rt
      > 
      Set-AzureRmRouteTable -RouteTable $rt
    3. Modify the subnet configuration by entering the following commands:
      > 
      $vnet = Get-AzureRmVirtualNetwork -Name "GPCS-Onboarding-VMNET" -ResourceGroupName "GPCS-PM-TME"
      > 
      Set-AzureRmVirtualNetworkSubnetConfig -Name "GPCS-O-Subnet-1" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24" -RouteTable $rt
      > 
      Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
    4. Enable the default route for the network gateway default site by entering the following commands.
      > 
      $LocalGateway = Get-AzureRmLocalNetworkGateway -Name "GPCS-Gateway-US-WEST" -ResourceGroupName "GPCS-PM-TME"
      > 
      $VirtualGateway = Get-AzureRmVirtualNetworkGateway -Name "GPCS-Onboarding-Gateway" -ResourceGroupName "GPCS-PM-TME"
      > 
      Set-AzureRmVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway

    Troubleshoot the Site-to-Site Connection

    Use the procedures in this section to troubleshoot any issues you have with tunnel creation.
    • To troubleshoot the site-to-site connection in Prisma Access, log in to Panorama and select
      Logs
      System
      , then enter
      (subtype eq vpn)
       in the
      Filter
       field to view messages related to VPN tunnel creation.
    • To troubleshoot the site-to-site connection on Azure, you can download the VPN gateway configuration on Azure by selecting
      Networking
      Settings
      , selecting the name of a network interface. selecting
      Support + troubleshooting
      Effective routes
      , and clicking
      Download
      .

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.