Let's see how to validate the Prisma SD-WAN configuration. The Azure vWAN CloudBlade provisions the VPN sites, the BGP peering configuration, and the vWAN hub association on Azure. On the Prisma SD-WAN ION device it creates two Standard IPsec VPN tunnel interfaces, a BGP peer configuration, and a static route that enables the BGP peering. In addition, at the Prisma SD-WAN system level it creates a Standard endpoint and a service group that can be used in path policies to direct the desired application traffic to Azure.
The following steps can be used to validate that the CloudBlade is working as intended:

Check the status indicator in the CloudBlade window. Once the CloudBlade is enabled and deployed correctly, the status indicator turns green. If the access credentials are invalid, the status indicator shows an "Azure auth failure" error message.

The "Monitor" tab on the CloudBlade shows the deployment status of the integration.
The example below is from the Azure portal deployment for the Branch site in the previous section. The CloudBlade creates a single VPN site object with the public IP address of the demo Branch ION. This object is associated with the vWAN hub in the East US region, which was created earlier when the tag was applied to interface 1. The VPN site has BGP enabled with the AS number configured on the ION, and the peering address is the Standard inner tunnel IP. If no BGP AS number was previously configured on the ION, the CloudBlade automatically assigns one from the private AS range.
The example below is the CloudBlade configuration as seen in the Prisma SD-WAN portal (Standard tunnel interface, static route, BGP peer, Standard endpoint and service group).
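As an added example (not CloudBlade or Prisma SD-WAN code), the following Python script turns the checks above into a checklist run against a constructed snapshot of the ION-side and Azure-side objects: status indicator, two Standard IPsec tunnels, BGP peer with a covering static route, Standard endpoint and service group, and a single VPN site whose AS number and peering address match the ION. The snapshot structure, field names, addresses and AS numbers are assumptions, and the auto-assigned AS check uses the 16-bit private AS range from RFC 6996 (64512 to 65534), which the page only calls "the private AS range".

```python
"""Added example: validation checklist for an Azure vWAN CloudBlade deployment.
Not CloudBlade code; the snapshot schema below is an assumption."""
import copy
import ipaddress

# RFC 6996 16-bit private AS range; the page only says "private AS range".
PRIVATE_ASN_16BIT = range(64512, 65535)

# Constructed snapshot of what the two portals would show. Addresses are
# documentation / link-local ranges, not real deployment values.
SNAPSHOT = {
    "cloudblade_status": "green",            # or "Azure auth failure"
    "ion": {
        "tunnels": [
            {"name": "azure-tunnel-1", "type": "standard_ipsec",
             "inner_ip": "169.254.21.2", "state": "up"},
            {"name": "azure-tunnel-2", "type": "standard_ipsec",
             "inner_ip": "169.254.22.2", "state": "up"},
        ],
        "bgp_peers": [
            {"peer_ip": "169.254.21.1", "local_asn": 65010, "state": "established"},
            {"peer_ip": "169.254.22.1", "local_asn": 65010, "state": "established"},
        ],
        "asn_auto_assigned": True,           # CloudBlade picked the AS number
        "static_routes": ["169.254.21.0/30", "169.254.22.0/30"],
        "standard_endpoints": ["azure-vwan-endpoint"],
        "service_groups": ["azure-vwan-group"],
    },
    "azure": {
        "vpn_sites": [
            {"public_ip": "203.0.113.10", "hub_region": "East US",
             "bgp_enabled": True, "asn": 65010,
             "peering_address": "169.254.21.2"},
        ],
    },
}


def _covered(ip, routes):
    """True if ip falls inside one of the static route prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in routes)


def validate(snapshot):
    """Return a list of findings; an empty list means the deployment matches
    what the CloudBlade is expected to create on both sides."""
    findings = []
    status = snapshot["cloudblade_status"]
    if status != "green":
        hint = " (check Azure access credentials)" if "auth" in status.lower() else ""
        findings.append(f"CloudBlade status is '{status}', expected green{hint}")
    ion, azure = snapshot["ion"], snapshot["azure"]

    # ION side: two Standard IPsec tunnels, both up
    tunnels = [t for t in ion["tunnels"] if t["type"] == "standard_ipsec"]
    if len(tunnels) != 2:
        findings.append(f"expected 2 Standard IPsec tunnels, found {len(tunnels)}")
    for t in tunnels:
        if t["state"] != "up":
            findings.append(f"tunnel {t['name']} is {t['state']}")
    inner_ips = {t["inner_ip"] for t in tunnels}

    # ION side: BGP peers reachable through a static route, private AS if auto-assigned
    if not ion["bgp_peers"]:
        findings.append("no BGP peer configured on the ION")
    asns = {p["local_asn"] for p in ion["bgp_peers"]}
    for p in ion["bgp_peers"]:
        if p["state"] != "established":
            findings.append(f"BGP peer {p['peer_ip']} is {p['state']}")
        if not _covered(p["peer_ip"], ion["static_routes"]):
            findings.append(f"no static route covers BGP peer {p['peer_ip']}")
    if ion["asn_auto_assigned"]:
        for asn in asns:
            if asn not in PRIVATE_ASN_16BIT:
                findings.append(f"auto-assigned AS {asn} is not a private ASN")
    if not ion["standard_endpoints"] or not ion["service_groups"]:
        findings.append("Standard endpoint or service group missing")

    # Azure side: one VPN site, BGP on, AS and peering address matching the ION
    sites = azure["vpn_sites"]
    if len(sites) != 1:
        findings.append(f"expected 1 VPN site, found {len(sites)}")
    for s in sites:
        if not s["bgp_enabled"]:
            findings.append(f"VPN site {s['public_ip']} has BGP disabled")
        if s["asn"] not in asns:
            findings.append(f"VPN site AS {s['asn']} does not match ION AS {sorted(asns)}")
        if s["peering_address"] not in inner_ips:
            findings.append(f"peering address {s['peering_address']} is not an ION inner tunnel IP")
    return findings


def failure_cases(snapshot):
    """Constructed failure scenarios showing what each check reports."""
    cases = {}
    bad = copy.deepcopy(snapshot)
    bad["cloudblade_status"] = "Azure auth failure"
    cases["auth_failure"] = validate(bad)
    bad = copy.deepcopy(snapshot)
    bad["azure"]["vpn_sites"][0]["asn"] = 65020
    cases["asn_mismatch"] = validate(bad)
    bad = copy.deepcopy(snapshot)
    bad["ion"]["static_routes"] = ["169.254.21.0/30"]
    cases["missing_static_route"] = validate(bad)
    return cases


if __name__ == "__main__":
    for line in validate(SNAPSHOT) or ["all checks passed"]:
        print(line)
    for name, findings in failure_cases(SNAPSHOT).items():
        print(name, "->", findings)
```

The checks are deliberately cross-side: the Azure VPN site's AS number and peering address are compared with what the ION actually has, since a green status indicator only tells you the CloudBlade could reach Azure, not that both ends agree.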
Once the configuration is validated and the tunnels and BGP sessions are up, the administrator can modify the path policy applied to the site to direct the appropriate application traffic toward Azure.