Onboard an Azure Virtual Network
Onboard an Azure virtual network (VNet) to Prisma Access
and secure access to it for mobile users and remote networks.
When you deploy your organization’s resources
using a Microsoft Azure virtual network (VNet), you can secure these
resources with Prisma Access. To do so, you onboard an existing
or new VNet to Prisma Access as a remote network. You also configure
settings for a remote network tunnel (a site-to-site tunnel between
Prisma Access and the Azure VNet) and use BGP to dynamically route
traffic between them.
The following diagram shows the topology
used to secure an Azure instance with Prisma Access.
The
following tasks show how to secure an Azure virtual network with
Prisma Access:
For
Azure-specific information about creating a site-to-site connection,
see the Microsoft Azure document Create a Site-to-Site connection
in the Azure portal.
Configure a Virtual Network and Virtual Network Gateway on
Azure
The Azure virtual network uses a virtual network
gateway for its side of the VPN tunnel to Prisma Access. This gateway
uses a subnet called GatewaySubnet. The GatewaySubnet contains IP
addresses used for virtual network gateway resources and services
and is part of the virtual network IP address range that you specify
when you configure your virtual network on Azure.
Each Azure
VPN gateway incorporates high availability by having two instances
per gateway in an active-standby configuration. If an active instance
goes down for planned maintenance or an unplanned outage, the instance
automatically fails over to the standby instance and resumes the
site-to-site VPN connections. For a planned maintenance, Azure restores
the connectivity in approximately 10 to 15 seconds. For an unplanned
outage, Azure restores the connectivity in approximately 1 minute
to 90 seconds.
Create the virtual network and virtual network
gateway using the following task.
By default, Azure
will not direct internet traffic to the VPN tunnel you create in
this task. To secure internet-bound
traffic with Prisma Access, enable forced tunneling on Azure
using PowerShell commands.
- In Azure, create your virtual network, if you have not already created it. See the Microsoft Azure documentation for details.
- Create a subnet for the gateway.You must name the subnetGatewaySubnetto let Azure deploy its gateway resources and Azure does not allow the use of another subnet name. Without a subnet namedGatewaySubnet, gateway creation fails.
- In the Azure portal, navigate to the virtual network where you want to create a virtual network gateway.
- On your virtual network page, clickSubnetsto expand the Subnets page for the virtual network you created.
- Click+Gateway subnetat the top to open the Add subnet page.
- Add the address and clickOK.
- Add a virtual network gateway.
- On the left side of the portal page, click+Create a resourceand typeVirtual Network Gatewayin the search box, then pressEnter.
- InResults, locate and clickVirtual network gateways.
- At the bottom of theVirtual network gatewaypage, clickCreate virtual network gateway.
- Enter values similar to the values on the following screenshot and clickCreate.
It may take up to 30 minutes to create the virtual network gateway.
- After Azure creates the virtual network gateway, select the virtual network gateway you created, clickOverview, and make a note of thePublic IP addressassigned to the virtual network gateway.
- ClickConfigurationand make a note of theBGP ASNandBGP peer IP address(es)fields.
Configure IKE, IPSec, and BGP and Onboard the Azure VNet
in Prisma Access
After you perform the initial configuration
on Azure, create IKE and IPSec security profiles and policies and
then create a remote network connection in Prisma Access using Panorama.
For
assistance with configuring security parameters on Azure, see the
Microsoft Azure documents About VPN devices and IPsec/IKE
parameters for Site-to-Site VPN Gateway connections and About cryptographic requirements
and Azure VPN gateways.
- In Panorama, selectRemote_Network_Templatefrom theTemplatedrop-down.
- Select andAddan IKE crypto profile for the gateway.Make a note of these settings; the IKE crypto settings you specify here must match the settings you specify on Azure. To set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
- DH Group:group2
- Encryption:aes-256-cbc
- Authentication:sha1
- Key Lifetime:8 Hours
- Select andAddan IPSec crypto profile for the IPSec tunnel.The IPSec crypto settings you specify here must match the settings you specify on Azure; to set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
- IPSec Protocol:ESP
- DH Group:no-pfs
- Lifetime:8 Hours
- Encryption:aes-256-gcm
- Authentication:none
- Select andAddan IKE gateway.
- In theGeneraltab, change thePeer ID Address TypetoIP.
- In thePeer Addressfield, enter thePublic IP addressfrom theOverviewscreen on Azure.
- Enter aPre-shared Key.Make a note of this key. You use it later when you Set up Network Connectivity from your Azure Virtual Network.
- ClickOK.
- Select andAddan IPSec tunnel for the Azure gateway, specifying theIKE gatewayandIPSec Crypto Profilethat you created earlier in this task.
- Select andAddthe Azure VPN as a remote network.Specify the following choices:
- Select aLocationthat is closest to your Azure VNet.
- Select theIPSec Termination Nodethat you want to use for this remote network.Prisma Access uses this node to associate remote network locations with compute locations.
- Specify the IPSec primary tunnel that you just created in theIPSec Tunnelfield.
- Configure BGP routing.
- Click theBGPtab.
- Enter theAutonomous system number (ASN)value from Azure in thePeer ASfield and enter thePeer Addressvalue from Azure in theBGP peer IP address(es)field.
- (Optional) Enter an address that Prisma Access uses as itsLocal Addressfor BGP.Make sure that the address you specify does not conflict or overlap with IP addresses in the Infrastructure Subnet or subnets in the remote network.You must configure a static route on your CPE to the BGPLocal Address.
- ClickOK.
- CommitandPushyour configuration.
- After the onboarding process completes, select and make a note of the value in theService IP Addressfield.
Set up Network Connectivity from your Azure Virtual Network
After you configure the remote network in
Prisma Access, complete the configuration on Azure by performing
the following task.
For additional information about configuring
BGP on Azure, see the Microsoft Azure document Overview of BGP with Azure VPN
Gateways.
- In Azure, create a local network gateway.
- In theSearch resources, services, and docssearch box, typelocal network gateways.
- Click+Add.
- Enter the following values in the text box that displays.
- Enter aNamefor the gateway.
- Enter anIP address. Use theService IP Addressfrom the remote network in Prisma Access ().
- CheckConfigure BGP settingsand enter a uniqueAutonomous system number (ASN)andBGP peer IP address.
- Enter aSubscription,Resource group, andLocationfor the gateway.
- ClickCreate.
- Create a virtual network connection.
- Navigate to and open the page for the virtual network gateway you created when you configured a virtual network and virtual network gateway on Azure.See the Microsoft Azure documentation for details.
- On the page for the virtual network gateway, clickConnections. At the top of the Connections page, click+Addto open the Add connection page.
- Enter values for the new connection, then clickOK.In theShared key (PSK)field, use the samePre-shared Keythat you used when you created the IKE gateway in Prisma Access.
- ClickOK.
- Add a new route table to use for BGP routing.
- Select+Create a resourceon the upper left corner of the Azure portal.
- SelectNetworking, then selectRoute table.
- Add aName,Subscription,Resource Group, andLocation.
- SetBGP route propagationtoEnabled.
- ClickCreate.
- Associate a subnet to the route table you created.
- Open the route table you created.
- Select .
- ClickAssociateto add a subnet.
- In theAssociate subnetcolumn, clickVirtual network.
- Select the virtual network you created when you configured a virtual network and virtual network gateway on Azure.
- ClickOK.
Verify Remote Network Connectivity
To verify that the IPSec tunnel between Azure
and Prisma Access is operational, perform the following steps:
- In Azure, select theConnectionyou created and clickOverview.The tunnel should show a status ofConnected.
- Verify that the BGP routes are being advertised on Azure.
- Open the route table you just created.
- Select .
- Select the name of a network interface.
- Select .
- Verify that the BGP routes are being advertised.
- Check the remote network and BGP status in Prisma Access.In Panorama, select .TheConfig Statusshould beIn Syncand theBGP Statusshould beEstablished.
Secure Internet-Bound Traffic with Prisma Access
If you enable BGP, the virtual network gateway
does not use static routes and uses only the routes it learns from
BGP advertisements.
To secure all traffic to and from Azure,
you must force traffic to pass through Prisma Access. You do this
by enabling the forced tunneling feature on Azure.
Enabling forced tunneling may result in
a loss of connectivity to virtual network instances over the internet.
Make sure that you use another connection method (for example, a
bastion host) to connect to instances over the internet.
You
configure forced tunneling by using PowerShell CLI commands in your
Azure account as described in the following task. For more details
about forced tunneling, see the Microsoft Azure document Configure forced tunneling using
the Azure Resource Manager deployment model.
To enable
the feature, complete the following workflow.
These
commands are examples. If you use different variables for your route
tables, virtual network gateways, subnets, or resource groups, substitute those
values in the commands provided in this task.
- Log into your PowerShell console with elevated privileges, and connect to your account.
- Create a new route table by entering the following commands:>New-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME" -Location "WEST US">$rt = Get-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME">Add-AzureRmRouteConfig -Name "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway -RouteTable $rt>Set-AzureRmRouteTable -RouteTable $rt
- Modify the subnet configuration by entering the following commands:>$vnet = Get-AzureRmVirtualNetwork -Name "GPCS-Onboarding-VMNET" -ResourceGroupName "GPCS-PM-TME">Set-AzureRmVirtualNetworkSubnetConfig -Name "GPCS-O-Subnet-1" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24" -RouteTable $rt>Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
- Enable the default route for the network gateway default site by entering the following commands.>$LocalGateway = Get-AzureRmLocalNetworkGateway -Name "GPCS-Gateway-US-WEST" -ResourceGroupName "GPCS-PM-TME">$VirtualGateway = Get-AzureRmVirtualNetworkGateway -Name "GPCS-Onboarding-Gateway" -ResourceGroupName "GPCS-PM-TME">Set-AzureRmVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
Troubleshoot the Site-to-Site Connection
Use the procedures in this section to troubleshoot
any issues you have with tunnel creation.
- To troubleshoot the site-to-site connection in Prisma Access, log in to Panorama and select , then enter(subtype eq vpn)in theFilterfield to view messages related to VPN tunnel creation.
- To troubleshoot the site-to-site connection on Azure, you can download the VPN gateway configuration on Azure by selecting , selecting the name of a network interface. selecting , and clickingDownload.
