Onboard an Azure Virtual Network
Onboard an Azure virtual network (VNet) to Prisma Access and secure access to it for mobile users and remote networks.
When you deploy your organization’s resources using a Microsoft Azure virtual network (VNet), you can secure these resources with Prisma Access. To do so, you onboard an existing or new VNet to Prisma Access as a remote network. You also configure settings for a remote network tunnel (a site-to-site tunnel between Prisma Access and the Azure VNet) and use BGP to dynamically route traffic between them.
The following diagram shows the topology used to secure an Azure instance with Prisma Access.
The following tasks show how to secure an Azure virtual network with Prisma Access:
For Azure-specific information about creating a site-to-site connection, see the Microsoft Azure document Create a Site-to-Site connection in the Azure portal.
Configure a Virtual Network and Virtual Network Gateway on
The Azure virtual network uses a virtual network gateway for its side of the VPN tunnel to Prisma Access. This gateway uses a subnet called GatewaySubnet. The GatewaySubnet contains IP addresses used for virtual network gateway resources and services and is part of the virtual network IP address range that you specify when you configure your virtual network on Azure.
Each Azure VPN gateway incorporates high availability by having two instances per gateway in an active-standby configuration. If an active instance goes down for planned maintenance or an unplanned outage, the instance automatically fails over to the standby instance and resumes the site-to-site VPN connections. For a planned maintenance, Azure restores the connectivity in approximately 10 to 15 seconds. For an unplanned outage, Azure restores the connectivity in approximately 1 minute to 90 seconds.
Create the virtual network and virtual network gateway using the following task.
By default, Azure will not direct internet traffic to the VPN tunnel you create in this task. To secure internet-bound traffic with Prisma Access, enable forced tunneling on Azure using PowerShell commands.
- In Azure, create your virtual network, if you have not already created it. See the Microsoft Azure documentation for details.
- Create a subnet for the gateway.You must name the subnetGatewaySubnetto let Azure deploy its gateway resources and Azure does not allow the use of another subnet name. Without a subnet namedGatewaySubnet, gateway creation fails.
- In the Azure portal, navigate to the virtual network where you want to create a virtual network gateway.
- On your virtual network page, clickSubnetsto expand the Subnets page for the virtual network you created.
- Click+Gateway subnetat the top to open the Add subnet page.
- Add the address and clickOK.
- Add a virtual network gateway.
- On the left side of the portal page, click+Create a resourceand typeVirtual Network Gatewayin the search box, then pressEnter.
- InResults, locate and clickVirtual network gateways.
- At the bottom of theVirtual network gatewaypage, clickCreate virtual network gateway.
- Enter values similar to the values on the following screenshot and clickCreate.It may take up to 30 minutes to create the virtual network gateway.
- After Azure creates the virtual network gateway, select the virtual network gateway you created, clickOverview, and make a note of thePublic IP addressassigned to the virtual network gateway.
- ClickConfigurationand make a note of theBGP ASNandBGP peer IP address(es)fields.
Configure IKE, IPSec, and BGP and Onboard the Azure VNet
in Prisma Access
After you perform the initial configuration on Azure, create IKE and IPSec security profiles and policies and then create a remote network connection in Prisma Access using Panorama.
For assistance with configuring security parameters on Azure, see the Microsoft Azure documents About VPN devices and IPsec/IKE parameters for Site-to-Site VPN Gateway connections and About cryptographic requirements and Azure VPN gateways.
- In Panorama, selectRemote_Network_Templatefrom theTemplatedrop-down.
- SelectandNetworkNetwork ProfilesIKE CryptoAddan IKE crypto profile for the gateway.Make a note of these settings; the IKE crypto settings you specify here must match the settings you specify on Azure. To set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
- DH Group:group2
- Key Lifetime:8 Hours
- SelectandNetworkNetwork ProfilesIPSec CryptoAddan IPSec crypto profile for the IPSec tunnel.The IPSec crypto settings you specify here must match the settings you specify on Azure; to set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
- IPSec Protocol:ESP
- DH Group:no-pfs
- Lifetime:8 Hours
- SelectandNetworkNetwork ProfilesIKE GatewaysAddan IKE gateway.
- In theGeneraltab, change thePeer ID Address TypetoIP.
- In thePeer Addressfield, enter thePublic IP addressfrom theOverviewscreen on Azure.
- Enter aPre-shared Key.Make a note of this key. You use it later when you Set up Network Connectivity from your Azure Virtual Network.
- SelectandNetworkIPSec TunnelsAddan IPSec tunnel for the Azure gateway, specifying theIKE gatewayandIPSec Crypto Profilethat you created earlier in this task.
- SelectandPanoramaCloud ServicesConfigurationRemote NetworksAddthe Azure VPN as a remote network.Specify the following choices:
- Select aLocationthat is closest to your Azure VNet.
- Select theIPSec Termination Nodethat you want to use for this remote network.Prisma Access uses this node to associate remote network locations with compute locations.
- Specify the IPSec primary tunnel that you just created in theIPSec Tunnelfield.
- Configure BGP routing.
- Click theBGPtab.
- Enter theAutonomous system number (ASN)value from Azure in thePeer ASfield and enter thePeer Addressvalue from Azure in theBGP peer IP address(es)field.
- (Optional) Enter an address that Prisma Access uses as itsLocal Addressfor BGP.Make sure that the address you specify does not conflict or overlap with IP addresses in the Infrastructure Subnet or subnets in the remote network.You must configure a static route on your CPE to the BGPLocal Address.
- CommitandPushyour configuration.
- After the onboarding process completes, selectand make a note of the value in thePanoramaCloud ServiceStatusNetwork DetailsRemote NetworksService IP Addressfield.
Set up Network Connectivity from your Azure Virtual Network
After you configure the remote network in Prisma Access, complete the configuration on Azure by performing the following task.
For additional information about configuring BGP on Azure, see the Microsoft Azure document Overview of BGP with Azure VPN Gateways.
- In Azure, create a local network gateway.
- In theSearch resources, services, and docssearch box, typelocal network gateways.
- Enter the following values in the text box that displays.
- Enter aNamefor the gateway.
- Enter anIP address. Use theService IP Addressfrom the remote network in Prisma Access ().PanoramaCloud ServiceStatusNetwork DetailsRemote Networks
- CheckConfigure BGP settingsand enter a uniqueAutonomous system number (ASN)andBGP peer IP address.
- Enter aSubscription,Resource group, andLocationfor the gateway.
- Create a virtual network connection.
- Navigate to and open the page for the virtual network gateway you created when you configured a virtual network and virtual network gateway on Azure.
- On the page for the virtual network gateway, clickConnections. At the top of the Connections page, click+Addto open the Add connection page.
- Enter values for the new connection, then clickOK.In theShared key (PSK)field, use the samePre-shared Keythat you used when you created the IKE gateway in Prisma Access.
- Add a new route table to use for BGP routing.
- Select+Create a resourceon the upper left corner of the Azure portal.
- SelectNetworking, then selectRoute table.
- Add aName,Subscription,Resource Group, andLocation.
- SetBGP route propagationtoEnabled.
- Associate a subnet to the route table you created.
- Open the route table you created.
- ClickAssociateto add a subnet.
- In theAssociate subnetcolumn, clickVirtual network.
- Select the virtual network you created when you configured a virtual network and virtual network gateway on Azure.
Verify Remote Network Connectivity
To verify that the IPSec tunnel between Azure and Prisma Access is operational, perform the following steps:
- In Azure, select theConnectionyou created and clickOverview.The tunnel should show a status ofConnected.
- Verify that the BGP routes are being advertised on Azure.
- Open the route table you just created.
- Select the name of a network interface.
- Select.Support + troubleshootingEffective routes
- Verify that the BGP routes are being advertised.
- Check the remote network and BGP status in Prisma Access.In Panorama, select.PanoramaCloud ServicesStatusMonitorRemote NetworksStatusTheConfig Statusshould beIn Syncand theBGP Statusshould beEstablished.
Secure Internet-Bound Traffic with Prisma Access
If you enable BGP, the virtual network gateway does not use static routes and uses only the routes it learns from BGP advertisements.
To secure all traffic to and from Azure, you must force traffic to pass through Prisma Access. You do this by enabling the forced tunneling feature on Azure.
Enabling forced tunneling may result in a loss of connectivity to virtual network instances over the internet. Make sure that you use another connection method (for example, a bastion host) to connect to instances over the internet.
You configure forced tunneling by using PowerShell CLI commands in your Azure account as described in the following task. For more details about forced tunneling, see the Microsoft Azure document Configure forced tunneling using the Azure Resource Manager deployment model.
To enable the feature, complete the following workflow.
These commands are examples. If you use different variables for your route tables, virtual network gateways, subnets, or resource groups, substitute those values in the commands provided in this task.
- Log into your PowerShell console with elevated privileges, and connect to your account.
- Create a new route table by entering the following commands:>New-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME" -Location "WEST US">$rt = Get-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME">Add-AzureRmRouteConfig -Name "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway -RouteTable $rt>Set-AzureRmRouteTable -RouteTable $rt
- Modify the subnet configuration by entering the following commands:>$vnet = Get-AzureRmVirtualNetwork -Name "GPCS-Onboarding-VMNET" -ResourceGroupName "GPCS-PM-TME">Set-AzureRmVirtualNetworkSubnetConfig -Name "GPCS-O-Subnet-1" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24" -RouteTable $rt>Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
- Enable the default route for the network gateway default site by entering the following commands.>$LocalGateway = Get-AzureRmLocalNetworkGateway -Name "GPCS-Gateway-US-WEST" -ResourceGroupName "GPCS-PM-TME">$VirtualGateway = Get-AzureRmVirtualNetworkGateway -Name "GPCS-Onboarding-Gateway" -ResourceGroupName "GPCS-PM-TME">Set-AzureRmVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
Troubleshoot the Site-to-Site Connection
Use the procedures in this section to troubleshoot any issues you have with tunnel creation.
- To troubleshoot the site-to-site connection in Prisma Access, log in to Panorama and select, then enterLogsSystem(subtype eq vpn)in theFilterfield to view messages related to VPN tunnel creation.
- To troubleshoot the site-to-site connection on Azure, you can download the VPN gateway configuration on Azure by selecting, selecting the name of a network interface. selectingNetworkingSettings, and clickingSupport + troubleshootingEffective routesDownload.
Recommended For You
Recommended videos not found.