After establishing the site-to-site connection to the Azure network, you will be able to connect to the resources created on the Azure Frontend network.
Configuration:
Create AWS Customer Gateway:
Sign in to the AWS Portal site with an administrative account.
Click Services and select VPC.
Under Filter by VPC, select your VPC; this is the VPC you will use for the IPsec VPN.
Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway.
Create the Customer Gateway with the following parameters:
Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway.
Create a Virtual Private Gateway with the following parameters:
To create the VPN connection, go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connections > click Create VPN Connection.
Create with the following information:
We need to create a static route that sends traffic for the Palo Alto Firewall's subnet through the Virtual Private Gateway.
To create it, go to VIRTUAL PRIVATE CLOUD > Route Tables > select the existing route table > open the Routes tab > click Edit routes > click Add route.
Add:
After creating the VPN Connection, select the newly created VPN Connection and click Download Configuration.
Select the following information to download the configuration file:
Create Zone:
We need to create a zone for the VPN connection.
To create one, go to Network > Zones.
Click Add and enter the following information:
We will create Address Objects for the two LAN subnets: the Palo Alto Firewall's LAN and the AWS LAN.
To create them, go to Objects > Addresses.
Click Add and configure according to the following parameters.
Palo Alto Firewall LAN:
To create the tunnel interface, go to Network > Interfaces > Tunnel.
Click Add and configure according to the following information:
Config tab:
To create the Virtual Router, go to Network > Virtual Routers > click Add and configure according to the following information.
Router Settings tab:
Name: VR1
General tab: Click Add and select the VLAN port (LAN port), ethernet1/1 (Internet port) and tunnel.2 (the tunnel interface used for the VPN).
Static Routes tab > IPv4:
Click Add to add the static routes and fill in the following information:
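The two static routes above are mirror images of each other: the AWS route table sends the firewall's LAN to the Virtual Private Gateway, and the firewall's virtual router sends the VPC CIDR into tunnel.2. The following added example (not part of the original article) builds both entries from the two prefixes and refuses overlapping prefixes, the usual reason a tunnel shows UP yet carries no traffic. The CIDRs, the interface name and the route targets are constructed sample values; the two host addresses are the ones that appear in the traffic log at the end of the article.

```python
import ipaddress

# Constructed sample values for this example (assumed, not taken from the
# article's screenshots): the firewall's LAN and the AWS VPC CIDR.
PA_LAN = "10.146.41.0/24"
AWS_VPC = "172.31.0.0/16"
TUNNEL_IFACE = "tunnel.2"        # tunnel interface the IPsec tunnel is bound to


def plan_static_routes(pa_lan: str, aws_vpc: str, tunnel_iface: str = TUNNEL_IFACE) -> dict:
    """Return the two static routes the setup needs, refusing overlapping prefixes.

    AWS side: a VPC route-table entry for the firewall's LAN whose target is the
    Virtual Private Gateway.  Firewall side: a virtual-router static route for
    the VPC CIDR whose next hop is the tunnel interface.
    """
    pa = ipaddress.ip_network(pa_lan, strict=True)
    aws = ipaddress.ip_network(aws_vpc, strict=True)
    if pa.overlaps(aws):
        # With overlapping prefixes each side believes the peer subnet is local,
        # so packets never get a route into the tunnel.
        raise ValueError(f"{pa} overlaps {aws}; traffic would be delivered locally, never via the tunnel")
    return {
        "aws_route_table": {"destination": str(pa), "target": "virtual-private-gateway"},
        "pa_virtual_router": {"destination": str(aws), "interface": tunnel_iface},
    }


def classify_flow(src: str, dst: str, pa_lan: str = PA_LAN, aws_vpc: str = AWS_VPC) -> str:
    """Say which route a (src, dst) pair takes: 'aws->pa', 'pa->aws', 'local' or 'unroutable'.

    Useful when reading the firewall's traffic log: a flow the tunnel should carry
    must classify as one of the first two values.
    """
    pa = ipaddress.ip_network(pa_lan)
    aws = ipaddress.ip_network(aws_vpc)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in aws and d in pa:
        return "aws->pa"
    if s in pa and d in aws:
        return "pa->aws"
    if (s in pa and d in pa) or (s in aws and d in aws):
        return "local"
    return "unroutable"


if __name__ == "__main__":
    for side, route in plan_static_routes(PA_LAN, AWS_VPC).items():
        print(side, route)
    print(classify_flow("172.31.42.255", "10.146.41.1"))
```

Run it before committing either side: if `plan_static_routes` raises, re-address one of the LANs rather than adding routes.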
We will create the IKE Crypto profile (Phase 1) for the VPN connection.
To create it, go to Network > IKE Crypto, click Add, and configure according to the following information:
To create the IPsec Crypto profile (Phase 2), go to Network > IPsec Crypto and click Add.
Configure according to the following parameters:
To create the IKE Gateway, go to Network > IKE Gateways and click Add.
Use the IKE Gateway parameters from the configuration file downloaded from AWS.
If we use IKEv2 only mode, enter the parameters for IKEv2 only mode; if we use IKEv2 preferred mode, enter the parameters for IKEv2 preferred mode.
In this article we will use IKEv2 only mode.
Configure according to the following parameters:
General:
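Phase 1 and Phase 2 only come up if the firewall's proposals fall inside what the AWS side accepts, and a profile that is valid on PAN-OS (3DES, MD5, a 24-hour Phase 1 lifetime) can still be refused by AWS. The added example below (written for this edit, not the article's or AWS's own code) checks an IKE Crypto profile, an IPsec Crypto profile and the IKE version against the accepted AWS tunnel options as this example's author understands them from the AWS documentation; confirm them against the configuration file you downloaded. The PAN-OS-to-AWS name mapping and the sample profiles are assumptions.

```python
# AWS Site-to-Site VPN tunnel options as this example's author understands
# them from the AWS documentation (assumed; confirm against the configuration
# file downloaded from the VPN connection).
AWS_IKE_VERSIONS = {"ikev1", "ikev2"}
AWS_ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
AWS_INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
AWS_PHASE1_DH = {2, *range(14, 25)}
AWS_PHASE2_DH = {2, 5, *range(14, 25)}
AWS_PHASE1_LIFETIME = (900, 28800)   # seconds; AWS default 28800 (8 hours)
AWS_PHASE2_LIFETIME = (900, 3600)    # seconds; AWS default 3600 (1 hour)

# PAN-OS crypto-profile option names mapped onto the AWS naming above
# (assumed mapping for this example; check the names in your own profile).
PANOS_ENCRYPTION = {
    "aes-128-cbc": "AES128", "aes-256-cbc": "AES256",
    "aes-128-gcm": "AES128-GCM-16", "aes-256-gcm": "AES256-GCM-16",
}
PANOS_INTEGRITY = {"sha1": "SHA1", "sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512"}


def check_phase(phase: int, encryption: str, integrity: str, dh_group: str, lifetime_seconds: int) -> list[str]:
    """Return the reasons a PAN-OS profile (phase 1 = IKE Crypto, phase 2 = IPsec Crypto)
    could not be negotiated with AWS; an empty list means the profile is acceptable."""
    problems = []
    if PANOS_ENCRYPTION.get(encryption) not in AWS_ENCRYPTION:
        problems.append(f"phase {phase}: encryption {encryption!r} is not accepted by AWS")
    if PANOS_INTEGRITY.get(integrity) not in AWS_INTEGRITY:
        problems.append(f"phase {phase}: integrity {integrity!r} is not accepted by AWS")
    groups = AWS_PHASE1_DH if phase == 1 else AWS_PHASE2_DH
    try:
        number = int(dh_group.removeprefix("group"))     # PAN-OS writes DH groups as "group14"
    except ValueError:
        number = -1
    if number not in groups:
        problems.append(f"phase {phase}: DH group {dh_group!r} is not accepted by AWS")
    low, high = AWS_PHASE1_LIFETIME if phase == 1 else AWS_PHASE2_LIFETIME
    if not low <= lifetime_seconds <= high:
        problems.append(f"phase {phase}: lifetime {lifetime_seconds}s is outside the AWS range {low}-{high}s")
    return problems


def check_gateway(ike_version: str, phase1: dict, phase2: dict) -> list[str]:
    """Validate the IKE Gateway's version choice together with both crypto profiles."""
    problems = []
    if ike_version not in AWS_IKE_VERSIONS:
        problems.append(f"IKE version {ike_version!r} is not accepted by AWS")
    problems += check_phase(1, **phase1)
    problems += check_phase(2, **phase2)
    return problems


# Sample profiles in the spirit of the article (IKEv2 only, PAN-OS defaults of
# 8 h / 1 h lifetimes); the values are this example's own, not the article's.
IKE_CRYPTO = dict(encryption="aes-256-cbc", integrity="sha256", dh_group="group14", lifetime_seconds=8 * 3600)
IPSEC_CRYPTO = dict(encryption="aes-256-cbc", integrity="sha256", dh_group="group14", lifetime_seconds=3600)

if __name__ == "__main__":
    for line in check_gateway("ikev2", IKE_CRYPTO, IPSEC_CRYPTO) or ["profiles are compatible with AWS"]:
        print(line)
```

Note that the DH group sets differ per phase: group 5 is accepted for Phase 2 (PFS) but not for Phase 1, which the check models separately.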
Now we will create the VPN connection to AWS.
To create it, go to Network > IPsec Tunnels and click Add.
Create with the following information:
We need to create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to the AWS LAN subnet and vice versa.
To create the policy, go to Policies > Security and click Add.
Create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to the AWS LAN subnet with the following information:
General tab:
Go to AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections.
Select the VPN connection > Tunnel Details and make sure the tunnel status is UP.
Test the connection.
Ping from the Linux server at AWS to a machine on the Palo Alto Firewall's LAN.
Successful ping result.
Check the log under Monitor > Logs > Traffic; we will see the traffic going from source IP 172.31.42.255 to destination IP 10.146.41.1.
Conversely, ping from the Palo Alto Firewall's LAN to the Linux server at AWS.
Successful ping result.