Create a Palo Alto and Azure Site-to-Site IPsec VPN

AZURE CONFIGURATION

PALO ALTO CONFIGURATION

CONNECTING TO AZURE RESOURCES

After establishing a site-to-site connection to the Azure network, you will be able to connect to resources created on the Azure Frontend network.

Configuring IPsec VPN between Palo Alto Firewall and AWS

Configuration:

Create AWS Customer Gateway:

Sign in to the AWS console with an administrative account.

Click Services and select VPC.

Under Filter by VPC, select the VPC that will be used for the IPsec VPN.

Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway.

Create Customer Gateways with the following parameters:


Create Virtual Private Gateway:

Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway.

Create a Virtual Private Gateway with the following parameters:

Create Site-to-site VPN Connection:

Go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connections > click Create VPN Connection.

Create with the following information:

Create Route:

We need to add a static route that sends traffic destined for the Palo Alto Firewall's subnet through the Virtual Private Gateway.

Go to VIRTUAL PRIVATE CLOUD > Route Tables > select the existing route table > open the Routes tab > click Edit routes > click Add route.

Add:

Download the VPN configuration file and collect the necessary information:

After the VPN Connection has been created, select it and click Download Configuration.

Select the following information to download the configuration file:

Palo Alto Firewall:

Create Zone:

We need to create zones for VPN connections.

To create them, go to Network > Zones.

Click Add and fill in the following information:

Create Address Object:

We will create Address Objects for the two LAN subnets: the Palo Alto Firewall's LAN and the AWS VPC subnet.

To create them, go to Objects > Addresses.

Click Add and configure according to the following parameters.

Palo Alto Firewall LAN:

Create Interface Tunnel:

To create it, go to Network > Interfaces > Tunnel.

Click Add and configure according to the following information:

Config tab:

Create Virtual Routers:

To create a Virtual Router, go to Network > Virtual Routers, click Add and configure according to the following information.

Router Settings tab:

Name: VR1

General tab: Click Add and select the VLAN interface (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel used for the VPN connection).

Static Routes tab > IPv4:

Click Add to add static routes and fill in the following information:

Create IKE Crypto:

We will create the IKE Crypto profile, i.e. Phase 1 of the VPN connection.

To create it, go to Network > IKE Crypto, click Add and configure according to the following information:

Create IPsec Crypto:

To create the IPsec Crypto profile, go to Network > IPsec Crypto and click Add.

Configure according to the following parameters:

Create IKE Gateways:

To create it, go to Network > IKE Gateways and click Add.

Use the IKE Gateway parameters from the configuration file downloaded from AWS.

If we use IKEv2 only mode, enter the parameters for IKEv2 only mode; if we use IKEv2 preferred mode, enter the parameters for IKEv2 preferred mode.

In this article we will use IKEv2 only mode.

Configure according to the following parameters:

General:

Create IPsec Tunnels:

Now we will start creating a VPN connection with AWS.

To create it, go to Network > IPsec Tunnels and click Add.

Create with the following information:

Create Policy:

We need to create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to reach the AWS LAN subnet and vice versa.

To create a policy, go to Policies > Security and click Add.

Create a policy that allows traffic from the Palo Alto Firewall's LAN subnet to reach the AWS LAN subnet with the following information:

General tab:

Result:

Go to AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections.

Select the VPN Connection > Tunnel Details and make sure the tunnel's status is UP.

Test the connection.

Ping from the Linux server on AWS to a machine on the Palo Alto Firewall's LAN.

Successful ping result.

Check the log by going to Monitor > Logs > Traffic; we will see the traffic going from source IP 172.31.42.255 to destination IP 10.146.41.1.

Conversely, ping from the Palo Alto Firewall's LAN to the Linux server on AWS.

Successful ping result.
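The Result section verifies the tunnel by pinging in both directions and reading the Traffic log. The following added example (not code from the original article, nor from Palo Alto or AWS) models the pieces configured above as plain data: the AWS route table from the Create Route step, the static routes of virtual router VR1 over tunnel.2, the zone mapping from the Create Zone step and the two security rules from the Create Policy step. It then checks that the observed ping (172.31.42.255 to 10.146.41.1) is sent to the Virtual Private Gateway on the AWS side, enters the firewall on tunnel.2 and is permitted by a rule in each direction, and shows how a forgotten AWS static route or a missing return rule breaks the path. The PA LAN prefix 10.146.41.0/24, the VPC CIDR 172.31.0.0/16, the zone and rule names and the `vgw-PLACEHOLDER` id are assumptions; the real values are in the article's screenshots.

```python
"""Routing and policy consistency check for the Palo Alto <-> AWS VPN above.

Added example: models the AWS route table, PAN-OS virtual router VR1 and the
security policy as data and verifies both directions of the test ping.
Assumed values: PA LAN 10.146.41.0/24, VPC 172.31.0.0/16, zone/rule names,
and the placeholder VGW id (the article's screenshots hold the real ones).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    destination: str   # prefix in CIDR notation
    next_hop: str      # AWS: "local" or a vgw id; PAN-OS: egress interface


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    source: str        # CIDR of the source address object
    destination: str   # CIDR of the destination address object
    action: str = "allow"


PA_LAN = "10.146.41.0/24"    # assumed PA LAN subnet containing 10.146.41.1
AWS_VPC = "172.31.0.0/16"    # assumed VPC CIDR containing 172.31.42.255

# AWS route table after "Create Route": VPC-local route plus the static route
# that sends the firewall's subnet to the Virtual Private Gateway.
AWS_ROUTES = [Route(AWS_VPC, "local"), Route(PA_LAN, "vgw-PLACEHOLDER")]

# PAN-OS VR1: connected LAN on the vlan interface, AWS prefix via tunnel.2.
PA_ROUTES = [Route(PA_LAN, "vlan"), Route(AWS_VPC, "tunnel.2")]

# Interface-to-zone mapping from "Create Zone" (assumed zone names).
PA_ZONES = {"vlan": "LAN", "tunnel.2": "VPN-AWS", "ethernet1/1": "Untrust"}

# Security policy from "Create Policy": one rule per direction.
PA_POLICY = [
    SecurityRule("LAN-to-AWS", "LAN", "VPN-AWS", PA_LAN, AWS_VPC),
    SecurityRule("AWS-to-LAN", "VPN-AWS", "LAN", AWS_VPC, PA_LAN),
]


def lookup(routes, ip):
    """Longest-prefix match over a route list; returns the next hop or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route.next_hop)
    return best[1] if best else None


def policy_match(policy, pa_routes, src, dst):
    """First-match security policy evaluation for src -> dst on the firewall.

    Zones come from the route lookup for each address; no match falls
    through to the default interzone deny.
    """
    from_zone = PA_ZONES.get(lookup(pa_routes, src))
    to_zone = PA_ZONES.get(lookup(pa_routes, dst))
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if (rule.from_zone == from_zone and rule.to_zone == to_zone
                and s in ipaddress.ip_network(rule.source)
                and d in ipaddress.ip_network(rule.destination)):
            return rule.action == "allow", rule.name
    return False, "interzone-default (deny)"


def check_flow(src, dst, aws_routes=AWS_ROUTES, pa_routes=PA_ROUTES, policy=PA_POLICY):
    """Describe how one direction src -> dst is handled on both sides.

    AWS must route whichever endpoint lies outside the VPC to the VGW.
    """
    outside = dst if ipaddress.ip_address(src) in ipaddress.ip_network(AWS_VPC) else src
    allowed, rule = policy_match(policy, pa_routes, src, dst)
    return {
        "aws_next_hop": lookup(aws_routes, outside),
        "pa_ingress": lookup(pa_routes, src),
        "pa_egress": lookup(pa_routes, dst),
        "pa_allowed": allowed,
        "pa_rule": rule,
    }


def vpn_path_ok(src, dst, **tables):
    """True when both directions use the VGW and tunnel.2 and are permitted."""
    fwd, rev = check_flow(src, dst, **tables), check_flow(dst, src, **tables)
    uses_vgw = all((f["aws_next_hop"] or "").startswith("vgw-") for f in (fwd, rev))
    uses_tunnel = "tunnel.2" in (fwd["pa_ingress"], fwd["pa_egress"])
    return uses_vgw and uses_tunnel and fwd["pa_allowed"] and rev["pa_allowed"]


if __name__ == "__main__":
    # The ping from the Result section, then the same ping with the AWS
    # static route from "Create Route" missing.
    print(check_flow("172.31.42.255", "10.146.41.1"))
    print("tunnel path ok:", vpn_path_ok("172.31.42.255", "10.146.41.1"))
    print("without AWS static route:",
          vpn_path_ok("172.31.42.255", "10.146.41.1", aws_routes=[Route(AWS_VPC, "local")]))
```

Running the script reports the next hop and matching rule for the AWS-to-LAN ping and then shows that removing the AWS static route makes the check fail even though the firewall side is complete: a tunnel that is UP still carries no traffic when either side lacks a route or a return rule, which is why the article tests the ping in both directions.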


Copyright © July 25, 2025. All Rights Reserved by Vast Edge Inc.