How to configure a Palo Alto Firewall and Microsoft Azure site-to-site VPN

Microsoft Azure requires IKEv2 (route-based VPN) for dynamic routing; IKEv1 is restricted to static routing only. IKEv2 is supported in PAN-OS 7.1.4 and newer versions, which fully support the route-based VPN and crypto profiles needed to connect to Microsoft Azure’s dynamic VPN architecture. This document covers the basic site-to-site VPN configuration on both the Palo Alto Networks firewall and Microsoft Azure.

Part 1 Create a Site-to-Site VPN (VNet) using the Azure portal

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

  1. Log in to the Azure portal.
  2. Click Create a resource.
  3. In the Search the marketplace field, type ‘virtual network’. Locate Virtual network in the returned list and click it to open the Virtual Network page.
  4. From the Select a deployment model list, select Resource Manager, and then click Create. This opens the ‘Create virtual network’ page.
  5. On the ‘Create virtual network’ page, enter information such as Name, Address space, and Address range. Click Create to create the VNet.
  6. You should now see the VNet you created.
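The Address space and Address range entered in step 5 should be checked against the networks behind the on-premises firewall before the VNet is created, because overlapping ranges make routing across the tunnel ambiguous. The following is an added example, not part of the original article; the function name `check_vnet_plan` is hypothetical and all prefixes are constructed sample values.

```python
import ipaddress


def check_vnet_plan(vnet_space, subnets, on_prem_prefixes):
    """Return a list of problems found in a planned VNet address layout.

    vnet_space       -- VNet "Address space", e.g. "10.1.0.0/16"
    subnets          -- dict of subnet name -> CIDR (the "Address range" fields)
    on_prem_prefixes -- CIDRs routed behind the on-premises firewall
    All prefixes are assumed to be IPv4 and written without host bits set.
    """
    problems = []
    vnet = ipaddress.ip_network(vnet_space)

    # The VNet must not overlap anything that lives on the on-premises side.
    for prefix in on_prem_prefixes:
        if vnet.overlaps(ipaddress.ip_network(prefix)):
            problems.append(f"VNet {vnet} overlaps on-premises {prefix}")

    # Every subnet must sit inside the VNet and must not overlap a sibling.
    parsed = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vnet):
            problems.append(f"subnet {name} {net} is outside VNet {vnet}")
        for other_name, other in parsed.items():
            if net.overlaps(other):
                problems.append(f"subnet {name} {net} overlaps {other_name} {other}")
        parsed[name] = net
    return problems


if __name__ == "__main__":
    # Constructed sample plan, not taken from the article.
    plan = {"default": "10.1.0.0/24", "apps": "10.1.0.128/25", "dmz": "10.2.0.0/24"}
    for issue in check_vnet_plan("10.1.0.0/16", plan, ["10.1.8.0/24"]):
        print(issue)
```

An empty list means the plan is safe to enter in the portal.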

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE. Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net. How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com.