Create VPN from Sonicwall to Azure

This article walks through the creation of a route-based VPN between Azure and an on-premises SonicWall firewall, using the Resource Manager deployment model.

IP Schema

In this example I have used the below Azure subnets. You should plan your subnets before starting this process.

  • AzureDemo-Full-Subnet – all IPs on Azure (e.g. 172.26.0.0/16)
  • GatewaySubnet – used for external connections (e.g. 172.26.0.0/24)
  • AzureDemo-Servers – subnet for servers in Azure (e.g. 172.26.1.0/24)

Azure Configuration

NB – you may want to consider creating a dedicated resource group for the steps below if you already have existing resource groups. In this example we are installing servers into the “UK West” Azure location.

Create Virtual Network

You will need to create a new virtual network. Make sure its IP range does not overlap with any existing subnets, including the on-premises networks you will be connecting to.

Go to “more services”, then “Virtual Networks”. For the deployment model select “Resource Manager”. Enter your new subnet details.

You will need to create an address space that includes all your subnets, plus an initial subnet – e.g. for servers. In the example above I have an address space of 172.26.0.0/16 with a subnet of 172.26.1.0/24 for my servers.

Note that if you need to add further subnets you can do this after the virtual network is created.

Create Gateway Subnet

Within the virtual network, go to Subnets and then click “Gateway Subnet”.

The gateway subnet you create must be named GatewaySubnet or it won’t work.

In this example I have used a subnet of 172.26.0.0/24.

Create Virtual Network Gateway

Go to “more services”, “virtual network gateway”. Click Add. Fill out as below – you will probably want to create a new public IP. Note that the VPN type is route-based.

Note that provisioning a virtual network gateway may take up to 45 minutes.

Create Local Gateway

Create an entry for your on-premises subnets.

Go to “more services”, “local network gateway” then click “add”.

  • IP Address = the external (WAN) interface address of your VPN device/firewall
  • Address Space = the on-premises subnet(s) you are connecting, e.g. the subnet used in the office
  • Resource group = select your existing resource group.

Note that it may take a while to provision a public IP – be patient! Once the IP is displayed in the portal you can move on to the next step.

Configure Azure VPN

Go to “more services”, “connections”. Click “Add”. Fill out details as below.
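The Azure steps above as an added Azure CLI script, which is not part of the original article: it first checks the IP schema (GatewaySubnet and the server subnet sit inside the address space, nothing overlaps the on-premises range, which is the overlap the article warns about) and then runs the portal steps as az commands. The resource group, gateway and connection names, the office range 192.168.10.0/24, the SonicWall WAN address 203.0.113.10 and the shared key are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Values marked "assumed" are placeholders.
set -eu

RG="AzureDemo-RG"; LOC="ukwest"                   # assumed resource group and location
VNET="AzureDemo-Full-Subnet"; VNET_CIDR="172.26.0.0/16"
GW_CIDR="172.26.0.0/24"                           # subnet MUST be named GatewaySubnet
SRV_CIDR="172.26.1.0/24"
ONPREM_CIDR="192.168.10.0/24"                     # assumed office LAN behind the SonicWall
ONPREM_IP="203.0.113.10"                          # assumed SonicWall WAN address
PSK="${PSK:-replace-with-a-long-random-shared-key}"  # assumed; use a long random value

# Dotted quad -> 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
# cidr_contains A B -> success if network B lies entirely inside network A
cidr_contains() {
  local a=${1%/*} abits=${1#*/} b=${2%/*} bbits=${2#*/}
  [ "$bbits" -ge "$abits" ] || return 1
  local mask=$(( (0xFFFFFFFF << (32 - abits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}
# cidr_overlaps A B -> success if the two ranges share any address
cidr_overlaps() { cidr_contains "$1" "$2" || cidr_contains "$2" "$1"; }

# Sanity checks on the plan before anything is created in Azure
check_plan() {
  cidr_contains "$VNET_CIDR" "$GW_CIDR"  || { echo "GatewaySubnet is outside the address space"; return 1; }
  cidr_contains "$VNET_CIDR" "$SRV_CIDR" || { echo "server subnet is outside the address space"; return 1; }
  if cidr_overlaps "$GW_CIDR" "$SRV_CIDR"; then echo "GatewaySubnet overlaps the server subnet"; return 1; fi
  if cidr_overlaps "$VNET_CIDR" "$ONPREM_CIDR"; then echo "vNet overlaps the on-premises range"; return 1; fi
  return 0
}

# The portal steps from the article as az CLI calls
deploy() {
  az group create -n "$RG" -l "$LOC"
  az network vnet create -g "$RG" -n "$VNET" --address-prefix "$VNET_CIDR" \
    --subnet-name AzureDemo-Servers --subnet-prefix "$SRV_CIDR"
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet --address-prefix "$GW_CIDR"
  az network public-ip create -g "$RG" -n AzureDemo-GW-PIP --sku Standard --allocation-method Static
  az network vnet-gateway create -g "$RG" -n AzureDemo-VNG --vnet "$VNET" --public-ip-address AzureDemo-GW-PIP \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait   # can take up to 45 minutes
  az network local-gateway create -g "$RG" -n AzureDemo-LNG \
    --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_CIDR"
  az network vpn-connection create -g "$RG" -n AzureDemo-to-Office \
    --vnet-gateway1 AzureDemo-VNG --local-gateway2 AzureDemo-LNG --shared-key "$PSK"
}

check_plan
if [ "${DEPLOY:-0}" = "1" ]; then deploy; fi   # run with DEPLOY=1 after 'az login'
```

Wait for the gateway to finish provisioning before creating the connection if you drop the `--no-wait` flag.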

Configure Sonicwall

Create Address Object

Create an address object for the Azure vNet subnet.

Create VPN

Note that the policy type is “Tunnel Interface”.

Create Route

Finally, create a route to tell the SonicWall to use the VPN tunnel for the Azure subnets. Note that for testing you might want to restrict the “source” to a single test machine on your on-premises network.

Testing

If the VPN connects successfully you should see a green “dot” as below.

For testing it is helpful to have a VM running on the Azure subnet. Note that you will need to allow pings through the firewall of this VM; on a Windows VM the following command adds an inbound allow rule for ICMPv4.

netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow
