This article talks through the creation of a Route-Based VPN between Azure and an On Premise Sonicwall firewall. This is done using the Resource Manager deployment.
IP Schema
In this example I have used the below Azure subnets. You should plan your subnets before starting this process.
- AzureDemo-Full-Subnet – all IPs on Azure (e.g. 172.26.0.0/16)
- GatewaySubnet – used for external connections (e.g. 172.26.0.0/24)
- AzureDemo-Servers – Subnet for servers in Azure (e.g. 172.26.1.0/24)
Azure Configuration
NB – you may want to consider creating a dedicated resource group for the below if you have existing resource groups. In this example we are installing servers into the “UK West” Azure location.
Create Virtual Network
You will need to create a new virtual network. Obviously make sure the IP range doesn’t overlap with any existing subnets.
Go to “more services”, then “Virtual Networks”. For the deployment model select “Resource Manager”. Enter your new subnet details.
You will need to create an address space to include all your subnets, and an initial subnet – e.g. for servers. In the example above I have an address space or 172.26.0.0/16 with a subnet of 172.26.1.0/16 to store my servers.
Note if you need to add additional subnets you are able to do this after the Virtual Network is created.
Create Gateway Subnet
Within the Virtual network go to subnets and then click “Gateway Subnet”
The gateway subnet you create must be named GatewaySubnet or it won’t work.
In this example I have used a subnet of 172.26.0.0/24
Create Virtual Network Gateway
Go to “more services”, “virtual network gateway”. Click Add. Fill out as below – you will probably want to create a new public IP. Note this is route-based.
Note provisioning virtual network gateway may take up to 45 minutes.
Create Local Gateway
Create an entry for your on-premise subnets.
Go to “more services”, “local network gateway” then click “add”.
- IP Address = External interface of your VPN device/firewall
- Address Space = e.g. the subnet used in the office you are connecting to
- Resource group = select your existing resource group.
Note it may take a while to provision a public IP – be patient! Once the IP is display in the portal you can move on to the next step.
Configure Azure VPN
Go to “more services”, “connections”. Click “Add”. Fill out details as below.
Configure Sonicwall
Create Address Object
Create an address object for the Azure vNet subnet
Create VPN
Note the policy type is “tunnel interface
Create Route
Finally create a route to tell the sonicwall to use the VPN tunnel for the Azure subnets. Note for testing you might want to restrict the “source” to a single test maching on your on premise network.
Testing
If the VPN connects successfully you should see a green “dot” as below.
For testing it is helpful to have a VM running on the Azure subnet. Note that you will need to allow pings through the firewall of this VM.
netsh advfirewall firewall add rule name=”All ICMP V4″ protocol=icmpv4:any,any dir=in action=allow
END