- 10.10.200.0/24
- Click Next.
- In the Virtual Network Address Spaces section click add subnet:
  - Subnet – Enter a name for the subnet.
  - Starting IP – Enter the first IP of the IP range for the subnet. E.g., 10.10.201.0
  - CIDR (ADDRESS COUNT) – Select the subnet mask from the list. E.g., /24 for 256 IP addresses
- Click add gateway subnet:
  - Starting IP – Enter the first IP for the gateway subnet. E.g., 10.10.201.0
  - CIDR (ADDRESS COUNT) – Select the subnet mask from the list. E.g., /29 for 8 IP addresses
- Click OK.
The Azure Virtual Network you have just created is now listed in the NETWORK menu in the Azure management interface.
Step 2. Create a VPN Gateway for the Microsoft Azure Network
Create the Azure VPN Gateway.
- Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
- In the left pane click NETWORKS.
- Click on the Network previously created in Step 1.
- In the top menu click on DASHBOARD.
- In the bottom pane, click CREATE GATEWAY.
- Select Static Routing from the list. Creating the gateway will take a couple of minutes.
When the color of the gateway turns blue, the gateway has been successfully created. The Gateway IP is now displayed below the VPN Gateway image.
Step 3. Configure IPsec Site-to-Site VPN on the X-Series Firewall
Create an active IPsec VPN connection on the X-Series Firewall.
- Go to the Site-to-Site page (VPN > Site-to-Site).
- If you are using a dynamic address (DHCP, xDSL, 3G) to connect to the Internet, or if you are behind a NAT, enable Use Dynamic IPs in the GLOBAL SERVER SETTINGS section and click Save. The VPN service restarts.
- In the Site-to-Site IPsec Tunnels section click on Add.
- Enter the Name for the IPsec VPN. E.g., AzureVPNGateway
- Configure the Phase 1 and Phase 2 encryption settings:
  - Phase 1:
    - Encryption – AES
    - Hash Method – SHA
    - DH Group – Group 2
    - Lifetime – 28800
  - Phase 2:
    - Encryption – AES
    - Hash Method – SHA256
    - Lifetime – 3600
    - Perfect Forward Secrecy – No
- Local End – Active
- Local Address – Dynamic, or static if you are using a static WAN connection.
- Local Networks – Enter your on-premise subnet(s). E.g.,
- Remote Gateway – Enter the IP for the GATEWAY IP ADDRESS listed on the DASHBOARD of your Azure network. E.g., 137.117.203.108
- Remote Networks – Enter the remote VPC subnet. E.g.,
- Click Save.
Step 4. Create an Access Rule
If you do not have the VPN-SITE-2-SITE access rule, you must create an access rule to allow traffic from your local network to the Azure subnet.
- Go to the FIREWALL > Firewall Rules page.
- Add an Access Rule:
  - Type – Select ALLOW.
  - Source – Enter your local network(s) or select a network object containing only your local network(s). E.g., 10.10.200.0/24
  - Destination – Enter the remote subnet in the Azure Network. E.g., 10.10.201.0/24
  - Network Services – Select Any.
  - Connection – Select No SNAT.
- Click Save.
- Place the firewall rule so that no rule above it matches the VPN traffic.
- Click Save.
Your X-Series Firewall will now automatically connect to the Azure VPN Gateway.
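The networks entered in Steps 1, 3 and 4 have to fit together: the local network, the Azure subnet and the gateway subnet. The following check of such an address plan is an added example, not part of the original guide or of any Barracuda or Azure tooling. The function name, the "servers" subnet name, the sample plans and the /29 minimum are assumptions made for illustration.

```python
import ipaddress

def check_plan(local_nets, azure_space, azure_subnets, gateway_subnet):
    """Return a list of problems in a site-to-site address plan (empty list = OK)."""
    net = ipaddress.ip_network  # strict: raises ValueError if host bits are set
    local = [net(n) for n in local_nets]
    space = net(azure_space)
    subnets = {name: net(cidr) for name, cidr in azure_subnets.items()}
    subnets["gateway"] = net(gateway_subnet)
    problems = []
    # On-premises and Azure ranges must be disjoint, otherwise the firewall
    # cannot tell which packets belong in the tunnel.
    for lnet in local:
        if lnet.overlaps(space):
            problems.append(f"local network {lnet} overlaps Azure address space {space}")
    # Every Azure subnet, including the gateway subnet, lies inside the address space.
    for name, s in subnets.items():
        if not s.subnet_of(space):
            problems.append(f"subnet {name} {s} is outside address space {space}")
    # Subnets of one virtual network must not overlap each other.
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"subnet {a} {subnets[a]} overlaps subnet {b} {subnets[b]}")
    # Assumption: the guide's /29 example (8 addresses) is the smallest gateway subnet.
    if subnets["gateway"].num_addresses < 8:
        problems.append(f"gateway subnet {subnets['gateway']} is smaller than /29")
    return problems

# Sample plans constructed for this example; 10.10.200.0/24 and 10.10.201.0/24
# are the guide's example local and Azure networks.
GOOD = dict(local_nets=["10.10.200.0/24"], azure_space="10.10.201.0/24",
            azure_subnets={"servers": "10.10.201.0/25"}, gateway_subnet="10.10.201.248/29")
BAD = dict(local_nets=["10.10.0.0/16"], azure_space="10.10.201.0/24",
           azure_subnets={"servers": "10.10.201.0/24"}, gateway_subnet="10.10.201.0/29")

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_plan(**plan) or "no problems found")
```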