Deploy Dynamic Routing (BGP) between Azure VPN and Third-Party Firewall (Palo Alto)
This blog explains how to deploy dynamic routing (BGP) between an Azure VPN gateway and a third-party firewall. You can use this topology and deployment guide wherever you need VPN connectivity between an on-premises third-party VPN device and Azure VPN, or another cloud environment.
Why BGP?
BGP is the standard routing protocol used on the Internet to exchange routing and reachability information between two or more networks. In the context of Azure Virtual Networks, BGP lets the Azure VPN gateway and your on-premises VPN device, called BGP peers or neighbors, exchange routes that tell each side which prefixes are reachable through the other gateway. BGP can also enable transit routing among multiple networks, because a BGP gateway propagates the routes it learns from one peer to all its other peers.
Diagram: BGP Between Azure VPN and Third-Party Firewall
Pre-Requisite
Firewall Network: a firewall with three interfaces (Public, Private, Management). This lab uses a VM-Series Palo Alto firewall.
Azure VPN Network: a test VM and a dedicated Gateway Subnet.
Test Network connected to the Firewall Network: an Azure VM with a UDR whose next hop is the firewall's internal (private) interface. The test network must be peered with the firewall network.
Configuration
Part 1: Configure Azure VPN with BGP enabled
Create a Virtual Network Gateway with the following specification:
Provide Name, Gateway type (VPN), VPN SKU, VNet (with a dedicated Gateway Subnet), Public IP
Enable BGP and provide the AS number (Azure defaults to 65515; the firewall must use a different ASN)
Create
Note: Azure automatically provisions the gateway's BGP peer with an IP address from the Gateway Subnet. After deployment the configuration looks similar to the screenshot below. Make a note of the generated Public IP and BGP peer IP; both are needed when configuring the VPN on the remote end.
Create Local Network Gateway
The Local Network Gateway represents the firewall side of the VPN; this is where you enter the remote end's parameters.
Provide a Name and the remote peer's public IP (the firewall's untrust interface address).
In the Address space, specify the remote BGP peer IP as a host (/32) prefix; on the Palo Alto this is the loopback address, which is also used as the Router ID.
Note that with static routing instead of BGP you would have to list here every remote network range that should be reachable through the VPN. BGP makes this much simpler, because those prefixes are learned dynamically.
On the Advanced tab, enable BGP and provide the remote ASN and the remote BGP peer IP.
Create
Create the Connection with the default crypto profile
Once the VPN Gateway and Local Network Gateway are provisioned, you can build the Connection, which holds the IPsec and IKE configuration.
Go to the VPN gateway and, under Settings, add a Connection.
Provide Name, VPN Gateway, Local Network Gateway, Pre-Shared Key (use a long, randomly generated key; it must match the key configured on the firewall).
Enable BGP
If required, modify the IPsec and IKE crypto settings; otherwise leave the defaults. Note that the default policy lets the gateway negotiate from a broad set of algorithms, including older ones such as DH group 2, 3DES and SHA1; for production, pin a custom policy so that only the algorithms you want are accepted.
Create
That completes the Azure side; now move to the firewall.
Part 2: Configure Palo Alto Firewall VPN with BGP enabled
Create an IKE Gateway with the default IKE crypto profile
Provide the IKE version, local VPN interface (untrust), peer IP (the Azure VPN gateway's public IP) and the pre-shared key. If you pinned a custom IKE/IPsec policy on the Azure connection, the crypto profiles used here must offer matching algorithms, or the negotiation fails.
Create an IPsec Tunnel with the default IPsec crypto profile
Create a tunnel interface
Create the IPsec tunnel: provide the tunnel interface, IPsec crypto profile and IKE gateway.
With this configuration the tunnel should come up.
Now finish the remaining BGP configuration.
Configure a loopback interface to act as the BGP peer address; in this lab the loopback is 10.0.17.5.
Configure a Redistribution Profile on the virtual router.
The redistribution profile controls which routes (for example connected and static routes) are redistributed into BGP and advertised to the peer. Keep it as narrow as possible, only the prefixes Azure actually needs to reach, so that management networks or other internal ranges are not advertised by accident.
Enable BGP and configure the local and peer BGP parameters.
Provide the Router ID and AS number.
Make sure the Install Route option is enabled, so that routes learned from Azure are installed in the firewall's forwarding table.
Configure an eBGP peer group and a peer with the local BGP peer IP (the loopback), the remote (Azure) BGP peer IP and the remote (Azure) BGP ASN.
Also specify the redistribution profile, and enable Allow Redistribute Default Route only if you intend to propagate the default route to the Azure peer: a 0.0.0.0/0 learned over the tunnel takes precedence over Azure's system Internet route, so Internet-bound traffic from Azure VMs is then forced through the firewall.
Create a static route for the Azure BGP peer IP (/32) with the tunnel interface as the egress, so that the BGP session traffic to the peer is sent into the tunnel.
Commit changes
Test Results
Now we can test connectivity. The required NAT rules and default route were already configured on the firewall. The propagated routes can be seen on both the Azure VPN gateway and the Palo Alto firewall. Note that the first two NAT rules publish RDP (3389) on the untrust interface to any source; outside a lab, restrict the source addresses in the matching security policy to known admin networks.
FW NAT rules:

| Name | Src Zone | Dst Zone | Dst I/F | Dst Addr | Service | Source Translation | Destination Translation |
|---|---|---|---|---|---|---|---|
| nattovm1 | any | Untrust | any | untrust_int_ip | 3389 | none | destination-translation; address: vm1 |
| nattovm2 | any | Untrust | any | untrust_int_ip | 3000 | none | destination-translation; address: vm2; port: 3389 |
| natto internet | any | Untrust | ethernet1/1 | default | 0.0.0.0/0 | dynamic-ip-and-port; ethernet1/1 | none |
Static route configured:
Azure VPN GW Connection Status and Propagated routes
Azure Test VM1 (10.0.0.4) Effective routes
Palo Alto BGP Summary
Palo Alto BGP connection status
Palo Alto BGP Received Route
Palo Alto BGP Propagated Route
Final Forwarding table
Ping and traceroute results from Test VM1 to Test VM2
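The status screenshots above (connection state and learned routes on the Azure gateway, IKE/IPsec SAs and BGP peer state on the firewall) can be pulled from the CLI on both ends, which also covers the "tunnel should come up" check from Part 2. The following is an added example, not part of the original post: it assumes `az login` has been done, a PAN-OS 9.0 or later XML API with the key passed in the `X-PAN-KEY` header, and placeholder values for the resource names, firewall management host and CA file. The XML sample at the end is constructed to show the shape the parsing expects, not a capture from the lab.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): read the state the screenshots
# show, from the CLI on both ends, and fail unless a BGP peer is Established.
# Resource names, the firewall host and the CA path are assumptions.
set -eu

RG="${RG:-rg-bgp-lab}"
VNG="${VNG:-vng-azure-vpn}"
CONN="${CONN:-cn-azure-to-paloalto}"
FW_HOST="${FW_HOST:-fw-mgmt.example.invalid}"      # firewall management address (assumed)
FW_CA="${FW_CA:-/etc/ssl/certs/fw-mgmt-ca.pem}"    # CA that signed the mgmt certificate (assumed)

# Azure side: connection state, BGP peer state and the prefixes learned over eBGP.
azure_status() {
  az network vpn-connection show --resource-group "$RG" --name "$CONN" \
      --query connectionStatus --output tsv
  az network vnet-gateway list-bgp-peer-status --resource-group "$RG" --name "$VNG" \
      --query "value[].{peer:neighbor,asn:asn,state:state,received:routesReceived}" \
      --output table
  az network vnet-gateway list-learned-routes --resource-group "$RG" --name "$VNG" \
      --query "value[?origin=='EBgp'].{prefix:network,nextHop:nextHop,asPath:asPath}" \
      --output table
}

# PAN-OS XML API operational command. The API key goes in the X-PAN-KEY header
# (PAN-OS 9.0+) rather than the URL so it does not land in proxy or web-server
# logs, and the management certificate is verified against FW_CA instead of curl -k.
pan_op() {
  : "${PAN_API_KEY:?export PAN_API_KEY (create it once with type=keygen)}"
  curl --silent --fail --cacert "$FW_CA" -H "X-PAN-KEY: $PAN_API_KEY" \
       --data-urlencode "type=op" --data-urlencode "cmd=$1" "https://$FW_HOST/api/"
}

BGP_PEER_CMD='<show><routing><protocol><bgp><peer></peer></bgp></protocol></routing></show>'

# Firewall side: IKE SA (phase 1), IPsec SA (tunnel), BGP peer state, BGP RIB and
# the BGP routes installed in the forwarding table (Install Route must be on).
fw_status() {
  pan_op '<show><vpn><ike-sa></ike-sa></vpn></show>'
  pan_op '<show><vpn><ipsec-sa></ipsec-sa></vpn></show>'
  pan_op "$BGP_PEER_CMD"
  pan_op '<show><routing><protocol><bgp><loc-rib></loc-rib></bgp></protocol></routing></show>'
  pan_op '<show><routing><route><type>bgp</type></route></routing></show>'
}

# Count peers reported as Established in the BGP peer XML read from stdin.
count_established() {
  grep -o '<status>Established</status>' | wc -l | tr -d ' '
}

# Succeed only when at least one peer is Established; usable as a gate in a change pipeline.
bgp_is_up() {
  [ "$(count_established)" -ge 1 ]
}

# Constructed sample of the peer XML shape (not a capture from the lab), for dry runs.
SAMPLE_PEER_XML='<response status="success"><result><entry peer="AzureVPN" vr="default"><peer-group>Azure</peer-group><remote-as>65515</remote-as><status>Established</status></entry></result></response>'

# Run as "./bgp-check.sh run"; without the argument nothing is contacted.
if [ "${1:-}" = "run" ]; then
  azure_status
  fw_status
  pan_op "$BGP_PEER_CMD" | bgp_is_up || { echo "no BGP peer in Established state" >&2; exit 1; }
fi
```

Generate the API key once with a `type=keygen` request (user and password as form fields, over the same `--cacert`-verified connection) using a dedicated read-only API role, and store it in a secret store rather than in the script. On the Azure side the `state` column from `list-bgp-peer-status` should read Connected and the learned routes should show the firewall's loopback as `nextHop`; on the firewall the BGP routes listed last are the ones that replace the static routes a non-BGP design would need.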
Conclusion:
BGP simplifies route advertisement: the prefixes on each side are learned automatically instead of being maintained by hand. There are many more BGP options that can be tuned for smoother routing. BGP also enables automatic failover and high availability when more than one tunnel is configured. It is therefore recommended to configure BGP for production-grade, complex networking.