How to Configure a Site to Site (S2S) VPN Between a SonicWall Firewall and Microsoft Azure | Step by Step Guide
This article covers how to configure a Site to Site VPN between a SonicWall firewall and Microsoft Azure.
For setting up Site to Site VPN, you need the followings:
• Azure valid subscription
• SonicWall hardware.
• Valid Public IP Address at the on-premises side.
In my lab, I am going to use SonicWall TZ 205 with SonicOS Enhanced 18.104.22.168 firmware. You can use any other model SonicWall or any NSA series of the SonicOS.
The following networks will be used for demonstration purposes during this article. Your networks may be different.
Azure Side Resources
- Gateway subnet: 10.10.0.0/24
- LAN subnet: 10.10.1.0/24
- Public IP: 22.214.171.124
SonicWall Side Resources
- LAN subnet: 126.96.36.199/24
- Public IP: 188.8.131.52
Let’s get started
- Log in to the Azure portal
- Navigate to Virtual Networks and click Add to create a new network scheme. You can also search by click New and search Virtual Network.
- In this scenario, we’ve defined the following network. Once filled out click Create.
Address space: 10.10.0.0/16
Subnet name: SL-VLAN
Subnet address range: 10.10.1.0/24
4. Next, we’ll define the gateway network inside of the virtual network we just created. In our case, the virtual network is called “SL-VNET”. Click back into SL-VNET, select Subnets | Gateway Subnet. Define the gateway subnet (in our case 10.10.0.0/24) and click Create.
The virtual network gateway uses a specific subnet called the Gateway Subnet. The Gateway Subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named ‘GatewaySubnet’ in order for Azure to deploy the gateway resources. You can’t specify a different subnet to deploy the gateway resources to. If you don’t have a subnet named ‘GatewaySubnet’, when you create your VPN gateway, it will fail.
Note: Gateway Subnet is used only for communication between other subnets. You should never deploy additional resources to the Gateway Subnet.
5. Next, we’ll create a virtual network gateway. Click on “All Services” and search for “Virtual network gateways“. (You can highlight “star” to pin in the left Menu)
6. Create a new virtual network gateway. Give the gateway a name and define the VPN type. We’ll select gateway type VPN and VPN type Route-based. Choose SKU type. Select the virtual network (in our case SL-VNET) and create a new public IP address. We’ll use this public IP address later on while configuring the VPN on the SonicWall. Click Create.
VPN Gateway throughput and connection limit capabilities are defined by the VPN SKU type. We deploy VPN SKU VpnGW1 as the default SKU. More information on VPN SKUs can be found in the screenshot below.
Note: Provisioning a virtual network gateway may take up to 45 minutes.
7. Click on the newly created virtual network gateway. Select Connections | Add.
8. Give the connection a name. Under connection type select Site-to-site (IPsec). Create a new local network gateway. This will be the public IP of the SonicWall and the local network. In our case, the local network of the SonicWall is the default SonicWall subnet 184.108.40.206/24.
9. Provide a secure shared key. This will also be used on the SonicWall. Click OK.
We created a connection. You can see that the status of the connection is showing as “Connecting” because we have not yet configured the VPN connection on the SonicWall side.
10. We’ll grab the public IP of Azure and use it in the SonicWall. Navigate to “All Services” and search for Public IP addresses. Take a note of the public IP for the next steps.
Creating an Address Object for the virtual network
- Navigate to the Network > Address Objects.
- Click Add to create a new Address Object.
Enter the following information:
Name – Enter a name for the Address Object (SL-AzureNetwork is used in this example)
Zone Assignment – Click the drop-down, and then select VPN.
Type – Click the drop-down, and then select Network.
Network – Enter the network IP address as shown in the SL-VNET.
Netmask/Prefix Length – Enter the netmask. (in our case 255.255.0.0).
Creating a SonicWall VPN Connection
- Navigate to the VPN tab. We’re using the SonicOS 220.127.116.11 firmware. Click Settings. Click Add to create a new VPN policy.
- Give the VPN policy a name. We’ll use the following settings:
Policy Type: Tunnel Interface
Authentication Method: IKE using Preshared Secret
Next, click the Proposals tab.
3. Under Proposals select:
IKE (Phase 1) Proposal: Exchange – IKEv2 Mode, Group – 2, Encryption – AES-256, Authentication – SHA1, Life Time – 28800.
IKE (Phase 2) Proposal: Protocol – ESP, Encryption – 3DES, Authentication – SHA1, Life Time – 27000.
4. Select the Advanced tab. Select Enable Keep Alive. Deselect Enable Windows Networking. Select Do not send trigger packet during IKE SA negotiation.
5. Next, navigate to Network | Routing. Select Route Policies and create a new policy. Set the destination for the Azure network and select the Azure interface.
Test the connectivity from SonicWall
It takes 5-7 minutes for the VPN policy to come up. Once the VPN policy is up we see a green indicator.
The SonicWALL firewall automatically initiates the VPN connection and keeps it alive when Keep Alive is enabled.
Test the connectivity from Azure
Go to the Azure Management Portal, and navigate to Virtual Networks Gateway.
Click the Connections and go to its Dashboard.
You can see the connection status changed from “Connecting” to “Connected“.
We have successfully configured Azure Site to Site VPN with SonicWall hardware Firewall.
Now you can create Virtual Machines in Azure and can access Azure VMs from your Network.
For additional help you can always reach out to us and order our cloud operations support services.
In the next lab, I will show you how you can configure Point to Site VPN with Azure.
Need Help? Contact Us
STEPINLOGIC | 292 262 6652
Full-service IT provider for Growing Companies in NY & NJ