Supported Platforms
Microsoft Azure is supported with the following Dell SonicWALL appliances:
- SuperMassive E10000 Series
- SuperMassive 9200 / 9400 / 9600
- E-Class NSA E5500 / E6500 / E7500 / E8500 / E8510
- NSA 2600 / 3600 / 4600 / 5600 / 6600
- NSA 220 / 220W / 240 / 250M / 250MW / 2400 / 2400MX / 3500 / 4500 / 5000
- TZ 100 / 100W / 105 / 105W / 200 / 200W / 205 / 205W / 210 / 210W / 215 / 215W
- TZ 300 / 300W / 400 / 400W / 500 / 500W / 600
- SOHO / SOHO W
Supported firmware
For the SuperMassive E10000 series, all approved versions of SonicOS support Microsoft Azure. For platforms other than the SuperMassive E10000 Series, the following SonicOS firmware or hotfixes support the latest version of Microsoft Azure:
Contact Support at https://support.software.dell.com/manage-service-request to obtain a hotfix or support build for your Dell SonicWALL firewall. Non-hotfix or support build firmware is available on MySonicWALL for your platform.
In this example:
VPN Type: PolicyBased
Local virtual network gateway: 208.x.x.40 (SonicWALL external interface IP, i.e. its public IP address)
Azure Gateway Public IP Address: 40.x.x.x
Local Network Address: 192.168.37.0/24 (Your on-premises local network. Specify the starting IP address of your network.)
Azure VNet Address: 40.0.0.0/16
Shared Key: s30keBEOikz5Orl1GYI8not22dbnuZCJ
It takes a couple of minutes to create the Gateway Connection. Once it is created, review the Virtual Network Gateway IP Address.
#Sonicwall Configuration#
- Log into the SonicOS management interface as an administrator
- Navigate to the VPN > Settings dialog
- Click Add
The VPN Policy dialog displays:
Enter the following information:
- Authentication Method – select IKE using Preshared Secret
- Name – Enter a name for the policy (Azure is used in this example)
- IPsec Primary Gateway Name or Address – in this example, 40.x.x.x. For more information, see the DynRouteVPN Quick Start dialog.
- Shared Secret – in this example, s30keBEOikz5Orl1GYI8not22dbnuZCJ. For more information, see Managing Shared Keys.
Click the Proposals tab:
Click the Exchange drop-down menu, and then select IKEv2 Mode.
- Azure supports only IKEv2 Mode for route-based site-to-site VPN. For more information about the settings on this dialog, refer to the MSDN article titled About VPN Devices for Virtual Network.
Click the Advanced tab:
- Select the Enable Keep Alive check box
- Click the VPN Policy bound to drop-down menu, and then select a WAN interface. For example, Interface X5
- Click OK
- Navigate to the Network > Address Objects dialog
- Click Add to create a new Address Object
The Add Address Object dialog displays:
NOTE: The information displayed in this dialog is for example only, and can vary depending on your network.
Enter the following information:
- Name – Enter a name for the Address Object (Azure Network is used in this example)
- Zone Assignment – Click the drop-down, and then select VPN
- Type – Click the drop-down, and then select Network
- Network – in this example 40.0.0.0
- Netmask/Prefix Length – in this example 255.255.0.0
- Click Add
To create a static route policy, complete the following steps:
- Navigate to the Network > Routing dialog
- Click Add to create a new Route Policy
The Add Route Policy dialog displays:
Configure Source to the same on-premise network you configured in the Site-to-Site Connectivity dialog.
NOTE: The information displayed in this screenshot is for example only, and could vary depending on your network.
- Select Disable route when the interface is disconnected
- Select Auto-add Access Rules
- Click OK
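A pre-flight check of the address plan entered in the Address Object and Route Policy steps above, as an added example that is not part of the original procedure. The helper name check_address_plan, its warning labels, and the sample gateway address are assumptions for illustration; the overlap and RFC 1918 checks go beyond what the page itself covers.

```python
import ipaddress

# RFC 1918 private ranges; a VNet outside them shadows real public addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_address_plan(local_cidr, azure_cidr, azure_gateway_ip=None):
    """Validate the site-to-site address plan (hypothetical helper, IPv4 only).

    Returns (address_object, warnings). address_object holds the Network and
    Netmask values for the Add Address Object dialog. Raises ValueError if a
    CIDR has host bits set, i.e. is not the starting address of the network.
    """
    local = ipaddress.ip_network(local_cidr, strict=True)
    azure = ipaddress.ip_network(azure_cidr, strict=True)
    warnings = []

    # Overlapping ranges make routing ambiguous: the same address would
    # exist on both sides of the tunnel.
    if local.overlaps(azure):
        warnings.append(f"overlap: {local} and {azure} share addresses")

    # A non-private VNet range pulls traffic for real Internet hosts in that
    # range into the tunnel once the static route is added.
    if not any(azure.subnet_of(n) for n in RFC1918):
        warnings.append(f"public-range: {azure} is not RFC 1918 space")

    # The tunnel peer's public IP should not fall inside the range that is
    # routed through the tunnel.
    if azure_gateway_ip and ipaddress.ip_address(azure_gateway_ip) in azure:
        warnings.append(f"gateway-in-range: {azure_gateway_ip} is inside {azure}")

    address_object = {"Network": str(azure.network_address),
                      "Netmask": str(azure.netmask)}
    return address_object, warnings

if __name__ == "__main__":
    # Networks are the values from this page; the gateway IP is constructed.
    obj, warns = check_address_plan("192.168.37.0/24", "40.0.0.0/16", "40.0.12.5")
    print(obj)
    for w in warns:
        print("WARNING:", w)
```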
###Testing Connectivity###
To test the connectivity from the Azure portal, view the connection resource.
To test the connectivity from SonicOS:
- Log in to the SonicOS management interface, and navigate to the VPN > Settings dialog
In the VPN Policies table, the VPN shows as connected:
It might take a while for the VPN tunnel to show as connected in the Azure Management Portal.
To test traffic flow from the SonicOS side to the Azure cloud, complete either of the following:
- Try to establish an RDP connection to a Virtual Machine (VM) in the cloud on port 3389 from a host behind the Dell SonicWALL firewall
- Try to ping a VM in the cloud from a host behind the Dell SonicWALL firewall
By default, a VM in Azure has inbound ICMP blocked by Windows Firewall. Enable it in Windows with this command:
netsh advfirewall firewall add rule name="All ICMP V4" protocol=icmpv4:any,any dir=in action=allow