This is the diagram I used for the lab. I used the same topology to deploy a site-to-site VPN between Azure and an on-prem Palo Alto firewall (https://tungle.ca/?p=3338). Basically, I removed the Palo Alto firewall from the diagram and put a FortiGate in its place.
![](https://tungle.ca/wp-content/uploads/2022/04/image-791.png)
Create a new virtual network named Azure-PA.
![](https://tungle.ca/wp-content/uploads/2022/04/image-736.png)
Rename the default subnet to PrivateSubnet, 10.0.1.0.
![](https://tungle.ca/wp-content/uploads/2022/04/image-737.png)
The subnet address range is 10.0.1.0/24.
![](https://tungle.ca/wp-content/uploads/2022/04/image-739.png)
Click Create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-741.png)
Create a new subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-742.png)
The subnet address range is 10.0.0.0/24.
![](https://tungle.ca/wp-content/uploads/2022/04/image-743.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-744-1024x403.png)
Go to “Virtual network gateway” to create a new virtual network gateway.
![](https://tungle.ca/wp-content/uploads/2022/04/image-745.png)
Virtual network: Azure-PA.
Subnet: GatewaySubnet 10.0.0.0/24
Public IP address name: VPNIP
![](https://tungle.ca/wp-content/uploads/2022/04/image-746.png)
Click Create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-747.png)
Wait around 20 to 30 minutes for the deployment to complete.
![](https://tungle.ca/wp-content/uploads/2022/04/image-749.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-750.png)
Go to “Local network gateway” and create a new local network gateway.
The IP address is the public IP address of the Palo Alto firewall.
The address space is the Palo Alto firewall's LAN subnets.
![](https://tungle.ca/wp-content/uploads/2022/04/image-751.png)
Click Create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-752.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-753.png)
Go to “Virtual network gateways” and select the virtual network gateway created in the previous step.
![](https://tungle.ca/wp-content/uploads/2022/04/image-754-1024x256.png)
Go to “Connections” – Add.
![](https://tungle.ca/wp-content/uploads/2022/04/image-755.png)
Enter a shared key (PSK) for the site-to-site VPN.
![](https://tungle.ca/wp-content/uploads/2022/04/image-756.png)
Take note of the public IP address of the Azure VPN gateway.
![](https://tungle.ca/wp-content/uploads/2022/04/image-766-1024x461.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-757-1024x328.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-759-1024x396.png)
On the on-prem FortiGate:
![](https://tungle.ca/wp-content/uploads/2022/04/image-801.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-802.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-803.png)
Create a static default route.
![](https://tungle.ca/wp-content/uploads/2022/04/image-804.png)
Configure an IPsec tunnel.
![](https://tungle.ca/wp-content/uploads/2022/04/image-799.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-805.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-822.png)
Phase 1.
![](https://tungle.ca/wp-content/uploads/2022/04/image-810.png)
Phase 2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-811.png)
Create new network (address) objects on the FortiGate.
FG-LAN: 172.16.0.0/16
![](https://tungle.ca/wp-content/uploads/2022/04/image-812.png)
Azure-LAN: 10.0.0.0/16
![](https://tungle.ca/wp-content/uploads/2022/04/image-815.png)
Create both access rules to allow traffic from the FortiGate LAN subnets to your Azure private subnets. Remember to disable NAT on these rules.
![](https://tungle.ca/wp-content/uploads/2022/04/image-816.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-813.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-814.png)
Create a static route that sends traffic from the FortiGate LAN subnets to your Azure private subnets via the IKEv2 IPsec site-to-site tunnel.
![](https://tungle.ca/wp-content/uploads/2022/04/image-817.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-818.png)
Ping from the Kali machine to the Windows 2016 server on Azure.
![](https://tungle.ca/wp-content/uploads/2022/04/image-821.png)
The tunnel is up on FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-819.png)
Ping the Kali machine on the FortiGate LAN subnet from Azure.
![](https://tungle.ca/wp-content/uploads/2022/04/image-820.png)
Back on VPN2S in Azure, we can see the VPN connection status is “Connected”.
![](https://tungle.ca/wp-content/uploads/2022/04/image-784-1024x371.png)