Configure a VPN with an NGFW Engine in Azure

When you have deployed an NGFW Engine in Azure, you can use it as an endpoint in VPNs with other NGFW Engines in your network.

Note: You cannot use Cloud Auto-Scaled Firewalls in VPNs.

Configuring a VPN between NGFW Engines that are managed by the same SMC has the following advantages compared to using Azure's native VPN tools:

  • Access control for VPN traffic
  • Centralized management of the NGFW Engines that act as VPN gateways

Because the public IP addresses of NGFW Engines deployed in Azure are dynamic, the following restrictions apply when you use an NGFW Engine deployed in Azure as a VPN gateway:

  • The VPN gateway must use the fully qualified domain name (FQDN) of your NGFW Engine as the phase-1 ID.
  • IKEv1 main mode with pre-shared key authentication is not supported. Aggressive mode allows the use of pre-shared keys, but for security reasons certificate-based authentication is recommended even when IKEv1 is set to aggressive mode.
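The restrictions above can be checked before a VPN is committed. The following is an added example, not part of this documentation or of the SMC's own object model or API; it assumes a hypothetical `VpnEndpoint` data class with constructed field names.

```python
"""Lint a proposed VPN endpoint that uses an NGFW Engine deployed in Azure.
Hypothetical data model constructed for illustration only; the SMC stores
VPN gateway settings in its own elements, not in this structure."""
from dataclasses import dataclass
from typing import List


@dataclass
class VpnEndpoint:
    engine_type: str          # "single" or "cloud_auto_scaled" (constructed labels)
    in_azure: bool            # True when the engine is deployed in Azure
    phase1_id_type: str       # "fqdn", "ip_address", "email", ... (constructed labels)
    ike_version: int          # 1 or 2
    ikev1_mode: str = "main"  # "main" or "aggressive"; ignored for IKEv2
    auth: str = "psk"         # "psk" or "certificate"


def lint_azure_vpn_endpoint(ep: VpnEndpoint) -> List[str]:
    """Return findings for the endpoint; an empty list means it is acceptable.
    'ERROR' findings block the configuration, 'WARN' findings are advisory."""
    findings: List[str] = []
    # Cloud Auto-Scaled Firewalls cannot take part in VPNs at all
    if ep.engine_type == "cloud_auto_scaled":
        findings.append("ERROR: Cloud Auto-Scaled Firewalls cannot be used in VPNs")
        return findings
    # The remaining restrictions only apply to engines deployed in Azure
    if not ep.in_azure:
        return findings
    # The public IP is dynamic, so the phase-1 ID must be the engine's FQDN
    if ep.phase1_id_type != "fqdn":
        findings.append(
            f"ERROR: phase-1 ID must be the engine's FQDN, not {ep.phase1_id_type}")
    if ep.ike_version == 1 and ep.auth == "psk":
        if ep.ikev1_mode == "main":
            findings.append(
                "ERROR: IKEv1 main mode with pre-shared key is not supported")
        elif ep.ikev1_mode == "aggressive":
            findings.append(
                "WARN: IKEv1 aggressive mode with PSK is allowed, but "
                "certificate-based authentication is recommended")
    return findings


def is_blocking(findings: List[str]) -> bool:
    """True when at least one finding is an ERROR."""
    return any(f.startswith("ERROR") for f in findings)
```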