Forced Tunneling with Azure Virtual Network, and Network Gateway in a Point-To-Site scenario.

Mark McGookin 21 Reputation points
2022-05-16T13:02:29.54+00:00

Hi,

We have a number of remote developers that require access to external services, that we have to have a static IP address for. As the developers are all remote now, we have no 'office IP address' to add.

We have created an Azure Virtual Network, and associated it with a Public IP Address. We have also added a Network Gateway to the VNet and successfully connected a client (using macOS) to the network, and it all seems to be working fine. The VNet Gateway is set up to be a 'route-based' VPN. The SKU is VpnGw2AZ.

However, after some further reading, this P2S causes the Internet Traffic to be dropped by the VPN and connections to the internet still use the client machine's IP address. Is there any way that we can use this existing setup to enable forced-tunneling on the VPN connections, so when a user is connected to the VPN, all their internet traffic flows through the virtual network and out via the Public IP address? (Thus allowing us to add that IP address to the external providers white list)

I have read that there is a way to use a firewall in a vnet with a custom route to force internet traffic to use the public IP, but am unsure just how to go about configuring that.

This won't be huge amounts of traffic, but as the external providers take 6 weeks to change a whitelisted IP address, it's business critical for us to get this working.

Any help would be appreciated.

Mark


Accepted answer
  1. GitaraniSharma-MSFT 47,316 Reputation points Microsoft Employee
    2022-05-19T12:48:20.067+00:00

    Hello @Mark McGookin ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to configure forced tunneling on your Azure P2S VPN and get a static IP address for external/Internet connectivity.

    Forced tunneling is generally not supported for Azure P2S VPN unless you use Azure Firewall Manager. If you secure internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your clients send all internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the PIP of Azure Firewall for egress to the Internet.

    Please note that to advertise the 0.0.0.0/0 route to your VPN clients, you need to break it into two smaller subnets, 0.0.0.0/1 and 128.0.0.0/1, as mentioned in the below document:
    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    You have to deploy a secured virtual hub with Firewall Manager and add the P2S VPN Gateway to allow your egress traffic, which will be controlled by a firewall policy.
    Refer : https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    You can refer to the below doc, which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN, and take inputs on the configuration:
    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Another reference for you:
    https://learn.microsoft.com/en-us/answers/questions/689877/index.html

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

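As an added example (not from the accepted answer or from Microsoft's docs), the custom-route step described above expressed as a small Azure CLI script: it turns 0.0.0.0/0 into the two /1 halves the gateway will accept, pushes them to the gateway, and reads back what is advertised. The resource group and gateway name are placeholders passed on the command line; the `az network vnet-gateway update --custom-routes` and `show --query customRoutes.addressPrefixes` calls are the real CLI surface.

```shell
#!/usr/bin/env bash
# Added example: advertise the split default route to P2S clients on an existing
# route-based VPN gateway (the VpnGw2AZ gateway from the question qualifies).
# Advertising these routes only pulls client internet traffic into the VNet;
# egress still needs Azure Firewall (or another NAT) in the VNet to SNAT it,
# otherwise connected clients lose internet access, as the answers above note.
set -eu

# Expand 0.0.0.0/0 into 0.0.0.0/1 and 128.0.0.0/1; pass every other prefix through.
# The two /1 halves cover the same space as the default route but, being more
# specific, take precedence over the client's own default route.
split_default_route() {
    case "$1" in
        0.0.0.0/0) printf '%s\n' "0.0.0.0/1" "128.0.0.0/1" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Build the space-separated --custom-routes list from any mix of prefixes,
# de-duplicating so passing both 0.0.0.0/0 and 0.0.0.0/1 yields each prefix once.
build_custom_routes() {
    out=""
    for p in "$@"; do
        for r in $(split_default_route "$p"); do
            case " $out " in
                *" $r "*) ;;
                *) out="${out:+$out }$r" ;;
            esac
        done
    done
    printf '%s' "$out"
}

# Apply the routes to the gateway; requires an authenticated az CLI session.
apply_forced_tunnel_routes() {
    rg="$1"; gw="$2"; shift 2
    # shellcheck disable=SC2046  (word splitting of the route list is intended)
    az network vnet-gateway update --resource-group "$rg" --name "$gw" \
        --custom-routes $(build_custom_routes "$@") --output none
}

# Read back the advertised prefixes to verify the change. Existing P2S sessions
# only receive new routes after the client reconnects.
show_custom_routes() {
    az network vnet-gateway show --resource-group "$1" --name "$2" \
        --query 'customRoutes.addressPrefixes' --output tsv
}

# Usage: ./forced-tunnel-routes.sh apply <resource-group> <gateway-name>
if [ "${1:-}" = "apply" ]; then
    apply_forced_tunnel_routes "${2:?resource group}" "${3:?gateway name}" 0.0.0.0/0
    show_custom_routes "$2" "$3"
fi
```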

2 additional answers

Sort by: Most helpful
  1. Randy Sutton 36 Reputation points
    2022-12-26T17:45:59.827+00:00

    I'm facing a similar situation and finding it difficult to get this setup. It seems like the Virtual WAN/HUB is a replacement for the existing Virtual Network Gateway. Connecting these two seems like overkill since the Virtual WAN provides all the same functionality as the Virtual Network Gateway. Plus, the cost for Virtual WAN is astronomical compared to the Virtual Network Gateway.


  2. Cristian SPIRIDON 4,471 Reputation points
    2022-05-17T03:14:44.04+00:00

    Hi,

    You can configure forced tunneling as explained in the following post:
    https://learn.microsoft.com/en-us/answers/questions/531188/does-azure-vpn-allow-to-route-all-traffic-now.html

    The idea is that with that, all your network traffic is routed through the VPN and then the Azure infrastructure. You will lose internet if your VPN is not properly configured to provide NAT, but if you configure NAT on the VPN then forced tunnelling will solve your requirements.

    Hope this helps!