Restrict Access

Nandan NK 50 Reputation points
2024-05-06T18:02:42.8233333+00:00

We have a few Azure customers, and they have firewall servers hosted in Azure (PAN firewall or FortiClient). Our network team needs to access those firewall servers over SSH and port 443. We have a VPN set up in the office, so we have whitelisted our VPN IP in the customer firewall VM's NSG, but the thing is that almost 300 users connect to the VPN directly, and they can also access the customers' firewalls if they get the credentials. This is not good, so I'm looking for some solution.

EX: I'm thinking of creating a VDI, terminal, or bastion host server in our Azure environment that would act as a jump host to the firewall. Is there any other, better way someone can suggest?


2 answers

  1. ChaitanyaNaykodi-MSFT 23,911 Reputation points Microsoft Employee
    2024-05-06T23:31:42.43+00:00

    @Nandan NK

    I understand you wish to access the firewall servers over SSH and port 443.

    EX: I'm thinking of creating a VDI, terminal, or bastion host server in our Azure environment that would act as a jump host to the firewall. Is there any other, better way someone can suggest?

    Using Azure Bastion would be a good choice in this case; you can also enable MFA using Microsoft Entra authentication. But just in case, as documented here: if you're advertising a default route (0.0.0.0/0) over VPN and this route is being injected into your virtual networks, this will break the Azure Bastion service.

    Another approach you can explore is to configure P2S VPN for access based on users and groups with Microsoft Entra authentication, as documented here.

    When you use Microsoft Entra ID as the authentication method for P2S, you can configure P2S to allow different access for different users and groups. If you want different sets of users to be able to connect to different VPN gateways, you can register multiple apps in AD and link them to different VPN gateways, although you will have to deploy an additional VPN gateway in this case.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. Jing Zhou 3,350 Reputation points Microsoft Vendor
    2024-05-08T07:45:25.5866667+00:00

    Hello,


    Thank you for posting in Q&A forum.

    Azure Bastion can be a proper way to restrict access to the firewall.

    Bastion can work as a jump machine to the firewall server and avoid unnecessary access.

    REF: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview

    Meanwhile, you can create a network security group and restrict source IP access to the firewall server, which will cost less than Bastion.

    REF: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    Hope this answer can help you well.


    Best regards,

    Jill Zhou
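As an added example that is not code from either answer above, the following Bicep defines the NSG that both answers point at: SSH and 443 are allowed only from the AzureBastionSubnet, and a lower-priority rule blocks those ports from every other source, which also closes the shared VPN path (the default AllowVnetInBound rule would otherwise admit on-premises ranges reached through the VPN gateway, because the VirtualNetwork tag covers them). The resource names and the Bastion subnet range are assumptions.

```bicep
// Added example (not from the thread): NSG for the customer's firewall management
// interface. Management ports are reachable only through Azure Bastion, so every
// session goes through Bastion's Entra sign-in (and MFA) instead of any of the
// ~300 VPN users sharing one whitelisted VPN IP. Names and ranges are assumed.
param location string = resourceGroup().location
param bastionSubnetPrefix string = '10.10.255.0/26' // assumed AzureBastionSubnet range

resource firewallMgmtNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-firewall-mgmt'
  location: location
  properties: {
    securityRules: [
      {
        // Only traffic that has already passed through Bastion reaches 22/443
        name: 'Allow-Mgmt-From-Bastion'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: ['22', '443']
        }
      }
      {
        // Explicit catch-all deny for the management ports. Without it, the default
        // AllowVnetInBound rule (priority 65000) would still admit the VPN users,
        // since the VirtualNetwork tag includes on-premises ranges behind the gateway.
        name: 'Deny-Mgmt-From-Everything-Else'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: ['22', '443']
        }
      }
    ]
  }
}

// Attach this NSG to the firewall VM's management subnet or NIC; drop the old
// rule that allowed the office VPN IP at the same time.
output nsgId string = firewallMgmtNsg.id
```

After deployment, `az network nsg rule list` on the NSG (or the VM's effective security rules) should show no remaining Allow rule whose source is the office VPN IP.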