Hi I am using the Azure VPN client (P2S) and have manually added an IP range to route this traffic via the VPN. The traffic is SQL related and will connect to an externally hosted SQL Server elswhere, outside of the Azure network. There is a firewall at the SQL side which requires an IP to allow traffic. How do I know which IP or IP range to add to the firewall to allow the routed traffic from the Azure network which has been routed via the Azure VPN client? thank you Leon

@LeonT , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. From your verbatim, I take it that you'd like to route Internet bound traffic (externally hosted SQL Server outside of Azure) from a local machine via Azure using P2S Please Note : The use case of Azure P2S VPN Gateway is to connect your remote devices to Azure VNET It is not designed to provide internet connectivity to P2S Clients. See : Custom routes for P2S VPN clients While you can make this work with a help of a NVA such as Azure Firewall, This is not recommended with regular VPN gateway. If you require this feature, we'd suggest you consider vWAN Secured Hub with "Internet Traffic Routing Policy" enabled If you are still interested using a regular VPN Gateway, Consider deploying a NVA or Azure Firewall on the VNET and route all traffic to the Firewall from the VPN Gateway. You should advertise additional custom routes of the externally hosted service's IP to the P2S Clients. On the GatewaySubnet, attach a UDR with routes 0.0.0.0/1 and 128.0.0.0/1 pointing to the nextHop as the NVA's/Azure Fierwall's IP Address Now, this Firewall will provide the P2S Clients with Internet connectivity And the outgoing communication will use the Pubic IP of the Azure Firewall Which you can whitelist in the externally hosted service's Firewall. NOTE : The Firewall should have an Allow rule allowing traffic to pass through it Kindly let us know if this helps or you need further assistance on this issue. Thanks, Kapil Please don’t forget to close the thread by clicking " Accept the answer " wherever the information provided helps you, as this can be beneficial to other community members.

Azure VPN (P2S) routing IP traffic

Accepted answer

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-07-24T06:02:42.0666667+00:00
@LeonT ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your verbatim, I take it that you'd like to route Internet bound traffic (externally hosted SQL Server outside of Azure) from a local machine via Azure using P2S

Please Note :

The use case of Azure P2S VPN Gateway is to connect your remote devices to Azure VNET

It is not designed to provide internet connectivity to P2S Clients.

See : Custom routes for P2S VPN clients

While you can make this work with a help of a NVA such as Azure Firewall,

This is not recommended with regular VPN gateway.

If you require this feature, we'd suggest you consider vWAN Secured Hub with "Internet Traffic Routing Policy" enabled

If you are still interested using a regular VPN Gateway,

Consider deploying a NVA or Azure Firewall on the VNET and route all traffic to the Firewall from the VPN Gateway.

You should advertise additional custom routes of the externally hosted service's IP to the P2S Clients.

On the GatewaySubnet, attach a UDR with routes 0.0.0.0/1 and 128.0.0.0/1 pointing to the nextHop as the NVA's/Azure Fierwall's IP Address

Now, this Firewall will provide the P2S Clients with Internet connectivity

And the outgoing communication will use the Pubic IP of the Azure Firewall

Which you can whitelist in the externally hosted service's Firewall.

NOTE :

The Firewall should have an Allow rule allowing traffic to pass through it

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

1 person found this answer helpful.
Zuuber 125 Reputation points

2024-07-24T14:54:01.4533333+00:00

I think i have achieved this now, my initial tests seems to work, thank you so much.

A final question, when you stated "The Firewall should have an Allow rule allowing traffic to pass through it". I think I have allowed ALL traffic, see attached, is this ok or should the rule be more specific? Am I allowing all inbound and outbound traffic into my Azure environment with the above rule, if so that's obviously not good.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-07-24T15:36:44.0666667+00:00

Zuuber ,

Glad we could be of assistance.

Allowing every traffic through Azure Firewall is not recommended.

Instead, in the Network Rule , keep the

Source : <P2S Client IP Address Pool>

Source Port : *

Destination : <externally hosted service's Public IP>

Destination Port : <externally hosted service's Port>

You can make use of Azure Firewall diagnostic logs to understand what traffic allowed and what is blocked

See : Enable diagnostic logging through the Azure portal

You can use the below KQL Query

AzureDiagnostics | where ResourceType == "AZUREFIREWALLS"

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Zuuber 125 Reputation points

2024-07-25T08:46:58.0433333+00:00

When you mentioned "This is not recommended with regular VPN gateway."
Why is it not recommended? What are the concerns \ drawbacks?

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-07-25T09:02:03.5+00:00

Zuuber ,

The main drawback is the Management overhead

The need to properly update the routes and the Firewall

Moreover, VPN Gateway is not designed for reverse forced tunneling.

i.e., the same would not work for S2S Connections as there is no way for you advertise 0.0.0.0/0 from Azure

However, vWAN can advertise this 0.0.0.0/0 default route.

Also, currently there are no MS Documents highlighting this set up.

It is always suggested to follow the documented design patterns.

Cheers,

Kapil

Zuuber 125 Reputation points

2024-07-25T09:22:46.46+00:00

If I went down the vWAN option it looks like an Azure Firewall is still required, is that correct?

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-07-25T09:45:06.8433333+00:00

Zuuber , yes - that is correct.

Zuuber 125 Reputation points

2024-07-25T13:21:25.5833333+00:00

I successfully got this working using the gateway option thanks to your pointers.

There will only be a small amount of SQL tarffic being routed so im thinking this option may be ok.

I want to see how the Virtual WAN option works but I am struggling setting this up, are you able to provide basic pointers again and im sure i can figure the rest out.

Also the documentaion i have read suggests that if there is already a VPN gateway on the virtual network this needs to be removed and a new gateway created, is that correct?

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-07-25T14:05:10.1533333+00:00

Zuuber , You are most welcome.

Wrt your question,

vWAN deploys a managed vHub in which the VPN Gateway gets deployed.

Then you have to connect the VNET to the vHub

See : Connect a virtual network to a Virtual WAN hub

This means, no VNET can have a VPN Gateway on it's own

Instead, every VNET should use the vHUB's VPN Gateway

You can review vWAN docs from : Create a site-to-site connection using Azure Virtual WAN on how to create a VPN Gateway on a vHUB

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure VPN (P2S) routing IP traffic

0 additional answers

Your answer