Denying Access between Multiple Site-to-Site Connections on Azure Virtual Network Gateway

Question

Denying Access between Multiple Site-to-Site Connections on Azure Virtual Network Gateway

Hannu Oksman 87

When utilizing Azure Virtual Network Gateway with multiple site-to-site connections, can the different sites by access each other default?

If yes, is the use of Network Security Group with outbound deny rules, accompanied by necessary allow-rules with higher priority the best practice?

If no, what is required to enable transit routing between VPN devices via Azure? BGP?

Please note, we do not want the sites to access each other, nor do we require hub-spoke topology.

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-08T08:18:21.1533333+00:00

@Hannu Oksman

We noticed your experience on this Q&A community platform for this thread was rated as "Not helpful".

However, in light of the answer I have provided recently, I would urge you to reconsider your feedback and Accept this answer to close this thread.

Should you have any follow up queries, please do let me know and I shall be more than glad to assist you :)

We are eager to know what could have been done better to evolve your experience to a 5* star rating. Your candid feedback is very important to us.

Looking forward to your reply.

Cheers,

Kapil
Hannu Oksman 87 Reputation points

2023-06-12T05:28:35.82+00:00

@KapilAnanth-MSFT thank you, it was a misunderstanding. I rated temporarily one post as 'No' because UI showed "Did this solve your problem?" which it didn't. However, it was helpful.

I've noticed some threads have "Was this answer helpful?" instead of "Did this solve your problem?". Maybe the latter is visible because I started this thread?

Based on your experience/feedback comment "Did this solve your problem?" seems to ask about helpfulness, not about solving the problem? If so, maybe the text could be improved to avoid future misunderstandings?

Accepted answer

1 additional answer

Your answer

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-06-08T08:18:21.1533333+00:00

@Hannu Oksman

We noticed your experience on this Q&A community platform for this thread was rated as "Not helpful".

However, in light of the answer I have provided recently, I would urge you to reconsider your feedback and Accept this answer to close this thread.

Should you have any follow up queries, please do let me know and I shall be more than glad to assist you :)

We are eager to know what could have been done better to evolve your experience to a 5* star rating. Your candid feedback is very important to us.

Looking forward to your reply.

Cheers,

Kapil
Hannu Oksman 87 Reputation points

2023-06-12T05:28:35.82+00:00

@KapilAnanth-MSFT thank you, it was a misunderstanding. I rated temporarily one post as 'No' because UI showed "Did this solve your problem?" which it didn't. However, it was helpful.

I've noticed some threads have "Was this answer helpful?" instead of "Did this solve your problem?". Maybe the latter is visible because I started this thread?

Based on your experience/feedback comment "Did this solve your problem?" seems to ask about helpfulness, not about solving the problem? If so, maybe the text could be improved to avoid future misunderstandings?

Answer 1

@Hannu Oksman

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know if Azure VPN gateway can provide transit connectivity to your OnPrem networks.

Yes, Azure VPN Gateways with BGP enabled S2S Connections, will enable transit connectivity between your sites.

This is documented here : Transit routing between your on-premises networks and multiple Azure VNets

User's image

The recommended approach to prevent this, is, as you stated,

to use NSG for workloads in VNet.
And for servers in OnPremises, you must have Firewalls in place so that they only talk to the expected destination servers.
Also, you can disable BGP for the S2S Connections - and this will prevent Transit routing.

Hope this helps. Kindly let us know if you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 2

Paul Wildenberg 5

When using a route based VPN gateway it is possible for different sites to communicate if routing on the different sites is configured to use the VPN connection for traffic to the other site. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

It is not advisable to use a Network Security Group on the Gateway subnet as it might lead to unexpected behavior: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal. You should restrict incoming traffic on the firewalls of the respected sites.

Hannu Oksman 87 Reputation points

2023-06-08T07:33:19.73+00:00

Thank you.

From the first link I understand that on-site/prem policy-based VPN cannot use Azure VPNG to transit to other on-prem, which is fine because that's unwanted: "The on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same Azure VPN gateway."

The second link advice against associating a network security group (NSG) to the gateway subnet, so I'll look for other options. Yes, I should advice different sites (spokes) on firewall usage, but I wouldn't want to rely on that and make sure that from Azure VPN (hub) sites cannot transit to each other.

This didn't answer the main question about can the different sites by access each other default. From Comparison of virtual network peering and VPN Gateway (link) table I gather that the answer is 'No' because BGP isn't enabled, yes? Table says "Transitive relationship": "If virtual networks are connected via VPN gateways and BGP is enabled in the virtual network connections, transitivity works."
Paul Wildenberg 5 Reputation points

2023-06-08T09:55:25.43+00:00
You are correct in you assumptions:

Policy based: no transit

Route based, no BGP: No routing info is exchanged, hence no transitive relationship (it can be configured manually by configuring routing on every site).

Route based, BGP: routing info is exchanged, transitive relationship is established

Share via

Denying Access between Multiple Site-to-Site Connections on Azure Virtual Network Gateway

1 additional answer

Your answer