Denying Access between Multiple Site-to-Site Connections on Azure Virtual Network Gateway

Hannu Oksman 87 Reputation points
2023-06-02T13:08:48.4966667+00:00

When utilizing Azure Virtual Network Gateway with multiple site-to-site connections, can the different sites access each other by default?

If yes, is the use of Network Security Group with outbound deny rules, accompanied by necessary allow-rules with higher priority the best practice?

If no, what is required to enable transit routing between VPN devices via Azure? BGP?

Please note, we do not want the sites to access each other, nor do we require hub-spoke topology.


Accepted answer
  1. KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator
    2023-06-08T08:16:39.8566667+00:00

    @Hannu Oksman

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to know if Azure VPN gateway can provide transit connectivity to your OnPrem networks.

    Yes, Azure VPN Gateways with BGP enabled S2S Connections, will enable transit connectivity between your sites.

    This is documented here: Transit routing between your on-premises networks and multiple Azure VNets


    The recommended approach to prevent this is, as you stated:

    • to use NSG for workloads in VNet.
    • And for servers on-premises, you must have firewalls in place so that they only talk to the expected destination servers.
    • Also, you can disable BGP for the S2S Connections - and this will prevent Transit routing.

    Hope this helps. Kindly let us know if you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

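As an added example (not from this thread, Microsoft, or the Azure CLI project), a Python check that reads the JSON produced by `az network vpn-connection list -g <rg> -o json` and lists every pair of BGP-enabled S2S connections that terminate on the same VPN gateway, i.e. the site pairs that, per the accepted answer, can reach each other through Azure unless on-premises firewalls block it. The field names mirror the CLI output; the sample data below is constructed with placeholder IDs.

```python
import json
from itertools import combinations

# Constructed sample in the shape of `az network vpn-connection list` output,
# trimmed to the fields the check needs. Resource IDs are placeholders.
SAMPLE = json.dumps([
    {"name": "to-site-a", "connectionType": "IPsec", "enableBgp": True,
     "virtualNetworkGateway1": {"id": "/subscriptions/x/.../virtualNetworkGateways/hub-vpngw"},
     "localNetworkGateway2": {"id": "/subscriptions/x/.../localNetworkGateways/site-a"}},
    {"name": "to-site-b", "connectionType": "IPsec", "enableBgp": True,
     "virtualNetworkGateway1": {"id": "/subscriptions/x/.../virtualNetworkGateways/hub-vpngw"},
     "localNetworkGateway2": {"id": "/subscriptions/x/.../localNetworkGateways/site-b"}},
    # BGP disabled: the gateway will not re-advertise this site's prefixes,
    # so it does not take part in transit routing.
    {"name": "to-site-c", "connectionType": "IPsec", "enableBgp": False,
     "virtualNetworkGateway1": {"id": "/subscriptions/x/.../virtualNetworkGateways/hub-vpngw"},
     "localNetworkGateway2": {"id": "/subscriptions/x/.../localNetworkGateways/site-c"}},
    # A VNet-to-VNet connection is not an S2S site and is skipped.
    {"name": "to-spoke", "connectionType": "Vnet2Vnet", "enableBgp": True,
     "virtualNetworkGateway1": {"id": "/subscriptions/x/.../virtualNetworkGateways/hub-vpngw"},
     "virtualNetworkGateway2": {"id": "/subscriptions/x/.../virtualNetworkGateways/spoke-vpngw"}},
])


def _short_name(resource_id: str) -> str:
    """Last segment of an ARM resource ID, e.g. '.../localNetworkGateways/site-a' -> 'site-a'."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def transit_pairs(connections_json: str) -> list:
    """Return sorted (gateway, site1, site2) triples for each pair of
    BGP-enabled IPsec S2S connections sharing one VPN gateway. With BGP on,
    the gateway learns each site's prefixes and advertises them to the other
    sites, so every such pair is a potential site-to-site transit path."""
    sites_by_gateway = {}
    for conn in json.loads(connections_json):
        if conn.get("connectionType") != "IPsec" or not conn.get("enableBgp"):
            continue
        gateway = _short_name(conn["virtualNetworkGateway1"]["id"])
        site = _short_name(conn["localNetworkGateway2"]["id"])
        sites_by_gateway.setdefault(gateway, []).append(site)
    return sorted((gw, a, b)
                  for gw, sites in sites_by_gateway.items()
                  for a, b in combinations(sorted(sites), 2))


if __name__ == "__main__":
    for gw, a, b in transit_pairs(SAMPLE):
        print(f"{gw}: {a} <-> {b} can transit (both BGP-enabled)")
```

Any pair the script prints should either be intentional or be covered by firewall rules on both sites; an empty list means no BGP-enabled site pair shares a gateway.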

1 additional answer

  1. Paul Wildenberg 5 Reputation points
    2023-06-02T14:32:34.5+00:00

    When using a route-based VPN gateway it is possible for different sites to communicate if routing on the different sites is configured to use the VPN connection for traffic to the other site. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

    It is not advisable to use a Network Security Group on the Gateway subnet as it might lead to unexpected behavior: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal. You should restrict incoming traffic on the firewalls of the respective sites.

