Azure Firewall and VPN for remote user
We have servers in a remote location, and I am currently able to access them through a VPN client. However, I now need to set up a firewall and VPN with a dedicated public IP. Additionally, I would like to enable site-to-site VPN. If I connect to the Azure VPN, my local laptop's public IP should match the Azure public IP. Is this feasible? Could you please help me with that?
Azure VPN Gateway
Azure Firewall
Azure
-
Silvia Wibowo 3,166 Reputation points • Microsoft Employee
2024-05-09T23:18:17.26+00:00
Hi @network , please clarify your current setup and what you're trying to achieve.
Laptop (VPN client) ---[VPN over internet]--->Server (remote location - is this on Azure?)
In Azure:
- Firewall
- VPN Gateway (is it same vNet with Firewall?)
Laptop's public IP should match Azure public IP (VPN Gateway's or Firewall's?) --> why?
-
Luca Lionetti 3,131 Reputation points
2024-05-10T07:21:07.5233333+00:00
Hi,
Welcome to Microsoft Q&A community forum!
It is not very clear what you want to do. If I understand correctly, you currently connect with a client-to-site (C2S) VPN to servers in a remote location. Now you want to install a firewall and a VPN, but I didn't understand where. Between this VPN appliance and Azure you want to do an S2S (site-to-site)? If your PC connects through the site-to-site, it will connect to Azure via the on-prem concentrator. On your side you will have one public IP on the VPN concentrator and on the Azure side a different public IP on the Azure VPN gateway; you cannot have the same public IP on your laptop and on Azure.
If you can clarify your setup, it will help us.
Cheers
Luca
-
network 20 Reputation points
2024-05-12T09:52:14.91+00:00
Hi,
We have five servers with a server provider (not in the cloud). Three of these servers are assigned public IP addresses, while the remaining two servers are connected via NAT IP. We utilize the NAT IP for VPN connections, which our client has whitelisted. Currently, we can only access client sites whose traffic originates from the whitelisted IP. However, our requirement is to access client sites directly. As our employees are working from home without a dedicated office, we plan to purchase a public IP and set up a site-to-site VPN. With this setup, we will share the new IP with our clients for whitelisting. Once connected to the new VPN, our traffic will route through the new public IP, allowing our developers to access client sites directly from their local laptops without the need for RDP access to the server.
Does this approach seem feasible and secure?
Thanks,
Saravanan
-
Silvia Wibowo 3,166 Reputation points • Microsoft Employee
2024-05-13T02:12:40.6133333+00:00
Hi @network , I understand that you have to access the client's site from a laptop over the internet. There is a requirement from the client to allow a fixed public IP address.
It seems similar to Scenario2 of VPN Gateway use case:
Employees' laptops ---VPN P2S---> Azure VPN Gateway ---VPN S2S---> Client's site
With that setup, employees' laptops can reach any server in client's site using their internal/private IP address.
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
-
KapilAnanth-MSFT 36,396 Reputation points • Microsoft Employee
2024-05-15T08:31:40.45+00:00
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Let's call the 3rd party where the 5 servers reside as "ServerProvider"
Can you establish a S2S Connection from Azure VPN to "ServerProvider"?
- If so, you can follow Silvia Wibowo's answer.
- This will work provided that ServerProvider supports S2S and BGP.
Or your intention is to use a fixed public IP to connect to the servers?
- If so, your flow becomes something like this
Employees' laptops ---> VPN P2S---> Azure VPN Gateway ---> Azure Firewall---> ServerProvider
- In this case, you have 2 ways to configure this
#1 Use vWAN with Secured Hub and Routing Intent
- This should be straight forward to setup and does not require additional configuration and validation from your end.
- Deploy a vWAN with SecuredHub and enable "Internet Traffic Routing Policy"
- Deploy a P2S Gateway in the same vWAN (same secured Hub)
- Now, all the traffic destined to Internet will go via the Azure Firewall deployed in the Hub
#2 Use Azure VPN Gateway with custom Routing and Azure Firewall
- Unlike #1, this is complex and requires you to manually set the routing.
- Deploy an Azure VPN Gateway with P2S enabled and an Azure Firewall on the same VNET.
- In the P2S configuration, advertise the ServerProvider's IP Address - Advertise custom routes for P2S VPN clients
- In the GatewaySubnet, attach a route table to forward traffic destined to ServerProvider's IP Address to the Azure Firewall IP.
In either case, make sure there are Allow Rules configured in the Azure Firewall so that it will not block the traffic.
All the outgoing traffic would now use the IP of the Azure Firewall.
You may wonder if you can bypass the Azure Firewall,
- Unfortunately, that is not the case
- You must have an NVA - either Azure Firewall or a 3rd party NVA if you want to make internet connectivity.
- This is because Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
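As an added example (not code from the thread and not Microsoft's own sample), the Azure PowerShell below wires up option #2 from the answer above: custom routes pushed to the P2S clients, a route table on the GatewaySubnet that forwards ServerProvider-bound traffic to the Azure Firewall, and an explicit Allow rule on the firewall. All resource names, the resource group, the P2S pool and the ServerProvider prefix are assumptions; the firewall and the P2S-enabled gateway are assumed to exist already in the same VNet, and the firewall is assumed to use classic rules rather than a Firewall Policy.

```powershell
# Added example: Azure PowerShell for option #2 (P2S gateway + Azure Firewall + custom routing).
# Every name/address below is a placeholder; the ServerProvider range uses TEST-NET-3.
$rg        = "rg-remote-access"        # assumed resource group
$location  = "westeurope"              # assumed region
$vnetName  = "vnet-hub"                # assumed VNet containing GatewaySubnet and AzureFirewallSubnet
$gwName    = "vpngw-p2s"               # assumed existing VPN gateway with P2S enabled
$fwName    = "azfw-hub"                # assumed existing Azure Firewall in the same VNet
$serverProviderPrefix = "203.0.113.0/24"   # placeholder for ServerProvider's public range
$p2sPool   = "172.16.201.0/24"         # placeholder for the P2S client address pool

# 1. Advertise the ServerProvider prefix to P2S clients so that traffic enters the tunnel
#    instead of leaving via the employee's home ISP. Clients must reconnect to pick it up.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute $serverProviderPrefix | Out-Null

# 2. Route table on the GatewaySubnet: only the specific ServerProvider prefix, never 0.0.0.0/0,
#    with the firewall's private IP as next hop (VirtualAppliance).
$fw          = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

$route = New-AzRouteConfig -Name "to-serverprovider-via-fw" `
    -AddressPrefix $serverProviderPrefix `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "rt-gatewaysubnet" -ResourceGroupName $rg -Location $location -Route $route

$vnet     = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "GatewaySubnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "GatewaySubnet" `
    -AddressPrefix $gwSubnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 3. Allow rule scoped to the P2S pool, the ServerProvider prefix and only the ports the
#    developers need (assumed HTTPS and RDP here); everything else stays at the firewall's default deny.
$rule = New-AzFirewallNetworkRule -Name "p2s-to-serverprovider" `
    -SourceAddress $p2sPool -DestinationAddress $serverProviderPrefix `
    -DestinationPort 443, 3389 -Protocol TCP
$coll = New-AzFirewallNetworkRuleCollection -Name "rc-p2s-egress" -Priority 200 -Rule $rule -ActionType Allow
$fw.AddNetworkRuleCollection($coll)      # classic rules; with a Firewall Policy, add the rule to the policy instead
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 4. The address ServerProvider (or the client) has to whitelist is the firewall's public IP.
$fwPipId = $fw.IpConfigurations[0].PublicIpAddress.Id
$fwPip   = Get-AzPublicIpAddress | Where-Object { $_.Id -eq $fwPipId }
Write-Output "Outbound IP seen by ServerProvider: $($fwPip.IpAddress)"
```

Because every P2S user now egresses from one shared firewall IP, the whitelisting on the ServerProvider side no longer distinguishes users; keep the Allow rule narrow (source pool, destination prefix, ports) and turn on Azure Firewall network rule logging so that connections to the client's site remain attributable to individual P2S client addresses.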