Azure WAN and P2S VPN Forced Tunneling

Ajeet Singh 71 Reputation points
2021-10-14T02:57:10.967+00:00

I have setup Azure WAN with a secured hub(Azure Firewall). WAN also has a P2S VPN which am successfully able to connect to. I understand forced tunneling was not an option before Azure VWAN, but now can i do forced tunneling for my P2S clients and give them a common public IP address instead of their own ISP Public IP Address?

Azure Virtual WAN
Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
225 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,555 questions
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
92 questions
0 comments No comments
{count} vote

Accepted answer
  1. GitaraniSharma-MSFT 49,581 Reputation points Microsoft Employee
    2021-10-14T16:40:27.6+00:00

    Hello @Ajeet Singh ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Yes, you can do forced tunneling for your P2S clients.

    If you secure internet traffic via Firewall Manager you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your clients send all internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

6 additional answers

Sort by: Most helpful
  1. Victor Tan 1 Reputation point
    2022-12-02T21:36:15.053+00:00

    anyone running into this issue? I can't see what else can be wrong.


  2. Lab Coat1 6 Reputation points
    2023-04-18T14:19:56.95+00:00

    Running into a similar issue. Followed: https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel Ran the powershell command and update the version in the xml file route to 0.0.0.0 shows up pointing to the virtual wan. What I notice, is that simply adding the 0.0.0.0/0 route does not keep traffic from the client to going anywhere within the client's internal network. Which, among other things, if there is a web proxy configured on the local network, then the client machine can completely bypass the tunnel to the Internet. We are wanting to move away from the Cisco AnyConnect client, which seems to more strictly enforce all traffic.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.