Azure P2S VPN for Remote Workers

Ferry, James 0 Reputation points
2023-03-17T13:35:09.4066667+00:00

Hello,

I would like to know if there is an alternative to a forced tunnel VPN through Virtual WAN in Azure. We have an external company that needs to access one of our Azure Virtual Desktops. We use the Azure Remote Desktop app that uses 365 credentials to log in so that we can apply conditional access to it. They work remotely and no longer have a central office. The issue is that they do not have a static IP address so we cannot create a conditional access policy for them, and on top of that they are in a foreign country. We do not want to give them access to our Meraki VPN, we just want to give them an isolated public IP. I was able to successfully create a Virtual WAN solution and a hub with a firewall deployed securing internet traffic so that it acts as a forced tunnel and it is only allowing access to the AVD services to prevent a mass amount of data from going through it. The problem is this seems way overkill and I am worried about the cost. I just want to test the waters and see if there is any other way to make this work.


2 answers

  1. risolis 8,721 Reputation points
    2023-03-19T03:53:14.4233333+00:00

    Hello @Ferry, James

    Thank you for posting this concern on this community space.

    I was reading your case scenario description and I would like to share my 2 cents about it, so see them below:

    1. You can either use Virtual WAN along with an NVA, which in your case is a Cisco Meraki appliance.

    2. You may try to consider this other solution as shown on the next link:

    https://blogs.cisco.com/security/cisco-secure-firewall-to-support-microsoft-azure-gateway-load-balancer

    3. Furthermore, if you are using a VPN gateway as Point-to-Site VPN for remote workers you could also integrate a UDR (User Defined Route) feature to override the default routing behavior called System routes and do forced tunneling with the network segment desired.

    If I am not mistaken, besides that previous point you will have to use an L4 balancer as well since you mentioned Remote Desktop Services in this scenario.

    I hope that can be helpful for you to adjust your case scenario as per your company needs : )

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. GitaraniSharma-MSFT 49,651 Reputation points Microsoft Employee
    2023-03-20T12:26:50.32+00:00

    Hello @Ferry, James ,

    I understand that you would like to know if there is an alternative to a forced tunnel VPN through Virtual WAN in Azure.

    You can configure forced tunneling on your Azure P2S VPN to direct all traffic to the VPN tunnel, but Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    Hence, in order to secure Internet traffic, you need to use Azure Firewall Manager. If you secure Internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your P2S VPN clients send all Internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the Public IP of Azure Firewall for egress to the Internet. For this, you have to deploy a secured virtual hub with Azure Firewall Manager and add the P2S VPN Gateway to allow your egress traffic, which will be controlled by a firewall policy.

    Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Azure Bastion would be a good choice if you only need connectivity to one resource but Bastion connectivity to Azure Virtual Desktop isn't supported as of today.

    Refer: https://learn.microsoft.com/en-us/azure/bastion/bastion-faq#virtual-desktop

    https://learn.microsoft.com/en-us/azure/bastion/work-remotely-support

    I'm not sure how many of your users need access to AVD, but Azure Bastion supports up to 50 host instances (the number of concurrent RDP/SSH connections that Azure Bastion can support).

    I will check with the Azure Bastion Product Group to see if there has been any progress on this feature support.

    However, if you are not looking for a native solution, you may explore the third-party Network Virtual Appliances (NVAs) from Azure Marketplace which may fit your requirement.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/nva-work-remotely-support

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

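As an added illustration (not code from the thread, from Microsoft, or from any Azure SDK), the following Python models the three egress behaviours the answer above describes: a split tunnel where Internet traffic leaves via the user's own ISP (so Conditional Access never sees a fixed source IP), a forced tunnel on a plain VPN gateway where Internet-bound traffic is dropped, and a forced tunnel through a secured hub where only policy-allowed destinations egress via the firewall's SNAT public IP. The hub prefix, firewall IP and AVD allow-list are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (placeholders, not values from the thread):
# the hub's VNet range, the Azure Firewall public IP used for SNAT, and an
# allow-list standing in for the firewall policy's "AVD services only" rules.
HUB_PREFIXES = ["10.0.0.0/16"]
FIREWALL_PUBLIC_IP = "203.0.113.10"
AVD_ALLOW_LIST = ["198.51.100.0/24"]   # hypothetical AVD service range


def longest_match(dst, prefixes):
    """Most specific prefix in `prefixes` that contains `dst`, or None."""
    d = ip_address(dst)
    hits = [ip_network(p) for p in prefixes if d in ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def client_next_hop(dst, advertised):
    """Where the P2S client sends a packet, given the routes the gateway
    advertised. Advertising 0.0.0.0/0 is the forced-tunnel case."""
    return "tunnel" if longest_match(dst, advertised) else "local-isp"


def hub_egress(dst, secured_hub):
    """Fate of a packet once it has arrived over the tunnel."""
    if longest_match(dst, HUB_PREFIXES):
        return "delivered-to-vnet"
    if not secured_hub:
        # Plain VPN gateway: no Internet egress, so Internet-bound traffic is dropped.
        return "dropped-at-gateway"
    if longest_match(dst, AVD_ALLOW_LIST):
        # Secured hub: policy allows it and the firewall SNATs to its public IP,
        # which is the stable source address Conditional Access can then trust.
        return f"allowed-snat-{FIREWALL_PUBLIC_IP}"
    return "denied-by-firewall-policy"


def simulate(dst, advertised, secured_hub):
    """End-to-end outcome for one destination under one client configuration."""
    if client_next_hop(dst, advertised) == "local-isp":
        return "local-isp"
    return hub_egress(dst, secured_hub)


if __name__ == "__main__":
    for adv, secured in (["10.0.0.0/16"], False), (["0.0.0.0/0"], False), (["0.0.0.0/0"], True):
        for dst in ("10.0.1.4", "198.51.100.7", "8.8.8.8"):
            print(f"advertised={adv} secured={secured} dst={dst}: {simulate(dst, adv, secured)}")
```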
