Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,558 questions
Hello @Marcos Vinicius Silva Reis ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to configure your Point to site VPN in a way that users can access Internet via their P2S VPN connection using a specific public IP 189.120 .225.65 instead of their local ISP public IP.
Azure Point to Site VPN do not have a Public IP. Only the VPN gateway has a Public IP which is used for Site-to-Site VPN connections. Point to Site VPN make use of the configured address pool to allocate an IP address to the connected VPN client or local machine and this is a private IP. So, the Public IP of the clients still remains the ISP Public IP.
To configure Azure P2S VPN with a single static IP address, you would need to force tunnel the VPN traffic to the VPN gateway and configure Azure Firewall manager to provide Internet connectivity via SNAT.
However, Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.
Hence, you need to introduce another resource such as Azure Firewall or a NVA (Network Virtual Appliance) which can take care of the Internet connectivity.
But there is another limitation on the traditional VPN gateway (when I say traditional VPN gateway, I mean a VPN gateway without vWAN solution, which is deployed directly into a Vnet) as below:
Traditional VPN gateways do not have the EnableInternetSecurity flag option. This flag is needed and must be set to true for your clients to be properly configured for forced-tunneling/accessing Internet via the VPN gateway.
The P2S VPN gateway under Virtual WAN Hub has this option. Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/update-azp2svpngateway?view=azps-10.1.0
So, in order to reach the Internet via Azure P2S VPN gateway, you need to deploy a secured virtual WAN hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy. Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network
When you secure internet traffic via Azure Firewall (Firewall Manager), you can advertise the 0.0.0.0/0 route or any custom route to your VPN clients. This makes your clients send the internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.
To do this, you need to setup an Azure Firewall & then configure a Policy to allow P2S traffic to Internet.
You can also use a NVA instead of Azure Firewall as per your requirement.
To advertise custom route to your VPN clients, refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes
You can also add the route directly in your downloaded azurevpnconfig.xml file as below:
You can refer the below doc which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN:
https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel
Another reference for you:
https://learn.microsoft.com/en-us/answers/questions/589858/index.html
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.