How to Whitelist IPs on Azure VPN Gateway

Seun Ore 80 Reputation points
2024-06-28T05:01:46.9133333+00:00

Hello Azure Team
I set up a Site-to-Site VPN with an on-premises infra. The status remains not connected even after a troubleshooting session with the team from the other side, where we compared item by item. They insisted that settings only allow for our IPs to be whitelisted, just as it's done for Local Network Gateway. By the way, this is the design by most cloud providers (AWS, GCP). Is there a way to force IP whitelisting on Azure VPN Gateway, and why this design?

Thank you

Seun

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
    GitaraniSharma-MSFT 49,441 Reputation points Microsoft Employee
    2024-06-28T09:35:54.7566667+00:00

    Hello @Seun Ore ,

    I understand that you would like to force IP whitelisting on your Azure VPN gateway.

    If your requirement is to restrict/configure more specific routes/address prefixes from your on-premises to Azure:

    You can use BGP to support automatic and flexible prefix updates. BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers. With BGP, you only need to declare a minimum prefix to a specific BGP peer over the IPsec S2S VPN tunnel. You can control which on-premises network prefixes you want to advertise to Azure to allow your Azure Virtual Network to access.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview

    But if your requirement is to restrict/configure more specific routes/address prefixes via the VPN tunnel from Azure to your on-premises:

    You can do so using the New-AzIpsecTrafficSelectorPolicy command.

    Traffic selectors can be defined via the trafficSelectorPolicies attribute on a connection via the New-AzIpsecTrafficSelectorPolicy PowerShell command. For the specified traffic selector to take effect, ensure the Use Policy Based Traffic Selectors option is enabled.

    The custom configured traffic selectors will be proposed only when an Azure VPN gateway initiates the connection. A VPN gateway accepts any traffic selectors proposed by a remote gateway (on-premises VPN device). This behavior is consistent between all connection modes (Default, InitiatorOnly, and ResponderOnly).

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-specify-my-own-policy-based-traffic-selectors

    The policy-based traffic selector option can be specified with the default policy, without a custom IPsec/IKE policy.

    Ex: If your VNet address range is 10.0.0.0/23 but you do not want to advertise the whole range to your on-prem via the VPN tunnel, and would instead like to advertise smaller ranges such as 10.0.0.0/27, 10.0.0.32/27, 10.0.0.64/26 and so on, you can define it as below:

    # Traffic selector: the Azure-side subnets to expose and the on-premises ranges they may exchange traffic with
    $trafficSelectorPolicy = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange ("10.0.0.0/27", "10.0.0.32/27", "10.0.0.64/26") -RemoteAddressRange ("192.168.10.0/24", "172.16.0.0/24")
    # $rgname, $vnetConnectionName, $location, $vnetGateway, $localnetGateway and $sharedKey must already be defined; -UsePolicyBasedTrafficSelectors $true is required for the policy to take effect
    New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -name $vnetConnectionName -location $location -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localnetGateway -ConnectionType IPsec -RoutingWeight 3 -SharedKey $sharedKey -UsePolicyBasedTrafficSelectors $true -TrafficSelectorPolicy ($trafficSelectorPolicy)
    
    • LocalAddressRange contains the smaller address ranges from within your Azure Vnet.
    • RemoteAddressRange contains your on-prem network ranges configured in your local network gateway.

    You can also set custom traffic selectors in your VPN connection using Azure Portal as below:

    [screenshot of the custom traffic selector settings on the connection in the Azure portal, not reproduced]

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto#what-are-the-algorithms-and-key-strengths-supported-in-the-custom-policy

    https://learn.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto#policy-parameters

    Adding or updating an IPsec/IKE policy could cause a small disruption (a few seconds) as the Azure VPN gateway tears down the existing connection and restarts the IKE handshake to re-establish the IPsec tunnel with the new cryptographic algorithms and parameters. Ensure your on-premises VPN device is also configured with the matching algorithms and key strengths to minimize the disruption.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto#would-adding-or-updating-an-ipsecike-policy-disrupt-my-vpn-connection

    But this will only affect the connection you are working with. Any other existing connections will not be affected.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

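The answer above shows the traffic selector being set when a connection is created. The following script, an added example that is not part of the answer or of Microsoft's documentation, applies the same kind of policy to an already existing connection with Set-AzVirtualNetworkGatewayConnection, first checking that every remote range sits inside the local network gateway's address space (a selector naming a range the LNG does not cover would never match traffic), and then reads the effective policy back. All resource names and address ranges are assumptions; the -TrafficSelectorPolicy / -UsePolicyBasedTrafficSelectors parameters on Set-AzVirtualNetworkGatewayConnection and the TrafficSelectorPolicies property names are taken from the Az.Network object model.

```powershell
# Added example (not from the original answer). Assumed names: replace them with your own.
Import-Module Az.Network

$rgName         = 'rg-hub'            # assumed resource group
$connectionName = 'vpn-to-onprem'     # assumed existing S2S connection
$lngName        = 'lng-onprem'        # assumed local network gateway
$azureRanges    = @('10.0.0.0/27', '10.0.0.32/27', '10.0.0.64/26')   # constructed sample ranges
$onPremRanges   = @('192.168.10.0/24', '172.16.0.0/24')

# Returns $true when IPv4 CIDR $Inner is fully contained in IPv4 CIDR $Outer.
function Test-CidrWithin {
    param([string]$Inner, [string]$Outer)
    $toInt = {
        param([string]$Ip)
        $n = [long]0
        foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = $n * 256 + $b }
        return $n
    }
    $iAddr, $iBits = $Inner -split '/'
    $oAddr, $oBits = $Outer -split '/'
    if ([int]$iBits -lt [int]$oBits) { return $false }   # a shorter prefix cannot fit inside a longer one
    $mask = (1L -shl 32) - (1L -shl (32 - [int]$oBits)) # network mask of the outer prefix as a long
    return (((& $toInt $iAddr) -band $mask) -eq ((& $toInt $oAddr) -band $mask))
}

# Refuse to apply a selector whose remote side is outside what the local network gateway declares.
$lng = Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rgName
foreach ($r in $onPremRanges) {
    $covered = $lng.LocalNetworkAddressSpace.AddressPrefixes | Where-Object { Test-CidrWithin -Inner $r -Outer $_ }
    if (-not $covered) { throw "Remote range $r is not within the local network gateway prefixes." }
}

$policy = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange $azureRanges -RemoteAddressRange $onPremRanges
$conn   = Get-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $rgName

# Without -UsePolicyBasedTrafficSelectors $true the custom selectors are ignored.
# Expect a brief tunnel reset while IKE renegotiates.
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -UsePolicyBasedTrafficSelectors $true -TrafficSelectorPolicy $policy

# Read back what the gateway will propose when it initiates IKE (remote-proposed selectors are still accepted).
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connectionName -ResourceGroupName $rgName
$conn.UsePolicyBasedTrafficSelectors
$conn.TrafficSelectorPolicies | Select-Object LocalAddressRanges, RemoteAddressRanges
```

Because the gateway accepts whatever selectors the on-premises device proposes, the read-back only confirms the Azure side; the matching selectors still have to be configured on the on-premises VPN device.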
