Azure P2S VPN gateway setting restrict access for Azure AD groups

Loc Mai 1 Reputation point
2022-10-17T05:38:52.7+00:00

We have several P2S gateways to different vWAN and virtual hubs, authenticating against Azure AD and connecting through the Azure VPN client. Is there any way (or a near-future plan to support) to restrict access to each gateway for specific Azure AD users/groups?

Note: I also checked this option https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-about#gateway-concepts - as a workaround, to have a default group that goes nowhere and the specific groups that will have the allowed IP address pools to go into the virtual WAN. But it causes a lot of confusion on the operations side as to why we need extra routes in the route table when we could have checked whether the users were allowed to access the VPN gateway or not.


1 answer

  1. KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
    2022-10-21T08:57:15.487+00:00

    Hi @Loc Mai ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to know about blocking VPN access to remote users based on UPN.

    I had reached out internally to our Product Group and they have suggested the workaround which you are aware of.

    For vWAN, we have a preview feature called Multipools support for User VPN. This allows you to assign users IP addresses from specific address pools based on the P2S Users’ authentication credentials. To restrict certain users from accessing Azure resources, you could perform the following steps:

    1. Specify which Azure Active Directory Group Object IDs you want to associate to a specific user group
    2. Specify which IP address pools you want to associate to this user group
    3. Deploy a Firewall (Azure Firewall or 3rd party NVA Firewall like Check Point/Fortinet) in the hub, and configure this firewall to block access to Azure resources for these IP addresses

    Conceptual information and tutorials on how to configure user groups are in the links below:

    Though this method has a bit of management overhead, we must note that this method of assigning IPs to users provides us with other features, mainly routing and allow/block to specific VNet ranges with the help of an NVA or Azure Firewall.

    While with direct blocking, we can only allow/block the entire VNet range.

    However, should you feel we need this feature for environments with minimal workload, you can always raise a feedback item in Azure Feedback Hub.

    I hope this helps.
    Please let us know should there be any follow-up queries on this, I shall be glad to address them.

    Cheers,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

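The three-step workaround in the answer (Azure AD group Object IDs mapped to a user group, user groups mapped to address pools, a hub firewall denying the "go nowhere" pool) only works if the mapping is unambiguous: exactly one default group, no overlapping pools, and no Azure AD group in two user groups. The following script is an added example, not code from Microsoft or from this thread; it models that mapping, validates it, derives the source prefixes a hub firewall deny rule needs, and maps a connected client's assigned IP (as seen in firewall or gateway logs) back to its user group, which addresses the operational confusion the question raises. All Object IDs and address ranges are constructed placeholders.

```python
"""Sanity checks for the vWAN multipool (user group) workaround.

Added example, not Microsoft's or the thread's code. The rules it enforces
(one default group, non-overlapping client pools, one user group per Azure AD
group) are assumptions drawn from the workaround as described in the answer.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional


@dataclass
class UserGroup:
    name: str
    aad_group_object_ids: List[str]   # Azure AD group Object IDs that map here
    address_pools: List[str]          # P2S client address pools (CIDR)
    is_default: bool = False          # catch-all for users matching no group
    networks: List[IPv4Network] = field(init=False)

    def __post_init__(self) -> None:
        # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/24)
        self.networks = [ip_network(p, strict=True) for p in self.address_pools]


def validate(groups: List[UserGroup]) -> List[str]:
    """Return a list of configuration problems; an empty list means OK."""
    problems: List[str] = []
    defaults = [g.name for g in groups if g.is_default]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default group, found {defaults}")
    for g in groups:
        if not g.address_pools:
            problems.append(f"group {g.name} has no address pool")
    # Pools must not overlap: a client IP must map back to exactly one group.
    for a, b in combinations(groups, 2):
        for na in a.networks:
            for nb in b.networks:
                if na.overlaps(nb):
                    problems.append(f"pool {na} ({a.name}) overlaps {nb} ({b.name})")
    # An Azure AD group in two user groups makes the pool assignment ambiguous.
    seen: Dict[str, str] = {}
    for g in groups:
        for oid in g.aad_group_object_ids:
            if oid in seen:
                problems.append(f"AAD group {oid} is in both {seen[oid]} and {g.name}")
            seen[oid] = g.name
    return problems


def group_for_client(groups: List[UserGroup], client_ip: str) -> Optional[str]:
    """Map a client's assigned VPN address (from logs) to the user group it came from."""
    addr = ip_address(client_ip)
    for g in groups:
        if any(addr in n for n in g.networks):
            return g.name
    return None


def deny_rule_sources(groups: List[UserGroup]) -> List[str]:
    """Source prefixes for the hub firewall deny rule covering the default pool."""
    return [str(n) for g in groups if g.is_default for n in g.networks]


# Constructed sample mapping (placeholder Object IDs, not real tenant values).
# The default group has no members: it catches users matching no other group.
GROUPS = [
    UserGroup("netops", ["00000000-0000-0000-0000-00000000aaaa"], ["10.100.1.0/24"]),
    UserGroup("developers", ["00000000-0000-0000-0000-00000000bbbb"], ["10.100.2.0/24"]),
    UserGroup("no-access", [], ["10.100.255.0/24"], is_default=True),
]

if __name__ == "__main__":
    for problem in validate(GROUPS):
        print("PROBLEM:", problem)
    print("deny sources:", deny_rule_sources(GROUPS))
    print("10.100.2.17 ->", group_for_client(GROUPS, "10.100.2.17"))
```

Run the validator whenever the user-group or address-pool configuration changes; the deny-rule source list is what you would paste into the firewall rule for step 3, and `group_for_client` is the lookup an operator needs when a firewall log shows only the client's pool address.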