Help Setup a VPN with one static Outbound IP

Nick Diaz 281 Reputation points
2023-01-04T15:26:33.3+00:00

I want to connect my team to a VPN client on our desktop and laptop devices so they are brought under a VPN for our company. This will allow all staff to have a singular static outbound IP address. They can then add this static IP address to any whitelist we need (SQL Servers, VMs etc. in and outside of Azure) so we do not have to maintain individual IPs for each staff member for system access. We have already looked into point-to-site VPN but that does not meet their needs. We are looking to set up a VPN with one static outbound IP. What would be the best way to achieve this? Thanks in advance for the help.

Tags: Azure VPN Gateway, Azure Virtual Network

Accepted answer
    GitaraniSharma-MSFT 47,416 Reputation points Microsoft Employee
    2023-01-05T02:50:01.663+00:00

    Hello @Nick Diaz ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to configure your Azure P2S VPN with a single static IP address for external/Internet connectivity.

    To configure Azure P2S VPN with a single static IP address, you would need to force tunnel the VPN traffic to the VPN gateway and configure Azure Firewall manager to provide Internet connectivity via SNAT.

    You can configure forced tunneling on your Azure P2S VPN to direct all traffic to the VPN tunnel, but Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped. Hence, you need to secure Internet traffic using Azure Firewall Manager. If you secure Internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your P2S VPN clients send all Internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the Public IP of Azure Firewall for egress to the Internet.

    Please note that to advertise the 0.0.0.0/0 route to your VPN clients, you need to break it into two smaller subnets, 0.0.0.0/1 and 128.0.0.0/1, as mentioned in the document below:
    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    You have to deploy a secured virtual hub with Azure Firewall Manager and add the P2S VPN gateway to allow your egress traffic, which will be controlled by a firewall policy.
    Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    You can refer to the doc below, which explains how to configure forced tunneling for Virtual WAN point-to-site VPN, and take inputs on the configuration:
    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Another reference for you:
    https://learn.microsoft.com/en-us/answers/questions/589858/index.html

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

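As an added illustration, not part of the original answer, of why advertising 0.0.0.0/1 and 128.0.0.0/1 forces every Internet-bound packet into the tunnel (and therefore out through the firewall's single SNAT address): a small longest-prefix-match model of the client's routing table. The 10.1.0.0/16 VNet range and all IP addresses below are assumed sample values.

```python
import ipaddress

# Constructed client routing table (sample values, not from the answer):
# the device's own default route via its physical NIC, plus the routes the
# P2S gateway advertises once forced tunneling is configured.
CLIENT_ROUTES = [
    ("0.0.0.0/0", "physical-nic"),   # local default route from the ISP
    ("10.1.0.0/16", "vpn-tunnel"),   # hypothetical hub VNet address space
    ("0.0.0.0/1", "vpn-tunnel"),     # first half of 0.0.0.0/0 ...
    ("128.0.0.0/1", "vpn-tunnel"),   # ... and the second half
]

# Without the two /1 routes only VNet traffic enters the tunnel.
SPLIT_TUNNEL_ROUTES = [r for r in CLIENT_ROUTES if r[0] not in ("0.0.0.0/1", "128.0.0.0/1")]


def next_hop(destination: str, routes=CLIENT_ROUTES) -> str:
    """Longest-prefix-match lookup, as a host routing table performs it."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        # A /1 route is more specific than the /0 default, so it wins.
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise ValueError(f"no route to {destination}")
    return best[1]


def egress_ip(destination: str, firewall_ip: str, isp_ip: str, routes=CLIENT_ROUTES) -> str:
    """Source IP a server sees: the firewall SNATs tunnelled traffic, the ISP address is used otherwise."""
    return firewall_ip if next_hop(destination, routes) == "vpn-tunnel" else isp_ip


def allowlist_only_needs_firewall(destinations, firewall_ip: str, isp_ip: str, routes=CLIENT_ROUTES) -> bool:
    """True when every destination would be reached from the single firewall address."""
    return all(egress_ip(d, firewall_ip, isp_ip, routes) == firewall_ip for d in destinations)


if __name__ == "__main__":
    for d in ("8.8.8.8", "200.1.2.3", "10.1.5.5"):
        print(d, "->", next_hop(d), "/", next_hop(d, SPLIT_TUNNEL_ROUTES))
```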

1 additional answer

    Bas Pruijn 946 Reputation points
    2023-01-06T14:59:04.457+00:00

    You are correct that Azure P2S VPN does not allow outbound (internet) traffic. The answer of @Nick Diaz will work, but requires you to pay for an Azure Firewall to handle the traffic. You can look in the Azure Marketplace for VPN solutions (https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=vpn&page=1). Most of them will serve your needs.

    However, if you set up a P2S VPN connection to Azure, you can allow the VNET in Azure to access your SQL Servers in Azure. Unfortunately, this will only work for workloads in Azure though.
