Public IP of Azure VPN P2S and Internet Access via the tunnel

Mohamed Roushdy 35 Reputation points
2023-02-08T12:46:09.8833333+00:00

Hello,

My apologies if this question has already been asked several times. Couldn't find the answer I need. In short, we have Azure and non-Azure resources publicly accessible; however, these non-Azure resources require IP whitelisting. The goal is to grant our external software developers access both to our Azure resources and to our other external resources via a single VPN tunnel, to make the IP-whitelisting task much easier (the admin needs to keep whitelisting IPs all the time). So, is it possible via Azure P2S to have the following achieved?

1- force all traffic to go through the P2S tunnel

2- still have internet access while the P2S connection is established.

3- have fixed (known) public IPs of Azure VPN that we could use to whitelist with our other non-Azure resources

Best Regards,

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
  1. GitaraniSharma-MSFT 46,761 Reputation points Microsoft Employee
    2023-02-08T12:55:32.0766667+00:00

    Hello @Mohamed Roushdy ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to force tunnel your Azure P2S VPN traffic and still be able to access Internet and get a single static IP address to whitelist for external/Internet connectivity.

    To configure Azure P2S VPN with a single static IP address, you would need to force tunnel the VPN traffic to the VPN gateway and configure Azure Firewall manager to provide Internet connectivity via SNAT.

    You can configure forced tunneling on your Azure P2S VPN to direct all traffic to the VPN tunnel, but Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped. Hence, you need to secure Internet traffic using Azure Firewall Manager. If you secure Internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your P2S VPN clients send all Internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the Public IP of Azure Firewall for egress to the Internet.

    Please note that to advertise the 0.0.0.0/0 route to your VPN clients, you need to break it into two smaller subnets, 0.0.0.0/1 and 128.0.0.0/1, as mentioned in the below document:

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    You have to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

    Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    You can refer to the below doc, which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN, and take inputs on the configuration:

    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Another thread reference for you:

    https://learn.microsoft.com/en-us/answers/questions/589858/index.html

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
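As an added illustration (not part of the thread or of any Microsoft tooling), a small Python model of how a P2S client picks a route by longest-prefix match. It shows why the two /1 halves take precedence over the client's own 0.0.0.0/0 default route, and the caveat that a directly connected LAN prefix (longer than /1) still stays off the tunnel. The local route table, interface names and destination addresses are constructed for the example.

```python
import ipaddress

# Constructed sample: the client's own routing table before the VPN comes up.
LOCAL_ROUTES = {
    "0.0.0.0/0": "wifi0",       # physical default route
    "192.168.1.0/24": "wifi0",  # directly connected home/office LAN
}

def build_table(local_routes, vpn_routes):
    """Merge the local table with the prefixes advertised by the VPN gateway.
    Assumption for this model: an advertised prefix that is identical to an
    existing local one does not replace it (the client keeps its own
    0.0.0.0/0), which is why the gateway has to advertise something more
    specific to win."""
    table = {}
    entries = list(local_routes.items()) + [(p, "vpn0") for p in vpn_routes]
    for prefix, iface in entries:
        table.setdefault(ipaddress.ip_network(prefix), iface)
    return table

def next_hop(table, dst):
    """Longest-prefix match: the most specific matching network wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in table.items() if addr in net]
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface

def egress_interfaces(vpn_routes, destinations):
    """Return {destination: interface} for a given set of advertised routes."""
    table = build_table(LOCAL_ROUTES, vpn_routes)
    return {d: next_hop(table, d) for d in destinations}

def covers_all_ipv4(vpn_routes):
    """True if the advertised prefixes together cover the whole IPv4 space."""
    nets = [ipaddress.ip_network(p) for p in vpn_routes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]

if __name__ == "__main__":
    dests = ["8.8.8.8", "203.0.113.10", "192.168.1.5"]
    print("0.0.0.0/0 only:", egress_interfaces(["0.0.0.0/0"], dests))
    print("split halves:  ", egress_interfaces(["0.0.0.0/1", "128.0.0.0/1"], dests))
```

With the split halves, both Internet destinations leave via vpn0 (and so egress with the firewall's SNAT address), while the LAN host stays local; that LAN exception is worth remembering when reasoning about what the whitelisted IP actually covers.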

