How can I redirect the traffic of a VM in Azure so that it goes out through the IP of my on-premises infrastructure?

Jesus Reyes 20 Reputation points
2023-05-08T17:26:42.5+00:00

Hello, I would like to know whether there is a way to configure my infrastructure in Azure so that the traffic from my VM running in Azure goes out through the IP of my on-premises infrastructure.
My VM is already connected to my on-premises infrastructure through an Azure site-to-site VPN. I can ping from my virtual machine to my physical workstations and vice versa. But when I try to connect to a BitBucket repository whose access is restricted to the IP address of my on-premises infrastructure only, I get an error because my VM tries to connect directly to the Internet using an IP address provided by Azure. In my case I want it to connect to the Internet using the IP address of my on-premises infrastructure. Is this possible? If so, could you help me by explaining how it is done?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

Accepted answer
  1. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2023-05-09T11:48:26.9733333+00:00

    Hello @Jesus Reyes ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how to redirect the traffic of a VM in Azure so that it leaves through the IP of your on-premises infrastructure.

    You can configure forced tunneling for the subnet where this Azure VM is deployed or your whole Azure Vnet depending upon your requirement.

    Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing. If you don't configure forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from the Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.

    Forced tunneling must be associated with a VNet that has a route-based VPN gateway. Your forced tunneling configuration will override the default route for any subnet in its VNet.

    With a split tunneling type you can redirect all the traffic for specific subnets directly to on-premises, instead of other subnets that continue to have direct internet access without redirection.

    This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while continuing to enable your multi-tier service architecture required.

    If there are no Internet-facing workloads in your virtual networks, you also can apply forced tunneling to the entire virtual networks.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm

    Forced tunneling in Azure is configured using virtual network custom user-defined routes. Redirecting traffic to an on-premises site is expressed as a Default Route to the Azure VPN gateway.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#user-defined

    You need to create a route table and add a route with the below values and assign it to the Azure VM subnet whose traffic needs to be redirected to your on-premises:

    • Destination address prefix: 0.0.0.0/0
    • Next hop type: Virtual network gateway

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table#create-a-route-table

    Then you need to configure your on-premise router/firewall to handle this traffic as per your requirement. You can either block it or allow it to the Internet.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
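
Added example (not part of the answer above or of Microsoft's documentation): once the route table is associated with the subnet, the VM NIC's effective routes show whether Internet-bound traffic now follows the tunnel. This Python check evaluates that JSON with longest-prefix matching; the sample data and probe addresses are constructed, and the field names assume the output shape of `az network nic show-effective-route-table`.

```python
import ipaddress
import json

# Constructed sample shaped like the JSON printed by
# `az network nic show-effective-route-table` (not output from a real system).
SAMPLE = json.loads("""
{"value": [
 {"source": "Default", "state": "Active", "addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal", "nextHopIpAddress": []},
 {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["192.168.0.0/24"], "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.1.255.4"]},
 {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "nextHopIpAddress": []},
 {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": []}
]}
""")

# When prefixes tie, Azure prefers user-defined routes, then BGP, then system routes.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def next_hop_for(routes, dest_ip):
    """Return the nextHopType Azure would use for dest_ip (longest prefix wins)."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes["value"]:
        if route.get("state") != "Active":
            continue  # overridden routes are reported as Invalid
        for prefix in route.get("addressPrefix", []):
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version != ip.version or ip not in net:
                continue
            key = (-net.prefixlen, SOURCE_RANK.get(route.get("source"), 3))
            if best is None or key < best[0]:
                best = (key, route["nextHopType"])
    return best[1] if best else "None"


def internet_leaks(routes, probes):
    """List probe addresses whose traffic would not go via the VPN gateway."""
    return [p for p in probes if next_hop_for(routes, p) != "VirtualNetworkGateway"]


if __name__ == "__main__":
    # Constructed documentation-range addresses standing in for Internet destinations.
    print(internet_leaks(SAMPLE, ["203.0.113.10", "198.51.100.7"]))
```

An empty list means every probed destination is routed to the virtual network gateway; any address returned would still leave directly from Azure.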