Hello @Eric Maussion ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to configure your Point to site VPN in a way that your coworkers can reach a specific public IP 1.2.3.4 through their P2S VPN connection (using the VPN gateway public IP or a NAT IP) instead of their local ISP public IP.
Azure Point to Site VPN do not have a Public IP. Only the VPN gateway has a Public IP which is used for Site to Site VPN connections. Point to Site VPN make use of the configured address pool to allocate an IP address to the connected VPN client or local machine and this is a private IP. So, the Public IP of the clients still remains the ISP Public IP.
To route all the P2S traffic through Azure Vnet and give them a common public IP address instead of their own ISP Public IP Address, you can enable forced tunneling for your P2S clients. --> Which you don't want to do.
Please note that:
Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.
Hence, you need to introduce another resource such as Azure Firewall or a NVA (Network Virtual Appliance) which can take care of the Internet connectivity.
But there is another limitation on the traditional VPN gateway (when I say traditional VPN gateway, I mean a VPN gateway without vWAN solution, which is deployed directly into a Vnet) as below:
Traditional VPN gateways do not have the EnableInternetSecurity flag option. This flag is needed and must be set to true for your clients to be properly configured for forced-tunneling/accessing Internet via the P2S VPN gateway.
The P2S VPN gateway under Virtual Hub has this option.
NOTE: The setup that you currently have with custom routes and UDR will not work, because like I mentioned above, Internet connectivity is not provided through the traditional VPN gateway. As a result, all traffic bound for the Internet is dropped at the gateway itself.
So, in order to reach the Internet via Azure P2S VPN gateway, you need to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.
Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network
You can advertise the 0.0.0.0/0 route or any custom route to your VPN clients and secure Internet traffic via Azure Firewall (Firewall Manager). This makes your clients send the Internet bound traffic to Azure for inspection. Then, Firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.
To do this, you need to setup an Azure Firewall & then configure a Policy to allow P2S traffic to Internet.
You can also use a NVA instead of Azure Firewall as per your requirement.
To advertise custom route to your VPN clients, refer:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes
You can also add the route directly in your downloaded azurevpnconfig.xml file as below:
<clientconfig>
<includeroutes>
<route>
<destination>1.2.3.4</destination><mask>32</mask>
</route>
</includeroutes>
</clientconfig>
You can refer the below doc which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN and take inputs on the configuration:
https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel
Another reference for you:
https://learn.microsoft.com/en-us/answers/questions/589858/index.html
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.