Specific route to a public IP through P2S VPN

Eric Maussion 26 Reputation points
2023-07-19T10:28:47.9766667+00:00

Hello,

I've been unexpectedly stuck with this issue. The goal is to make sure that coworkers can reach a specific public IP 1.2.3.4 (some public website) through their P2S VPN connection to Azure (using the VPN gateway public IP or a NAT IP) instead of their local public IP (office, home...).

Side note: I do not want to enable force tunneling.

What we have:

  • An Azure VPN gateway with working P2S. The gateway subnet is 10.11.255.0/27, the VPN gateway public IP is 20.1.1.1
  • A custom route advertised on the P2S tunnel, advertising 1.2.3.4/32. The route is correctly propagated to connected clients.
  • A route table attached to the gateway subnet that includes a route to 1.2.3.4 -> Internet (that should not be necessary as the default route for a VN is internet...)

Unfortunately, clients connected to the P2S cannot reach 1.2.3.4 (using ping, curl, traceroute). Traceroute output tells me the packet is stuck at the VPN gateway. What am I missing?

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,309 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,025 questions
0 comments No comments
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 45,406 Reputation points Microsoft Employee
    2023-07-19T12:06:10.6733333+00:00

    Hello @Eric Maussion ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to configure your Point to site VPN in a way that your coworkers can reach a specific public IP 1.2.3.4 through their P2S VPN connection (using the VPN gateway public IP or a NAT IP) instead of their local ISP public IP.

    Azure Point to Site VPN do not have a Public IP. Only the VPN gateway has a Public IP which is used for Site to Site VPN connections. Point to Site VPN make use of the configured address pool to allocate an IP address to the connected VPN client or local machine and this is a private IP. So, the Public IP of the clients still remains the ISP Public IP.

    To route all the P2S traffic through Azure Vnet and give them a common public IP address instead of their own ISP Public IP Address, you can enable forced tunneling for your P2S clients. --> Which you don't want to do.

    Please note that:

    Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    Hence, you need to introduce another resource such as Azure Firewall or a NVA (Network Virtual Appliance) which can take care of the Internet connectivity.

    But there is another limitation on the traditional VPN gateway (when I say traditional VPN gateway, I mean a VPN gateway without vWAN solution, which is deployed directly into a Vnet) as below:

    Traditional VPN gateways do not have the EnableInternetSecurity flag option. This flag is needed and must be set to true for your clients to be properly configured for forced-tunneling/accessing Internet via the P2S VPN gateway.

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/set-azvirtualnetworkgateway?view=azps-10.1.0

    The P2S VPN gateway under Virtual Hub has this option.

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/update-azp2svpngateway?view=azps-10.1.0

    NOTE: The setup that you currently have with custom routes and UDR will not work, because like I mentioned above, Internet connectivity is not provided through the traditional VPN gateway. As a result, all traffic bound for the Internet is dropped at the gateway itself.

    So, in order to reach the Internet via Azure P2S VPN gateway, you need to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

    Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    You can advertise the 0.0.0.0/0 route or any custom route to your VPN clients and secure Internet traffic via Azure Firewall (Firewall Manager). This makes your clients send the Internet bound traffic to Azure for inspection. Then, Firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.

    To do this, you need to setup an Azure Firewall & then configure a Policy to allow P2S traffic to Internet.

    You can also use a NVA instead of Azure Firewall as per your requirement.

    To advertise custom route to your VPN clients, refer:

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

    You can also add the route directly in your downloaded azurevpnconfig.xml file as below:

    <clientconfig>  
    <includeroutes>      
    <route>          
    <destination>1.2.3.4</destination><mask>32</mask>      
    </route>  
    </includeroutes> 
    </clientconfig>
    

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-routes

    You can refer the below doc which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN and take inputs on the configuration:

    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Another reference for you:

    https://learn.microsoft.com/en-us/answers/questions/589858/index.html

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful