Azure VPN Display Azure External IP on point to site

Nathan Cooke 0 Reputation points
2023-07-25T12:33:06.6266667+00:00

I have a client that has an Azure point-to-site setup.

This setup also has a site-to-site down to an on-prem setup with file shares, and the main infrastructure is based in Azure.

The client has a few pieces of software that are licensed and accessed based off of external IP address. Is there a way to route traffic via the Azure network to display the Azure external IP address so we can have this whitelisted? The client also requires internet connectivity, so doing a full forced tunnel doesn't seem to apply here as they access a fair amount of applications at the same time.

We are not in a place where we could add all of the end users' external home IPs to the whitelist, as these are both dynamic and there are about 50 users that could potentially use the setup.

Currently we have an OpenVPN SSL point-to-site setup for users. This works for accessing shares, but on connection it split-tunnels all traffic via the home router and resolves to the user's home IP address.

Any help is appreciated.


1 answer

KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator
2023-07-26T04:26:25.19+00:00

    @Nathan Cooke

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I am afraid this will not be feasible with a traditional VPN gateway (when I say traditional VPN gateway, I mean a VPN gateway without a vWAN solution, which is deployed directly into a VNet).

    For a Traditional VPN Gateway:

    To route all the P2S traffic through the Azure VNet, you can enable forced tunneling for your P2S clients --> which you don't want to do.

    Please note that:

    Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    Limitation:

    Traditional VPN gateways do not have the EnableInternetSecurity flag option. This flag is needed and must be set to true for your clients to be properly configured for forced tunneling (for accessing the Internet) via the P2S VPN gateway.

    For a vWAN P2S Gateway:

    The P2S VPN gateway under Virtual Hub has this option.

    Configure a vWAN P2S Gateway

    In order to reach the Internet via Azure P2S VPN gateway, you need to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

    You can advertise the 0.0.0.0/0 route or any custom route to your VPN clients and secure Internet traffic via Azure Firewall (Firewall Manager). This makes your clients send the Internet bound traffic to Azure for inspection. Then, Firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.

    To do this, you need to set up an Azure Firewall and then configure a policy to allow P2S traffic to the Internet.

    References:

    The doc below explains how to configure forced tunneling for Virtual WAN point-to-site VPN; take inputs from it for the configuration:

    https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Other Q&A references:

    Please let us know if we can be of any further assistance here.

    Thanks,

    Kapil



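As an added illustration of the vWAN design the answer lays out (this is not code from the question, the answer, or Microsoft's documentation), the Bicep below wires the four pieces together: a firewall policy that only lets the P2S client pool egress on the ports the licensed software needs, an Azure Firewall deployed into the hub (its public IP is the SNAT address the vendors see), a P2S gateway whose connection configuration has `enableInternetSecurity` set, and a hub default route sending `0.0.0.0/0` to the firewall. The resource names, the `192.168.100.0/24` client pool, port 443, and the pre-existing hub and VPN server configuration are all assumptions; substitute your own.

```bicep
// Added example, not from the question or the answer: Bicep for the vWAN
// design the answer describes. Names and the client pool are assumptions;
// the hub and the VPN server configuration are assumed to exist already.
param location string = resourceGroup().location
param hubName string = 'hub-example'            // assumed existing hub
param vpnServerConfigId string                   // assumed existing config ID
param p2sClientPool string = '192.168.100.0/24'  // assumed client address pool

resource hub 'Microsoft.Network/virtualHubs@2023-05-01' existing = { name: hubName }

// Firewall policy: only the P2S pool may egress, and only on the ports the
// licensed applications need (443 here is a placeholder).
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-p2s-egress'
  location: location
  properties: { sku: { tier: 'Standard' } }
}
resource fwRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'p2s-egress'
  properties: {
    priority: 200
    ruleCollections: [ {
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: 'allow-p2s-to-internet'
      priority: 100
      action: { type: 'Allow' }
      rules: [ {
        ruleType: 'NetworkRule'
        name: 'p2s-https-out'
        ipProtocols: [ 'TCP' ]
        sourceAddresses: [ p2sClientPool ]
        destinationAddresses: [ '*' ]
        destinationPorts: [ '443' ]
      } ]
    } ]
  }
}

// Azure Firewall in the hub; its public IP is the SNAT address the vendors see.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'azfw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: fwPolicy.id }
  }
}

// P2S gateway with enableInternetSecurity, the flag the answer says a
// traditional VPN gateway lacks.
resource p2sGateway 'Microsoft.Network/p2sVpnGateways@2023-05-01' = {
  name: 'p2sgw-hub'
  location: location
  properties: {
    virtualHub: { id: hub.id }
    vpnServerConfiguration: { id: vpnServerConfigId }
    vpnGatewayScaleUnit: 1
    p2SConnectionConfigurations: [ {
      name: 'P2SConnectionConfigDefault'
      properties: {
        vpnClientAddressPool: { addressPrefixes: [ p2sClientPool ] }
        enableInternetSecurity: true
        routingConfiguration: {
          associatedRouteTable: { id: '${hub.id}/hubRouteTables/defaultRouteTable' }
          propagatedRouteTables: {
            labels: [ 'default' ]
            ids: [ { id: '${hub.id}/hubRouteTables/defaultRouteTable' } ]
          }
        }
      }
    } ]
  }
}

// Hub default route table entry sending 0.0.0.0/0 to the firewall, so VPN
// client Internet traffic is inspected and SNATed to the firewall's public IP.
resource defaultRoute 'Microsoft.Network/virtualHubs/hubRouteTables@2023-05-01' = {
  parent: hub
  name: 'defaultRouteTable'
  properties: {
    labels: [ 'default' ]
    routes: [ {
      name: 'internet-via-firewall'
      destinationType: 'CIDR'
      destinations: [ '0.0.0.0/0' ]
      nextHopType: 'ResourceId'
      nextHop: firewall.id
    } ]
  }
}

// The address to give the software vendors for their allow-list.
output firewallEgressIp string = firewall.properties.hubIPAddresses.publicIPs.addresses[0].address
```

Two points worth checking after deployment: the `firewallEgressIp` output is the single stable address to hand to the vendors instead of 50 home IPs, and the firewall policy is where that egress stays scoped, so widen `destinationPorts` only to what the licensed applications actually use and keep the rest of the client pool's Internet traffic subject to the same inspection. Since the answer's point is that traditional VPN gateways lack `enableInternetSecurity`, a client whose Internet traffic still shows its home IP after this deployment is the first sign that the 0.0.0.0/0 route is not being pushed to the VPN client profile.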
