Routing s2s traffic to Azure internet

Question

Routing s2s traffic to Azure internet

Richard Peacock 0

Hello Im trying to organize how we will structure our Azure environment and need some pointers, please.

We currently have Azure setup with Meraki firewalls joining our sites but appears we can't achieve what we need to as Meraki vmx cant route the inbound vpn traffic to the internet.

We have a new requirement that requires devices outside of Azure to route all traffic to Azure via vpn. The devices need to reach the internet and additionally for devices in azure to talk with devices outside of azure.

Basic diagram included.

Does the diagram achieve the below requirements? is there a simpler cheaper way without Azure Firewall

Requirements:

*Devices A in the image needs to connect to the internet via the site-to-site VPN to Azure (no split tunneling)

*Devices A will look to DNS server in Azure for Resolution

*Device B needs to be able to access Devices A

User's image

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-03T06:16:42.7733333+00:00
@Richard Peacock

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to route all internet traffic to Azure via S2S Connection for inspection.

I am afraid this will not be feasible with Azure VPN Gateway.

You will need Azure vWAN to achieve forced tunneling internet traffic from OnPrem towards Azure.

What's the Problem with traditional VPN gateway:

Please note that:

Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

How can this be achieved?:

You would require a

Azure vWAN

and Azure secured vHub (Azure Firewall or any such NVA)

In order to reach the Internet via Azure, you need to deploy a secured virtual hub with Azure firewall manager and use Internet Routing Policy (advertise 0.0.0.0/0 to your OnPrem site)

Refer:

Azure Firewall as NVA : https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

Internet Routing Policy : https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#background

Prefix advertisement to on-premises : https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#prefixadvertisments

Make sure Propagate default route or Enable internet security flag is set to true on the connection

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-04T11:23:53.5633333+00:00

@Richard Peacock

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Richard Peacock 0 Reputation points

2023-08-04T12:20:26.6066667+00:00

Hi Kapil Thank you for your response we will shortly try the suggestion in the next week and let you know if it was a success. Thanks.
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-08T05:17:51.9333333+00:00

Hi @Richard Peacock

Reaching out to check if you were able to test the configuration?

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-11T04:30:16.95+00:00

@Richard Peacock

I have summarized my comments and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

1 answer

Your answer

KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-03T06:16:42.7733333+00:00

@Richard Peacock

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to route all internet traffic to Azure via S2S Connection for inspection.

I am afraid this will not be feasible with Azure VPN Gateway.

You will need Azure vWAN to achieve forced tunneling internet traffic from OnPrem towards Azure.

What's the Problem with traditional VPN gateway:

Please note that:

Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

How can this be achieved?:

You would require a

Azure vWAN

and Azure secured vHub (Azure Firewall or any such NVA)

In order to reach the Internet via Azure, you need to deploy a secured virtual hub with Azure firewall manager and use Internet Routing Policy (advertise 0.0.0.0/0 to your OnPrem site)

Refer:

Azure Firewall as NVA : https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

Internet Routing Policy : https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#background

Prefix advertisement to on-premises : https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#prefixadvertisments

Make sure Propagate default route or Enable internet security flag is set to true on the connection

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-04T11:23:53.5633333+00:00

@Richard Peacock

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Richard Peacock 0 Reputation points

2023-08-04T12:20:26.6066667+00:00

Hi Kapil Thank you for your response we will shortly try the suggestion in the next week and let you know if it was a success. Thanks.
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-08T05:17:51.9333333+00:00

Hi @Richard Peacock

Reaching out to check if you were able to test the configuration?

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-08-11T04:30:16.95+00:00

@Richard Peacock

I have summarized my comments and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

Answer 1

@Richard Peacock

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to route all internet traffic to Azure via S2S Connection for inspection.

I am afraid this will not be feasible with Azure VPN Gateway.

You will need Azure vWAN to achieve forced tunneling internet traffic from OnPrem towards Azure.

What's the Problem with traditional VPN gateway:

Please note that:

Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

How can this be achieved?:

You would require a

Azure vWAN
and Azure secured vHub (Azure Firewall or any such NVA)

In order to reach the Internet via Azure, you need to deploy a secured virtual hub with Azure firewall manager and use Internet Routing Policy (advertise 0.0.0.0/0 to your OnPrem site)

Refer:

Azure Firewall as NVA : https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network
Internet Routing Policy : https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#background
Prefix advertisement to on-premises : https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#prefixadvertisments
Make sure Propagate default route or Enable internet security flag is set to true on the connection

Kindly let us know if you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Routing s2s traffic to Azure internet

1 answer

Your answer