P2S Internet Access with ALZ Architecture (vWan)

JC 10

I'm doing a POC learning a bit more about Azure vWAN. The infrastructure is based on the ALZ architecture (with minor adjustments). No ER, just using S2S and P2S VPN (only P2S configured at this stage - OpenVPN w/ AAD + address pools). Have a few spokes peered to the hub and default route is 0.0.0.0/0 - AzFw. The P2S works as expected... connects w/o any errors and I'm able to reach VMs in the spokes. Now for the question (fair warning - I'm very much in the learning stage). I cannot figure out how to allow internet access to specific sites via the P2S VPN. For example, let's say I want to allow users connecting via the P2S to access the Azure Portal. I tried creating IP groups (that parallel the P2S client address pools) and setting up application rules for the portal (using those ip groups and fqdn for the portal)... but I still cannot connect. I'm missing something really basic here, but cannot seem to figure it out. Thanks for any help or guidance you can offer!

1 answer

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-08-21T09:57:48.7233333+00:00

Hello @JC ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know how to allow Internet access via the P2S VPN in your Virtual WAN.

In order to reach the Internet via Azure P2S VPN gateway, you need to configure forced tunneling for your Virtual WAN Point-to-site VPN.

Refer the below doc which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN:

https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

Forced tunneling allows you to send all traffic (including Internet-bound traffic) from remote users to Azure. In Virtual WAN, forced tunneling for Point-to-site VPN remote users signifies that the 0.0.0.0/0 default route is advertised to remote VPN users.

You need to deploy a virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

When you secure internet traffic via Azure Firewall (Firewall Manager), you can advertise the 0.0.0.0/0 route or any custom route to your VPN clients. This makes your clients send the internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the Public IP of Azure Firewall for egress to Internet.

To do this, you need to setup an Azure Firewall & then configure a Policy to allow P2S traffic to Internet. --> Since you already have an Azure Firewall, this will be easy for you.

You also need to make sure the EnableInternetSecurity flag is turned on for your Point-to-site VPN gateway. This flag must be set to true for your clients to be properly configured for forced-tunneling.

And then advertise custom routes to your VPN clients.

Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-routes

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
JC 10 Reputation points

2023-08-21T13:28:26+00:00

Thanks for the quick response @GitaraniSharma-MSFT

Forced tunneling is enabled on the P2S VPN and it's deployed to the vWAN (part of the overall vWAN deployment). The default route 0.0.0.0/0 is advertised, but it seems like SNAT is not working (because I have something misconfigured).

I'm enabling internet security when deploying the P2S infrastructure so that shouldn't be an issue:

And I think I'm creating the firewall policy correctly... Is it sufficient to just create an Application Rule? For the sourceIpGroups I'm just using the IP Group I created that encapsulates the P2S client IP pools and then targeting the portal FQDN via https.

Still no internet access... Thoughts on what I'm screwing up? :-)

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-08-22T10:44:47.4433333+00:00

Hello @JC ,

As mentioned in the forced tunneling doc,

You can use Azure Firewall Manager to configure Virtual WAN to send all internet-bound traffic via Azure Firewall deployed in the Virtual WAN hub.

For configuration steps and a tutorial, see the Azure Firewall Manager documentation Securing virtual hubs.

Alternatively, this can also be configured via using an Internet Traffic Routing Policy. For more information, see Routing Intent and Routing Policies.

I'm not sure which method you are using but sharing a few points below for your reference:

If you are using the secured virtual hub method, then you need to create a Firewall policy with network/application rules to allow any IP address from the VPN client pool to access the required IP addresses/FQDNs.

https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network#create-a-firewall-policy-and-secure-your-hub

https://learn.microsoft.com/en-us/azure/virtual-wan/manage-secure-access-resources-spoke-p2s#-create-rules-to-manage-and-filter-traffic

The source should be your P2S VPN client address pool and then add a required destination. It could be 0.0.0.0/0 (for all Internet) or any specific sites/IP addresses.

For more information, refer: https://learn.microsoft.com/en-us/answers/questions/589858/azure-wan-and-p2s-vpn-forced-tunneling

Associate the policy to your hub:

https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network#associate-policy

Then configure the hub routing to route Internet traffic via Azure Firewall:

https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network#route-traffic-to-your-hub

If you are using the Internet Traffic Routing Policy method, follow the below doc to configure an Internet Traffic Routing Policy:

https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies

Internet Traffic Routing Policy: When an Internet Traffic Routing Policy is configured on a Virtual WAN hub, all branch (Remote User VPN (Point-to-site VPN), Site-to-site VPN, and ExpressRoute) and Virtual Network connections to that Virtual WAN Hub forwards Internet-bound traffic to the Azure Firewall, Third-Party Security provider, Network Virtual Appliance or SaaS solution specified as part of the Routing Policy.

In other words, when an Internet Traffic Routing Policy is configured on a Virtual WAN hub, the Virtual WAN advertises a default (0.0.0.0/0) route to all spokes, Gateways and Network Virtual Appliances (deployed in the hub or spoke).

Kindly let me know if the above helps or you need further assistance on this issue.

Regards,

Gita

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-08-23T10:32:47.32+00:00

Hello @JC ,

Could you please provide an update on this post?

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Gita

JC 10 Reputation points

2023-08-23T12:28:41.1366667+00:00

Thanks @GitaraniSharma-MSFT ... I'll review the config again and try to figure out what I have misconfigured. All the steps above look like exactly what I'm doing (not using the internet traffic routing policy method). Doubt I'll have time to look at this until this weekend, but when I do, I'll definitely follow back up. Thanks for the help!

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-08-28T12:48:06.4933333+00:00

Hello @JC ,

Could you please provide an update on this post?

Were you able to review your configuration? Please let me know if you need further assistance on this issue.

Regards,

Gita

JC 10 Reputation points

2023-08-28T16:02:07.3833333+00:00

Hi @GitaraniSharma-MSFT ... still cross-referencing the info above looking for differences that might be causing the problem. Thanks for checking in... I'll provide an update later today/tonight.

JC 10 Reputation points

2023-08-29T14:59:25.08+00:00

Hi @GitaraniSharma-MSFT ... I'm out of ideas. Cross-referenced everything in the articles above and all looked correct. I even tried using the routing intent and routing policies alternative, but that was a step backwards honestly. At this point, no idea why the P2S is not working.

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-08-30T09:43:34.9866667+00:00

Thank you for the update, @JC .

In such a case, to troubleshoot the exact issue here, we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. So, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need help with a one-time free technical support, I would request you to send an email with subject line "ATTN gishar | P2S Internet Access with ALZ Architecture (vWan)" to AzCommunity[at]Microsoft[dot]com with the following details, I will follow-up with you.

Reference this Q&A thread

Your Azure Subscription ID

Note: Do not share any PII data as a public comment.

We will post a summarized answer once the issue is resolved.

Regards,

Gita

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-09-04T13:15:55.8133333+00:00

Hello @JC , could you please send us an email as requested, so that we can help you with a one-time free technical support and create a support request for further troubleshooting on this issue?

JC 10 Reputation points

2023-09-04T18:57:14.78+00:00

Hi @GitaraniSharma-MSFT ... We have a support plan and I submitted a ticket a few days ago. Seems like every time I respond, someone different from Microsoft responds back with a similar line of questions. Hopefully, we'll eventually reach a resolution (which I'll gladly post here).

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-09-06T13:36:22.24+00:00

Thank you for the update, @JC . Could you please send us the support request number over an email to the email ID commented above with the requested subject line? I can track it from my end, see the progress and provide some inputs, if possible.
Sign in to comment