Controlling peer-to-peer traffic in Azure VPN Gateway (or the Gateway Subnet itself)

Question

Controlling peer-to-peer traffic in Azure VPN Gateway (or the Gateway Subnet itself)

Antti Keskinen 40

I am planning to use an Azure VPN Gateway in an Azure Virtual Network to allow secure communication between devices. The overall architecture has several client devices which open a point-to-site connection to the same Azure VPN Gateway. I then have a "maintenance PC" which also opens a point-to-site connection to this Azure VPN Gateway, and I want to be able to reach the SSH servers that're running on these individual clients, and are listening on the virtual adapter that's created when the VPN connection is established.

I am planning to use VpnGw1 tier, and the OpenVPN tunnel type.

There are few questions related to this:

Does Azure VPN Gateway, out-of-the-box, prohibit this kind of peer-to-peer traffic?
If it does not then what means or methods do I have to control who can connect and where within the VPN network itself?
1. Azure documentation suggests that Network Security Groups should not be used in the Gateway Subnet so as to allow correct operation of the virtual machines that run the VPN Gateway
  1. What I want to achieve is only allow the "maintenance PC" to connect to the the SSH servers, and prohibit e.g. "SSH hopping" from one device to another
    1. Using iptables rules on the devices themselves is an option but I doubt that the "maintenance PC" will always get the same "virtual IP" inside the VPN; if this IP changes then the rules will also stop working
In Azure VPN Gateway is it possible to enforce that specific clients will always get a specific "virtual IP" address inside the VPN, or an address from a specific address block?

Accepted answer

0 additional answers

Your answer

Answer 1

KapilAnanth-MSFT 49,611 Microsoft Employee Moderator

@Antti Keskinen

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to know if we can filter peer-to-peer traffic within network via VPN Gateway.

I take it that you would like to use the "maintenance PC" to SSH to other remotely connected P2S devices - please let me know if my understanding is incorrect.

I am afraid this won't be possible, as you mentioned,

NSGs on GatewaySubnet is not supported
The IPs assigned to the remote P2S Clients are not fixed.
- There is an idea for this in Azure Feedback hub, you can add your comments:
  https://feedback.azure.com/d365community/idea/639028dd-8926-ec11-b6e6-000d3a4f0789

The only workaround I can think of is leveraging SSH Key pairs and providing access only to "maintenance PC" from other remote devices.

Cheers,

Kapil

Antti Keskinen 40 Reputation points

2023-12-26T09:32:21.64+00:00

@KapilAnanth-MSFT

Thanks for the comment. Your understanding is correct: we wish to limit that only the "maintenace PC" is able to open an SSH connection through the VPN Gateway to the remote devices in the other end.

When you say we should leverage key pairs do you mean that when we generate the client certificates for "maintenance PC" (for use with the VPN Gateway) then we should export the public portion (without the private bits), and install this public certificate to the remote devices' ".ssh/authorized_keys" file?

As I understand it this would allow the "maintenance PC" to use its certificate pair in two distinct ways: authenticating itself to the VPN Gateway to open the VPN tunnel, and authenticating itself to the SSH server on the remote device.

Is this understanding correct?

One scenario came to my mind, and that is using either multiple private IP address ranges in a single VPN Gateway instance (if they support such behavior) or alternatively using multiple VPN Gateway instances with distinct private IP address ranges in the same GatewaySubnet. Obviously in order for the multiple VPN Gateway instances approach to work then something specific is needed in order for traffic to be routed correctly. The traffic from the "maintenance PC" would first enter the VPN tunnel, then it would exit in the GatewaySubnet, then enter the second VPN, and finally exit at the remote device.

The question here is, what IP address will be presented to the remote device in this scenario? Will it use an address from the address pool of the first VPN Gateway? Or will it use an address from the GatewaySubnet? Or will it use an address from the address pool of the second VPN Gateway?

Unfortunately the specifics of how address translation and NAT works in the VPN Gateways is not very clearly documented in Azure.
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-12-27T05:35:37.91+00:00
@Antti Keskinen

Thanks for your question.

When you say we should leverage key pairs do you mean that when we generate the client certificates for "maintenance PC" (for use with the VPN Gateway) then we should export the public portion (without the private bits), and install this public certificate to the remote devices' ".ssh/authorized_keys" file?

This is partially correct.

The certificate created for P2S VPN Gateway authentication and the SSH keys are not related.

What I meant is you create an SSH Key pair and distribute the Public Key to ".ssh/authorized_keys" of all other remote devices and use the Private Key to the "maintenance PC"

This way, only "maintenance PC" can login to other remote devices.

While all the connected devices might be able to ping each other, only "maintenance PC" will be allowed to login.

The solution I suggested does not include an Azure product at all (and hence not to be confused with Azure VPN Gateway certificates)

Wrt,

1.using multiple VPN Gateway instances each with distinct P2S private IP address ranges in the same GatewaySubnet.

Unfortunately, a GatewaySubnet can only have one VPN Gateway in it.

So "multiple VPN Gateway instances" is not feasible.

2.multiple P2S private IP address ranges in a single VPN Gateway instance

A P2S Gateway can have only one address pool.

This features are available in Azure vWAN : User groups and IP address pools for P2S User VPNs.

However, this would require you to re-architect your environment to accommodate vWAN.

Cheers,

Kapil
Antti Keskinen 40 Reputation points

2023-12-27T19:12:19.4566667+00:00

According to the discussions in the comments there is no way to achieve these in the VPN Gateway resource itself.

Any limitation of connectivity must be done by configuring the SSH servers and the clients connecting to them correctly e.g. by using client-specific certificates.

Credits go to @KapilAnanth-MSFT
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2023-12-28T03:48:49.32+00:00

@Antti Keskinen

Yes.

The ask can be achieved by using a vWAN with P2S Gateway : User groups and IP address pools for P2S User VPNs.

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I have converted our comments and posted it as a new answer in case you'd like to "Accept" the answer.

Thank you again for your time and patience throughout this issue.

Cheers,

Kapil.
Antti Keskinen 40 Reputation points

2023-12-28T06:31:47.4866667+00:00

Thank you. I converted my answer to a comment so it doesn't cause clutter.

Share via

Controlling peer-to-peer traffic in Azure VPN Gateway (or the Gateway Subnet itself)

0 additional answers

Your answer