Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,389 questions
Route S2S VPN traffic coming into Azure to Internet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 37%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Colin
0
Reputation points
We have a client that (for whatever reason) requires SFTP traffic leaving their LAN to exit through a VPN, but our network security policy does not allow for VPN connections to external networks (aka client networks such as this. Our SFTP site is publicly hosted so any internet connection can reach it.
To appease both parties, I was asked to create our side of the VPN tunnel within an Azure subscription that is not tied to our domain, and have the client SFTP traffic route out of the tunnel, to the internet and our SFTP server, back to the Azure sub, and then finally back over the VPN.
I have created the needed resources for a S2S connection with the client, established the VPN tunnel with them, and can see 'Data in' on the Connection resource, but do not see any 'Data out'. I have also created a route table within the same resource group as all VPN resources and configured routes for traffic through the the VPN with next hop set to 'Internet' and the return traffic with the SFTP device IPs as the destination to next hop to the Virtual Network Gateway.
Am I trying to do something Azure was not designed for/doesn't support? If now, how do I get traffic to route between the VPN tunnel and internet?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 48%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGR%3C/text%3E%3C/svg%3E)
Glen Rego 75 Reputation points Microsoft Employee2024-03-25T22:07:04.26+00:00 Hi Colin,
I appreciate you bringing your question to our attention. I've created a diagram to summarize your current setup, as shown below. Please let me know if there are any details I may have missed.
I have a few follow-up queries:
- How is the SFTP Client Traffic being NATted?
- Were you able to confirm that the traffic has reached the SFTP Server? If so, what is the Public IP address seen by the SFTP server on the Internet?
From what I can gather, it appears that the return traffic might not be returning due to possible asymmetric routing.
-
Colin 0 Reputation points
2024-03-26T14:18:59.16+00:00 Hi Glen,
You're diagram looks correct.
After talking to my network engineer about what I'm trying to accomplish and where I'm getting hung up, he also asked about how the traffic is NATed coming out of the VPN tunnel and I didn't have answer for him. I think I need to setup ingress and egress NAT rules on the Virtual Network Gateway but I need to look into how to do this and get the VPN traffic NATed so it can then be routed. Since it's not currently NATed out of the VPN, it never reaches the SFTP server.
Also think I am missing a public IP interface in the Azure local subnet I created for the traffic to route out to the internet. I'm a little confused as to how to get the VPN traffic from the /27 Gateway subnet to the /24 LAN subnet in my Azure subscription, my route table is associated to both subnets though.
Thanks
-
Colin 0 Reputation points
2024-03-26T14:33:38.88+00:00 Here is a diagram with some more details to hopefully explain what I'm trying to do and where I'm getting hung up.
I think the SFTP device traffic is failing at my Virtual Network Gateway due to lack of NATing, but I am very confused as to how the NAT rules should be configured in my case.
-
Colin 0 Reputation points
2024-03-26T17:42:18.82+00:00 Update: talking to the client, I've discovered they're VPN 'remote network' is set to the SFTP's public IP, not the LAN subnet in my Azure subscription. I'm going to have them switch that and hopefully that gets the VPN traffic to flow into the LAN subnet where I can then route it to the internet (and the SFTP server) via the secondary public NIC.
-
KapilAnanth-MSFT 35,416 Reputation points Microsoft Employee2024-03-29T05:52:16.7733333+00:00 @Colin ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to route internet traffic via S2S Tunnel via Azure.
I am afraid this configuration is not supported.
- A VPN Gateway is not capable to routing internet traffic.
- See here
-
If you are interested in this requirement, you must consider using a Virtual WAN with Hub routing intent and routing policies
Hope this helps.
Cheers,
Kapil
Sign in to comment