Hello @Donapati Ravindra Kumar Reddy ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you are trying to set up an Azure VPN Gateway to connect to another company's network located in AWS using a Checkpoint VPN manager, and the remote connection is policy-based. However, Azure has removed policy-based VPN from the GUI setup and indicates that you can create a route-based gateway that will make a policy-based connection using traffic selectors, but you are not sure how to specify the traffic selectors.
So, there are 2 points to this question which I'm answering below:
Azure has removed policy-based VPN from the GUI setup:
We're taking action to ensure the continued operation of deployed VPN gateways that utilize Basic SKU public IP addresses. If you already have VPN gateways with Basic SKU public IP addresses, there is no need for you to take any action.
However, it's important to note that Basic SKU public IP addresses are being phased out. We highly recommend using Standard SKU public IP addresses when creating new VPN gateways. Further details on the retirement of Basic SKU public IP addresses can be found here.
Even though the Basic SKU VPN gateway isn't available in the portal, you can still create a Basic SKU VPN gateway using Azure CLI or PowerShell.
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#vpn-basic
To create a Basic SKU VPN gateway using Azure PowerShell, you can refer to the article below:
https://github.com/MicrosoftDocs/azure-docs/issues/114852
How to create a route-based gateway that will make a policy-based connection using traffic selectors?
To make a policy-based VPN connection using a route-based VPN gateway, configure the route-based VPN gateway to use prefix-based traffic selectors with the option "PolicyBasedTrafficSelectors".
Traffic selectors can be defined via the trafficSelectorPolicies attribute on a connection via the New-AzIpsecTrafficSelectorPolicy PowerShell command. For the specified traffic selector to take effect, ensure the Use Policy Based Traffic Selectors option is enabled.
The custom configured traffic selectors will be proposed only when an Azure VPN gateway initiates the connection. A VPN gateway accepts any traffic selectors proposed by a remote gateway (on-premises VPN device). This behavior is consistent between all connection modes (Default, InitiatorOnly, and ResponderOnly).
https://learn.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto
The workflow to enable this connectivity:
- Create the virtual network, VPN gateway, and local network gateway for your cross-premises connection.
- Create an IPsec/IKE policy.
- Apply the policy when you create an S2S connection and enable the policy-based traffic selectors on the connection.
To create Route-based VPN gateway: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-create-gateway-portal
If you want to enable Azure VPN gateway to connect to policy-based on-premises VPN devices, you can select Enable for the Use policy-based traffic selectors option.
'UsePolicyBasedTrafficSelectors' is an optional parameter on the connection. If you set UsePolicyBasedTrafficSelectors to $True on a connection, it will configure the Azure VPN gateway to connect to a policy-based VPN firewall on-premises. If you enable PolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any.
For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16
To create an IPsec/IKE policy and apply it: https://learn.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto#step-3-configure-a-custom-ipsecike-policy-on-the-s2s-vpn-connection
To define traffic selectors on an Azure S2S VPN connection, you can use the New-AzIpsecTrafficSelectorPolicy PowerShell command as below:

# Uses the example prefixes from above: LocalAddressRange is the Azure virtual network side,
# RemoteAddressRange is the on-premises (local network gateway) side.
$trafficSelectorPolicy = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange ("192.168.0.0/16", "172.16.0.0/16") -RemoteAddressRange ("10.1.0.0/16", "10.2.0.0/16")

NOTE: For the specified traffic selector to take effect, ensure the Use Policy Based Traffic Selectors option is enabled.
Checkpoint VPN device doc: https://support.checkpoint.com/results/sk/sk101275
Kindly let us know if the above helps or you need further assistance on this issue.
Please "upvote" if the information helped you. This will help us and others in the community as well.
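The workflow described in the answer above (custom IPsec/IKE policy, prefix-based traffic selectors, S2S connection with policy-based selectors enabled, and a check that the setting actually took effect), as an added PowerShell example that is not part of the answer or of Microsoft's documentation. It assumes the route-based VPN gateway and the local network gateway already exist, that the Az.Network module is installed and the session is signed in, and that the resource names, region, algorithm choices and shared-key placeholder below are yours to replace; the cmdlet parameters and property names are those of Az.Network as I know them, and the prefixes are the answer's own example values.

```powershell
# Added example, not code from the Q&A answer or Microsoft docs.
# Assumes: Az.Network installed, Connect-AzAccount already done, and that the
# route-based VPN gateway and local network gateway below already exist.

$RG        = "rg-vpn-example"                # assumed resource group name
$Location  = "eastus"                        # assumed region
$GwName    = "vnetgw-example"                # assumed route-based VPN gateway name
$LngName   = "lng-aws-checkpoint"            # assumed local network gateway name
$ConnName  = "conn-to-aws"                   # assumed connection name
$SharedKey = "<REPLACE-WITH-PRESHARED-KEY>"  # placeholder; keep the real PSK out of scripts

# Prefixes taken from the answer's worked example.
$VnetPrefixes   = @("192.168.0.0/16", "172.16.0.0/16")  # Azure side ("local" from Azure's view)
$OnPremPrefixes = @("10.1.0.0/16", "10.2.0.0/16")       # Checkpoint side ("remote")

# Step 1: the gateway and local network gateway are assumed to exist; look them up.
$gw  = Get-AzVirtualNetworkGateway -Name $GwName  -ResourceGroupName $RG
$lng = Get-AzLocalNetworkGateway   -Name $LngName -ResourceGroupName $RG

# Step 2: a custom IPsec/IKE policy. The algorithm choices here are an assumption
# and must match what the Checkpoint gateway is configured to accept.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# Step 3a: prefix-based traffic selectors. One policy carries both sides' prefixes;
# Azure proposes every local/remote pair when it initiates the tunnel.
$trafficSelectorPolicy = New-AzIpsecTrafficSelectorPolicy `
    -LocalAddressRange $VnetPrefixes -RemoteAddressRange $OnPremPrefixes

# Step 3b: create the S2S connection with the policy applied and
# policy-based traffic selectors enabled (without $True the selectors are ignored).
$conn = New-AzVirtualNetworkGatewayConnection -Name $ConnName -ResourceGroupName $RG `
    -Location $Location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $SharedKey `
    -IpsecPolicies $ipsecPolicy `
    -UsePolicyBasedTrafficSelectors $True `
    -TrafficSelectorPolicy $trafficSelectorPolicy

# Verify the setting landed on the connection; the selectors only take effect
# when UsePolicyBasedTrafficSelectors is true.
$check = Get-AzVirtualNetworkGatewayConnection -Name $ConnName -ResourceGroupName $RG
if (-not $check.UsePolicyBasedTrafficSelectors) {
    Write-Warning "Policy-based traffic selectors are NOT enabled on $ConnName"
}
$check.TrafficSelectorPolicies | Format-List LocalAddressRanges, RemoteAddressRanges

# List every on-prem/VNet pair the Checkpoint administrator must define on
# their side (all combinations, never any-to-any), to compare against their config.
function Get-ExpectedSelectorPairs {
    param([string[]]$OnPrem, [string[]]$Vnet)
    foreach ($o in $OnPrem) {
        foreach ($v in $Vnet) { "$o <====> $v" }
    }
}
Get-ExpectedSelectorPairs -OnPrem $OnPremPrefixes -Vnet $VnetPrefixes
```

For a connection that already exists, the same two settings can be applied with Set-AzVirtualNetworkGatewayConnection using -UsePolicyBasedTrafficSelectors $True and -TrafficSelectorPolicy; in either case re-run the Get-AzVirtualNetworkGatewayConnection check afterwards, since a mismatch between the pairs printed by Get-ExpectedSelectorPairs and the selectors on the Checkpoint side is the usual reason a policy-based tunnel negotiates but passes no traffic.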