Hi,
I understand this question might have been asked many times, but I am in a situation where I need some clarity.
I have a hybrid model, where on-prem needs to connect to the Azure workloads (in spoke VNets). In the hub VNet a 3rd-party firewall is implemented, and all spoke VNets are peered with the hub, with a UDR that always points the traffic towards the firewall in the hub.
The connection between Azure and on-prem is via site-to-site VPN (using azure vpn-gw).
Requirements (due to regulations and compliance):
1- All Internet traffic must be redirected from Azure to on-prem (force tunneling).
2- No Internet access is allowed on Azure (no public IP except the one for the VPN GW).
3- Bastion service for the users on-prem to access their workloads on Azure (as a jump server).
I was looking into the above requirements, and my doubt is regarding the Bastion service: will it work without having a public IP? Also, will it work with the UDR and force tunneling?
In case the Bastion service will not work, will a jump server work with this setup (by having all the ingress and egress traffic pass through the NVA, i.e. the 3rd-party firewall)?
Thank you