Azure Bastion in HUB VNET with FG Firewall and forced tunneling towards on-prem with site-to-site VPN (via VPN-GW)

Question

Hi,

I understand this question might be asked many times, but I am in that situation where I need some clairty.

I have a hybrid model , where the on-prem need to connect to the Azure workloads (in spoke VNets), on the HUB VNets a 3rd party Firewall is implemented, and all Spoke VNets are peered with the HUB, with UDR to always poing the traffic towards the Firewall in the HUB.

The connection between Azure and on-prem is via site-to-site VPN (using azure vpn-gw).

requirement (due to regulations and compliance) :

1-all Internet traffic must be re-directed from Azure to On-prem (Force-tunneling).

2-No Internet access is allowed on Azure (no public IP except the one for the VPN-GW)

3-Bastion Services for the users in the on-prem to access their workloads on Azure (as a jump server).

I was looking into the above requirements, and the doubt is regarding the Bastion service, will it work without having a public IP? also will it work with the UDR and force tunneling?

In case the bastion service will not work, will a jump server work with this setup (by having all the ingress and egress traffic passing through the NVA (3rd party Firewall)?

Thank you

Answer 1

Hi @Faisal Jafar , I understand that you must use forced-tunneling internet traffic back to on-prem and you wanted to know whether Azure Bastion will work.

Answer is no, Azure Bastion will not work with forced-tunneling. You need to create a jump host on Azure. As long as you set up your Firewall correctly to do forced-tunneling, a jump host is just another VM in Azure, it will work fine.