Need a solution to divert a particular IP range from a particular site in an S2S connection to deliver all traffic to a path to access the internet

Sayan Mallick 0 Reputation points
2024-11-06T05:24:21.22+00:00

We have a Virtual Machine (10.0.0.6) in Azure (on Linux OS) running a particular application with internet connectivity through the default route 0.0.0.0/0 via internet.

The Virtual Machine (10.0.0.6) is connected to two on-prem sites, say S1 & S2, via Site-to-Site VPN.

We want all traffic from S1 to use the default route 0.0.0.0/0 via internet in the VM (10.0.0.6) to reach the internet.

But all traffic from S2 shouldn't use the default route 0.0.0.0/0 via internet in the VM; instead we want it to use the customer's own network (say S3) to reach the internet.

What solution can be implemented to achieve this?

  1. KapilAnanth-MSFT 49,521 Reputation points Microsoft Employee Moderator
    2024-11-06T11:27:25.8366667+00:00

    @Sayan Mallick ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    From your verbatim,

    • You have two on-prem sites connected to a VPN Gateway, S1 and S2
    • You would like to forward 0.0.0.0/0 traffic to Azure via VPN Gateway for both the sites S1 and S2
    • For S1, you would like to forward the traffic to an NVA (10.0.0.6) in the Azure VNET
    • For S2, you would like to forward the traffic to a different site, say S3

    Observation,

    • I am afraid neither of the above is possible with traditional VPN Gateway
    • You have to use Virtual WAN with a combination of Forced tunneling and custom routing via NVA to match your requirement
      • Even with this, I doubt you will be able to achieve the requirement
    • With a traditional S2S, you cannot advertise 0.0.0.0/0 to the Sites S1 and S2, and hence, internet traffic will not reach the VPN Gateway from S1 or S2.

    With vWAN,

    • Only the destination IP is used to configure the nextHop
      • i.e., when 0.0.0.0/0 is destination, we can define the nextHop
      • But with S1 or S2's address space as source, we cannot define anything for the traffic.

    With that said,

    • Assume all the 3 sites, S1, S2 and S3 are connected to the vWAN VPN Gateway
    • First, advertise 0.0.0.0 routes from S3 - this is called Forced Tunneling
      • Now, only for the site S2, enable the flag as mentioned above.
      • This will make sure S2 learns 0.0.0.0/0 and nextHop is S3
      • Your requirement 2 is met here.
    • Since you don't want Azure and S1's traffic to be going to S3,
      • Simply, do not enable the flag
      • Use Custom Routing to route 0.0.0.0/0 to the NVA by attaching a Route Table to the Branch Connection
      • Follow the configuration steps in Alternate workflow

    I understand this is complex, but so is the requirement.

    You have to use Azure VWAN, if you want to meet both the requirements.

    Cheers,

    Kapil

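Below is an added Bicep sketch of the vWAN layout the answer outlines (forced tunneling from S3 into defaultRouteTable, a custom route table that sends S1's 0.0.0.0/0 to the NVA spoke, and the per-connection internet-security flag); it is not the asker's deployment or anything from the answer. It assumes an existing hub `vhub1`, VPN gateway `vpngw1`, a spoke VNet holding the NVA at 10.0.0.6, and VPN sites for S1 and S2 that each have one link named `link1`. One point where it goes beyond the answer: the flag is assumed to be required on S1's connection too, since it gates whether any 0.0.0.0/0 in the associated route table is advertised to a site; S1 still does not see S3's route because that route only exists in defaultRouteTable. Treat that as an assumption to verify against the vWAN routing documentation.

```bicep
// Added sketch of the vWAN layout the answer outlines; assumed names, not the asker's deployment.
param nvaVnetId string   // spoke VNet that holds the NVA 10.0.0.6
param siteS1Id string    // VPN site resources for S1 and S2 (each assumed to have one link 'link1')
param siteS2Id string
@secure()
param sharedKey string
resource hub 'Microsoft.Network/virtualHubs@2023-05-01' existing = { name: 'vhub1' }
resource defaultRt 'Microsoft.Network/virtualHubs/hubRouteTables@2023-05-01' existing = {
  parent: hub
  name: 'defaultRouteTable'   // S3's BGP-advertised 0.0.0.0/0 lands here (forced tunneling)
}
// NVA spoke: the static route makes the hub deliver 0.0.0.0/0 traffic sent to this connection to 10.0.0.6.
// Internet security stays off so S3's default route is not pushed into the VNet; the VM keeps its own 0.0.0.0/0.
resource nvaConn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-05-01' = {
  parent: hub
  name: 'conn-nva-vnet'
  properties: {
    remoteVirtualNetwork: { id: nvaVnetId }
    enableInternetSecurity: false
    routingConfiguration: {
      associatedRouteTable: { id: defaultRt.id }
      propagatedRouteTables: { ids: [ { id: defaultRt.id } ] }
      vnetRoutes: { staticRoutes: [ { name: 'to-nva', addressPrefixes: [ '0.0.0.0/0' ], nextHopIpAddress: '10.0.0.6' } ] }
    }
  }
}
// Custom route table used only by S1: 0.0.0.0/0 -> the NVA spoke connection (the answer's "Custom Routing").
resource rtS1 'Microsoft.Network/virtualHubs/hubRouteTables@2023-05-01' = {
  parent: hub
  name: 'rt-s1-via-nva'
  properties: {
    routes: [ { name: 'default-via-nva', destinationType: 'CIDR', destinations: [ '0.0.0.0/0' ], nextHopType: 'ResourceId', nextHop: nvaConn.id } ]
  }
}
// S1 is associated with the custom table, S2 with defaultRouteTable (where S3's default route lives).
// Assumption: the flag is set on both, because it gates advertising any 0.0.0.0/0 from the associated table.
var sites = [
  { name: 'conn-s1', id: siteS1Id, rt: rtS1.id }
  { name: 'conn-s2', id: siteS2Id, rt: defaultRt.id }
]
@batchSize(1)   // connections on one gateway are created one at a time
resource conns 'Microsoft.Network/vpnGateways/vpnConnections@2023-05-01' = [for site in sites: {
  name: 'vpngw1/${site.name}'
  properties: {
    remoteVpnSite: { id: site.id }
    enableInternetSecurity: true
    vpnLinkConnections: [ { name: 'link1', properties: { vpnSiteLink: { id: '${site.id}/vpnSiteLinks/link1' }, enableBgp: true, sharedKey: sharedKey } } ]
    routingConfiguration: { associatedRouteTable: { id: site.rt }, propagatedRouteTables: { ids: [ { id: defaultRt.id } ] } }
  }
}]
```

After deployment, the effective routes on each connection (Azure portal, hub "Effective Routes", or `az network vhub get-effective-routes`) should show 0.0.0.0/0 with next hop the NVA VNet connection for S1 and the S3 site for S2, and no 0.0.0.0/0 from the hub on the NVA VNet connection.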