VPN Gateway and Firewall

Lam Bui Quang 0 Reputation points
2025-05-25T11:55:11.1033333+00:00

I'm currently using an Azure VPN Gateway with Point-to-Site (P2S) clients and Azure Firewall to control outbound internet traffic from remote users. However, I noticed that I cannot associate a Route Table containing a default route (0.0.0.0/0) to the subnet where the VPN Gateway is deployed. As a result, I’m unable to fully control or inspect the traffic from P2S clients going to the internet via Azure Firewall.

Is there any alternative method or recommended architecture to enforce forced tunneling for P2S clients through Azure Firewall without using Site-to-Site (S2S) or Virtual WAN?

Azure VPN Gateway

2 answers

  1. Sai Prasanna Sinde 6,645 Reputation points Microsoft External Staff Moderator
    2025-05-26T05:39:28.7066667+00:00

    Hi @Lam Bui Quang

    The best recommendation for your suggested scenario is configuring the P2S VPN connection to send all traffic to Azure. Then, use UDRs on your application subnets to route that traffic through the Azure Firewall.  

    • Benefits of Virtual WAN for this Scenario:
      • Simplified Routing: vWAN automates much of the complex routing that would be difficult or impossible with traditional VNets.
      • Centralized Security: Azure Firewall Manager provides a centralized management plane for your security policies across multiple hubs and spokes.
      • Scalability: vWAN is designed for large-scale deployments and offers high scalability for P2S connections.
    • When setting up your P2S VPN configuration, make sure that you advertise the default route (0.0.0.0/0) to the VPN clients. If you use AD authentication, this is often handled by default; if you use certificate or RADIUS authentication, you might need to explicitly configure the routes to be advertised. For IKEv2 and OpenVPN protocols, you can advertise 0.0.0.0/0.
    • Deploy Azure Firewall in a dedicated subnet (AzureFirewallSubnet) within a hub VNet. Your P2S VPN Gateway would also reside in this hub VNet (GatewaySubnet), and if you have workloads in the same VNet or peered VNets, they will be considered spoke VNets.
    • Create a Route Table, add a route with the address prefix 0.0.0.0/0, and set the Next hop type to Virtual appliance. Set the Next hop address to the private IP address of your Azure Firewall and associate this Route Table with all the subnets where your P2S clients will be accessing resources and from which you want to filter outbound internet traffic. Please make sure you don't associate this route table with the GatewaySubnet or AzureFirewallSubnet. Please refer to the document.
    • Create appropriate Network rules and Application rules on your Azure Firewall to allow or deny traffic from the P2S client IP address pool to the internet or other network destinations.

    Your feedback is important so please take a moment to click 'Accept answer'.

    If you still have questions, please let us know what is needed in the comments so the question can be answered.

    Thank you for helping to improve Microsoft Q&A!


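As an added example (not code from the answer above, from the asker, or from Microsoft), the Bicep template below lays out the hub the answer describes: a VNet whose GatewaySubnet and AzureFirewallSubnet carry no route table, a workload subnet that does, a route table sending 0.0.0.0/0 to the firewall's private IP, a firewall network rule scoped to the P2S client pool, and a P2S gateway that advertises 0.0.0.0/0 to clients through `customRoutes`. Every resource name, address range and the "TCP 443 only" policy are assumptions; the root certificate public data is a parameter supplied at deploy time.

```bicep
// Added example with hypothetical names and ranges; not code from the answer or from Microsoft.
param location string = resourceGroup().location
param p2sClientPool string = '172.16.0.0/24'   // assumed P2S client address pool
param rootCertPublicData string                // base64 public data of the P2S root certificate

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'hub-vnet'
  location: location
  properties: { addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] } }
}
// The two reserved subnets: neither one gets a route table attached.
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: hubVnet
  name: 'GatewaySubnet'
  properties: { addressPrefix: '10.0.0.0/27' }
}
resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: hubVnet
  name: 'AzureFirewallSubnet'
  properties: { addressPrefix: '10.0.1.0/26' }
  dependsOn: [ gatewaySubnet ]   // subnet writes on one VNet must not overlap
}
// One Standard static public IP each: index 0 for the firewall, index 1 for the gateway.
resource pips 'Microsoft.Network/publicIPAddresses@2023-09-01' = [for n in [ 'azfw-pip', 'vpngw-pip' ]: {
  name: n
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}]
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'hub-azfw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: { subnet: { id: firewallSubnet.id }, publicIPAddress: { id: pips[0].id } }
      }
    ]
    // Assumed policy: the P2S pool may reach the internet on TCP 443 only;
    // anything else that reaches the firewall is dropped by the implicit deny.
    networkRuleCollections: [
      {
        name: 'p2s-outbound'
        properties: {
          priority: 100
          action: { type: 'Allow' }
          rules: [ { name: 'p2s-https', protocols: [ 'TCP' ], sourceAddresses: [ p2sClientPool ], destinationAddresses: [ '*' ], destinationPorts: [ '443' ] } ]
        }
      }
    ]
  }
}
// 0.0.0.0/0 -> firewall private IP, attached to workload subnets only. Gateway route
// propagation is left at its default (enabled) so the more specific P2S pool route
// keeps return traffic to clients going back through the VPN gateway.
resource toFirewall 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-default-to-azfw'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-azfw'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: hubVnet
  name: 'workload-subnet'
  properties: { addressPrefix: '10.0.2.0/24', routeTable: { id: toFirewall.id } }
}
// P2S gateway advertising 0.0.0.0/0 via customRoutes so clients send all traffic into Azure.
resource vpnGw 'Microsoft.Network/virtualNetworkGateways@2023-09-01' = {
  name: 'hub-vpngw'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    ipConfigurations: [
      {
        name: 'gw-ipconfig'
        properties: { subnet: { id: gatewaySubnet.id }, publicIPAddress: { id: pips[1].id } }
      }
    ]
    customRoutes: { addressPrefixes: [ '0.0.0.0/0' ] }
    vpnClientConfiguration: {
      vpnClientAddressPool: { addressPrefixes: [ p2sClientPool ] }
      vpnClientProtocols: [ 'OpenVPN', 'IkeV2' ]
      vpnClientRootCertificates: [ { name: 'p2s-root', properties: { publicCertData: rootCertPublicData } } ]
    }
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file <file>.bicep --parameters rootCertPublicData=<base64>`. Afterwards, the effective routes of any NIC in `workload-subnet` should list 0.0.0.0/0 with next hop type VirtualAppliance and the firewall's private IP, while the P2S pool still resolves to the virtual network gateway. Because the route table is deliberately not attached to GatewaySubnet, it changes nothing about how the gateway subnet itself forwards traffic; the firewall rules apply to flows that leave a subnet carrying this route table.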

  2. Alex Burlachenko 9,780 Reputation points
    2025-05-26T08:19:28.34+00:00

    Hey Lam Bui Quang

    Thanks a lot for posting your question on the Microsoft Q&A portal. It's awesome that you're reaching out for help, and I’ll do my best to assist you with your VPN gateway and firewall setup ))

    From what I understand, you're dealing with some connectivity or configuration issues between your VPN gateway and firewall. This can be tricky, especially if you're new to networking, but don’t worry, we’ll break it down step by step.

    1. Make sure your VPN gateway is properly configured in Azure (or your cloud provider). The VPN gateway needs the right settings to establish a secure connection. You can check the configuration in the Azure portal under "Virtual Network Gateways." Here’s Microsoft’s official guide on setting up a VPN gateway: Azure VPN Gateway documentation.

    Next, your firewall rules might be blocking the VPN traffic. Firewalls can sometimes interfere with the VPN connection, especially if the necessary ports (like UDP 500 or 4500 for IPsec) aren’t open. You’ll need to check your firewall settings and ensure it allows traffic to and from the VPN gateway’s public IP. Microsoft has a good article on firewall rules for VPN here: Firewall rules for VPN.

    If you’re using a network security group (NSG), double-check those rules too; sometimes they block traffic even if the firewall allows it. Here’s how to configure NSG rules properly: NSG documentation.

    Also, don’t forget to verify your on-premises firewall (if you have one). It needs to allow outbound traffic to the VPN gateway’s IP. Misconfigured on-premises firewalls are a common culprit for VPN issues.

    If you’ve checked all that and still have problems, maybe share some screenshots of your config? That could help spot any mistakes. Sometimes a small typo in an IP or subnet can break everything ))

    Let me know if this helps or if you need more details! Happy to dig deeper into the issue with you.

    rgds,
    Alex
    P.S. If my answer helped you, please Accept my answer
    PPS That is my Answer and not a Comment
    https://ctrlaltdel.blog/