Azure Site-Site VPN Configuration

Philip Kelley 1 Reputation point
2021-03-12T20:12:47.327+00:00

Hi Everyone,

Apologies if this is already documented/answered anywhere - I haven't been able to find anything so far...

Some Background:

I'm currently deploying Azure AD DS for a new organisation. There is no existing on-prem infrastructure, and the aim is to avoid the need to deploy an on-prem server.

The organisation will use an Azure AD tenant as the identity provider used to sign on to M365 and some organisation apps, and I'd like them to sign on to their devices using the same set of credentials (and enable SSO).

On site, all devices are organisation managed and networked, so it makes sense to use the Azure S2S VPN to connect from the Router on site to the Azure network to enable sign-on to the managed domain from Azure AD DS.

The Question:

As far as I can tell from documentation and examples, all devices attached to the corporate network will be connected to the Azure VPN, and hence receive an IP address from the pool assigned on Azure. However, I don't want this to be the case for all devices. For instance, things like VoIP phones don't need access to the Azure network.

How can I configure this? Essentially the router (on-prem) needs to use 2 subnets/VLANs to assign IP addresses - one to the VTI to azure, and the other to just have a regular "local-only" IP address.

The router in question is a Ubiquiti EdgeRouter 12 - I'm happy to redirect this question towards the Ubiquiti community, however thought it was worth asking here in case anyone has deployed a similar configuration.

Thanks in advance,

Philip


2 answers

  1. Andreas Baumgarten 96,266 Reputation points MVP
    2021-03-13T05:43:18.24+00:00

    Hi @Philip Kelley ,

    If you use an Azure VPN Gateway with a Site-To-Site Connection the on-premises clients won't get a new IP address. I don't know where this information comes from.

    Basically you have your IP address range(s) on-premises and your IP address range(s) in Azure. These IP ranges must not overlap!
    The Site-To-Site connection will be created between the public IP of the Azure VPN Gateway and the public IP of the on-premises router.
    That's it.

    Source: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2021-03-18T13:37:13.28+00:00

    Hello @Philip Kelley ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    As @Andreas Baumgarten rightly said, if you use an Azure VPN Gateway with a Site-To-Site Connection the on-premises clients won't get new IP addresses.

    A Site-to-Site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. An S2S connection requires a VPN device located on-premises that has a public IP address assigned to it. And the connection type could be either Route-based or Policy-based.

    • RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels.
    • Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises network and the Azure VNet.

    Please refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#vpntype

    You can find the steps on how to configure a Route-Based Site-to-Site IPsec VPN between a Microsoft Azure VPN gateway and an Ubiquiti EdgeRouter using static routing in the official doc below:
    https://help.ui.com/hc/en-us/articles/115012305347

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

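To make the two points in the answers concrete (on-premises hosts keep their own addresses and the two address ranges must not overlap; a route-based VPN sends traffic into the tunnel interface by routing table lookup, a policy-based one by traffic selectors), here is a small model of the router's forwarding decision. It is an added illustration written for this thread, not code from Microsoft, Ubiquiti or the poster, and every address (the two on-premises VLANs, the Azure VNet prefix, the interface names) is a constructed sample. It also shows the piece the question was really after: with a route-based VTI the router needs a firewall rule on the tunnel interface to keep a local-only VLAN (the VoIP phones) out of Azure, because routing alone would forward any on-premises host toward the Azure prefix.

```python
import ipaddress

# Constructed sample addressing (not from the thread). Note the on-prem and
# Azure ranges do not overlap, which the S2S connection requires.
ONPREM_STAFF = ipaddress.ip_network("192.168.10.0/24")  # VLAN that may reach Azure AD DS
ONPREM_VOIP = ipaddress.ip_network("192.168.20.0/24")   # VLAN that must stay local-only
AZURE_VNET = ipaddress.ip_network("10.1.0.0/16")        # VNet behind the Azure VPN gateway


def ranges_overlap(a, b):
    """True if two prefixes overlap; an S2S connection needs this to be False."""
    return a.overlaps(b)


# Route-based model: an ordinary forwarding table with longest-prefix match.
# The VTI (hypothetical name vti0) is just another next-hop interface; hosts
# keep their on-prem addresses and no tunnel address pool is handed out.
ROUTE_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0 (WAN default route)"),
    (ONPREM_STAFF, "eth1.10 (local VLAN)"),
    (ONPREM_VOIP, "eth1.20 (local VLAN)"),
    (AZURE_VNET, "vti0 (IPsec tunnel to Azure)"),
]


def route_based_egress(dst):
    """Pick the egress interface for a destination by longest-prefix match."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTE_TABLE:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1]


# Routing alone would send the VoIP VLAN toward Azure too, so a firewall rule
# on the tunnel interface decides which source VLANs may enter it.
ALLOWED_INTO_TUNNEL = [ONPREM_STAFF]


def route_based_decision(src, dst):
    """Routing lookup followed by the per-VLAN tunnel firewall rule."""
    src = ipaddress.ip_address(src)
    egress = route_based_egress(dst)
    if egress.startswith("vti0") and not any(src in net for net in ALLOWED_INTO_TUNNEL):
        return "dropped: source VLAN not permitted into the tunnel"
    return egress


# Policy-based model: IPsec traffic selectors as (local prefix, remote prefix)
# pairs. Only flows matching a selector are encrypted; the selector itself is
# what keeps the VoIP VLAN out, so no separate tunnel firewall rule is needed.
POLICY_SELECTORS = [(ONPREM_STAFF, AZURE_VNET)]


def policy_based_decision(src, dst):
    """Encrypt into IPsec only when a (local, remote) selector matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in POLICY_SELECTORS:
        if src in local and dst in remote:
            return "ipsec (selector %s -> %s)" % (local, remote)
    return "clear (no selector matched, forwarded normally)"


if __name__ == "__main__":
    print("ranges overlap:", ranges_overlap(ONPREM_STAFF, AZURE_VNET))
    for src in ("192.168.10.25", "192.168.20.7"):
        print(src, "-> 10.1.0.4 route-based:", route_based_decision(src, "10.1.0.4"))
        print(src, "-> 10.1.0.4 policy-based:", policy_based_decision(src, "10.1.0.4"))
    print("192.168.20.7 -> 203.0.113.9:", route_based_decision("192.168.20.7", "203.0.113.9"))
```

Run it to see that the staff host reaches the Azure prefix through the tunnel interface while the VoIP host is dropped (route-based) or simply forwarded in the clear (policy-based), and that neither host ever changes its source address. On the actual EdgeRouter the equivalent of `ROUTE_TABLE` and `ALLOWED_INTO_TUNNEL` is the static route pointing the Azure prefix at the VTI plus a firewall ruleset applied to that interface; the Ubiquiti article linked in the answer covers the route-based setup.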