Selective access restriction to servers from home using P2S VPN

Paul Nerie 261 Reputation points

We have a virtual network and use a P2S VPN to connect to it using a VPN Gateway.

We have basically two types of VMs:
Servers (running SQL, MySQL, and GIT)
Development (for software development and design work)

We have two types of users that connect to the vnet:

The objective:
Managers can connect to the servers from their home computers
Developers can only connect to the servers from their VMs within the vnet

The problem:
Anyone (both Managers and Developers) connected to the vnet through VPN can access the servers from home.

The only way I see to prevent server access from home is making a NSG rule that blocks the VPN client IP addresses from accessing the servers. But this would also block the Managers' access to the server.

Is there a way to make sure the Developers only access the servers from their VM's and not from their home computers, without also blocking the Managers' access?

Thanks in advance!


5 answers

  1. Alan Kinane 16,636 Reputation points MVP

    How are your users authenticating? Are you using the certificate-based authentication method? You can now use Azure AD authentication if you use the OpenVPN protocol on the Standard SKU VPN Gateway; then you can put your users into Azure AD groups and control access to the Azure VPN application using Conditional Access policies.


  2. Paul Nerie 261 Reputation points

    Thanks for your reply.

    We use certificate-based authentication. We do have Azure AD though, and our users are in AD groups.

    The P2S VPN is configured to use IKEv2 and OpenVPN.

    We are using Conditional Access, and I have briefly looked into using this, but I haven't gone far enough. Your info may help.

    So using Conditional Access I can implement the below?

    Managers -> VPN -> Servers
    Developers -> VPN -> VM -> Servers

    The developers can still access the servers, but not directly from their home computers. They can only access them from their VMs.


  3. Alan Kinane 16,636 Reputation points MVP

    I may have misunderstood. You can use CA to exclude users from using the VPN at all but if all users require the VPN then CA won't help.

    There might be an easier way, are the "servers" on a different VNET or subnet to the "VMs"?

    You could modify the VPN client configuration for the Developers so that they can't access the address space of the servers through the VPN.


  4. Paul Nerie 261 Reputation points

    I actually have the servers in another VNET, so it has its own VPN (which only the Managers use). And the Server and Development VNETs are peered.

    But if we can save costs by using only one VNET, that would be better.

    I'm not sure if using a different subnet on the same VNET would work, because with NSG rules I can only block the whole VPN IP address block (not selectively) from accessing the subnet.

    Maybe the correct solution is actually switching to AD auth as you suggested, if we can use it to implement the requirement?

    Thanks again!


  5. Alan Kinane 16,636 Reputation points MVP

    I think you can remove the peered VNET address space from the VPN client configuration file so that those VPN users can't access that VNET. Long term I would recommend moving to Azure AD based authentication anyway as a more modern approach for authentication.
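
The last answer suggests editing the Developers' P2S client profile so that the peered Server VNET's address space is no longer pushed as a route. Below is an added example (not from the thread or from Microsoft) that does that edit mechanically: it parses a client profile, drops every pushed route that falls inside a given address space, and reports what it removed. The XML layout (`<clientconfig>`/`<includeroutes>`/`<route>` with `<destination>` and `<mask>`) and the sample prefixes are assumptions modelled on the Azure VPN client profile; adapt the tag names to the file your gateway actually generates. The profile data is constructed for the example.

```python
"""Strip routes inside a given address space from a P2S VPN client profile.

Added example; the tag layout below is an assumption modelled on the Azure VPN
client profile (azurevpnconfig.xml), not a verified schema. Adapt as needed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample profile: the gateway pushes the Development VNET
# (10.1.0.0/16) and the peered Server VNET (10.2.0.0/16, plus a /24 inside it)
# to every client. Prefixes are made up for the example.
SAMPLE_PROFILE = """<AzVpnProfile>
  <name>DevelopmentVNet-P2S</name>
  <clientconfig>
    <includeroutes>
      <route><destination>10.1.0.0</destination><mask>16</mask></route>
      <route><destination>10.2.0.0</destination><mask>16</mask></route>
      <route><destination>10.2.5.0</destination><mask>24</mask></route>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>
"""


def remove_routes_in(profile_xml: str, blocked_space: str) -> Tuple[str, List[str]]:
    """Return (new_xml, removed_prefixes).

    Every pushed route whose prefix lies inside blocked_space is deleted.
    A route that merely overlaps (e.g. a supernet of blocked_space) is kept,
    so the caller sees exactly which prefixes disappeared.
    """
    blocked = ipaddress.ip_network(blocked_space, strict=False)
    root = ET.fromstring(profile_xml)
    removed: List[str] = []
    for include in root.iter("includeroutes"):
        # Copy the list first: removing while iterating over findall() is unsafe.
        for route in list(include.findall("route")):
            dest = route.findtext("destination")
            mask = route.findtext("mask")
            if dest is None or mask is None:
                continue  # malformed entry, leave it for a human to inspect
            prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            if prefix.version == blocked.version and prefix.subnet_of(blocked):
                include.remove(route)
                removed.append(str(prefix))
    return ET.tostring(root, encoding="unicode"), removed


def remaining_routes(profile_xml: str) -> List[str]:
    """List the prefixes a profile still pushes, as 'destination/mask' strings."""
    root = ET.fromstring(profile_xml)
    return [f"{r.findtext('destination')}/{r.findtext('mask')}" for r in root.iter("route")]


if __name__ == "__main__":
    new_xml, removed = remove_routes_in(SAMPLE_PROFILE, "10.2.0.0/16")
    print("removed:", removed)            # both Server VNET prefixes
    print("remaining:", remaining_routes(new_xml))
```

Run it against the Developers' profile with the Server VNET's address space and distribute the rewritten file to them only; the Managers keep the unmodified profile. Keep in mind that this changes the routes a client installs, not what the gateway or the NSG on the server subnet will accept, so it is a convenience control rather than an enforcement boundary; the Azure AD / Conditional Access route Alan recommends is what gives you per-group enforcement.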