AjeetSingh-2588 asked PatrickHolohan-3213 answered

Azure WAN and P2S VPN Forced Tunneling

I have set up Azure WAN with a secured hub (Azure Firewall). The WAN also has a P2S VPN, which I am successfully able to connect to. I understand forced tunneling was not an option before Azure VWAN, but now can I do forced tunneling for my P2S clients and give them a common public IP address instead of their own ISP public IP address?

Tags: azure-vpn-gateway, azure-virtual-wan, azure-firewall-manager

GitaraniSharmaMSFT-4262 answered MostafaLOURHMATI-7204 commented

Hello @AjeetSingh-2588 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Yes, you can do forced tunneling for your P2S clients.

If you secure internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your clients send all internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the PIP of Azure Firewall for egress to the Internet.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hi @GitaraniSharmaMSFT-4262

I already did what you've mentioned; however, I still do not see the public IP from the Firewall on my client. It is still from my ISP.


Hello @AjeetSingh-2588 ,

Apologies for the delay in response.

I have confirmed with the PG and this should work if configured correctly. Did you set up the Azure Firewall Policy to allow P2S traffic to the Internet?
To advertise the 0.0.0.0/0 route to your VPN clients, you need to break it into two smaller subnets, 0.0.0.0/1 and 128.0.0.0/1, as mentioned in the doc below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

Regards,
Gita


Hi @GitaraniSharmaMSFT-4262

Thanks for your support; however, I already had the setup that you've mentioned. Finally I got it working by adding the route directly in my downloaded azurevpnconfig.xml.

I added the following and it worked.

    <clientconfig>
        <includeroutes>
            <route>
                <destination>0.0.0.0</destination><mask>1</mask>
            </route>
            <route>
                <destination>128.0.0.0</destination><mask>1</mask>
            </route>
        </includeroutes>
    </clientconfig>

If I add these routes in Default Route on the Portal, it only adds 0.0.0.0/0 to my client and skips 0.0.0.0/1 and 128.0.0.0/1.

MostafaLOURHMATI-7204 answered

Hi AjeetSingh

I have the same need; what rule was added on the Firewall policy?

Thanks

PatrickHolohan-3213 answered

Hi All,

I'm not sure if you are still looking for the answer. I recently built an Azure virtual WAN with a secure virtual hub, configured Azure point-to-site (Azure AD authentication), and wanted to route all traffic through the firewall.

I found the answer to be as simple as changing the version number in the downloaded azurevpnconfig.xml from 1 to 2.

https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

This worked for me.

Regards

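The two workarounds in this thread (adding the 0.0.0.0/1 and 128.0.0.0/1 halves under <includeroutes>, and bumping the profile version from 1 to 2) are both edits to the downloaded azurevpnconfig.xml. The script below, added as an example and not code from Microsoft or from anyone in the thread, applies both edits idempotently and checks that the include routes really span 0.0.0.0/0. The <clientconfig>/<includeroutes>/<route> layout is the one posted above; the root element name, the <version> element and the sample profile are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile. The <clientconfig> layout is from the thread; the
# root element name and the <version> element are assumptions, not from the thread.
SAMPLE_PROFILE = """<AzVpnProfile>
  <version>1</version>
  <clientconfig>
    <includeroutes>
      <route><destination>10.0.0.0</destination><mask>8</mask></route>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>"""

# The two halves of 0.0.0.0/0 that the client installs (a single /0 is skipped).
FORCED_TUNNEL_ROUTES = ("0.0.0.0/1", "128.0.0.0/1")


def included_routes(profile_xml):
    """Return the include routes as CIDR strings, in file order."""
    root = ET.fromstring(profile_xml)
    return [f"{r.findtext('destination')}/{r.findtext('mask')}"
            for r in root.iterfind("clientconfig/includeroutes/route")]


def profile_version(profile_xml):
    """Text of the (assumed) <version> element, or None if absent."""
    return ET.fromstring(profile_xml).findtext("version")


def covers_all_traffic(profile_xml):
    """True when the include routes together cover 0.0.0.0/0 (forced tunnel)."""
    nets = [ipaddress.ip_network(c) for c in included_routes(profile_xml)]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


def add_forced_tunnel_routes(profile_xml):
    """Add the two /1 routes if missing and bump version 1 -> 2; returns new XML."""
    root = ET.fromstring(profile_xml)
    clientconfig = root.find("clientconfig")
    if clientconfig is None:
        clientconfig = ET.SubElement(root, "clientconfig")
    includeroutes = clientconfig.find("includeroutes")
    if includeroutes is None:
        includeroutes = ET.SubElement(clientconfig, "includeroutes")
    present = set(included_routes(profile_xml))
    for cidr in FORCED_TUNNEL_ROUTES:
        if cidr in present:
            continue  # idempotent: never duplicate a route already in the file
        net = ipaddress.ip_network(cidr)
        route = ET.SubElement(includeroutes, "route")
        ET.SubElement(route, "destination").text = str(net.network_address)
        ET.SubElement(route, "mask").text = str(net.prefixlen)
    version = root.find("version")
    if version is not None and (version.text or "").strip() == "1":
        version.text = "2"
    return ET.tostring(root, encoding="unicode")
```

Run covers_all_traffic() on the downloaded file before and after patching to confirm the client will actually receive a full default route rather than only the site ranges.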