Outbound connection P2S clients using Public Azure IP

MostLourh 26 Reputation points
2022-01-10T20:14:30.36+00:00

I have:

  • Azure Virtual Network Gateway used to allow P2S VPN clients into Azure.
  • 15 remote Windows 10 clients using the Azure VPN client to connect to Azure by establishing a P2S VPN.
  • Azure VNet hosting Azure resources.
  • Partner datacenter that restricts access by IP address.

I need:

  • Use an Azure static public IP for all P2S clients to connect to the partner datacenter.
  • I forced tunneling by publishing 0.0.0.0/0 in azurevpnprofile to all P2S clients, but they can't connect to the Internet through the VPN gateway.

Question:

  • If I add an NVA in the Azure VNet, is it possible to steer Internet traffic from P2S clients via the NVA? Or do I have to deploy another Azure component?
  • I tried to use UDRs, but they can be linked only to VNet subnets and not to the P2S pool.

Thanks for any advice!

Azure Storage Accounts

Accepted answer
  1. SaiKishor-MSFT 17,191 Reputation points
    2022-01-10T21:37:16.543+00:00

    @MostLourh Thank you for reaching out to Microsoft Q&A. I understand that you want to know if you can force-tunnel all traffic from P2S VPN clients via an Azure PIP to your partner DC.

    Forced tunneling is generally not supported for Azure P2S VPN unless you use Azure Firewall Manager. If you secure Internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your clients send all Internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the PIP of Azure Firewall for egress to the Internet.

    Please note that to advertise the 0.0.0.0/0 route to your VPN clients, you need to break it into two smaller subnets, 0.0.0.0/1 and 128.0.0.0/1, as mentioned in the document below:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

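The configuration the accepted answer describes, as an added example that is not part of the answer or of Microsoft's documentation: it advertises the two /1 halves of the default route from the gateway, and, for the case where the egress firewall sits in a hub VNet rather than a Firewall Manager secured hub, adds the GatewaySubnet route that hands the clients' Internet traffic to the firewall. The resource group, gateway, VNet, route table and firewall private IP names/values are assumptions; replace them with your own. It requires the Az PowerShell module and an existing P2S-enabled gateway.

```powershell
# Added example, not from the Q&A thread. All names below are assumed placeholders.
Connect-AzAccount

$rg        = 'rg-hub'       # assumed resource group
$gwName    = 'vpngw-p2s'    # assumed VPN gateway name
$vnetName  = 'vnet-hub'     # assumed hub VNet containing GatewaySubnet
$fwPrivIp  = '10.0.1.4'     # assumed Azure Firewall / NVA private IP
$location  = 'westeurope'   # assumed region

# 0.0.0.0/0 cannot be pushed as a custom route, so advertise the two halves.
# On the Windows client these /1 prefixes are more specific than its local
# 0.0.0.0/0 default, so longest-prefix match sends all Internet traffic into the tunnel.
$forcedTunnelRoutes = @('0.0.0.0/1', '128.0.0.0/1')

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute $forcedTunnelRoutes | Out-Null

# Confirm what the gateway now advertises to P2S clients.
(Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName).CustomRoutes.AddressPrefixes

# Hub-VNet deployment only: traffic leaving the gateway toward the Internet must be
# steered to the firewall's private IP, otherwise it is dropped as unroutable.
# Assumption: the firewall policy allows the clients' traffic and SNATs it to the firewall PIP.
$rt = New-AzRouteTable -Name 'rt-gatewaysubnet' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'default-to-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivIp -RouteTable $rt | Out-Null
Set-AzRouteTable -RouteTable $rt | Out-Null

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$gwSubn = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'GatewaySubnet' `
    -AddressPrefix $gwSubn.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# --- On a Windows 10 client, after reconnecting the Azure VPN client ---
# The two /1 routes should now point at the VPN adapter.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in $forcedTunnelRoutes } |
    Select-Object DestinationPrefix, InterfaceAlias, RouteMetric

# Egress check: the partner must see the firewall's public IP, not the client's ISP address.
# Assumption: this public "what is my IP" endpoint is allowed by the firewall policy.
Invoke-RestMethod -Uri 'https://api.ipify.org'
```

Run the gateway and route-table part once from an admin workstation; the last two commands are run on each client to verify that the /1 routes were installed and that the source IP seen by the outside world is the firewall's PIP. The partner datacenter should then allow that single firewall PIP rather than fifteen residential addresses.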


1 additional answer

  1. MostLourh 26 Reputation points
    2022-01-10T23:09:43.953+00:00

    Thank you, SaiKishor.

    From your answer, I understand that I have to add Firewall Manager with the VPN gateway to allow egress traffic that will be controlled by a firewall policy. Is that what you mean by your answer?

    Thank you again