Good morning all,
We currently have a requirement to move a current IPsec VPN, which we have terminating in our on-prem DC, to Azure. This IPsec VPN carries traffic from a 3rd-party provider SaaS solution so it can query our AD to import user objects and, most importantly, AD field data into their system, and it has been in place for a number of years.
We already have DCs set up in Azure, which are within a VNet and subnet and have an NSG in front of them.
We can configure a new connection on an existing VPN GW which is in place in Azure and modify the NSG to allow the traffic.
My query is around securing the VPN traffic so it can only reach the DCs. I am aware the NSG will prevent anything from that VPN unless we add it in; however, it will be able to reach other items within the same VNet unless we can control it.
Most of the subnets within the VNet have NSGs on them; however, my query is around things like the App GW, Firewall, etc. They don't have NSGs on their subnets, so what stops the traffic from this 3rd-party IPsec VPN being able to access these systems?
I have not been able to find a way of securing traffic (like an ACL) on the VPN connection or VPN gateway itself; however, we need to be sure that the traffic coming from this gateway can only query the DCs on LDAPS and is not able to reach anything else within the VNet.
Unfortunately, I have inherited this environment, as we always do, and a lot of things have been put inside the one VNet, broken down into subnets.
On prem, the firewall is the VPN gateway and controller, so we have a VPN GW as well as ACL rules to prevent anything other than specific addresses from querying our on-prem DCs. This also has an overlap of IP ranges, so we NAT this as well; however, from an Azure perspective there is no crossover.
Help is appreciated, as from reading up I have not been able to find this scenario anywhere.
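As an added example (not from the post above), the NSG part of the scenario expressed in Bicep: a rule set for the Azure DC subnet that admits only LDAPS (TCP 636) from the SaaS provider's VPN peer range and denies everything else from that source. The address ranges, resource name and parameter names are constructed placeholders.

```bicep
// Constructed placeholder values; substitute the real SaaS peer range and DC subnet.
param location string = resourceGroup().location
param saasVpnPeerRange string = '192.0.2.0/24'   // SaaS provider's address range behind the IPsec tunnel (constructed)
param dcSubnetRange string = '10.10.1.0/24'      // Azure DC subnet (constructed)

// NSG intended to be associated with the DC subnet.
resource dcSubnetNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-dc-subnet'
  location: location
  properties: {
    securityRules: [
      {
        // Only LDAPS from the SaaS peer range is permitted to reach the DCs.
        name: 'Allow-SaaS-VPN-LDAPS-To-DCs'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: saasVpnPeerRange
          sourcePortRange: '*'
          destinationAddressPrefix: dcSubnetRange
          destinationPortRange: '636'
        }
      }
      {
        // Everything else from that source is dropped before the default VNet allow rule applies.
        name: 'Deny-SaaS-VPN-All-Other'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: saasVpnPeerRange
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

An NSG only filters traffic on the subnets or NICs it is associated with, so this deny rule covers nothing on subnets that carry no NSG.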