Azure S2S Vpn With 3rd Party - How to Secure the Tunnel

ldstc2022 1 Reputation point
2022-05-11T08:03:40.75+00:00

Good morning all,

We currently have a requirement to move a current IPsec VPN we have terminating in our on-prem DC to Azure, this IPsec VPN carries traffic from a 3rd party provider SAAS solution so it can query our AD to import users objects and most importantly AD field data into their system and has been in place for a number of years.

We already have DC's setup in Azure which is within a VNet and subnet and has an NSG in front of it.

We can configure a new connection on an existing VPN GW which is in place in Azure and modify the NSG to allow the traffic.

My query is around securing the VPN traffic so it can only reach the DC's aware the NSG will prevent anything from that VPN unless we add it in however it will be able to reach other items within the same VNET unless we can control it.

Most of the subnets within the vNET have NSG's on them however my query is around things like APP GW, Firewall etc they dont have nsg's on their subnets so what stops the traffic from this 3rd party ipsec vpn being able to access these systems?

I have not been able to find a way of securing traffic (like an ACL) on the VPN connection or vpn gateway itself however we need to be sure that the traffic coming from this gateway can only query the DC's on LDAPS and is not able to reach anything else within the vNET.

Unfortunately I have inherited this environment as we always do and alot of things have been put inside the 1 vNET broken down into subnets.

On prem the firewall is the VPN gateway and controller so we have a VPN GW aswell as ACL rules to prevent anything other than specific address ability to query our on prem DC's - this also has an overlap of IP ranges so we NAT this also however from an Azure perspective there is no cross over.

Help is appreciated as reading up I have not been able to find this scenario anywhere.

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,167 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee
    2022-05-12T01:26:33.537+00:00

    Hello @ldstc2022 , Welcome to the Microsoft Q&A platform.

    As per my understanding of the questions, I think going through the security baseline for Azure VPN Gateway will be a good starting point here.

    Most of the subnets within the vNET have NSG's on them however my query is around things like APP GW, Firewall etc they dont have nsg's on their subnets so what stops the traffic from this 3rd party ipsec vpn being able to access these systems?

    NSG's are supported on Azure Application Gateway and alternatively you can enable WAF for application gateway to restrict access to certain IP address range. For Azure Firewall you can implement Network traffic filtering rules in order restrict access to certain IP address range.

    Please let me know if you have any additional questions. Thank you!

    0 comments