[Virtual Gateway] Reverse Proxy over VPN

Lance 301 Reputation points MVP Volunteer Moderator
2022-08-22T20:55:51.343+00:00

Hi folks,

I finally set up my dream networking config so I don't have to expose my house's IP address. However, the cost is running up really fast and will blow the budget before the monthly refill... So I either chose the wrong things in Azure, or there's a much better way to set this up.

Before I show what I did in Azure, let me say what I used to have:

At my house, I have port 443 open; all traffic gets sent to a Docker container running NGINX Proxy Manager, then gets routed to one of my home lab servers. NGINX Proxy Manager is amazing because all of my subdomains get HTTPS support via Let's Encrypt with automatic updates and domain assignment.

The only downside to this setup is anyone with script kiddie level capabilities can see my external IP address with a simple tracert command (and they have).

I use DDNS with my domain registrar and the domains are always correct.

To recap: mysite.com -> DNS + DDNS IP -> my house:443 -> reverse proxy w/ SSL -> server inside my network (there are 3 physical locations, but to keep things simple we'll keep it to 1)

I started noticing an increase in bad actor attempts on my gateway. Although I think I'm pretty well protected behind port 443 and NGINX kills all incorrect traffic, the attacker still can see my WAN IP address.

Creating My Dream Setup

So, I looked into options where I could host the reverse proxy somewhere else and route the traffic over VPN. That way, any bad actor only gets the Azure Network Gateway IP address.

I did this by creating the following:

  • A Linux VM with NGINX Proxy Manager (all external traffic is routed here instead of my house's WAN IP)
  • Virtual Network (with 2 subnets: default and GatewaySubnet)
  • Site-to-site VPN

Here's my final setup and it works gloriously.

[image: 233723-image.png]

In case you prefer the Azure topology:

[image: 233708-image.png]

Problem

The issue is costs are building up really fast. It's blowing through my Azure Enterprise budget.

I'm wondering if:

  • Am I using the wrong gateway/VPN service? One of them shows no cost for traffic; the other shows egress traffic is charged per GB.
  • Can I not just set up a site-to-site VPN on the Linux virtual machine itself and avoid all the custom Azure networking charges and the added complexity of the system?
    • If yes, do you have any links to resources that show how to set up an IPsec VPN in a Linux virtual machine?
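The following is an added example (not code from the original post or from NGINX Proxy Manager) showing, in plain nginx configuration rendered by a POSIX shell script, what the proxy VM in the topology above has to amount to: TLS terminated on the public VM, traffic forwarded only to a tunnel-side private address, and unknown hostnames dropped. The script refuses any upstream that is not an RFC 1918 address, which is the one place the home WAN IP could otherwise creep back into the edge configuration. It assumes (none of this is stated on the page) that the home server is reachable from the VM at a private address through the site-to-site tunnel, that certificates sit under the placeholder path /etc/letsencrypt/live/<host>/, and that nginx is at least 1.19.4 (required for ssl_reject_handshake). The hostname app.example.com and the backend 192.168.10.20:8080 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Renders an nginx config for:
#   client -> Azure VM:443 (TLS terminated here) -> VPN tunnel -> home server
# Assumptions: home server reachable over the tunnel at an RFC 1918 address,
# certificate path is a placeholder, nginx >= 1.19.4 for ssl_reject_handshake.

# Exit 0 only when $1 is a dotted-quad RFC 1918 address (10/8, 172.16/12, 192.168/16).
# The edge proxy must never forward to a public address, so this is checked
# before any vhost is rendered.
is_private_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case "$1" in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            second=${1#172.}
            second=${second%%.*}
            case "$second" in
                1[6-9]|2[0-9]|3[01]) return 0 ;;
            esac
            ;;
    esac
    return 1
}

# Catch-all server: a TLS handshake whose SNI matches no configured subdomain
# is rejected before any certificate is presented, and a request whose Host
# header matches no configured name is closed with nginx's 444.
render_default_server() {
    cat <<'EOF'
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}
EOF
}

# Render one subdomain vhost: $1 = FQDN, $2 = tunnel-side backend IP, $3 = port.
# Fails (exit 1) and emits nothing when the backend is not a private address.
render_vhost() {
    host=$1; upstream=$2; port=$3
    if ! is_private_ipv4 "$upstream"; then
        echo "refusing $host: upstream $upstream is not a private (tunnel-side) address" >&2
        return 1
    fi
    cat <<EOF
server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate     /etc/letsencrypt/live/$host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;
    location / {
        proxy_pass http://$upstream:$port;
        # Forwarded headers so the home server logs the real client, not the VM.
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Stand-alone run: emit a complete config for one constructed subdomain.
# 192.168.10.20 is a constructed stand-in for a lab server behind the tunnel.
render_default_server
render_vhost "app.example.com" "192.168.10.20" 8080
```

Redirect the script's output into a file under nginx's conf.d directory and run `nginx -t` before reloading. The private-address check is deliberately strict: a typo that points proxy_pass at the home WAN IP would silently reintroduce the exposure the whole design exists to remove.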

1 answer
  1. Joe Carlyle 661 Reputation points MVP
    2022-08-23T08:00:06.373+00:00

    Perhaps not exactly what you are looking for, however, have you explored using Azure AD Application Proxy instead of all that Azure infra?

    https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

