P2S VPN to Azure Firewall

Cedric Helton 0 Reputation points
2023-12-19T23:05:22.2666667+00:00

Good afternoon Everyone,

We're looking to see if this is an option within Azure or not.

We currently have an Azure VPN (VNG) and an Azure FW. We DO NOT have an on-premises network. We are completely a cloud environment. Our goal is to use the firewall for the VPN traffic, but when we connect, the public IP that shows is our home internet and not the public IP of the firewall. We've tried creating a UDR and creating rules on the FW to allow traffic, but still no luck.

Our objective is to have users establish a VPN connection and have Azure Firewall filter their traffic.

The user trying to access business resources will either be granted access or denied by the firewall.

The diagram below shows what we are looking for, with 2 different lines.

Red line is what we want to accomplish.

Green line is what's currently happening.

User's image

1 answer
  1. KapilAnanth-MSFT 35,591 Reputation points Microsoft Employee
    2023-12-20T17:21:44.04+00:00

    @Cedric Helton

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to filter P2S traffic via Azure Firewall deployed in the Hub VNET connecting to "Company Resources".

    Depending on what this "Company Resources" is, the case varies.

    NOTE : You cannot route Internet traffic (0.0.0.0/0) to Azure VPN Gateway via P2S.

    Now that we have established the above,

    1. "Company Resources" is a VNET connected to this HubVNET via VNET Peering.

    • The case is here
    • Access is allowed if HubVNET has “Allow gateway transit” and VNET has “Use remote gateways” enabled.

    2. "Company Resources" is a VNET connected to this HubVNET via S2S with BGP enabled.

    • The case is here
    • This won't work without BGP

    3. "Company Resources" is an Azure Service that is integrated into the HubVNET or a VNET connected to the HubVNET via Peering or BGP S2S.

    4. "Company Resources" is a 3rd-party service on the Internet.

    • In that case, traditional VPN Gateway cannot be used.
    • You must consider using a vWAN with a secured Hub, a P2S Gateway and configure Internet Routing.

    Routing Intent:

    Make sure you enable "Internet Traffic Routing Policy".

    P2S Gateway

    Hope this helps

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

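For case 1 of the answer above (spoke VNET reached through VNET Peering), the following Bicep template is an added example, not code from the thread or from Microsoft, showing the two peering flags the answer names plus the route tables that steer P2S client traffic through Azure Firewall in both directions; it deliberately contains no 0.0.0.0/0 route, matching the note that Internet traffic cannot be sent to the VPN gateway via P2S. All resource names, address prefixes and the firewall name are assumptions, and the route tables still have to be associated with GatewaySubnet and the spoke workload subnet.

```bicep
// Added example (not from the thread). Names, prefixes and firewall name are assumptions.
param hubVnetName string = 'hub-vnet'        // hosts GatewaySubnet and AzureFirewallSubnet
param spokeVnetName string = 'spoke-vnet'    // hosts the "Company Resources"
param spokePrefix string = '10.1.0.0/16'     // spoke address space
param p2sClientPool string = '172.16.0.0/24' // VPN client address pool
param firewallName string = 'hub-azfw'
param location string = resourceGroup().location

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: hubVnetName }
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: spokeVnetName }
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' existing = { name: firewallName }
// Private IP of the firewall, used as the next hop for both route tables.
var fwPrivateIp = firewall.properties.ipConfigurations[0].properties.privateIPAddress

// Hub side of the peering: "Allow gateway transit" lets the spoke use the hub VPN gateway.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hubVnet
  name: 'hub-to-spoke'
  properties: {
    remoteVirtualNetwork: { id: spokeVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true // accept packets forwarded by the firewall
    allowGatewayTransit: true
  }
}

// Spoke side of the peering: "Use remote gateways" consumes the hub gateway.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'spoke-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    useRemoteGateways: true
  }
}

// For GatewaySubnet: VPN-client traffic bound for the spoke hops via the firewall.
// No 0.0.0.0/0 route here; that is not supported for P2S (see the answer's note).
resource gatewaySubnetRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: { routes: [ { name: 'spoke-via-fw', properties: { addressPrefix: spokePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp } } ] }
}

// For the spoke workload subnet: return traffic to VPN clients also crosses the firewall,
// keeping the flow symmetric so the firewall sees and filters both directions.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke'
  location: location
  properties: { routes: [ { name: 'p2s-clients-via-fw', properties: { addressPrefix: p2sClientPool, nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp } } ] }
}
```

Once both route tables are associated, a firewall network rule for the client pool to the spoke prefix decides whether a VPN user is allowed or denied, and Azure Firewall logs then show the client-pool source address rather than the user's home IP.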