![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 31%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,415 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 0%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Let's call the 3rd party where the 5 servers reside as "ServerProvider"
Can you establish a S2S Connection from Azure VPN to "ServerProvider"?
- If so, you can follow Silvia Wibowo's answer.
- This will work provided that ServerProvider supports S2S and BGP.
Or your intention is to use a fixed public IP to connect to the servers?
- If so, your flow becomes something like this
Employees' laptops ---> VPN P2S---> Azure VPN Gateway ---> Azure Firewall---> ServerProvider - In this case, you have 2 ways to configure this
#1 Use vWAN with Secured Hub and Routing Intent
- This should be straight forward to setup and does not require additional configuration and validation from your end.
- Deploy a vWAN with SecuredHub and enable "Internet Traffic Routing Policy"
- Deploy a P2S Gateway in the same vWAN (same secured Hub)
- Now, all the traffic destined to Internet will go via the Azure Firewall deployed in the Hub
-
#2 Use Azure VPN Gateway with custom Routing and Azure Firewall
- Unlike the #1, this is complex and requires you to manually set the routing.
- Deploy a Azure VPN Gateway with P2S enabled and an Azure Firewall on the same VNET.
- In the P2S configuration, advertise the ServerProvider's IP Address - Advertise custom routes for P2S VPN clients
- In the GatewaySubnet, attach a route table to forward traffic destined to ServerProvider's IP Address to the Azure Firewall IP.
In either case, make sure there are Allow Rules configured in the Azure Firewall so as to it will not block the traffic.
All the outgoing traffic would now use the IP of the Azure Firewall.
You may wonder if you can bypass the Azure Firewall,
- Unfortunately, that is not the case
- You must have an NVA - either Azure Firewall or a 3rd party NVA if you want to make internet connectivity.
- This is because Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.