Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
From your description,
- I see you have one Azure VNet which comprises a VPN Gateway and a network virtual appliance (NVA)
- This VNet is connected to an on-premises site via S2S VPN
Please let me know if this observation is incorrect.
To address your queries,
1. Have the P2S VPN subnet reach on-premises resources
- This should be doable as long as BGP is enabled between on-premises and the VPN Gateway
- This is documented here
2. Have the P2S VPN subnet be able to access the internet for specific IPs that we routed through the P2S VPN via the config file
- In the P2S configuration, advertise the "specific IPs" (see "Advertise custom routes for P2S VPN clients")
- In the GatewaySubnet, attach a route table to forward traffic destined to "specific IPs" to the NVA.
- In the NVA, filter the traffic with an allow or block rule.
- So, the effective route would be
User laptops ---> VPN P2S---> Azure VPN Gateway ---> NVA ---> "specific IPs"
You cannot directly use the Azure VPN Gateway's IP to reach the internet; you must route it via an NVA such as Azure Firewall.
P.S.:
- This is a bit tricky to achieve, and I would suggest you consider a Secured Hub with "Internet Traffic Routing Policy" enabled.
- This simplifies routing and reduces management overhead.
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
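As an added illustration (not part of the answer above, and not Microsoft's code), here are the three pieces of query 2 expressed as one Bicep template: the custom routes advertised to P2S clients, the route table on GatewaySubnet that hands the "specific IPs" to the NVA, and the allow rule on the NVA. Every name and address is an assumption: the VNet `hub-vnet`, the gateway `vpngw-hub` and its public IP, the Azure Firewall policy `afwp-hub` standing in for the NVA, its private IP 10.0.2.4, the P2S pool 172.16.0.0/24, and the two RFC 5737 documentation prefixes used in place of the real "specific IPs".

```bicep
// Added illustration, not the answer author's code. All names, the NVA IP, the P2S
// pool and the two RFC 5737 prefixes standing in for the "specific IPs" are assumed;
// Azure Firewall with a firewall policy is assumed as the NVA.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'
param gatewaySubnetPrefix string = '10.0.255.0/27'
param nvaPrivateIp string = '10.0.2.4'      // Azure Firewall private IP (assumed)
param p2sAddressPool string = '172.16.0.0/24'
param p2sRootCertPublicData string          // base64 DER of the P2S root certificate
param specificIps array = ['203.0.113.10/32', '198.51.100.0/24']

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = { name: vnetName }
resource gwPip 'Microsoft.Network/publicIPAddresses@2023-09-01' existing = { name: 'pip-vpngw-hub' }
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' existing = { name: 'afwp-hub' }

// Step 2: UDR on GatewaySubnet. Traffic entering the VNet from the gateway (P2S and
// S2S alike) for the specific IPs is handed to the NVA. GatewaySubnet UDRs may not
// carry 0.0.0.0/0 or a VirtualNetworkGateway next hop, so only these prefixes are listed.
resource gwRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false   // keep BGP-learned on-prem prefixes for query 1
    routes: [for (prefix, i) in specificIps: {
      name: 'to-nva-${i}'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: nvaPrivateIp
      }
    }]
  }
}

resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'GatewaySubnet'
  properties: {
    addressPrefix: gatewaySubnetPrefix
    routeTable: { id: gwRouteTable.id }
  }
}

// Step 1: customRoutes is what lands in the P2S client's downloaded config, so the
// specific IPs are routed into the tunnel instead of to the user's local ISP.
// Bicep redeploys the whole gateway; the other settings must match the existing one.
resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2023-09-01' = {
  name: 'vpngw-hub'
  location: location
  properties: {
    gatewayType: 'Vpn'
    vpnType: 'RouteBased'
    sku: { name: 'VpnGw1', tier: 'VpnGw1' }
    enableBgp: true                      // needed so P2S clients learn on-prem routes (query 1)
    bgpSettings: { asn: 65515 }
    ipConfigurations: [{
      name: 'default'
      properties: {
        subnet: { id: gatewaySubnet.id }
        publicIPAddress: { id: gwPip.id }
      }
    }]
    vpnClientConfiguration: {
      vpnClientAddressPool: { addressPrefixes: [p2sAddressPool] }
      vpnClientProtocols: ['IkeV2', 'OpenVPN']
      vpnClientRootCertificates: [{
        name: 'p2s-root'
        properties: { publicCertData: p2sRootCertPublicData }
      }]
    }
    customRoutes: { addressPrefixes: specificIps }
  }
}

// Step 3: the allow rule on the NVA. Only the P2S pool may reach the specific IPs,
// and only on TCP 443; anything else reaching the firewall falls through to its
// default deny. The firewall SNATs to its own public IP on the way out, which is
// why the gateway's IP is never the internet-facing address.
resource p2sEgressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: fwPolicy
  name: 'p2s-egress'
  properties: {
    priority: 200
    ruleCollections: [{
      ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
      name: 'allow-p2s-to-specific-ips'
      priority: 100
      action: { type: 'Allow' }
      rules: [{
        ruleType: 'NetworkRule'
        name: 'p2s-to-specific-ips-tcp443'
        ipProtocols: ['TCP']
        sourceAddresses: [p2sAddressPool]
        destinationAddresses: specificIps
        destinationPorts: ['443']
      }]
    }]
  }
}
```

Deploy with `az deployment group create` into the resource group that holds the VNet, gateway and firewall policy, then re-download the P2S client profile (`az network vnet-gateway vpn-client generate`) and confirm the two prefixes appear in its route list; if they do not, the client will still send that traffic straight to its local ISP and the GatewaySubnet route table never sees it. Keep the route table free of 0.0.0.0/0: a default route on GatewaySubnet breaks the S2S tunnel and is rejected by Azure anyway, which is one reason the answer suggests a Secured Hub if you later want all P2S internet traffic inspected rather than just these prefixes.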