Routing P2S traffic to external networks or internet

Jeff-3160 0 Reputation points
2024-05-09T20:18:15.07+00:00

Hello.

We have configured an Azure P2S VPN to access resources in our vNet. This Azure vNet is also connected to other sites and the internet via a virtual appliance firewall running in the vNet. Clients connected to the P2S VPN subnet are able to access the resources in the vNet (there are multiple subnets and they are all reachable). Virtual PCs, servers, etc. in the vNet can reach on-premises resources over the site-to-site VPNs configured in the virtual appliance firewall and vice versa. Virtual PCs, servers, etc. in the vNet can reach the internet through the virtual appliance firewall.

What we would LIKE to be able to do is:

  1. Have the P2S VPN subnet reach on-premises resources
  2. Have the P2S VPN subnet be able to access the internet for specific IPs that we routed through the P2S VPN via the config file.

We do not want to enable full tunneling.

Is this possible? If so, how do we do it? I attached a high level diagram below. Everything is fully routable except the external laptops using the P2S VPN.

[Image: netdiagram (high-level network diagram)]

1 answer

  1. KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee
    2024-05-15T08:51:21.58+00:00

    @Jeff-3160 ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    From your verbatim,

    • I see you have one Azure VNET which comprises the VPN Gateway and a virtual appliance (NVA)
    • This VNET is connected to an OnPrem site via S2S

    Please let me know if this observation is incorrect.

    To address your queries,

    1. Have the P2S VPN subnet reach on-premises resources

    2. Have the P2S VPN subnet be able to access the internet for specific IPs that we routed through the P2S VPN via the config file

    • In the P2S configuration, advertise the "specific IPs" - Advertise custom routes for P2S VPN clients
    • In the GatewaySubnet, attach a route table to forward traffic destined to "specific IPs" to the NVA.
    • In the NVA, filter the traffic with an allow or block rule.
    • So, the effective route would be
      User laptops ---> VPN P2S---> Azure VPN Gateway ---> NVA ---> "specific IPs"

    You cannot directly use the Azure VPN Gateway's IP to reach the internet; you must route it via an NVA such as Azure Firewall.

    P.S.:

    • This is a bit tricky to achieve and I would suggest you consider SecuredHub with "Internet Traffic Routing Policy" enabled.
    • This simplifies routing and reduces management overhead

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

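The three steps in the answer above (advertise the specific prefixes to P2S clients, send that traffic from the GatewaySubnet to the NVA, let the NVA filter it) as an added Azure CLI example; this is not code from the thread or from Microsoft. Resource names, the NVA address and the TEST-NET prefixes are constructed placeholders, and the NVA rule set itself is left to whatever appliance is in use.

```shell
#!/usr/bin/env bash
# Added example: selective (split-tunnel) egress for P2S clients via an NVA.
# All names and addresses are assumptions; replace them with your own.
set -eu

RG="rg-hub"               # resource group (assumed)
VNET="vnet-hub"           # VNet holding GatewaySubnet and the NVA (assumed)
GW="vpngw-hub"            # VPN gateway carrying the P2S configuration (assumed)
RT="rt-gatewaysubnet"     # route table to attach to GatewaySubnet (assumed)
NVA_IP="10.0.2.4"         # NVA inside/trust interface address (constructed)
# Only these internet prefixes go through the tunnel (constructed TEST-NET values)
PREFIXES="203.0.113.10/32 198.51.100.0/24"

# Command prefix; override with AZ=echo to print the commands instead of running them
AZ="${AZ:-az}"

# Route name derived from a prefix, e.g. 203.0.113.10/32 -> to-nva-203-0-113-10-32
route_name() { printf 'to-nva-%s' "$(printf '%s' "$1" | tr './' '--')"; }

# Step 1: push the prefixes into the P2S clients' routing table. Split tunnel
# stays in place: clients still use their local default route for everything else.
advertise_custom_routes() {
  $AZ network vnet-gateway update -g "$RG" -n "$GW" --custom-routes $PREFIXES
}

# Step 2: on GatewaySubnet, next hop for each prefix is the NVA. Keep the routes
# specific: Azure documents that a 0.0.0.0/0 UDR on GatewaySubnet breaks the
# gateway, so never use a default route here.
route_gateway_subnet_to_nva() {
  $AZ network route-table create -g "$RG" -n "$RT"
  for p in $PREFIXES; do
    $AZ network route-table route create -g "$RG" --route-table-name "$RT" \
      -n "$(route_name "$p")" --address-prefix "$p" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
  done
  $AZ network vnet subnet update -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --route-table "$RT"
}

# Step 3 is on the NVA: allow/deny rules for the P2S pool towards PREFIXES and
# SNAT on the way out. Verify the Azure side by listing the routes just created.
show_routes() {
  $AZ network route-table route list -g "$RG" --route-table-name "$RT" -o table
}

# Only act when explicitly asked, so the file is safe to source or review.
if [ "${RUN:-0}" = "1" ]; then
  advertise_custom_routes
  route_gateway_subnet_to_nva
  show_routes
fi
```

Run with `RUN=1 ./script.sh` after `az login`; `AZ=echo RUN=1 ./script.sh` prints the commands for review first.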