
PaulNerie-9756 asked

Selective access restriction to servers from home using P2S VPN

We have a virtual network and use a P2S VPN to connect to it using a VPN Gateway.

We have basically two types of VMs:
Servers (running SQL, MySQL, and GIT)
Development (for software development and design work)

We have two types of users that connect to the vnet:
Managers
Developers

The objective:
Managers can connect to the servers from their home computers
Developers can only connect to the servers from their VMs within the vnet

The problem:
Anyone (both Managers and Developers) connected to the vnet through VPN can access the servers from home.

The only way I see to prevent server access from home is making an NSG rule that blocks the VPN client IP addresses from accessing the servers. But this would also block the Managers' access to the servers.

Is there a way to make sure the Developers only access the servers from their VMs and not from their home computers, without also blocking the Managers' access?

Thanks in advance!

azure-virtual-network

AlanKinane answered

I think you can remove the peered VNET address space from the VPN client configuration file so that those VPN users can't access that VNET. Long term I would recommend moving to Azure AD based authentication anyway as a more modern approach for authentication.

PaulNerie-9756 commented

Thank you.

This means, I can create two different profile XML files, one for Managers and one for Developers.

Once the profile is imported, can it be deleted? Otherwise the user can just edit the XML file and re-import it again.

And there is no way to do the exclusion from within the Azure VPN app?

The only drawback I see here is that it's only for the Azure VPN app. Clients using OpenVPN or the EXE installer for Windows will be exempt from this.

PaulNerie-9756 answered

I actually have the servers in another VNET, so it has its own VPN (which only the Managers use). And the Server and Development VNETs are peered.

But if we can save costs by using only one VNET, that would be better.

I'm not sure if using a different subnet on the same VNET would work, because with the NSG rules I can only block the whole VPN IP address block (not selectively) from accessing the subnet.

Maybe the correct solution is actually switching to AD auth as you suggested, if we can use it to implement the requirement?

Thanks again!


AlanKinane answered

I may have misunderstood. You can use CA to exclude users from using the VPN at all but if all users require the VPN then CA won't help.

There might be an easier way: are the "servers" on a different VNET or subnet to the "VMs"?

You could modify the VPN client configuration for the Developers so that they can't access the address space of the servers through the VPN.
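The route-pruning step suggested in this answer and in the later one ("remove the peered VNET address space from the VPN client configuration file") can be scripted so that a Manager profile and a Developer profile are generated from one exported file. The script below is an added example, not code from the thread or from Microsoft. It assumes the Azure VPN Client profile layout of an `AzVpnProfile` root with `clientconfig/includeroutes/route` elements carrying `destination` and `mask`, and all addresses in it are constructed sample values.

```python
"""Build per-group Azure VPN Client profiles by pruning pushed routes.

Added example (not the thread's or Microsoft's code). Assumes the profile
layout <AzVpnProfile><clientconfig><includeroutes><route>; this is an
assumption about the file format. All addresses are constructed samples.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the gateway pushes the Development VNET (10.1.0.0/16)
# and the peered Server VNET (10.2.0.0/16) into the tunnel.
SAMPLE_PROFILE = """<AzVpnProfile>
  <clientconfig>
    <includeroutes>
      <route><destination>10.1.0.0</destination><mask>16</mask></route>
      <route><destination>10.2.0.0</destination><mask>16</mask></route>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>
"""

# Address space of the Server VNET that Developers must not reach from home.
SERVER_SPACE = ipaddress.ip_network("10.2.0.0/16")


def _route_network(route):
    """Turn one <route> element into an ip_network object."""
    dest = route.findtext("destination")
    mask = route.findtext("mask")
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)


def profile_routes(xml_text):
    """Return every route the profile would push to the client."""
    root = ET.fromstring(xml_text)
    return [_route_network(r)
            for r in root.iterfind("./clientconfig/includeroutes/route")]


def routes_reaching(xml_text, target):
    """Routes in the profile that overlap the target address space.

    Use this as the check before handing a profile to a user group: an
    empty list means nothing in the profile routes traffic to target.
    """
    return [n for n in profile_routes(xml_text) if n.overlaps(target)]


def prune_profile(xml_text, target):
    """Return a new profile with every route overlapping target removed."""
    root = ET.fromstring(xml_text)
    include = root.find("./clientconfig/includeroutes")
    if include is None:
        return xml_text
    for route in list(include):
        if _route_network(route).overlaps(target):
            include.remove(route)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    manager_profile = SAMPLE_PROFILE
    developer_profile = prune_profile(SAMPLE_PROFILE, SERVER_SPACE)
    print("Manager routes to servers:",
          [str(n) for n in routes_reaching(manager_profile, SERVER_SPACE)])
    print("Developer routes to servers:",
          [str(n) for n in routes_reaching(developer_profile, SERVER_SPACE)])
    print(developer_profile)
```

The pruning changes only what the client routes into the tunnel. As the comment on the later answer already notes, a user can edit the XML and re-import it, and the gateway and any NSG still see the same VPN client address pool for both groups, so the split profiles are a convenience for the Developers rather than an enforcement point; a network-side control such as an NSG rule keyed on a source the Developers cannot change remains the place where the restriction actually holds.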


PaulNerie-9756 answered

Thanks for your reply.

We use certificate-based authentication. We do have Azure AD though, and our users are in AD groups.

The P2S VPN is configured to use IKEv2 and OpenVPN.

We are using Conditional Access, and I have briefly looked into using this, but I haven't gone far enough. Your info may help.

So using Conditional Access I can implement the following?

Managers -> VPN -> Servers
Developers -> VPN -> VM -> Servers

The developers can still access the servers, but not directly from their home computers. They can only access them from their VMs.


AlanKinane answered

How are your users authenticating? Are you using the certificate-based authentication method? You can use Azure AD authentication now if you use the OpenVPN protocol on the Standard SKU VPN Gateway; then you can put your users into Azure AD groups and control access to the Azure VPN application using Conditional Access policies.

https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
