How to handle common network for cloud enabled business

RuiCabral asked:

Hello,
One of the business scenarios that I face is that often our teams need to access client systems, which are made available after whitelisting IP addresses. In traditional environments, even when operating behind a VPN, the external-facing endpoint was normally not just an IP; it would normally be a network, which is often a challenge when asked to provide one single IP for whitelisting.

Currently, with fully cloud-based businesses with zero infrastructure, there is no VPN to connect to. Most teams are connected directly to the internet, and sharing private connections with public IPs is not only not the right thing to do but is also not sustainable when it comes to business continuity.

I often go back to the thinking where I can use virtual desktops or DaaS to address this gap, but is this the only way, or are there other ways to address these challenges?

How are you addressing these challenges?


Thank you

Tags: azure-virtual-network, azure-vpn-gateway

1 Answer

ChaitanyaNaykodiMSFT-9638 answered:

Hello @RuiCabral, thank you for reaching out. As per my understanding of the question, due to the ongoing pandemic many employees are working remotely, and as they need access to client VMs they have to provide a public IP of their home network so that it can be whitelisted, but due to remote work it is not always feasible to provide a single IP. Please correct me if my understanding is wrong.

Based on my understanding above there are some services which can help you in this case:

  1. Azure Bastion Service : This service provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software. Azure Bastion and VNet peering can be used together, and it supports Global virtual network peering, which provides the ability to transfer data between virtual networks across Azure subscriptions. You can go through this document on leveraging Azure Bastion for remote work.

  2. Azure Virtual WAN : Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. For remote users you can set Point to Site VPN connections using IKEv2 and SSTP protocols.

You can also use Virtual Desktop Infrastructure as already mentioned by you. You can also go through this document which primarily describes how you can leverage Azure networking services, Microsoft network, and the Azure partner ecosystem to work remotely and mitigate network issues that you might be facing because of the COVID-19 crisis.

Hope this helps. Please let me know if you have any additional concerns or questions. Thank you!


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



RuiCabral commented:

Hello @ChaitanyaNaykodiMSFT-9638,
thank you for your reply. I have previously reviewed Bastion. If I understand correctly this would be a bridge into a VM-hosted environment, which would need to be put in place, whether fully managed by me or outsourced as a service.

Azure Virtual WAN is closer to what I was referring to, yet when I read the support documentation, I am left with the impression that this service is filling a gap where my outside users need to be linked to on-prem resources. This is not my use case. All our infrastructure is outsourced, resides in the cloud, and I am happy to use the current channels to access it.

What I am missing is a way to get my remote users "virtually" behind the same IP or IP network, so that I can accommodate these requests where, in order to access an external resource, other businesses require a specific IP. E.g. imagine you, as a client, need to share access to your website, which sits behind an IP-based firewall, and you need to whitelist IPs to get through. You would ask (from whoever the business is that is helping you) for an IP to whitelist. In turn, this business would probably like to share an IP that is controlled and managed and that could be used by multiple resources, in case some were not available to work.

In the past, we often resolved this by using a "jump server" sitting somewhere, with shared access, as the entry point. But is there anything out there to address this differently?

Thank you so much.

ChaitanyaNaykodiMSFT-9638 commented:

Hello @RuiCabral, thank you for providing additional details and explaining with an example. I think I understand the issue now.

I think Azure Virtual Network NAT will be a good solution in this case as it simplifies outbound-only Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses your specified static public IP addresses.
So in the example above, the business will share this Virtual Network NAT's public IP for me to whitelist, as this public IP represents a virtual network which can be controlled and managed and could be used by multiple resources. You can follow this guide on the Well-Architected Framework review of an Azure NAT gateway.

Please let me know if you have any additional questions or concerns. I will be glad to continue with our discussion. Thank you!




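The pattern suggested in the last comment, written out as an added Bicep example (not code from the thread or from Microsoft's documentation): a static Standard-SKU public IP, a NAT gateway that owns it, and a VNet whose subnet is bound to that gateway, so every VM placed in that subnet (for instance the shared jump hosts mentioned earlier) leaves Azure from the same source address. The resource names, address ranges and parameter defaults are assumptions chosen for illustration; the output at the end is the address you would hand to the client for allowlisting.

```bicep
// Added example, not from the original thread. Names, address ranges and
// defaults below are assumptions for illustration only.
param location string = resourceGroup().location
param vnetName string = 'vnet-egress'
param subnetName string = 'snet-jumphosts'

// NAT Gateway requires a Standard-SKU public IP with static allocation;
// this is the single address the client will allowlist.
resource egressIp 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-natgw-egress'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

// The NAT gateway performs outbound-only SNAT for any subnet attached to it.
resource natGateway 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'natgw-egress'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [
      {
        id: egressIp.id
      }
    ]
  }
}

// The subnet that hosts the shared jump hosts; binding natGateway here means
// all outbound traffic from the subnet uses egressIp as its source address.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: '10.10.1.0/24'
          natGateway: {
            id: natGateway.id
          }
        }
      }
    ]
  }
}

// Share this value with the client for their firewall allowlist.
output egressPublicIp string = egressIp.properties.ipAddress
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`, then confirm from a VM in the subnet that the address seen by an external service (for example `curl -s https://ifconfig.me`) matches the `egressPublicIp` output. Two caveats worth keeping in mind: NAT Gateway handles outbound flows only, so inbound access to the jump hosts still needs Bastion, a VPN or a separately governed public IP; and the gateway takes precedence over a VM's own instance-level public IP for outbound traffic, so a jump host with its own address for inbound RDP/SSH will still present the NAT gateway's address to the client.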