
In every scenario I've seen, a Site-to-Site VPN tunnel is used to bridge 2 virtual networks with a private IP address range - this all makes sense as a use-case to me, and I've implemented such in scenarios other than this one.

The problem is, a client is asking that I provide a public IP address behind a Site-to-Site tunnel to interface with. They don't want to interface with a private IP address.

I've researched until exhaustion, and can't figure out a way to make this work in Azure. Does anyone have any experience doing this?

EDIT: The tunnel needs to be IPsec. I've attempted a host-based VPN solution, and the Azure VPN gateway solution, but was not able to get either working in the manner requested.

  • I don't have time to write a full answer right now, but would an [ExpressRoute](https://azure.microsoft.com/en-us/services/expressroute/) perhaps help? You can use it to route all traffic from on-premises to Azure using BGP routing. Microsoft can then advertise its public IP ranges to you through the BGP, having you effectively access the public IP through a tunnel you control. – Reaces Aug 16 '17 at 19:25
  • I appreciate the suggestion - I should have mentioned that the client insists on using an IPsec tunnel (I've updated my question). It looks like ExpressRoute doesn't support IPsec... – purplepickles Aug 16 '17 at 20:54
  • Doesn't make much sense to me. Why use S2S if he wants to use a public IP address? just use the internet to reach that server. It may be possible using UDR, but I'm not sure if UDR accepts Public IPs as the next hop. – Bruno Faria Aug 16 '17 at 23:24
  • I agree - a colleague and I said as much when we were discussing things earlier! Why not just whitelist my IP in their firewall? Unfortunately, my senses tell me that this client is dictated substantially by bureaucratic policies, rather than what makes the most sense technically... – purplepickles Aug 17 '17 at 03:47
  • @purplepickles Traffic destined for the public Internet does not traverse an Azure Site-to-Site VPN. – Shui shengbao Aug 17 '17 at 07:57

1 Answer


We had a client with a similar ask - public IP address to interface, on the far end of a VPN tunnel. We got it to sort of work by using a pfSense virtual machine, and NATing the network to a range of public IP addresses.

In practice, this was a bad solution. 1-to-1 NAT on a tunnel like this is unsupported by Azure, which is why we had to use pfSense. It was unstable and hacky, and we ended up insisting on private IP addresses from the client to use.

I recommend exhausting all other possible options before trying this.

B G
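The 1-to-1 NAT arrangement the answer describes, shown as an added example on a Linux gateway rather than pfSense (this is not the answerer's code): the gateway terminates the IPsec tunnel and statically maps each private host to one address of a public range, so the far side only ever sees public addresses. All addresses are constructed (203.0.113.0/29 as the public range, 10.10.0.0/24 as the private subnet, 192.0.2.0/24 as the client's side), `ipsec0` is an assumed route-based tunnel interface, and the gateway's IPsec phase-2 traffic selector is assumed to name the public range as its local network, since that is the range the peer must be able to route into the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post): static 1:1 NAT on a Linux gateway
# that terminates the IPsec tunnel, so the peer reaches each private host through
# one address of a public range. All addresses and the interface name are constructed.
TUNNEL_PEER_NET="192.0.2.0/24"     # the client's network on the far side of the tunnel
TUNNEL_IF="ipsec0"                 # assumed tunnel interface (route-based IPsec)
# private host : public address the peer will use for it
MAPPINGS="10.10.0.10:203.0.113.2
10.10.0.11:203.0.113.3"

# Emit the iptables commands for one private/public pair.
nat_rules_for() {
  priv="$1"; pub="$2"
  # Inbound from the tunnel: packets addressed to the public IP are delivered to the private host.
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -j DNAT --to-destination %s\n' \
    "$TUNNEL_IF" "$TUNNEL_PEER_NET" "$pub" "$priv"
  # Outbound towards the tunnel: the private host appears as its public IP
  # (replies to DNATed flows are rewritten by conntrack; this covers host-initiated flows).
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -j SNAT --to-source %s\n' \
    "$TUNNEL_IF" "$priv" "$TUNNEL_PEER_NET" "$pub"
  # Forwarding is limited to the tunnel peer and the mapped host; with FORWARD's
  # policy set to DROP, unmapped hosts and the wider private subnet stay unreachable.
  printf 'iptables -A FORWARD -i %s -s %s -d %s -j ACCEPT\n' "$TUNNEL_IF" "$TUNNEL_PEER_NET" "$priv"
  # Only reply traffic leaves the private host towards the tunnel by default.
  printf 'iptables -A FORWARD -o %s -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$TUNNEL_IF" "$priv" "$TUNNEL_PEER_NET"
}

# Emit all rules (default), or execute them when called with "apply" (needs root).
nat_rules() {
  mode="${1:-print}"
  [ "$mode" = apply ] && iptables -P FORWARD DROP
  printf '%s\n' "$MAPPINGS" | while IFS=: read -r priv pub; do
    [ -n "$priv" ] || continue
    nat_rules_for "$priv" "$pub" | while IFS= read -r cmd; do
      if [ "$mode" = apply ]; then eval "$cmd"; else printf '%s\n' "$cmd"; fi
    done
  done
}

# Number of rules that would be installed, for a quick sanity check.
nat_rule_count() { nat_rules | wc -l | tr -d ' '; }
```

Run `nat_rules` to review the generated rule set and `nat_rules apply` as root to install it. The FORWARD rules are the part pfSense hides behind its GUI: a 1:1 mapping on its own does not stop the peer from reaching addresses you did not intend to expose, so the filter should list exactly the mapped hosts, and the tunnel selector should carry only the public /29, not the private subnet.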