Is there a way to restrict access to Azure resources for certain point-to-site users? For example, I want to allow a P2S VPN user to have access to one VM but not another, or one subnet but not others. Right now it seems like once you are in, you are in for everything that the VNET can access.
3 Answers
If you are using vWAN, you can use P2S user groups + Azure Firewall to achieve this. By using P2S user groups you can make Azure P2S assign IPs from a specific IP address pool to a group of users. You can then add a firewall rule to allow only this address to access the resources.
https://learn.microsoft.com/en-us/azure/virtual-wan/user-groups-about

To restrict some clients' access to Azure resources like VMs or subnets, you could add inbound port rules in the network security groups associated with the subnet or the NIC of the VM. The Source in the security rules would be the internal IP of the VPN client machine that connects to Azure resources with a point-to-site connection.
For more information, you could refer to the Azure network security overview.

Thanks Nancy -- but the IP assigned to a client when connecting P2S isn't static. When you disconnect and reconnect, you might get allocated a different IP. Unless I am missing something? – Jon Dec 29 '20 at 17:16
I forgot that the P2S client IP address is not static. You may upvote this similar [feature request](https://feedback.azure.com/forums/217313-networking/suggestions/13073538-possibility-of-restrict-point-to-site-vpn-access-t). Currently, in this scenario, you could not restrict the VPN client to a specific resource unless the client is disconnected or you revoke a client certificate to forbid it. If you mean that only some users should access the VM, the VM and the users should be in an AD domain environment; then you can restrict users with a domain security policy that restricts some users from accessing domain VMs. – Nancy Dec 30 '20 at 02:52
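The pool-based approach from the first answer and the NSG-rule approach from the second, combined into an added example that is not code from either answerer or from Azure: the user-group address pools, rule names, addresses and ports are constructed, and the evaluator mimics NSG priority-ordered, first-match semantics with an implicit deny. Referencing the group's pool CIDR rather than a single session address is what makes the policy survive the reconnect problem raised in the comments.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: two P2S user groups, each assigned its own address pool
# (the vWAN user-group feature). Rules reference the pool, not the per-session
# client IP, so a reconnect that hands out another address in the pool is fine.
USER_GROUP_POOLS = {
    "engineering": ipaddress.ip_network("172.16.10.0/24"),
    "contractors": ipaddress.ip_network("172.16.20.0/24"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first, as in an NSG
    source: str          # CIDR of the client pool
    destination: str     # CIDR of a subnet, or a /32 for a single VM NIC
    port: int            # 0 means any port
    allow: bool

# Hypothetical inbound rules for a workload VNet: only the engineering pool may
# reach the DB VM, both pools may reach the web subnet, everything else from
# VPN space is denied by a catch-all rule with a high (late) priority number.
RULES = [
    Rule("allow-eng-to-db", 100, "172.16.10.0/24", "10.1.2.10/32", 1433, True),
    Rule("allow-vpn-to-web", 200, "172.16.0.0/16", "10.1.1.0/24", 443, True),
    Rule("deny-vpn-all", 4000, "172.16.0.0/16", "10.0.0.0/8", 0, False),
]

def is_allowed(client_ip: str, dest_ip: str, port: int, rules=RULES) -> bool:
    """Evaluate rules in priority order; first match wins, no match means deny."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(dest_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if (src in ipaddress.ip_network(r.source)
                and dst in ipaddress.ip_network(r.destination)
                and r.port in (0, port)):
            return r.allow
    return False

def group_of(client_ip: str) -> Optional[str]:
    """Map a session address back to its user group via the assigned pool."""
    ip = ipaddress.ip_address(client_ip)
    return next((g for g, pool in USER_GROUP_POOLS.items() if ip in pool), None)
```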
You can do this with a VPN appliance like OpenVPN.net by defining user groups and applying IP restrictions per group. Look into the "Access Control" section at https://openvpn.net/access-server-manual/user-management-group-permissions/

Please don't post link-only answers. Also, this isn't the place to recommend products or services. – David Makogon Jan 23 '22 at 16:12