
I have set up Azure WAN with a secured hub (Azure Firewall). The WAN also has a P2S VPN which I am successfully able to connect to. I understand forced tunneling was not an option before Azure VWAN, but now can I do forced tunneling for my P2S clients and give them a common public IP address instead of their own ISP public IP address?

1 Answer


Yes, you can do forced tunneling for your P2S clients.

If you secure internet traffic via Firewall Manager, you can advertise the 0.0.0.0/0 route to your VPN clients. This makes your clients send all internet-bound traffic to Azure for inspection. Then, the firewall SNATs the packet to the PIP of Azure Firewall for egress to the Internet.

Gitarani Sharma
  • Hi, I have done it all but still my clients' PIP doesn't show that of Azure Firewall. Do you have any documentation on how to achieve this? There might be something I am missing. – user17146433 Oct 18 '21 at 01:50
  • You need to set up the Azure Firewall Policy to allow P2S traffic to the Internet. And to advertise the 0.0.0.0/0 route to your VPN clients, you need to break it into two smaller subnets, 0.0.0.0/1 and 128.0.0.0/1, as mentioned in the doc below: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling You can also add the 0.0.0.0/1 and 128.0.0.0/1 routes directly in your downloaded azurevpnconfig.xml file. – Gitarani Sharma Oct 21 '21 at 14:02
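The last comment says the default route has to be advertised to the Azure VPN Client as the two halves 0.0.0.0/1 and 128.0.0.0/1, and that they can be added straight into the downloaded azurevpnconfig.xml. The following is an added example, not code from the thread or from Microsoft, that checks a profile for those two routes, adds them if missing, and confirms that the pair really does collapse to 0.0.0.0/0. It assumes the profile layout `AzVpnProfile > clientconfig > includeroutes > route > destination/mask` and uses a constructed sample profile rather than a real download.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of an azurevpnconfig.xml profile (assumed element names,
# modelled on the Azure VPN Client profile format; not a real download).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>example-vwan-p2s</name>
  <clientconfig>
    <includeroutes>
      <route><destination>10.0.0.0</destination><mask>8</mask></route>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>"""

# The two /1 prefixes that together replace a single 0.0.0.0/0 route.
FORCED_TUNNEL_ROUTES = ("0.0.0.0/1", "128.0.0.0/1")


def covers_all_ipv4(routes):
    """True when the given prefixes collapse exactly to 0.0.0.0/0."""
    nets = [ipaddress.ip_network(r, strict=False) for r in routes]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]


def listed_routes(xml_text):
    """Return every <route> in the profile as an IPv4Network."""
    root = ET.fromstring(xml_text)
    routes = []
    for r in root.iter("route"):
        dest = r.findtext("destination")
        mask = r.findtext("mask")
        if dest is None or mask is None:
            continue  # malformed entry; skip rather than guess
        routes.append(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
    return routes


def has_forced_tunnel(xml_text):
    """True when both /1 halves are present in the profile."""
    present = set(listed_routes(xml_text))
    return all(ipaddress.ip_network(n) in present for n in FORCED_TUNNEL_ROUTES)


def add_forced_tunnel(xml_text):
    """Return the profile with 0.0.0.0/1 and 128.0.0.0/1 added (idempotent)."""
    root = ET.fromstring(xml_text)
    include = root.find("./clientconfig/includeroutes")
    if include is None:
        cc = root.find("clientconfig")
        if cc is None:
            cc = ET.SubElement(root, "clientconfig")
        include = ET.SubElement(cc, "includeroutes")
    present = set(listed_routes(xml_text))
    for cidr in FORCED_TUNNEL_ROUTES:
        net = ipaddress.ip_network(cidr)
        if net in present:
            continue  # already advertised, leave the profile as-is
        route = ET.SubElement(include, "route")
        ET.SubElement(route, "destination").text = str(net.network_address)
        ET.SubElement(route, "mask").text = str(net.prefixlen)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("pair covers all IPv4:", covers_all_ipv4(FORCED_TUNNEL_ROUTES))
    print("forced tunnel before:", has_forced_tunnel(SAMPLE_PROFILE))
    patched = add_forced_tunnel(SAMPLE_PROFILE)
    print("forced tunnel after: ", has_forced_tunnel(patched))
    print(patched)
```

Run it against a real profile by reading the file into `add_forced_tunnel` and writing the result back before importing it into the Azure VPN Client. As the comment notes, the profile change only makes the client send Internet traffic into the tunnel; the Azure Firewall policy must still allow that traffic out, otherwise the client loses Internet access rather than egressing from the firewall's public IP.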