Internet acces via vWAN Azure

Wilan 21

Hi ,I have VPN Gateway + private APN from Orange without Internet access, it connects to the Azure s2s ipsec tunnel. Sometimes I need to release Internet traffic on Orange SIM cards and I wanted to do it using vWan and Virtual Hub but I came to the point that I need to run a secure Virtual hub which is too expensive for me :( Is this the only solution? without a secure hub? If it is, is it possible to use a vm machine with pfsense for this?

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2022-10-27T04:57:15.44+00:00

Hi @KrzysztofChwedynaWellDone-7604,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I am afraid I did not understand your environment or question here.

I see you have mentioned you are using S2S tunnel and would require internet access for remote users.
If your users are individual remote machines, connecting to Azure VPN gateway, then I believe you are referring to P2S connections.

For default route, 0.0.0.0/0, it is not mandatory that you have to use an Azure Firewall (i.e, Secured Hub).
You can use any NVA that you seem fit here as the NextHop.

Refer :
About virtual hub routing
How to configure virtual hub routing
Route traffic through an NVA
Route traffic through NVAs by using custom settings

I hope this helps.

Please let me know if my understanding of the issue is incorrect or if you have further queries on this.

Cheers,
Kapil
Wilan 21 Reputation points

2022-11-02T12:37:57.51+00:00

Hi @KapilAnanth-MSFT

I created a virtual machine with pfsesne(NVA) and created route table with nexthop to pfsense - this works only for Azure Vnet.
So, is it possible to support Internet access for the on-prem devices, over the S2S (egressing from Azure)?I don't see a place where I can route traffic for network s2s on prem.
Should it be done in virtual wan -> hubs-> Route Tables -> Default?

I would like to achieve such a result:
Local Network <->s2s<->Virtual Hub<->Pfsense<->VM Azure
Local Network <->s2s<->Virtual Hub<->Pfsense<->Internet
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2022-11-04T17:24:56.373+00:00
Hi @KrzysztofChwedynaWellDone-7604,

Yes, you are correct.
Any route updates should be done in vWAN -> Hubs-> Route Tables -> Default.

However, adding 0.0.0.0/0 here will not advertise the 0.0.0.0/0 across the VPN/Express Route Tunnel

You should configure your OnPremises Firewall/VPN device to send 0.0.0.0/0 traffic to Azure Gateway.

This should be done on the OnPrem side only.

Once the traffic reaches Azure gateway, then the routes in Route table will make the Gateway forward the traffic to the NVA (Pfsense)

Refer:
Virtual hub routing preference
About virtual hub routing
How to configure virtual hub routing
Create a Virtual WAN hub route table for NVAs: Azure portal

I hope this helps

Cheers,
Kapil
Wilan 21 Reputation points

2022-11-06T13:17:10.077+00:00

Thanks again for the hint, now my config looks good but internet traffic for s2s still doesn't work. Traffic to the Azure VM looks fine through pfsense, but when it does make it to the internet they create routing loops in which traffic never leaves the subnet.
I read that pfsense in a virtual machine cannot be NVA for my solution. Do I need to release traffic to create an NVA from a given marketplace?
KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2022-11-07T04:48:28.463+00:00

Hi @KrzysztofChwedynaWellDone-7604,

Thanks for the update.

While only a certain NVAs are offered as default in vWAN, you can also use the Route tables to route traffic to any VM (in your case, your pfsense NVA).

Edit the route table and indicate the next hop as the specific IP of this NVA.
This should do the trick.

Refer: Workflow of Custom NVA
Wilan 21 Reputation points

2022-11-07T15:06:07.817+00:00

Thanks:) Everything works in this config. Internet traffic route to Interface WAN pfsense.

Accepted answer

KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee

2022-11-08T05:05:09.357+00:00
Hi @KrzysztofChwedynaWellDone-7604,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

You informed us you would like to achieve:
Local Network <->s2s<->Virtual Hub<->Pfsense<->VM Azure
Local Network <->s2s<->Virtual Hub<->Pfsense<->Internet

I suggested you can do the routing updates in vWAN -> Hubs-> Route Tables -> Default.

However, adding 0.0.0.0/0 here will not advertise the 0.0.0.0/0 across the VPN/Express Route Tunnel

You should configure your OnPremises Firewall/VPN device to send 0.0.0.0/0 traffic to Azure Gateway.

This should be done on the OnPrem side only.

Once the traffic reaches Azure gateway, then the routes in Route table will make the Gateway forward the traffic to the NVA (Pfsense)

Refer:
Virtual hub routing preference
About virtual hub routing
How to configure virtual hub routing
Create a Virtual WAN hub route table for NVAs: Azure portal

For a custom NVA, you can refer: Workflow of Custom NVA

You informed you were able to configure this with the below architecture.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Internet acces via vWAN Azure

0 additional answers

Your answer