Azure VWAN with P2S and whitelisting.

Tina Cheema 1 Reputation point
2021-06-08T14:15:26.227+00:00

We have recently implemented Azure Virtual WAN and the P2S gateway for our remote users to use. However, we are having some challenges around whitelisting services that do not use a proxy. As an example, we access an SQL database with a 3rd party provider for a call center solution. This is on port 1433 and so does not hit the proxy. It also means that the public IP that the users will be coming in on will be their ISP's own public IP, and it would be almost impossible to whitelist 2000 remote users in this manner. Is there a solution for this?

Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.

3 answers

  1. SaiKishor-MSFT 17,216 Reputation points
    2021-06-08T18:08:29.26+00:00

    @Tina Cheema Thank you for reaching out to Microsoft Q&A.

    It looks like you are looking for something like this here- https://feedback.azure.com/forums/217313-networking/suggestions/13073538-possibility-of-restrict-point-to-site-vpn-access-t

    However, this is not currently possible. Please add your request/feedback on this page so that our team can consider the same. Thank you!

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.


  2. Tina Cheema 1 Reputation point
    2021-06-09T07:10:28.367+00:00

    Thanks for the answer but it does not match my request.

    We have a number of 3rd party SQL DBs that our users connect to remotely over P2S, and that requires our public IP to be whitelisted on their side. For http and https this is not an issue as we can push this to a proxy. However, ms-SQL (1433) will not take the proxy, and so we would have to whitelist every user's ISP public IP, which is not possible. We need a solution for this urgently please. That could be a way to use private endpoints for public services as well as Azure PaaS, or some way to force-tunnel the traffic over to an NVA.


  3. SaiKishor-MSFT 17,216 Reputation points
    2021-06-17T22:00:22.653+00:00

    @Tina Cheema

    Firstly we apologize for the delay in response to your question. QQ here, do you use service endpoint or private endpoint currently to access this SQL DB?

    If using service endpoint, you will have to whitelist the individual IPs and there is no other workaround for it. However, you can instead use private endpoint to access this SQL DB from on-premises via P2S VPN, and this is a better approach without involving whitelisting multiple public IPs. You will only whitelist the P2S VPN client IP address pool for this. Here are some videos and docs that explain the differences between service endpoint and private endpoint and how to utilize private endpoint for SQL DB:

    Azure Service Endpoint and Private endpoint Overview- https://www.youtube.com/watch?v=HbVCi2NcKyU
    Use private endpoint for Storage Account- https://video2.skills-academy.com/en-us/azure/storage/common/storage-private-endpoints

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


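The point the thread turns on is where the SQL host sees the connection coming from: a client whose 1433 traffic egresses directly from home shows up as its ISP address, while a client whose traffic is routed through the VPN shows up as an address from the P2S client address pool, which is a single range the remote side can allow-list. The following script is an added illustration, not code from the thread or from Microsoft; the pool `172.16.201.0/24` and the sample source addresses are constructed, and `cidr_to_firewall_rule` only converts a CIDR into the inclusive start/end pair that Azure SQL server-level firewall rules use (`az sql server firewall-rule create --start-ip-address ... --end-ip-address ...`).

```python
import ipaddress

# Constructed sample values (not from the thread): an assumed P2S VPN client
# address pool, and a few source addresses as the SQL host would observe them.
P2S_CLIENT_POOL = ["172.16.201.0/24"]  # hypothetical pool

SAMPLE_SOURCES = {
    "forced-tunnel client": "172.16.201.37",   # egresses through the VPN, pool address
    "split-tunnel client A": "203.0.113.45",   # egresses directly, ISP address (TEST-NET-3)
    "split-tunnel client B": "198.51.100.200", # egresses directly, ISP address (TEST-NET-2)
}


def pool_networks(cidrs):
    """Parse the allow-listed CIDRs once; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(source_ip, cidrs):
    """True if the observed source address falls inside any allow-listed range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in pool_networks(cidrs))


def allow_list_report(sources, cidrs):
    """Map each labelled client to whether its connection would be accepted.

    Split-tunnel clients fail here because their ISP address is not in the pool;
    this is the 2000-user problem from the question. Only the forced-tunnel
    client passes, which is why allow-listing the pool works solely when port
    1433 traffic is actually routed through the VPN.
    """
    return {label: is_allowed(ip, cidrs) for label, ip in sources.items()}


def cidr_to_firewall_rule(cidr, name):
    """Express a CIDR as the inclusive start/end pair used by Azure SQL firewall rules."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "name": name,
        "startIpAddress": str(net.network_address),
        "endIpAddress": str(net.broadcast_address),
    }


if __name__ == "__main__":
    for label, allowed in allow_list_report(SAMPLE_SOURCES, P2S_CLIENT_POOL).items():
        print(f"{label:22s} -> {'allowed' if allowed else 'blocked'}")
    print(cidr_to_firewall_rule(P2S_CLIENT_POOL[0], "p2s-client-pool"))
```

The report makes the split-tunnel failure mode visible: any client whose SQL traffic does not traverse the tunnel is blocked no matter how the pool rule is written, so the pool-based allow list only holds together with the routing change (private endpoint reachable over the VPN, or forced tunneling through an NVA) that the answers describe.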