Point-to-Site VPN protected by Azure firewall from the outside

Marek Kurowski 21 Reputation points
2021-07-20T16:48:53.19+00:00

Hello,

I am wondering how I could configure the hub to route traffic as follows:

P2S tunnels over the internet -> Azure FW -> VPN Gateway -> Azure FW -> VNet subnets (and back to P2S clients the same way)

tia

Tags: Azure VPN Gateway, Azure Firewall

Accepted answer
  1. SaiKishor-MSFT 17,231 Reputation points
    2021-07-27T21:48:01.573+00:00

    @Marek Kurowski Just to understand your need better, are you saying you want traffic from P2S VPN to go to the Firewall first and then to the VPN Gateway? If so, this is not possible, as the traffic needs to first pass the VPN Gateway and then it can go through the Azure Firewall before it hits the Azure VNet. This is possible by implementing Secure Hub as shown below:

    [diagram: 118413-diagram.png]

    To know more about this architecture, please follow this document: https://video2.skills-academy.com/en-us/azure/virtual-wan/manage-secure-access-resources-spoke-p2s

    Hope this helps. Please let us know if you have any further questions/concerns and we will be glad to assist further. Thank you!


3 additional answers

  1. Cristian SPIRIDON 4,476 Reputation points
    2021-07-22T19:44:17.013+00:00

    You should be able to achieve any custom routing in Azure with a routing table.
    If you want resources from one VNet to follow a particular route to the Internet or to other VNets, you need to define custom routes with routing tables.

    https://video2.skills-academy.com/en-us/azure/virtual-network/virtual-networks-udr-overview

    Hope this helps.

    1 person found this answer helpful.
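The route-table approach Cristian describes, worked through for the inbound direction Marek is asking about, as an added example that is not code from this thread or from Microsoft. It uses Azure CLI against a hub-and-spoke layout where the VPN gateway and the firewall share one hub VNet; the resource group, VNet, subnet names, firewall private IP and the P2S client pool are assumed placeholders. Two user-defined routes are needed, one on the GatewaySubnet so that packets arriving from P2S clients are handed to the firewall before reaching the workload subnet, and one on the workload subnet so that replies to the P2S pool also go to the firewall rather than straight back to the gateway; without the second route the return path is asymmetric and the firewall drops the flow. The script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: force P2S client traffic through Azure Firewall in both
# directions using user-defined routes. All names and addresses below are
# assumed placeholders; override them via environment variables.
set -eu

RG="${RG:-hub-rg}"                                   # assumed resource group
HUB_VNET="${HUB_VNET:-hub-vnet}"                     # assumed hub VNet (holds GatewaySubnet + AzureFirewallSubnet)
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.1.4}"           # assumed Azure Firewall private IP
P2S_POOL="${P2S_POOL:-172.16.0.0/24}"                # assumed P2S client address pool
WORKLOAD_SUBNET="${WORKLOAD_SUBNET:-workload}"       # assumed workload subnet name
WORKLOAD_PREFIX="${WORKLOAD_PREFIX:-10.0.10.0/24}"   # assumed workload subnet prefix

# Accept only a well-formed IPv4 CIDR with a prefix length of 1..32.
# A default route (0.0.0.0/0) is refused on purpose: pointing the
# GatewaySubnet's default route at an appliance breaks the gateway itself.
# Returns 0 when the prefix is acceptable, 1 otherwise.
validate_gateway_prefix() {
  prefix="$1"
  case "$prefix" in
    */*) ;;
    *) return 1 ;;
  esac
  len="${prefix##*/}"
  case "$len" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
  case "$prefix" in
    0.0.0.0/*) return 1 ;;
  esac
  return 0
}

# Print each command; execute it only when APPLY=1, so a plain run is a dry run.
run() {
  printf '+ %s\n' "$*"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

configure_routes() {
  validate_gateway_prefix "$WORKLOAD_PREFIX" || { echo "bad workload prefix: $WORKLOAD_PREFIX" >&2; return 1; }
  validate_gateway_prefix "$P2S_POOL" || { echo "bad P2S pool: $P2S_POOL" >&2; return 1; }

  # 1) GatewaySubnet: P2S clients -> firewall -> workload subnet.
  #    Gateway route propagation stays enabled on this table.
  run az network route-table create -g "$RG" -n rt-gateway
  run az network route-table route create -g "$RG" --route-table-name rt-gateway \
      -n to-workload-via-fw --address-prefix "$WORKLOAD_PREFIX" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$HUB_VNET" \
      -n GatewaySubnet --route-table rt-gateway

  # 2) Workload subnet: replies to P2S clients -> firewall -> gateway.
  #    Propagation is disabled here so the gateway-learned route for the P2S
  #    pool (next hop = gateway) cannot bypass the firewall and break symmetry.
  run az network route-table create -g "$RG" -n rt-workload --disable-bgp-route-propagation true
  run az network route-table route create -g "$RG" --route-table-name rt-workload \
      -n to-p2s-via-fw --address-prefix "$P2S_POOL" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  run az network vnet subnet update -g "$RG" --vnet-name "$HUB_VNET" \
      -n "$WORKLOAD_SUBNET" --route-table rt-workload
}

# Print the plan with PLAN=1, or apply it for real with APPLY=1.
if [ "${PLAN:-0}" = 1 ] || [ "${APPLY:-0}" = 1 ]; then
  configure_routes
fi
```

The routes only steer packets; the firewall still needs a network rule permitting the P2S pool to reach the workload prefix, and the firewall's own logs (as Marek mentions enabling) are where you confirm that both directions of a test connection are actually being seen. Disabling gateway route propagation on the workload table means any other gateway-learned prefixes that subnet relies on must also be added as explicit routes.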

  2. Marek Kurowski 21 Reputation points
    2021-07-22T20:05:16.327+00:00

    Thanks Cristian, I should have specified exactly what has me stuck. I am able to do egress via the FW and east-west using routes. My issue is with structuring the route so that inbound traffic goes through the firewall from the outside. From what I've seen, it might be that I will need to add a route onto the "Firewall" subnet, but I wasn't sure. I was able to enable logging finally, so I'll give that a test. Thanks :)


  3. Marek Kurowski 21 Reputation points
    2021-07-29T18:30:04.83+00:00

    @SaiKishor-MSFT I will mark as accepted answer shortly. Let me ask this: what best practices are there on securing P2S tunnels? Would the gateway just be protected by MS's overall infrastructure, or are there features I can use to provide additional layers of protection for the P2S GW from the outside?
