Azure - Hub And Spoke P2S-IPSEC different customers

Cloudy 206 Reputation points
2022-04-22T08:32:23.387+00:00

Dear community! I'm thinking about a network architecture for the diagram below:

![195440-usecase.png][1]

The situation is the following:

- The aim is to force traffic to go through Azure Firewall when customers want to reach their workloads (each customer corresponds to one spoke).
- Each customer needs to be able to connect through their on-prem site, connected by an IPsec VPN tunnel, or using a P2S connection when working out of the office.

So I have some limitations/questions:

- As a VPN GW can only have one address pool for P2S, all customers will be using the same P2S address pool; how to avoid customer1 accessing customer2 workloads? (Is a Virtual WAN needed per customer for IPsec and P2S? [https://video2.skills-academy.com/en-us/azure/virtual-wan/manage-secure-access-resources-spoke-p2s][2])
- Or maybe, due to the limitations, one VPN GW is needed for each customer spoke (VNet)? And so traffic would not be filtered by Azure Firewall, or maybe by using UDR?
- Another possibility is to use a 3rd-party NVA such as FortiGate or Sophos, which would allow multiple SSL VPN address pools, rather than using Azure Firewall?

Thanks to all for your comments/suggestions!

[1]: /api/attachments/195440-usecase.png?platform=QnA
[2]: https://video2.skills-academy.com/en-us/azure/virtual-wan/manage-secure-access-resources-spoke-p2s


Accepted answer
  1. GitaraniSharma-MSFT 49,466 Reputation points Microsoft Employee
    2022-04-25T12:57:32.68+00:00

    Hello anonymous user ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to implement a hub and spoke architecture where each customer corresponds to one spoke and all the traffic should be forced to go through Azure Firewall when customers want to reach their workloads via either S2S or P2S VPN.

    The VPN client address pool is a range of private IP addresses that you specify (this range shouldn't overlap with the on-premises location that you connect from, or the VNet that you want to connect to). The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Since all the spoke/customer VNets will be connected to the Hub VNet where the VPN gateway is situated, you need to enable BGP and "allow gateway transit" on the VPN gateway to be able to access the peered VNets from P2S VPN clients, and hence all three VNets' address ranges will be advertised to the P2S VPN clients.
    Refer: https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing#multivnets2sbranchbgp

    To avoid customer1 access to customer2 workloads, it is better to go with one VPN gateway for each customer or use a 3rd party NVA for separate VPN address pools.

    You can also opt for Azure Virtual WAN, where you can isolate VNets and branches along with Azure Firewall to inspect the traffic.
    Refer: https://video2.skills-academy.com/en-us/azure/virtual-wan/scenario-isolate-virtual-networks-branches

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

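As an added example (not code from this thread, nor from Microsoft), the Bicep below wires up the pieces the answer describes for one customer spoke: peering with gateway transit so the hub VPN gateway advertises the spoke range to P2S/S2S clients, a UDR on the hub GatewaySubnet that sends spoke-bound VPN traffic to Azure Firewall, and a spoke UDR that sends the return path back through the firewall. Resource names, address ranges, the GatewaySubnet prefix and the firewall private IP are assumptions.

```bicep
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'        // assumed: existing hub VNet holding gateway + firewall
param firewallPrivateIp string = '10.0.1.4'  // assumed: AzureFirewallSubnet private IP
param spokePrefix string = '10.1.0.0/16'     // assumed: customer1 spoke address space
resource hubVnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = { name: hubVnetName }

// Hub GatewaySubnet UDR: P2S/S2S traffic destined for the spoke is handed to the firewall
// instead of flowing straight over the peering. 0.0.0.0/0 is not allowed here, so list each spoke.
resource gwRouteTable 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    routes: [ { name: 'spoke1-via-fw', properties: { addressPrefix: spokePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ]
  }
}
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: hubVnet
  name: 'GatewaySubnet'
  properties: { addressPrefix: '10.0.255.0/27', routeTable: { id: gwRouteTable.id } } // assumed prefix
}

// Spoke UDR: ignore gateway-learned routes and send everything, including replies to the
// P2S client pool, to the firewall so the return path is inspected as well.
resource spokeRouteTable 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'rt-customer1'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [ { name: 'default-via-fw', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ]
  }
}
resource spokeVnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-customer1'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokePrefix ] }
    subnets: [ { name: 'workloads', properties: { addressPrefix: '10.1.0.0/24', routeTable: { id: spokeRouteTable.id } } } ]
  }
}

// Peering with gateway transit: this is what advertises the spoke range to the
// P2S/S2S clients; the hub side must exist before the spoke side sets useRemoteGateways.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-07-01' = {
  parent: hubVnet
  name: 'hub-to-customer1'
  properties: { remoteVirtualNetwork: { id: spokeVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: true }
}
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2022-07-01' = {
  parent: spokeVnet
  name: 'customer1-to-hub'
  dependsOn: [ hubToSpoke ]
  properties: { remoteVirtualNetwork: { id: hubVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, useRemoteGateways: true }
}
```

This forces inspection of both directions, but it does not by itself separate customers that share one P2S pool, because the firewall sees the same source range for all of them; that gap is why the answer points to per-customer gateways, a 3rd-party NVA, or Virtual WAN isolation.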
