Azure VPN point-to-site static IPv4

Requirement:
I need to configure the Azure VPN client so that users can get a static public IP to access various services (e.g., SaaS services that require IP whitelisting).

Current Setup:

  • We have a VPN gateway with site-to-site connections for on-premises.
  • We also have a point-to-site VPN connection for users to connect with Azure resources.

Issue:
In my research, I found that the VPN gateway does not support egress to the internet. Additionally, it’s not possible to route traffic from the gateway subnet or the VPN client address pool through the Azure firewall.

Question:
Has anyone faced a similar issue or found a workaround for this? Any insights or suggestions would be greatly appreciated.

Update: The traditional VPN Gateway will not route traffic to the internet by default. You need to use Azure Virtual WAN and deploy a point-to-site VPN gateway, which can be associated with Azure Firewall to route traffic to the internet with the firewall's static public IP.

I saw somewhere about enabling forced tunneling on the VPN client, then using DNS conditional forwarding to push requests out the AFW. Never tried it myself, but it might be an unsupported workaround…

Edit: SNAT exhaustion might be an issue depending on your load, so you can use a NAT Gateway with the AFW.

You could add a route table to the VPN Gateway subnet and send it to a firewall if you wanted. I'm curious as to what services you're connecting to. Are these Azure services? If so, have you looked to see if they support Private Endpoints? If so, you could connect privately from the VNet your GW resides in. If you must go through the internet, like previously mentioned, you could look at sending traffic through something like a NAT GW, but I'm not sure it would make sense to send your traffic to Azure at all at that point. Meaning, you may be able to configure your on-prem routing for the site-to-site to just talk straight to your company's internet (which is likely going to be one IP). Then do the same routing for your point-to-site: don't send everything to Azure; for public stuff, have the default route (0.0.0.0/0) be the internet using the local ISP and that public IP.
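As an added example (not from anyone in this thread), here is the route-table approach from the last reply expressed as Azure CLI: a user-defined route table on the GatewaySubnet sends traffic for the allow-listed SaaS prefixes to Azure Firewall's private IP, and the firewall SNATs that traffic behind its static public IP. The script deliberately uses prefix-specific routes rather than 0.0.0.0/0, because Azure does not support a default route in a UDR on the GatewaySubnet, which is the constraint that pushed the original poster toward Virtual WAN. All resource names, the firewall private IP and the SaaS prefixes are placeholders you must replace; the `az network route-table` and `az network vnet subnet update` commands are real, and the script has a `plan` mode that only prints the commands so the change can be reviewed before `apply`.

```shell
#!/bin/sh
# Added example: route P2S client traffic for specific SaaS prefixes via Azure Firewall.
# Placeholders: resource names, firewall private IP and SaaS prefixes are assumptions.
set -eu

RG="${RG:-rg-hub}"                          # resource group of the hub VNet, gateway and firewall
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-hub}"                    # hub VNet that contains the GatewaySubnet
ROUTE_TABLE="${ROUTE_TABLE:-rt-gatewaysubnet}"
FIREWALL_IP="${FIREWALL_IP:-10.0.1.4}"      # Azure Firewall private IP (next hop), placeholder
# Public prefixes of the SaaS endpoints that allow-list your egress IP (constructed placeholders).
SAAS_PREFIXES="${SAAS_PREFIXES:-203.0.113.0/24 198.51.100.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute an az command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# configure_gateway_egress: create the route table, add one route per SaaS prefix with the
# firewall as next hop, and associate the table with the GatewaySubnet.
# No 0.0.0.0/0 route is added: a default UDR on the GatewaySubnet is unsupported by Azure.
configure_gateway_egress() {
  run az network route-table create -g "$RG" -n "$ROUTE_TABLE" -l "$LOCATION"
  i=0
  for prefix in $SAAS_PREFIXES; do
    i=$((i + 1))
    run az network route-table route create -g "$RG" --route-table-name "$ROUTE_TABLE" \
      -n "saas-$i" --address-prefix "$prefix" \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$FIREWALL_IP"
  done
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --route-table "$ROUTE_TABLE"
}

# plan_commands: print the full command plan without touching Azure.
plan_commands() {
  ( DRY_RUN=1; configure_gateway_egress )
}

# count_routes_planned: number of route entries the plan would create (one per SaaS prefix).
count_routes_planned() {
  plan_commands | grep -c 'route-table route create'
}

# Usage: ./gw-egress.sh plan    (review the commands)
#        ./gw-egress.sh apply   (run them against the subscription az is logged in to)
case "${1:-}" in
  plan)  plan_commands ;;
  apply) configure_gateway_egress ;;
esac
```

Run `plan` first and confirm every prefix and the firewall IP are what you expect; the firewall still needs a network rule allowing the P2S client address pool to those prefixes, and the firewall's public IP is the address the SaaS provider must allow-list. If your clients also need everything else tunnelled, this design will not carry their default route, and the Virtual WAN approach from the update is the supported path.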