I need to set up a cloud based VPN, I'm not sure if Azure VPN is a good fit for my needs

I am having to transition from an on-prem VPN using Fortigates to something cloud based because we are going 100% remote and no longer have any on-prem infrastructure. We have access to a lot of our resources in Azure limited to the WAN IPs of our Fortigates, so users would have to connect to the VPN to access them. The VPN we were using was a full-tunnel VPN.
When I connect to the AzureVPN, none of my internet traffic is going through the public IP assigned to the VNetGW and I'm not sure how to force that to happen. I'm completely new to AzureVPN, and have been working on this since yesterday and have gotten nowhere so far. Is Azure VPN not meant for this kind of purpose? Is there a better solution I should look into? Cost is somewhat of an issue, as the purse strings are pretty tight this year.

Hello, to answer the 1st question…Microsoft Azure provides a range of options for setting up a cloud-based VPN. Here are some best practices to consider:
Choose the right VPN gateway: Azure offers several VPN gateway options, including Basic, Standard, and High-Performance gateways. The choice depends on your network requirements and the amount of traffic that will pass through the VPN.
Select the appropriate VPN protocol: Azure VPN supports several VPN protocols, including IKEv2, SSTP, and OpenVPN. IKEv2 is a popular choice for its reliability and security.
Configure network and routing: Ensure that the virtual network and subnet settings are correctly configured. Also, configure routing tables and peering connections as necessary to ensure that traffic flows correctly.
Configure authentication and encryption: Use strong authentication and encryption protocols to secure the VPN connection. Azure VPN supports several authentication methods, including RADIUS and certificate-based authentication.
Monitor and troubleshoot: Monitor the VPN connection regularly to identify issues before they become critical. Use Azure monitoring and logging tools to collect and analyze data on the VPN connection and troubleshoot issues.
Consider using Azure VPN Client: Azure VPN Client is a lightweight VPN client that can be used to connect to Azure VPN gateways. It provides an easy-to-use interface and supports multiple VPN protocols.
By following these best practices, you can set up a reliable and secure cloud-based VPN using Microsoft Azure.

To answer the question in your paragraph…“When I connect to the AzureVPN, none of my internet traffic is going through the public IP assigned to the VNetGW and I'm not sure how to force that to happen”. Split-tunneling is enabled by default, which means that only traffic destined for the VNet is routed through the VPN tunnel, while all other traffic goes directly to the internet.
To force all internet traffic through the VPN tunnel, you can disable split-tunneling by following these steps:
Navigate to the Virtual Network Gateway resource in the Azure portal.
Click on “Point-to-site configuration” under the “Settings” menu.
Under the “Client Address Pool” section, click on “Edit”.
Set the “Address pool” option to a specific IP address range, such as 10.0.0.0/24.
Uncheck the “Split-tunnel” option.
Click “Save” to save the changes.
This should force all traffic, including internet traffic, through the VPN tunnel to the VNetGW. However, please note that this may increase latency and reduce internet speed, as all traffic will now be routed through the VPN tunnel.

Look at hub and spoke architecture and you can use P2S VPN to a virtual network gateway to set up a secure environment.

If your company is looking to work 100% cloud based then I highly recommend to consult a cloud architect.

Feel free to hit my dm’s for any questions and I’ll see if I can help.

Thanks for the reply, however I do not have an edit option in the P2S config screen nor is there a split tunnel option to check or uncheck.
I have it set up using the Gen2 VpnGw2 SKU, OpenVPN protocol, and Azure AD for authentication.

However, you can't have forced tunneling on Azure unless you are prepared to use Azure Firewall with VWAN, am I right?

If you’re using the Gen2 VpnGw2 SKU, OpenVPN protocol, and Azure AD for authentication, the steps to disable split-tunneling and route all internet traffic through the VPN tunnel are slightly different.

You can follow these steps to route all internet traffic through the VPN tunnel:

Open the Azure portal and navigate to the Virtual Network Gateway resource.

Click on the “Configuration” tab under the “Settings” menu.

Under the “Point-to-site configuration” section, click on “Download VPN client” and download the OpenVPN configuration file.

Open the downloaded configuration file in a text editor.

Add the following line at the end of the configuration file:

route 0.0.0.0 0.0.0.0 vpn_gateway

This route statement instructs the OpenVPN client to route all traffic through the VPN tunnel.

Save the configuration file and import it into your OpenVPN client.

Connect to the VPN and verify that all internet traffic is going through the VPN tunnel.

With this configuration, all traffic, including internet traffic, will be routed through the VPN tunnel to the VNetGW. This will ensure that all traffic is encrypted and secured while being transmitted over the internet.
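The profile edit in the reply above, as an added worked example that is not part of the thread: a small POSIX shell script that patches an Azure P2S OpenVPN profile into a forced-tunnel profile and checks the result. It assumes you connect with a stock OpenVPN client using the `.ovpn` file the reply is editing; the Azure VPN Client used with Azure AD authentication reads an XML profile (azurevpnconfig.xml) instead, which this script does not touch. The gateway hostname and the inline certificate in the sample profile are placeholders, and the profile is trimmed to the directives needed here. It uses `redirect-gateway def1` rather than the reply's bare `route 0.0.0.0 0.0.0.0 vpn_gateway`: `def1` installs 0.0.0.0/1 and 128.0.0.0/1, which override the existing default route without replacing it, and OpenVPN adds a host route for the gateway address so the tunnel does not try to route its own packets.

```shell
#!/bin/sh
# Added example (not from the thread): make an Azure P2S .ovpn profile send all
# traffic through the tunnel, idempotently, and sanity-check the result.

# Constructed sample profile: a trimmed Azure-style .ovpn. The gateway hostname
# and the <cert> contents are placeholders.
write_sample_profile() {
  cat > "$1" <<'EOF'
client
remote azuregateway-00000000-0000-0000-0000-000000000000-deadbeef.vpn.azure.com 443
verify-x509-name 'OpenVPN Server' name
remote-cert-tls server
dev tun
proto tcp
resolv-retry infinite
nobind
auth SHA256
cipher AES-256-GCM
persist-key
persist-tun
tls-timeout 30
tls-version-min 1.2
verb 3
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END CERTIFICATE-----
</cert>
EOF
}

# Number of full-tunnel directives in a profile (0 means split tunnel).
# Matches both 'redirect-gateway ...' and an explicit 'route 0.0.0.0 0.0.0.0 ...'.
default_route_count() {
  [ -r "$1" ] || { echo "no such profile: $1" >&2; return 2; }
  grep -c -E '^[[:space:]]*(redirect-gateway|route[[:space:]]+0\.0\.0\.0[[:space:]]+0\.0\.0\.0)' "$1" || true
}

# Write a forced-tunnel copy of $1 to $2. A profile that already carries a
# default-route directive is copied unchanged, so running it twice is safe.
# Directive order outside inline <tag> blocks does not matter to OpenVPN, so
# appending after </cert> is fine.
force_tunnel_profile() {
  in=$1; out=$2
  [ -r "$in" ] || { echo "no such profile: $in" >&2; return 2; }
  cp "$in" "$out"
  if [ "$(default_route_count "$out")" -eq 0 ]; then
    printf '\n# added: send all traffic through the tunnel\nredirect-gateway def1\n' >> "$out"
  fi
}

# Structural check on a patched profile: exactly one default-route directive,
# and the inline <cert> block still opens and closes the same number of times.
profile_is_forced() {
  [ "$(default_route_count "$1")" -eq 1 ] &&
  [ "$(grep -c '^<cert>' "$1")" -eq "$(grep -c '^</cert>' "$1")" ]
}

# Demo: build the sample, patch it twice, and report the directive counts.
demo() {
  d=${TMPDIR:-/tmp}/p2s-demo.$$
  mkdir -p "$d"
  write_sample_profile "$d/azure.ovpn"
  force_tunnel_profile "$d/azure.ovpn" "$d/azure-forced.ovpn"
  force_tunnel_profile "$d/azure-forced.ovpn" "$d/azure-forced-again.ovpn"
  echo "before:  $(default_route_count "$d/azure.ovpn") default-route directive(s)"
  echo "after:   $(default_route_count "$d/azure-forced.ovpn")"
  echo "rerun:   $(default_route_count "$d/azure-forced-again.ovpn")"
  profile_is_forced "$d/azure-forced.ovpn" && echo "forced profile looks sane"
  rm -rf "$d"
}

demo
```

One caveat a practitioner will want: this only changes what the client sends into the tunnel. The VPN gateway itself does not NAT client traffic out to the internet, so once the default route is in place the internet-bound packets still have to be routed out of the VNet through something that does (a firewall or NVA with SNAT, reached via UDRs). Without that VNet-side piece, the client loses internet access rather than appearing to come from the gateway's public IP.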

I need more info on your use case, but I assume you can get this done by having a hub-and-spoke network and routing all traffic to a virtual network appliance through UDRs. Configure forced tunneling for Virtual WAN Point-to-site VPN - Azure Virtual WAN | Microsoft Learn elaborates on this. I'm sorry if I misunderstood your question.