
Point-to-Site Internet Breakout through Azure Virtual WAN

December 14, 2024
Implementing secure internet breakout for remote workers using Azure Virtual WAN


As organizations adapt to the evolving needs of remote work, customers often ask for a secure way to force-tunnel their remote workers' traffic through Azure and NAT it out to the Internet from a Microsoft-owned public IP. This setup simplifies IP whitelisting for SaaS applications and provides a static public IP for geo-blocking scenarios.

While cost-effectiveness and simplicity remain key, achieving this natively in Azure requires careful planning. Let’s explore how to implement this using Azure Virtual WAN.

Can’t I Use a VPN Gateway with a Point-to-Site Connection?

Although Azure VPN Gateways support forced tunneling via custom default routes, Internet-bound traffic is dropped by design. Therefore, this approach won’t work for outbound traffic routing.


How Can This Be Achieved?

Azure Virtual WAN provides a viable solution. It enables routing Point-to-Site traffic through a secure Virtual Hub, using Azure Firewall to SNAT outbound traffic. Essentially, Azure Virtual WAN serves as a virtual router, facilitating secure traffic routing for remote users.

While this approach involves higher costs, it makes sense for organizations with additional Azure networking needs that can leverage Virtual WAN and Azure Firewall.


Deployment Steps

1. Deploy a Virtual WAN

  • Use the Standard SKU to support Point-to-Site connections.
  • This step is straightforward and lays the foundation for your connectivity.

2. Create a Virtual Hub

  • The Virtual Hub is a Microsoft-managed virtual network used for routing and connectivity.
  • Configure the Point-to-Site VPN gateway during this step. Ensure OpenVPN is enabled if you’re planning to use Azure AD authentication.
  • Deployment may take around 40 minutes, primarily for the VPN gateway setup.

3. Create a Firewall Policy

  • Use Firewall Manager to define and configure a policy for your Azure Firewall.
  • Deploy either a Standard or Premium SKU Azure Firewall, as the Basic SKU does not support the required routing configurations.
  • Example: For initial testing you can start with an outbound "Allow All" network rule, but tighten the policy to the destinations your users actually need before rolling it out.

4. Attach the Policy to the Virtual Hub

  • Through Firewall Manager, associate the firewall policy with the Virtual Hub.
  • This creates an Azure Firewall resource and assigns the policy to it.

5. Assign Security Configuration

  • In the Virtual Hub's security configuration, set traffic to route through Azure Firewall.
  • This updates the default route of the Virtual Hub to use the Firewall as the next hop. Expect about 10 minutes of downtime during this step.
  • Confirm that the User VPN configuration profile shows ‘Secured by Azure Firewall.’

6. Enable InternetSecurityFlag for Forced Tunneling

  • Ensure the Point-to-Site gateway has this property enabled. The following PowerShell retrieves the gateway and enables the flag (the Get call assumes a single P2S gateway in the resource group):

    # Retrieve the P2S gateway deployed in the Virtual Hub
    $p2sgw = Get-AzP2sVpnGateway -ResourceGroupName "virtualwan"
    # Enable Internet security so the hub's default route (via Azure Firewall) is advertised to VPN clients
    Update-AzP2sVpnGateway -ResourceGroupName $p2sgw.ResourceGroupName -Name $p2sgw.Name -EnableInternetSecurityFlag

7. Download, Edit, and Import the VPN Profile

  • Download the WAN-level VPN profile for the Virtual WAN.
  • Modify the azurevpnconfig.xml file to set the <version> element to 2. This ensures the VPN client uses the default 0.0.0.0/0 route.
  • Import the updated profile into the Azure VPN client. Ensure the client is at least version 2:1900:39.0 to support forced tunneling.
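As an added example (not the author's script and not a Microsoft sample), the following Az PowerShell deploys steps 1 to 6 end to end. Resource names, the region, address prefixes and the tenant and application IDs are placeholders; the routing-intent cmdlets are the PowerShell equivalent of the Firewall Manager security-configuration step, and the final flag update is the article's own command.

```powershell
# Added example: deploy Virtual WAN, hub, P2S gateway, firewall policy and Azure Firewall.
# All names, prefixes, region and IDs below are placeholders (assumptions), not values from the article.
$rg       = "virtualwan"                 # resource group name used in the article
$location = "westeurope"                 # assumed region
$tenantId = "<your-tenant-id>"           # placeholder: Entra ID (Azure AD) tenant
$vpnAppId = "<azure-vpn-enterprise-app-id>" # placeholder: Azure VPN client application ID from the docs

# Step 1: Standard SKU Virtual WAN (required for Point-to-Site)
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name "vwan-p2s" -Location $location `
    -VirtualWANType "Standard" -AllowBranchToBranchTraffic

# Step 2: Virtual Hub plus P2S gateway (OpenVPN + Azure AD authentication)
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name "hub-weu" -Location $location `
    -VirtualWan $vwan -AddressPrefix "10.100.0.0/23"

$serverCfg = New-AzVpnServerConfiguration -ResourceGroupName $rg -Name "p2s-aad-cfg" -Location $location `
    -VpnProtocol OpenVPN -VpnAuthenticationType AAD `
    -AadTenant   "https://login.microsoftonline.com/$tenantId" `
    -AadIssuer   "https://sts.windows.net/$tenantId/" `
    -AadAudience $vpnAppId

$clientPool = "172.16.10.0/24"           # assumed VPN client address pool
$p2sgw = New-AzP2sVpnGateway -ResourceGroupName $rg -Name "p2sgw-hub" -VirtualHub $hub `
    -VpnGatewayScaleUnit 1 -VpnClientAddressPool $clientPool -VpnServerConfiguration $serverCfg

# Step 3: Firewall policy. Allow-all outbound from the client pool is for initial testing only;
# restrict DestinationAddress/DestinationPort to what users actually need before rollout.
$policy = New-AzFirewallPolicy -ResourceGroupName $rg -Name "fwpol-hub" -Location $location
$rule = New-AzFirewallPolicyNetworkRule -Name "p2s-outbound" -Protocol "Any" `
    -SourceAddress $clientPool -DestinationAddress "*" -DestinationPort "*"
$coll = New-AzFirewallPolicyFilterRuleCollection -Name "p2s-allow" -Priority 100 -Rule $rule -ActionType Allow
New-AzFirewallPolicyRuleCollectionGroup -Name "p2s-rcg" -Priority 100 `
    -RuleCollection $coll -FirewallPolicyObject $policy

# Step 4: Azure Firewall (Standard tier; Basic is not supported here) attached to the hub with the policy.
# The hub public IP created here is the address users will see as their egress IP.
$pips  = New-AzFirewallHubPublicIpAddress -Count 1
$hubIp = New-AzFirewallHubIpAddress -PublicIP $pips
$fw = New-AzFirewall -ResourceGroupName $rg -Name "azfw-hub" -Location $location `
    -SkuName AZFW_Hub -SkuTier Standard -VirtualHubId $hub.Id `
    -FirewallPolicyId $policy.Id -HubIPAddress $hubIp

# Step 5: Send Internet-bound traffic through the firewall (routing intent is the
# PowerShell equivalent of the portal's security configuration; expect a short outage).
$internetPolicy = New-AzRoutingPolicy -Name "InternetTraffic" -Destination @("Internet") -NextHop $fw.Id
New-AzRoutingIntent -ResourceGroupName $rg -VirtualHubName $hub.Name -Name "hubRoutingIntent" `
    -RoutingPolicy @($internetPolicy)

# Step 6: Advertise the 0.0.0.0/0 route to P2S clients (the article's own command)
Update-AzP2sVpnGateway -ResourceGroupName $p2sgw.ResourceGroupName -Name $p2sgw.Name -EnableInternetSecurityFlag
```

Run it with an account that has Network Contributor rights on the resource group; the hub and P2S gateway creation are the slow parts, in line with the 40 minutes mentioned above. After it completes, download the WAN-level profile as described in step 7.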

Testing the Setup

Once connected, verify the following:

  1. The VPN connection should have a single route of 0.0.0.0/0, confirming forced tunneling is active.
  2. Use an IP checker to confirm that outbound traffic SNATs through the Azure Firewall’s public IP.
  3. Check firewall logs to see traffic originating from the VPN client’s address pool.
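The client-side half of step 7 and the first two checks above, as an added example that is not part of the original article. The version edit searches for the <version> element by local name so it works whatever XML namespace the downloaded profile declares; the egress check uses a public IP-echo service (https://api.ipify.org, an assumption) and compares the answer with the firewall's public IP you pass in.

```powershell
# Added example: prepare azurevpnconfig.xml and verify forced tunneling from a Windows client.
# Paths, the expected egress IP and the IP-echo service are assumptions, not values from the article.

function Set-AzVpnProfileVersion {
    # Sets every <version> element in the profile to the requested value (2 enables the 0.0.0.0/0 route).
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Version = 2
    )
    [xml]$xml = Get-Content -Path $Path -Raw
    # local-name() ignores the profile's default namespace, which would otherwise make "//version" miss
    $nodes = $xml.SelectNodes("//*[local-name()='version']")
    if ($nodes.Count -eq 0) { throw "No <version> element found in $Path" }
    foreach ($node in $nodes) { $node.InnerText = [string]$Version }
    $xml.Save($Path)
    return $nodes.Count
}

function Get-DefaultRouteSummary {
    # Lists IPv4 default routes ordered by effective metric; the first entry is the one Windows will use.
    Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4 |
        Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, InterfaceMetric
}

function Test-ForcedTunnelEgress {
    # Returns $true when the public IP seen by an external service equals the firewall's public IP.
    param([Parameter(Mandatory)][string]$ExpectedEgressIp)
    $observed = (Invoke-RestMethod -Uri "https://api.ipify.org?format=json").ip   # assumed echo service
    Write-Host "Observed egress IP: $observed (expected $ExpectedEgressIp)"
    return ($observed -eq $ExpectedEgressIp)
}

# Usage (values are placeholders):
# Set-AzVpnProfileVersion -Path "C:\vpn\azurevpnconfig.xml" -Version 2
# ... import the profile into the Azure VPN client and connect ...
# Get-DefaultRouteSummary           # expect the VPN adapter's 0.0.0.0/0 route to win
# Test-ForcedTunnelEgress -ExpectedEgressIp "<azure-firewall-public-ip>"
```

If the route summary shows the physical adapter's default route with a lower metric than the VPN adapter's, the tunnel is up but not forced, which usually means the profile was imported before the version edit or the client is older than the version required above.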

Conclusion

While Azure Virtual WAN combined with Azure Firewall provides a native solution, it comes at a cost—typically exceeding $500 per month. This setup is ideal as part of a broader Azure networking strategy rather than a standalone solution. For cost-conscious scenarios, consider exploring Azure Marketplace for a Network Virtual Appliance (NVA) supporting similar functionality.

By leveraging this architecture, you can secure remote workers' traffic, streamline whitelisting, and maintain compliance with geo-blocking and other security requirements—all using Azure-native tools.

Note: The cost of Azure Virtual WAN and Azure Firewall may not be suitable for all budgets. Consider alternative solutions like Network Virtual Appliances (NVAs) available in the Azure Marketplace for cost-conscious scenarios.

Note: The setup described in this article only works with forced tunneling over the 0.0.0.0/0 route, meaning all traffic from the VPN client is routed through Azure. If you need specific routes for the VPN client instead, this setup may not accommodate them; however, you can explore modifying the VPN client XML file (azurevpnconfig.xml) to add custom routes for the Virtual WAN VPN client.
