
Vnet routing over IPSEC

Marcus Pettersson
Occasional Contributor

Hello,


I have set up a Site-to-Site IPSEC connection between my customer's Vnet in Azure and their on-premise network.

It all works just fine and the routing works fine for the address spaces in the tunnel.


Now, they want to specify address ranges that exist on the Internet to route through the VPN tunnel and reach the Internet from their on-premise network. In other words, they want forced tunneling but only for specific addresses. Is this possible to set up in Azure in some way?

3 Replies

Hi @Marcus Pettersson 


Take a look at setting up a User Defined Route. UDR will allow you to force addresses down any path. Azure routes traffic in the following order: User-defined route, BGP route, System route.


You should be able to tell the route to use either a virtual appliance or the VPN gateway as the next hop.


If this fails, look at using Azure Firewall as a router to replace a virtual appliance.

+1 to @Craig Wilson. This is exactly how you can accomplish this. You can use the tools in Network Watcher to verify the traffic flow as well. The IP flow verify and Next hop utilities can confirm it's routing to your liking.
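Added example (not code from either reply or from Azure): a small simulation of how Azure picks an effective route for a subnet, covering both the precedence order Craig describes and the Next hop check Bryan suggests. It models the two rules that make selective forced tunneling work: the longest matching prefix wins, and among routes with the same prefix length a user-defined route beats a BGP route, which beats a system route. The route table, the 203.0.113.0/24 "Internet" prefix and the 192.168.0.0/16 on-premises range are constructed placeholders; `gateway_forwards_to_onprem` is a deliberately simplified stand-in for the gateway's own routing decision.

```python
"""Constructed simulation of Azure effective-route selection for a subnet.

Not Azure's code: it only models the documented rules that the longest
matching prefix wins and that, for equal prefix lengths, a user-defined
route beats a BGP route, which beats a system route.
"""
import ipaddress
from dataclasses import dataclass

# Precedence among routes with the same prefix length (lower rank wins).
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    address_prefix: str
    next_hop_type: str   # VnetLocal, Internet, VirtualNetworkGateway, VirtualAppliance, ...
    source: str          # User, BGP or System


# Constructed route table for a subnet in a 10.0.0.0/16 VNet whose VPN
# gateway is connected to an on-premises 192.168.0.0/16 network.
ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", "System"),
    # The UDR that implements selective forced tunneling: only this public
    # range (a documentation prefix used as a placeholder) goes via the tunnel,
    # everything else still leaves through the system Internet route.
    Route("203.0.113.0/24", "VirtualNetworkGateway", "User"),
]


def select_route(routes, destination):
    """Return the route Azure would pick for one destination address."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes
               if dst in ipaddress.ip_network(r.address_prefix)]
    if not matches:
        return None
    # Longest prefix first; within equal lengths, lower SOURCE_RANK wins.
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r.address_prefix).prefixlen,
                       SOURCE_RANK[r.source]),
    )


def next_hop(routes, destination):
    """Next hop type for a destination, or None. This is the question the
    Network Watcher 'Next hop' tool answers for a real VM."""
    route = select_route(routes, destination)
    return route.next_hop_type if route else None


def gateway_forwards_to_onprem(address_prefix, local_network_gateway_prefixes):
    """Simplified check (assumption, not Azure's logic): the VPN gateway only
    sends a prefix into the tunnel if it lies inside the address space
    configured on the local network gateway (or learned over BGP). Without
    that, the UDR delivers the traffic to the gateway but the gateway has
    nowhere to send it, so the Internet range must be added on that side too."""
    net = ipaddress.ip_network(address_prefix)
    return any(net.subnet_of(ipaddress.ip_network(p))
               for p in local_network_gateway_prefixes)


if __name__ == "__main__":
    for dest in ("203.0.113.10", "198.51.100.7", "192.168.1.5", "10.0.1.4"):
        r = select_route(ROUTES, dest)
        print(f"{dest:>14} -> {r.next_hop_type:<22} ({r.source}, {r.address_prefix})")
    print("tunnel covers UDR prefix:",
          gateway_forwards_to_onprem("203.0.113.0/24", ["192.168.0.0/16"]))
```

Running it shows 203.0.113.10 leaving via VirtualNetworkGateway because the /24 UDR is more specific than the system 0.0.0.0/0, while 198.51.100.7 still goes straight to Internet, which is the "forced tunneling for specific addresses only" behaviour asked for. The last line prints False: adding the UDR alone is not enough, the same prefix has to be reachable from the gateway's point of view (local network gateway address space or a BGP advertisement), otherwise the traffic is blackholed at the gateway rather than reaching on-premises.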

Hi @Craig Wilson and @Bryan Haslip


Thanks a lot for your help! I will try your suggestions and hopefully get it to work!
