Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection

Hi all,

I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I’ve disconnected any public IPs from this server, the Conditional Access policy still isn’t working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?

Hi @AB21805,

It sounds like you're experiencing difficulties with configuring Conditional Access policies to allow MFA bypass for an Azure VM due to dynamic public IP detection. Here’s a structured approach to troubleshoot and resolve this issue.

Step-by-Step Guide to Configure Conditional Access for Office 365

1. Verify Network Configuration

Ensure that your VM is configured correctly with respect to its networking setup.

  • No Public IP: Verify that the VM indeed has no public IP associated. Check both the NIC and the Azure VM overview.
  • NAT Gateway/Firewall: Ensure that no NAT Gateway or firewall settings are causing the VM to be seen with a public IP.

2. Use Azure Bastion or Private Endpoint

Consider using Azure Bastion or a private endpoint to securely access your VM without needing a public IP.

3. Static Public IP (If Necessary)

If you must use a public IP, consider assigning a static public IP to the VM to ensure consistency for Conditional Access rules.

4. Configure Conditional Access Policy

Step-by-Step Configuration:

  1. Sign in to the Azure portal:
    • Go to Azure Active Directory > Security > Conditional Access.
  2. Create a new Conditional Access policy:
    • Click New policy.
    • Name your policy (e.g., "Office 365 MFA Bypass for Azure VM").
  3. Assignments:
    • Users and groups: Select the users or groups that need the policy applied.
    • Cloud apps or actions: Select Office 365 or specific Office 365 services (e.g., Exchange Online, SharePoint Online).
  4. Conditions:
    • Locations:
      • Under Include, select All locations.
      • Under Exclude, choose Selected locations, then select the location of your Azure VM.
      • If your VM uses a dynamic public IP, you can use the IP address range of your Azure region or the specific static IP if assigned.
  5. Access controls:
    • Under Grant, select Grant access, then enable Require multi-factor authentication.
    • Use Session controls if necessary.
  6. Enable Policy:
    • Set Enable policy to On.
  7. Save the policy.

5. Check IP Address Visibility

To determine the public IP address seen by Office 365 from the VM:

  1. Log into the VM.
  2. Open a web browser and search for "what is my IP" to check the IP address being used.

6. Dynamic IP Handling

If a dynamic IP is unavoidable, consider:

  • Using a VPN: Configure a VPN for the VM to ensure a consistent IP address.
  • Azure AD Named Locations: Define a Named Location in Azure AD with the IP address range of your Azure environment.

Defining Named Locations:

  1. Navigate to Azure Active Directory > Security > Conditional Access > Named locations.
  2. Add a new location:
    • Name the location (e.g., "Azure VM IP Range").
    • Add the IP address range or specific IP addresses.
  3. Use this Named Location in your Conditional Access policy as described above.

Conclusion

By following these steps, you should be able to configure Conditional Access policies that effectively bypass MFA requirements for Office 365 on your specific Azure VM. Ensure the VM network setup is correctly configured and consider using static IPs or VPNs for consistency.

Hi @DTB

1. Where do I check the NAT for a public IP? The VM itself and the NIC do not have one.

2. I am currently using Bastion; RDP is disabled.

3. I don't want to use a public IP at all, but it keeps flagging up with the Conditional Access. I am unable to use its private static IP for some reason; the Conditional Access policy always favours the public IP.

4. Where do I find the IP range for the Azure region?

5. Yes, this changes all the time with random IPs.

6. Would a VPN stop it using the public IP? Does using the whole range for the Azure environment fix this? Where do I find the range for the whole environment? Is it the virtual network gateway?

Hi @AB21805,

Let's address each of your points step-by-step to help you resolve the issues with Conditional Access and public IP detection.

Follow-Up Questions

1. Checking NAT for Public IP

To check if there is any NAT (Network Address Translation) affecting your VM, you can:

  • Azure Portal:
    • Go to your Virtual Network.
    • Check any NAT Gateway associated with the subnet where your VM resides.
  • Network Security Groups (NSGs):
    • Ensure there are no NSGs with NAT rules that might be translating internal IPs to public IPs.

2. Using Azure Bastion

Since you are using Azure Bastion, which provides secure RDP and SSH access to VMs without exposing public IPs, this setup should not involve public IPs for direct VM access. Ensure no other services or configurations are inadvertently exposing public IPs.

3. Avoiding Public IP Usage

To avoid using public IPs and ensure Conditional Access policies recognize the private static IP:

  • Ensure Correct NSG Configuration:
    • Verify that your NSGs allow traffic from the specified private IP ranges and block all inbound and outbound traffic from public IPs except for necessary Azure services.
  • Conditional Access Policies:
    • Double-check that the policies are correctly targeting the private IP range. It might be useful to define a named location with the IP range.

4. Finding the IP Range for Azure Region

To find the IP range for your Azure region (e.g., East US):

  • Azure IP Ranges and Service Tags:
    • Microsoft provides a list of IP ranges for all Azure regions. You can find this in the Azure IP Ranges and Service Tags document.
    • Download the file and locate the section for your specific region (e.g., East US).

5. Dealing with Changing IPs

The dynamic nature of IP addresses for Azure services means they can change frequently. Ensure your configurations are as flexible as possible:

  • Named Locations:
    • Define named locations in Azure AD Conditional Access that cover the broad IP ranges of your Azure region.

6. Using VPN to Avoid Public IP

Using a VPN can help ensure that your traffic is routed through a consistent private IP range:

  • VPN Gateway Configuration:
    • Set up a VPN Gateway in Azure to route traffic securely.
    • Configure your VPN client to connect to the VPN Gateway, ensuring all traffic is routed through the VPN, thus avoiding public IP usage.
  • Private IP Usage with VPN:
    • When connected via VPN, ensure that the traffic is recognized by Conditional Access policies as originating from the VPN's private IP range.

Steps to Implement VPN for Consistent IP Usage

  1. Create a VPN Gateway:
    • Navigate to the Azure portal.
    • Go to Create a resource > Networking > VPN Gateway.
    • Follow the prompts to create a VPN gateway in your virtual network.
  2. Configure Point-to-Site VPN:
    • Set up a Point-to-Site configuration on the VPN Gateway.
    • Download the VPN client configuration and distribute it to your users.
  3. Connect to the VPN:
    • Ensure users connect to the VPN before accessing Office 365 services.
    • This ensures traffic is routed through the VPN gateway’s private IP range.

Example Configuration for Named Locations

  1. Define Named Locations:
    • Navigate to Azure Active Directory > Security > Conditional Access > Named locations.
    • Click + New location.
    • Enter the name and specify the IP range(s) for your Azure region or VPN.
  2. Update Conditional Access Policy:
    • Modify your Conditional Access policy to exclude the defined named location for MFA requirements.

By implementing these steps, you should be able to configure your environment to ensure that Conditional Access policies correctly recognize and handle traffic from private IPs, avoiding the issues with dynamic public IPs.

I hope this helps!
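As an added illustration (not code from either reply), the Python below reads a constructed snippet laid out like Microsoft's Azure IP Ranges and Service Tags JSON download, collects the AzureCloud.<region> prefixes, and tests whether the address that "what is my IP" reported from the VM falls inside them. The tag and property names follow that file's layout, but the embedded prefixes are documentation ranges, not real Azure ranges, and the sample address is constructed.

```python
import ipaddress
import json

# Constructed snippet laid out like Microsoft's "Azure IP Ranges and Service Tags"
# JSON download. The prefixes are RFC 5737/3849 documentation ranges, NOT real
# Azure ranges; replace this string with the downloaded file's contents.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus",
         "properties": {"region": "eastus", "platform": "Azure", "systemService": "",
                        "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/25",
                                            "2001:db8:1::/48"]}},
        {"name": "AzureCloud.westeurope",
         "properties": {"region": "westeurope", "platform": "Azure", "systemService": "",
                        "addressPrefixes": ["192.0.2.0/24"]}},
    ],
})


def region_prefixes(service_tags_json, region, ipv4_only=True):
    """Return the address prefixes listed under the AzureCloud.<region> tag."""
    data = json.loads(service_tags_json)
    wanted = f"AzureCloud.{region}".lower()
    for tag in data["values"]:
        if tag["name"].lower() == wanted:
            nets = [ipaddress.ip_network(p) for p in tag["properties"]["addressPrefixes"]]
            # Keep IPv4 by default; pass ipv4_only=False to include the IPv6 prefixes too.
            return [n for n in nets if n.version == 4] if ipv4_only else nets
    raise KeyError(f"no service tag named {wanted} in this file")


def find_prefix(ip, prefixes):
    """Return the prefix containing ip, or None if the address is outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in prefixes if addr in n), None)


def named_location_entries(prefixes):
    """CIDR strings in the form the Conditional Access named-location dialog takes."""
    return [str(n) for n in prefixes]


if __name__ == "__main__":
    eastus = region_prefixes(SAMPLE_SERVICE_TAGS, "eastus")
    seen = "203.0.113.77"  # constructed stand-in for the address "what is my IP" showed
    hit = find_prefix(seen, eastus)
    print(f"{seen} is in {hit}" if hit else f"{seen} is outside AzureCloud.eastus")
    print("named-location entries:", named_location_entries(eastus))
```

Running the same functions over the real download gives the CIDR list to paste into the named location; note that an AzureCloud regional prefix is shared by every tenant's resources in that region, so a named location built from it is far wider than this one VM.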


Hi,

1. For this VM the NSGs are the default ones; does this transition the IP to public by default?

3. Could you give me an example of this? Also, by doing this, when searching the internet for "WhatsmyIP" what would this bring up, nothing?

4. Would this be less secure?

6. Would this affect the other devices which connect to this virtual network? Also, my virtual network gateway has a public IP; am I correct in thinking this is needed for on-prem and can't be removed unless on-prem services are not required?

Thanks for your clear guidance!

Hi @DTB

If we were to go with a NAT gateway, would this require a higher SKU than what I currently have (VpnGw1)?

If so, what would the cost impact be of a VpnGw2 in comparison? Also, does a NAT Gateway cost much?