Is using Remote Access Services (RAS) Gateway on Azure is recommended?

%3CLINGO-SUB%20id%3D%22lingo-sub-1547735%22%20slang%3D%22en-US%22%3EIs%20using%20Remote%20Access%20Services%20(RAS)%20Gateway%20on%20Azure%20is%20recommended%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1547735%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20your%20inputs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20an%20Azure%20subscription%20where%20we%20are%20hosting%20retail%20applications.%20The%20retail%20application%20is%20hosted%20on%20Azure%20VMs.%26nbsp%3B%20The%20requirement%20is%20to%20publish%20the%20retail%20application%20to%20the%20business%20users%20over%20a%20VPN.%20I%20have%20implemented%20an%20Azure%20Point-to-Site%20VPN%20using%20Certificate%20authentication%2C%20but%20I%20couldn't%20find%20a%20way%20to%20restrict%20access%20to%20the%20only%20website%20of%20the%20retail%20application.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20example%2C%20the%20user's%20machine%20who%20has%20Azure%20Point-to-Site%20VPN%20configured%20he%20can%20access%20all%20the%20resources%20such%20as%20remote%20desktop%20of%20the%20VMs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20recommended%20solution%20for%26nbsp%3B%3CSPAN%3Eremote%20users%20to%20securely%20access%20shared%20resources%2C%20intranet%20Web%20sites%2C%20and%20applications%20on%20Azure%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20using%20Remote%20Access%20Services%20(RAS)%20Gateway%20on%20Azure%20is%20recommended%3F%20Or%20another%20alternative%20product%20available%20in%20Azure.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1547735%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Resource%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENetworking%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EVirtual%20Network%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1549741%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20using%20Remote%20Access%20Services%20(RAS)%20Gateway%20on%20Azure%20is%20recommended%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1549741%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F172390%22%20target%3D%22_blank%22%3E%40RAJAKUMAR%20SELVARAJ%3C%2FA%3E%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20the%20published%20Applications%20Web%20Applications%3F%3C%2FP%3E%3CP%3EHave%20you%20taken%20a%20look%20on%20the%20possibility%20to%20publish%20them%20with%20a%20Azure%20App%20Proxy%3F%3C%2FP%3E%3CP%3EMaybe%20this%20is%20a%20easier%20and%20better%20way%20to%20get%20them%20available%20from%20external%2C%20with%20the%20use%20of%20the%20Azure%20AD%20Security%20mechanisms%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Regards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPeter%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1555377%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20using%20Remote%20Access%20Services%20(RAS)%20Gateway%20on%20Azure%20is%20recommended%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1555377%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F172390%22%20target%3D%22_blank%22%3E%40RAJAKUMAR%20SELVARAJ%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20agree%20with%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F294699%22%20target%3D%22_blank%22%3E%40Peter_Beckendorf%3C%2FA%3E%26nbsp%3Bthat%20Azure%20AD%20Application%20Proxy%20is%20a%20great%20alternative%20to%20traditional%20reverse%20proxy%20solutions%2C%20especially%20if%20you%20want%20to%20publish%20web%20application.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20case%20a%20VPN%20is%20a%20hard%20requirement%2C%20you%20could%20still%20use%20Azure%20VPN%20Gateway%20(and%20have%20either%20P2S%20connections%20from%20your%20users%20regardless%20of%20their%20location%2C%20or%20S2S%20VPN%20from%20their%20office%20network)%20and%20restrict%20access%20to%20the%20VNet%20where%20you%20are%20hosting%20your%20retail%20app%20using%20NSGs.%20In%20a%20typical%20scenario%2C%20you%20have%20a%20VNet%20with%20a%20%3CEM%3EGatewaySubnet%3C%2FEM%3E%20(where%20you%20host%20your%20VPN%20GW)%20and%20then%20one%20or%20several%20other%20subnets%2C%20where%20you%20host%20your%20workloads.%20By%20applying%20an%20NSG%20on%20the%20workload%20subnet%2C%20permitting%20only%20TCP%2F443%20or%20TCP%2F80%20(depends%20on%20your%20configuration)%20protocol%2Fport%20for%20inbound%2C%20you%20can%20control%20what%20%22services%22%20will%20your%20remote%20users%20have%20available.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20are%20other%20products%20and%20solutions%20in%20the%20Azure%20Marketplace%20you%20could%20use%20as%20your%20VPN%20gateway%2C%20but%20majority%20of%20my%20customers%20prefer%20a%20managed%20service%20(Azure%20VPN%20Gateway)%2C%20so%20they%20don't%20need%20to%20manage%20that%20component%20(typically%20an%20appliance%20running%20on%20Azure%20VM)%20themselves.%20But%20it%20all%20depends%20on%20your%20requirements%2C%20organizational%20capabilities%2C%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3CP%3EDavid%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi,

 

I need your inputs.

 

We have an Azure subscription where we are hosting retail applications. The retail application is hosted on Azure VMs.  The requirement is to publish the retail application to the business users over a VPN. I have implemented an Azure Point-to-Site VPN using Certificate authentication, but I couldn't find a way to restrict access to the only website of the retail application.

 

For example, the user's machine who has Azure Point-to-Site VPN configured he can access all the resources such as remote desktop of the VMs.

 

What is the recommended solution for remote users to securely access shared resources, intranet Web sites, and applications on Azure?

 

Is using Remote Access Services (RAS) Gateway on Azure is recommended? Or another alternative product available in Azure.

 

2 Replies

Hi @RAJAKUMAR SELVARAJ

 

Are the published Applications Web Applications?

Have you taken a look on the possibility to publish them with a Azure App Proxy?

Maybe this is a easier and better way to get them available from external, with the use of the Azure AD Security mechanisms?

 

Kind Regards,

 

Peter 

Hi @RAJAKUMAR SELVARAJ ,

 

I agree with @Peter_Beckendorf that Azure AD Application Proxy is a great alternative to traditional reverse proxy solutions, especially if you want to publish web application.

 

In case a VPN is a hard requirement, you could still use Azure VPN Gateway (and have either P2S connections from your users regardless of their location, or S2S VPN from their office network) and restrict access to the VNet where you are hosting your retail app using NSGs. In a typical scenario, you have a VNet with a GatewaySubnet (where you host your VPN GW) and then one or several other subnets, where you host your workloads. By applying an NSG on the workload subnet, permitting only TCP/443 or TCP/80 (depends on your configuration) protocol/port for inbound, you can control what "services" will your remote users have available.

 

There are other products and solutions in the Azure Marketplace you could use as your VPN gateway, but majority of my customers prefer a managed service (Azure VPN Gateway), so they don't need to manage that component (typically an appliance running on Azure VM) themselves. But it all depends on your requirements, organizational capabilities, etc.

 

Best regards,

David